[keycloak-user] keycloak security proxy does not proxy to external application url

Dmitry Telegin dt at acutus.pro
Thu Jan 17 23:40:01 EST 2019


Hello Dimitris,

If you want your application to be accessible under its original URL, you should use Keycloak adapters instead. When using proxy, the original URL remains hidden - this is how reverse proxying works. In this regard Keycloak security proxy is not much different from Apache mod_proxy, HAProxy or nginx. Your application needs to be able to handle the situation where it is exposed under different URL, and adjust the internal URLs (CSS, scripts etc.) accordingly. You can do this either by introducing a config param, or by processing X-Forwarded-Host and X-Forwarded-Proto headers.

Also I'd recommend that you use Keycloak Gatekeeper [1] instead of the now deprecated Keycloak proxy.

[1] https://github.com/keycloak/keycloak-gatekeeper

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro
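As an added illustration of the header-based approach described in the reply above (example code, not from the thread, Keycloak or Gatekeeper): a small Python helper that reconstructs the public base URL of an application from X-Forwarded-Host and X-Forwarded-Proto, so that redirects and absolute asset links point at the address the browser actually used rather than the proxy host. The forwarded headers are honoured only when the request arrives from a known proxy address, because a client that can reach the backend directly could otherwise set them to anything. The TRUSTED_PROXIES ranges, the host-name pattern and the sample host names are assumptions for the example.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Mapping

# Source addresses from which X-Forwarded-* headers are trusted.
# Constructed example ranges; a real deployment lists only its proxies.
TRUSTED_PROXIES = [
    ip_network("127.0.0.1/32"),
    ip_network("172.17.0.0/16"),  # typical Docker bridge network
]

# A forwarded host must look like "host" or "host:port"; anything else
# (slashes, whitespace, control characters) is ignored.
_HOST_RE = re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$")


def _from_trusted_proxy(peer_ip: str) -> bool:
    """True when the TCP peer that sent the request is one of our proxies."""
    try:
        addr = ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def public_base_url(headers: Mapping[str, str], peer_ip: str,
                    local_host: str, local_scheme: str = "http") -> str:
    """Return "scheme://host" as the client sees it through the proxy.

    Falls back to the backend's own host/scheme when the peer is not a
    trusted proxy or when the forwarded values are malformed.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    scheme, host = local_scheme, local_host
    if _from_trusted_proxy(peer_ip):
        # Chained proxies may append to the list; the first entry is the
        # client-facing value.
        fwd_host = lower.get("x-forwarded-host", "").split(",")[0].strip()
        fwd_proto = lower.get("x-forwarded-proto", "").split(",")[0].strip().lower()
        if fwd_host and _HOST_RE.match(fwd_host):
            host = fwd_host
        if fwd_proto in ("http", "https"):
            scheme = fwd_proto
    return f"{scheme}://{host}"


def absolute_url(headers: Mapping[str, str], peer_ip: str, local_host: str,
                 path: str, local_scheme: str = "http") -> str:
    """Build an absolute URL for a Location header or a <link>/<script> tag."""
    if not path.startswith("/"):
        path = "/" + path
    return public_base_url(headers, peer_ip, local_host, local_scheme) + path


if __name__ == "__main__":
    # Constructed request as it would arrive from the proxy container.
    sample_headers = {
        "Host": "app-backend:8080",
        "X-Forwarded-Host": "www.external.application.gr",
        "X-Forwarded-Proto": "https",
    }
    print(absolute_url(sample_headers, "172.17.0.2", "app-backend:8080",
                       "static/site.css"))
```

The same check applies whatever proxy sits in front (Keycloak proxy, Gatekeeper, nginx): the application should never treat a forwarded host as authoritative unless it knows the request came through its own proxy.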

On Thu, 2019-01-17 at 15:57 +0200, Dimitris Charlaftis wrote:
> Hello,
> 
> I have built the architecture shown in the attached image.
> 
> Step 1. A client authentication request reaches the keycloak security 
> proxy docker container
> 
> Step 2. Proxy asks the actual keycloak server docker container
> 
> Step 3. Keycloak Server asks an external LDAP for user credentials
> 
> Step 4. Keycloak server replies OK
> 
> Step 5. Keycloak proxy replies OK and passes control to the external 
> application url.
> 
> 
> THE PROBLEM IS that after successful authentication, the url of the host 
> server (i.e. where the keycloak proxy container and keycloak 
> authentication container lie) appears on the address bar of the browser 
> instead of the actual external application url.
> 
> For example, if the host machine where the keycloak containers lie is 
> keycloak.containers.gr, and the external application domain name is 
> www.external.application.gr, then, after a SUCCESSFUL login to the 
> keycloak SSO login page, the url in the address bar appears to 
> be http://keycloak.containers.gr instead 
> of http://www.external.application.gr. This fact destroys all the 
> relative css, js scripts, etc, attached to the site 
> www.external.application.gr.
> 
> 
>   KEYCLOAK SECURITY PROXY CONFIGURATION
> 
> {
>      "target-url": "http://www.external.application.gr",
>      "bind-address": "0.0.0.0",
>      "send-access-token": true,
>      "http-port": "8180",
>      "https-port": "8443",
>      "applications": [{
>          "base-path": "/",
>          "adapter-config": {
>              "realm": "internal_applications",
>              "auth-server-url": "http://keycloak.containers.gr:8202/auth",
>              "resource": "test_app",
>              "ssl-required": "external",
>              "credentials": {
>                  "secret": "xxxxx-xxx-xxx-xxxx-xxxxxxxxxxx"
>              }
>          },
>          "constraints": [{
>              "pattern": "/*",
>              "authenticate": true
>          }],
>          "proxy-address-forwarding": true
>      }]
> }
> 
> I use a proxy.json for the keycloak security proxy configuration
> 
> 
> NOTE: I have tried to change the "bind-address": "0.0.0.0" parameter, 
> from 0.0.0.0 to the IP of the www.external.application.gr but with no 
> luck...
> 
> please... any help??
> 
> Thank you!!
> 
> Dimitris
> 