[keycloak-user] Zuul (Gateway) -> Keycloak Adapters Missing pieces

Sebastien Blanc sblanc at redhat.com
Thu Sep 7 08:42:26 EDT 2017


Here is the discussion on why "auth-server-url-for-backend-requests" was
removed :
http://lists.jboss.org/pipermail/keycloak-dev/2016-March/006783.html

Can't you use a Reverse Proxy? TBH I don't know this subject well enough and
would like to hear the opinions from the community on it.

On Thu, Sep 7, 2017 at 12:35 PM, Mauricio Salatino <salaboy at gmail.com>
wrote:

> Because I failed to mention that I'm using the Spring Boot Adapter, I'm
> wondering now if we need something like this:
> "auth-server-url-for-backend-requests"
>
> ->
> https://github.com/keycloak/keycloak/search?utf8=✓&q=auth-server-url-for-backend-requests&type=
>
> Or if it was deprecated or not recommended to use.
>
>
>
> On Thu, Sep 7, 2017 at 11:14 AM, Mauricio Salatino <salaboy at gmail.com>
> wrote:
>
> > Hi everyone,
> > We are using Keycloak behind a gateway (Zuul) and we are having issues with
> > Keycloak adapters not being able to validate the JWT token issued on
> behalf
> > of an external client. Our Gateway is forwarding all the X-FORWARDED-*
> > headers correctly, so the token is issued correctly, but the problem is
> that
> > our adapters (in our services) contain the following configuration:
> >
> > keycloak.auth-server-url=*<local ip of keycloak server>:<port>/auth*
> >
> > Now the problem that we are facing is that the token cannot be validated
> > by the adapter, because it was issued for the external IP and the adapter
> > is pointing to the local IP, so the token validation fails.
> >
> > I've seen several threads and jira issues about this problem without a
> > clear solution and it sounds like the adapter's code can be easily
> extended
> > to support this scenario. Now the question is where that information
> should
> > live:
> > 1) It can be set in the realm configuration so the adapter picks it up
> > on start-up and then uses that information for the token validation
> > 2) It can be picked up by the service that is getting the external IP in
> > the X-FORWARDED-* headers (this might cause a security issue ???)
> >
> > We can provide the code for the solution, but before we start coding we want
> > to know what your opinions are on the matter and if this has been solved
> > before.
> >
> > Cheers
> >
> > Mauricio
> >
> >
> > --
> >  - MyJourney @ http://salaboy.com <http://salaboy.wordpress.com>
> >  - Co-Founder @ http://www.jugargentina.org
> >  - Co-Founder @ http://www.jbug.com.ar
> >
> >  - Salatino "Salaboy" Mauricio -
> >
>
>
>
> --
>  - MyJourney @ http://salaboy.com <http://salaboy.wordpress.com>
>  - Co-Founder @ http://www.jugargentina.org
>  - Co-Founder @ http://www.jbug.com.ar
>
>  - Salatino "Salaboy" Mauricio -
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
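The failure described in the thread is an issuer mismatch: Keycloak writes the realm URL it saw (after X-Forwarded-* processing, i.e. the external address) into the token's `iss` claim, while the adapter compares `iss` against the realm URL it derives from its own `keycloak.auth-server-url`. The following Python block is an added illustration of that check and is not code from Keycloak or from anyone in this thread. The hostnames (`id.example.com`, `10.0.0.5:8080`), the realm name `demo` and the shared HMAC secret are constructed for the example; real adapters verify RS256 signatures with the realm public key, but HMAC keeps the example self-contained.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret standing in for the realm's signing key (assumption).
SECRET = b"example-shared-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(issuer: str, subject: str, secret: bytes = SECRET) -> str:
    """Stand-in for the token Keycloak issues: `iss` is the realm URL as the
    server saw the request, which behind Zuul is the external address."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": issuer, "sub": subject}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def realm_url(auth_server_url: str, realm: str) -> str:
    """Issuer the adapter expects, derived from keycloak.auth-server-url."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}"


def verify(token: str, expected_issuer: str, secret: bytes = SECRET) -> dict:
    """Signature check first, then the issuer check; ValueError on failure."""
    header, payload, sig = token.split(".")
    expected_sig = hmac.new(
        secret, f"{header}.{payload}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != expected_issuer:
        raise ValueError(
            f"issuer mismatch: token iss={claims.get('iss')!r}, "
            f"adapter expects {expected_issuer!r}"
        )
    return claims


def adapter_accepts(token: str, auth_server_url: str, realm: str) -> bool:
    """What a service's adapter decides, given its configured auth-server-url."""
    try:
        verify(token, realm_url(auth_server_url, realm))
        return True
    except ValueError as exc:
        print(f"rejected: {exc}")
        return False


if __name__ == "__main__":
    EXTERNAL = "https://id.example.com/auth"  # address clients reach via Zuul
    INTERNAL = "http://10.0.0.5:8080/auth"    # address services reach directly
    token = mint_token(realm_url(EXTERNAL, "demo"), "alice")
    # Adapter configured with the local address: the mismatch from the thread.
    adapter_accepts(token, INTERNAL, "demo")   # False
    # Adapter configured with the same public URL the token was issued for.
    adapter_accepts(token, EXTERNAL, "demo")   # True
```

Running the block prints the rejection reason for the internally configured adapter and accepts the token once the adapter's `auth-server-url` matches the URL the token was issued under, which is why the reverse-proxy suggestion above (services reaching Keycloak through the same public hostname) makes the two sides agree.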

