[keycloak-user] Keycloak Proxy passing through unauthenticated

Bill Burke bburke at redhat.com
Mon May 16 09:15:04 EDT 2016


Again, there are mod-auth-mellon and mod-auth-oidc, but they are apache 
httpd plugins.


On 5/16/16 9:11 AM, Guy Bowdler wrote:
> Hi Chris,
>
> I need to do some tweaking, but basically you were right, I'd 
> neglected to configure the constraints.  Now hitting the URL redirects 
> to keycloak and authenticating redirects to the page, so thanks very 
> much for the pointer.  We'll play around and get used to integrating it.
>
> The main concern now is that our idea to make this work is all based 
> on unmaintained code
>
> Thanks again
>
> Guy
>
> On 2016-05-15 14:39, Chris Pitman wrote:
>> I'm using the proxy in one of my environments and it definitely is
>> requiring authentication. The logs are pretty poor, so debugging is a
>> pain.
>>
>> Two possibilities come to mind:
>>
>> First, are you sure you haven't already authenticated? If you look at
>> the network activity in your browser, are you redirected to keycloak
>> then directed back to your app?
>>
>> Second, have you set constraints in the proxy config? Do those
>> constraints (starting at your configured base path) match the urls you
>> are trying to hit?
>>
>> Bill: As far as I am aware, neither of those httpd modules are
>> supported by us either. A supported option for getting SSO in front of
>> legacy apps is step 1 of getting in the door at clients. If we do end
>> up telling customers to use an apache module, adding generated config
>> for them to the web ui would really help.
>>
>> Chris Pitman
>> Senior Architect, Red Hat Consulting
>>
>> ----- Original Message -----
>>>
>>>
>>> FYI I haven't touched this code in more than a year and have been relying on
>>> the community to maintain it. Why? Well, we're not supporting it in product
>>> and Apache plugins like mod-auth-mellon and mod-auth-oidc exist. We're also
>>> talking to other teams like API Man to see if we can offload the proxy on
>>> them. Anyways, sounds like lame excuses...I know you just want answers...
>>>
>>> On 5/13/16 4:33 PM, Guy Bowdler wrote:
>>>
>>>
>>> Also, you just need to configure the back end proxy to only accept
>>> connections from the Keycloak proxy to secure it; we've just left it open for
>>> now to troubleshoot
>>>
>>> On 13 May 2016 19:58:47 BST, Bill Burke <bburke at redhat.com> wrote:
>>>
>>>
>>> The idea of the proxy is that the secured app doesn't have to have a
>>> plugin.  The secured app is supposed to be on a private network and the
>>> proxy sits on a public one.
>>>
>>>
>>> On 5/13/16 11:52 AM, Jason Axley wrote:
>>>
>>> From my read of the design, it doesn’t look like the proxy design provides a
>>> secure way of front-ending an application that won’t allow someone with
>>> network access behind the proxy to access the application either without
>>> authentication or by impersonating any user, since the design appears to rely
>>> on HTTP headers set with identity information sent to the backend
>>> application.
>>>
>>> A better design would have been to pass the actual Id Token to the backend
>>> application so that the backend application can actually verify the
>>> identity signature on the JWT so that someone can’t just fabricate
>>> arbitrary identity information.  I would think this could work in concert
>>> with an application plugin that could consume these tokens and validate and
>>> make the identity information available to the application in a trustworthy
>>> manner.
>>>
>>> -Jason
>>>
>>> On 5/13/16, 8:00 AM, "keycloak-user-bounces at lists.jboss.org on behalf of Guy
>>> Bowdler" <keycloak-user-bounces at lists.jboss.org on behalf of
>>> guybowdler at dorsetnetworks.com> wrote:
>>>
>>> Hi,
>>>
>>> We've got the Keycloak Security Proxy (official one -
>>> https://keycloak.github.io/docs/userguide/keycloak-server/html/proxy.html )
>>> running and passing to an nginx proxy which is in turn proxying out
>>> different apps, ie:
>>>
>>> [client] ----> [:80|443 KeyCloak Proxy ----> :8080 Nginx Reverse Proxy] ------> [application]
>>>
>>> Where [] denotes a different box, the ProxyBox is hostname.domain and
>>> the apps are published as hostname.domain/appname
>>>
>>>
>>> However, the client is able to access the application without
>>> authentication; we have clients and roles set up in keycloak and the
>>> config looks ok (although obviously isn't!)
>>>
>>> Are there any KeyCloak Proxy logs we can look at, or debugging options?
>>> I haven't found any as yet and nothing is jumping out of the config.
>>>
>>> We can access the back end apps ok either from the Keycloak proxy
>>> running on ports 80 or 443 or via the nginx proxy on 8080 (and yes, this
>>> latter connection will be restricted to localhost when it's working!).
>>> The keycloak proxy config is very similar to the default except the
>>> values from the keycloak installation GUI have been pasted in.
>>>
>>> Any troubleshooting tips would be much appreciated! thanks in advance:)
>>>
>>> Guy
>>> keycloak-user mailing list keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>>
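Jason's point above (have the backend verify the signed ID token rather than trust identity headers injected by the proxy) as an added Go example; this is not code from the thread or from the Keycloak proxy. The backend pins the algorithm to RS256, checks the signature with the identity provider's public key, and checks issuer and expiry before it uses `sub`. The issuer URL, the claim subset, and the `SignToken` stand-in for Keycloak are assumptions; a real backend would fetch the realm's public key from Keycloak and would normally use a JWT library.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims is the subset of ID-token claims the backend relies on.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"` // seconds since the Unix epoch
}
var b64 = base64.RawURLEncoding

// SignToken mints an RS256 JWT the way the IdP would; it exists only so the
// example runs without a live Keycloak. The backend never holds this key.
func SignToken(key *rsa.PrivateKey, c Claims) (string, error) {
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return input + "." + b64.EncodeToString(sig), err
}

// VerifyToken is what the backend does instead of trusting an identity header:
// pin the algorithm, verify the signature with the IdP's public key, then check
// issuer and expiry before any claim is used for authorization.
func VerifyToken(pub *rsa.PublicKey, token, issuer string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or algorithm not RS256") // also rejects alg=none
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil || c.Iss != issuer || now >= c.Exp {
		return nil, errors.New("bad payload, wrong issuer, or expired")
	}
	return &c, nil
}
```

With this in place, a caller on the private network who rewrites the payload to claim another user, strips the signature with `alg=none`, or signs with a key the backend does not trust is rejected, which a header like `X-Remote-User` cannot guarantee.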


