Keycloak gatekeeper: is it possible to have more than 1 upstream URL?

y0zg · January 22, 2020, 9:57pm

Documentation:

keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/keycloak-gatekeeper.adoc

[[_keycloak_generic_adapter]]
=== {generic_adapter_name_full}

{project_name} provides a Go programming language adapter for use with OpenID Connect (OIDC) that supports both access tokens in a browser cookie or bearer tokens.

This documentation details how to build and configure {generic_adapter_name} followed by details of how to use each of its features.

For further information, see the included help file which includes a full list of commands and switches. View the file by entering the following at the command line (modify the location to match where you install {generic_adapter_name}):

[source,bash]
----
    $ bin/keycloak-gatekeeper help
----

==== Building

.Prerequisites
* Golang must be installed.
* Make must be installed.

This file has been truncated. show original

jangaraj · January 23, 2020, 7:03am

No, but nobody is stopping you to point upstream URL to reverse proxy/loadbalancer, where you can do that.

y0zg · January 23, 2020, 7:49am

Thanks @jangaraj,
Yep, we considered loadbalancer as an option.
Do you think it would be ok to put one more reverse proxy, if we already have react app + nginx which is used for static js content hosting and reverse proxy behind keycloak gatekeeper.

jangaraj · January 23, 2020, 8:20am

That depends on use case. If you are in High-frequency trading, where every millisecond counts, then it won’t be acceptable. But it won’t be a issue for majority web apps - users will not notice a few milliseconds delay.

y0zg · January 23, 2020, 4:23pm

with having 2 containers keycloak gatekeepr and react+nginx (keycloak itself is hosting on separate infra)

Should I provision certs for keycloak gatekeeper or for react+nginx or both?

With http after entering login/password I receive ERR_TOO_MANY_REDIRECTS in browser.
With https ngrok pointed to http keycloak gk - it works

jangaraj · January 23, 2020, 6:28pm

It is a good practice to encrypt web traffic + https is mandatory for Open ID SSO protocol (so prod Keycloak exposed for user on http port is insecure ).

y0zg · January 23, 2020, 8:30pm

yep, that’s clear
keycloak itself is https, but I wonder why there might be errors I mention with keycloak gatekeeper

jangaraj · January 23, 2020, 11:49pm

You are asking question, which may have a million root causes, e.g.:

Nginx config
huge cookies (so browser refuses them silently), because to many information in the access token
…

It can be absolutely unrelated to Gatekeeper.

y0zg · January 24, 2020, 9:35am

If I configured nginx as upstream app with https/443.
What listen port should I use for keycloak gatekeeper?
Currently I use 80 port for keycloak gatekeeper, but I see there is an option to use https directly with keycloak gatekeeperю
Is there any proper config for proper https configuration with keycloak gatekeeper?
Should I add certificates inside keycloak gatekeeper?

reference doc: https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/keycloak-gatekeeper.adoc

Topic		Replies	Views
Force the use of Gatekeeper in Backend by checking traffic in Load Balancer Getting advice gatekeeper , oidc	3	543	April 6, 2020
Is it possible to have multiple upstreams configured in Gatekeeper? Securing applications gatekeeper , oidc	2	1412	June 5, 2020
Keycloak (not) responding to multiple names behind reverse proxy Configuring the server	3	2355	June 15, 2022
Properly configuring the Gatekeeper Getting advice gatekeeper	6	5595	November 27, 2019
Redundant connection to Keycloak Getting advice clustering	4	209	January 6, 2024

Keycloak gatekeeper: is it possible to have more than 1 upstream URL?

Related Topics