[keycloak-user] Zuul (Gateway) -> Keycloak Adapters Missing pieces

Mauricio Salatino salaboy at gmail.com
Thu Sep 7 10:21:07 EDT 2017


We are using a reverse proxy already. I was checking that. Do we need
something specific from it? I want to understand what Keycloak is
expecting from that reverse proxy.

Cheers

On Thu, Sep 7, 2017 at 2:53 PM, Mauricio Salatino <salaboy at gmail.com> wrote:

> Sebastien, thanks a lot for the answer,
> regarding the discussion about removing "auth-server-url-for-backend-requests"
> I do understand why that was made.
> The main problem that we are facing right now is that solving those issues
> with DNS will work for most of the cases but not for environments such as
> docker compose and minikube, where the
> token verification is done comparing Strings and those strings contain
> hosts and ports all together.
>
> A good idea might be to add more flexibility to that verification, where
> we can compare that the host is the same but ports might be different. DNS
> resolution will work out the names but not the ports.
>
> Regarding a Reverse proxy, we are looking into it.
>
> On Thu, Sep 7, 2017 at 1:42 PM, Sebastien Blanc <sblanc at redhat.com> wrote:
>
>> Here is the discussion on why "auth-server-url-for-backend-requests" was
>> removed : http://lists.jboss.org/pipermail/keycloak-dev/2016-March/006783.html
>>
>> Can't you use a Reverse Proxy ? TBH I don't master this subject enough
>> and would like to hear the opinions from the community on this subject.
>>
>> On Thu, Sep 7, 2017 at 12:35 PM, Mauricio Salatino <salaboy at gmail.com>
>> wrote:
>>
>>> Because I failed to mention that I'm using the Spring Boot Adapter, I'm
>>> wondering now if we need something like this:
>>> "auth-server-url-for-backend-requests"
>>>
>>> ->
>>> https://github.com/keycloak/keycloak/search?utf8=✓&q=auth-server-url-for-backend-requests&type=
>>>
>>> Or if it was deprecated or not recommended to use.
>>>
>>>
>>>
>>> On Thu, Sep 7, 2017 at 11:14 AM, Mauricio Salatino <salaboy at gmail.com>
>>> wrote:
>>>
>>> > Hi everyone,
>>> > We are using Keycloak behind a gateway (Zuul) and we are having issues with
>>> > keycloak adapters not being able to validate the JWT token issued on
>>> behalf
>>> > of an external client. Our Gateway is forwarding all the X-FORWARDED-*
>>> > headers correctly so the token is issued correctly but the problem is
>>> that
>>> > our adapters (in our services) contain the following configuration:
>>> >
>>> > keycloak.auth-server-url=*<local ip of keycloak server>:<port>/auth*
>>> >
>>> > Now the problem that we are facing is that the token will not be able
>>> to
>>> > be validated by the adapter, because it was issued for the external IP
>>> and
>>> > the adapter is pointing to the local ip, so the token validation fails.
>>> >
>>> > I've seen several threads and jira issues about this problem without a
>>> > clear solution and it sounds like the adapter's code can be easily
>>> extended
>>> > to support this scenario. Now the question is where that information
>>> should
>>> > live:
>>> > 1) It can be set in the realm configuration so the adapter picks that
>>> up
>>> > on start up and then uses that information for the token validation
>>> > 2) It can be picked up by the service that is getting the external IP in
>>> > the X-FORWARDED-* headers (this might cause a security issue ??? )
>>> >
>>> > We can provide the code for the solution but before starting to code we
>>> want
>>> > to know what your opinions on the matter are and if this has been
>>> solved
>>> > before.
>>> >
>>> > Cheers
>>> >
>>> > Mauricio
>>> >
>>> >
>>> > --
>>> >  - MyJourney @ http://salaboy.com <http://salaboy.wordpress.com>
>>> >  - Co-Founder @ http://www.jugargentina.org
>>> >  - Co-Founder @ http://www.jbug.com.ar
>>> >
>>> >  - Salatino "Salaboy" Mauricio -
>>> >
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
>



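The check the thread is arguing about, as an added example that is not part of the original thread and not the Keycloak adapter's own code: the adapter derives the expected issuer from its configured auth-server-url as `<auth-server-url>/realms/<realm>` and compares it to the token's `iss` claim as an exact string (host and port included), which is why a token minted for the external address is rejected by an adapter pointed at the internal one. The example verifies a signature first, then checks `iss` against an explicit allow-list of issuer URLs (option 1 in the thread, configured on the service side), and also includes a hypothetical `forwarded_issuer` helper that derives the expectation from X-Forwarded-* headers (option 2) to make the objection concrete: whoever controls those headers controls what the check accepts. Assumptions: HS256 with a constructed shared secret stands in for Keycloak's RS256 realm key so the block runs offline; all URLs, realm names and header values are made up.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable

# Constructed demo key. Keycloak signs realm tokens with RS256; an HMAC
# key stands in here only so the example runs offline (assumption).
DEMO_SECRET = b"demo-realm-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint a compact JWS (HS256) carrying the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def adapter_issuer(auth_server_url: str, realm: str) -> str:
    """Expected `iss` for an adapter configured with auth-server-url:
    <auth-server-url>/realms/<realm>. Host and port come straight from
    the configured URL, so an internal address never matches an
    external one."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}"


def forwarded_issuer(headers: dict, realm: str) -> str:
    """Hypothetical option 2 from the thread: build the expected issuer
    from X-Forwarded-* request headers. Present only to show the risk;
    the caller of the request decides what issuer will be accepted."""
    proto = headers.get("X-Forwarded-Proto", "http")
    host = headers.get("X-Forwarded-Host", "")
    return f"{proto}://{host}/auth/realms/{realm}"


def verify_token(token: str, expected_issuers: Iterable[str],
                 secret: bytes = DEMO_SECRET) -> dict:
    """Verify the signature, then require `iss` to equal one of the
    configured issuers exactly. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never trust the token's alg choice
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") not in set(expected_issuers):
        raise ValueError(f"issuer {claims.get('iss')!r} not trusted")
    return claims


def issuer_accepted(token: str, expected_issuers: Iterable[str]) -> bool:
    """Convenience wrapper: True if the token validates, False otherwise."""
    try:
        verify_token(token, expected_issuers)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    external = "https://sso.example.com/auth/realms/demo"   # constructed
    tok = make_token({"iss": external, "sub": "alice"})
    internal = adapter_issuer("http://10.0.0.5:8080/auth", "demo")
    print("internal-only expectation :", issuer_accepted(tok, [internal]))
    print("allow-list with external  :", issuer_accepted(tok, [internal, external]))
    print("header-derived expectation:", forwarded_issuer(
        {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "evil.example"}, "demo"))
```

The allow-list is the part worth copying: keep it static configuration on the service (every address the realm is reachable through, internal and external, each with its port), never something computed from the incoming request. With the header-derived variant, a client that can set X-Forwarded-Host on a request reaching the service can make the expected issuer whatever it likes, so the issuer check no longer says anything about where the token came from.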

