My Keycloak system has many users from different companies and the mass market.
For example, users which have email domains @company-x.com, @apple.com, @gmail.com,…
The base-URL account console is public on the Internet. So all users in the realm can log in to the account console from anywhere.
But one day, the company-x want their employees (users have email domain @company-x.com) can only log in to the URL (*) from the whitelist IP address of their company’s network.
Could you give me the solution or some advice, please.
Take a look at the Authentication SPI Server Developer Guide
You can build a custom Authenticator that blocks users for a given domain for IPs that are not in a configured set.
Thank you for your reply!
How can I capture the public IP address user log into the “account console”?
I’m looking forward to hearing from you. Once again, thank you.
The company-x want their employees (users have email domain @company-x.com) can only log in to the URL (*) from the whitelist IP address of their company’s network. When they back home or go to other locations (with different public IP addresses), they will no longer be able to log in.
If you are trying to do that in a custom Authenticator you can use the AuthenticationFlowContext. Depending if you’re using a reverse proxy the IP can come from one of the following methods:
// no reverse proxy
authenticationFlowContext.getHttpRequest().getRemoteAddress();
// with reverse proxy
authenticationFlowContext.getHttpRequest().getHttpHeaders().getHeaderString("X-Forwarded-For");
Sorry, I was looking at the wrong Javadoc for Resteasy. It looks like getRemoteAddress() isn’t there until version 4. I’d enumerate all of the headers from getHttpHeaders() and see if any of them contain the IP when you’re not using a reverse proxy.
We’re running Keycloak on a K8s cluster with no reverse proxy.
I’ve tested standalone too, and it returned 127.0.0.1 which is localhost.
So when I test on a K8s cluster, using keycloak for single sign on from one of my website, it return an IP like 172.x.x.x, which is local IP of worker node running Keycloak on K8s cluster.
The problem is we want to get user’s public IP when user login to Keycloak. Is that posible ?
When we implemented the following method in our custom Authenticator
We could retrieve the Public IP of Clients in logs of Ingress Nginx Controller.
But, when we checked logs on Keycloak pods, we only got the private IP of LoadBalancer.
I’m not familiar with ingress-nginx, but you need to make sure it properly sets the “X-Forwarded-For” header to the public IP of the client before sending the request to Keycloak
I had this same issue when using Keycloak in Docker Swarm. I don’t have any experience with K8s but maybe this might help.
For us, there were two parts. The docker ingress network uses IPVS and SNAT which masquerades the source IP as the docker node’s ingress IP, so we would see the private IP of the docker nodes on the ingress network instead of the true source IP of the client. We have a workaround in place using the docker-ingress-routing-daemon as it seems to just be built this way by design in Docker Swarm.
The other part was that for our container, we needed to ensure the following environment variable was set:
PROXY_ADDRESS_FORWARDING: “true”
With these two changes, we were able to see the true source IP address of the client.
From there we added IP restrictions using the undertow subsystem on certain paths so that, for example, our master realm was only accessible from our internal IPs. This can be done through the jboss cli located by default in the container at /opt/jboss/keycloak/bin/jboss-cli.sh. For us, we do this with JBoss CLI and extend the Keycloak Image because we do other customizing, but if you didn’t want to extend the keycloak image, I suppose you could just create a script that edits the standalone.xml file and just mount it at in the startup-scripts directory. Here’s a link explaining how this is done: keycloak-documentation/admin.adoc at master · keycloak/keycloak-documentation · GitHub