[keycloak-user] Keycloak Proxy passing through unauthenticated

Guy Bowdler guybowdler at dorsetnetworks.com
Fri May 13 16:32:33 EDT 2016


As always, thanks for your replies btw:)

On 13 May 2016 19:58:47 BST, Bill Burke <bburke at redhat.com> wrote:
>The idea of the proxy is that the secured app doesn't have to have a
>plugin.  The secured app is supposed to be on a private network and the
>proxy sits on a public one.
>
>
>On 5/13/16 11:52 AM, Jason Axley wrote:
>>  From my read of the design, it doesn’t look like the proxy design
>> provides a secure way of front-ending an application that won’t allow
>> someone with network access behind the proxy to access the application
>> either without authentication or by impersonating any user since the
>> design appears to rely on HTTP headers set with identity information
>> sent to the backend application.
>>
>> A better design would have been to pass the actual Id Token to the
>> backend application so that the backend application can actually verify
>> the identity signature on the JWT so that someone can’t just fabricate
>> arbitrary identity information.  I would think this could work in
>> concert with an application plugin that could consume these tokens and
>> validate and make the identity information available to the application
>> in a trustworthy manner.
>>
>> -Jason
>>
>> On 5/13/16, 8:00 AM, "keycloak-user-bounces at lists.jboss.org on behalf
>> of Guy Bowdler" <keycloak-user-bounces at lists.jboss.org on behalf of
>> guybowdler at dorsetnetworks.com> wrote:
>>
>>> Hi,
>>>
>>> We've got the Keycloak Security Proxy (official one -
>>> https://keycloak.github.io/docs/userguide/keycloak-server/html/proxy.html)
>>> running and passing to an nginx proxy which is in turn proxying out
>>> different apps, ie:
>>>
>>> [client] ----> [:80|443 KeyCloak Proxy ----> :8080 Nginx Reverse Proxy]
>>> ------> [application]
>>>
>>> Where [] denotes a different box, the ProxyBox is hostname.domain and
>>> the apps are published as hostname.domain/appname
>>>
>>>
>>> However, the client is able to access the application without
>>> authentication, we have clients and roles set up in keycloak and the
>>> config looks ok (although obviously isn't!)
>>>
>>> Are there any KeyCloak Proxy logs we can look at, or debugging options?
>>> I haven't found any as yet and nothing is jumping out of the config.
>>>
>>> We can access the back end apps ok either from the Keycloak proxy
>>> running on ports 80 or 443 or via the nginx proxy on 8080 (and yes, this
>>> latter connection will be restricted to localhost when it's working!).
>>> The keycloak proxy config is very similar to the default except the
>>> values from the keycloak installation GUI have been pasted in.
>>>
>>> Any troubleshooting tips would be much appreciated!
>>>
>>> thanks in advance:)
>>>
>>> Guy
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
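The point Jason raises above, backend identity carried in forgeable headers versus a signed token the backend verifies itself, as an added example that is not part of this thread and not Keycloak's own code. It simulates a backend sitting on the private network behind the proxy (in Guy's layout, the nginx box on :8080) and compares the two ways it can establish who the caller is. Assumptions: the header names KEYCLOAK_USERNAME and KEYCLOAK_ACCESS_TOKEN are taken to be the proxy's defaults with send-access-token enabled; Keycloak actually signs tokens with RS256 under the realm key pair, but the stand-in issuer here uses HS256 with a shared secret purely so the code runs on the standard library alone, and the key, claims and requests are all constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-in for the realm signing key. Keycloak signs access tokens
# with RS256 under the realm key pair; HS256 with a shared secret is used here
# only so the example runs on the standard library alone. The header names are
# assumed to be the proxy's defaults with send-access-token enabled.
REALM_SECRET = b"example-realm-signing-secret"
USERNAME_HEADER = "KEYCLOAK_USERNAME"
TOKEN_HEADER = "KEYCLOAK_ACCESS_TOKEN"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = REALM_SECRET) -> str:
    """Mint a compact JWS the way an issuer would (stand-in for the Keycloak server)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token: str, key: bytes = REALM_SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if the signature checks out and the token is unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm: a token claiming alg=none or any other algorithm is rejected.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, (head_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    # A token without exp is treated as expired rather than as valid forever.
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims


def identity_from_headers(headers: dict) -> Optional[str]:
    """Pattern criticised in the thread: trust whatever identity header arrives."""
    return headers.get(USERNAME_HEADER)


def identity_from_token(headers: dict) -> Optional[str]:
    """Pattern proposed in the thread: verify the forwarded token before trusting it."""
    claims = verify_token(headers.get(TOKEN_HEADER, ""))
    return claims.get("preferred_username") if claims else None


def proxied_request(username: str) -> dict:
    """Headers as the proxy would set them after a real login (constructed)."""
    token = issue_token({"preferred_username": username, "exp": time.time() + 300})
    return {USERNAME_HEADER: username, TOKEN_HEADER: token}


def forged_request(username: str) -> dict:
    """Headers an attacker on the private network sends straight to the backend,
    bypassing the proxy; the attacker does not hold the realm signing key."""
    token = issue_token({"preferred_username": username, "exp": time.time() + 300}, key=b"attacker-guess")
    return {USERNAME_HEADER: username, TOKEN_HEADER: token}


def tampered_request(username: str) -> dict:
    """A genuine token with its payload swapped: the original signature no longer matches."""
    genuine = proxied_request("alice")[TOKEN_HEADER]
    head_b64, _, sig_b64 = genuine.split(".")
    payload_b64 = _b64url(json.dumps({"preferred_username": username, "exp": time.time() + 300}).encode())
    return {USERNAME_HEADER: username, TOKEN_HEADER: head_b64 + "." + payload_b64 + "." + sig_b64}


if __name__ == "__main__":
    print("header-based, forged request :", identity_from_headers(forged_request("admin")))
    print("token-based,  forged request :", identity_from_token(forged_request("admin")))
    print("token-based,  tampered token :", identity_from_token(tampered_request("admin")))
    print("token-based,  via the proxy  :", identity_from_token(proxied_request("alice")))
```

Run stand-alone, the header-based check hands "admin" to the attacker who never went through the proxy, while the token-based check returns None for both the forged and the tampered token and only yields "alice" for the request that carries a token signed under the realm key. Verifying the token in the backend does not remove the need to restrict :8080 to the proxy, as Guy already plans; it limits what an attacker who reaches it anyway can do.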