Keycloak / KEYCLOAK-6073

Add support for OpenID Connect Discovery to Java adapters

Details

    • NEW

    Description

      What?

      Adapters should support using different URLs for frontend and backend requests.

      Why?

      Clients located on the same network as the Keycloak server can communicate directly with Keycloak using an internal domain name or IP address.

      How?

      With the introduction of a new default hostname provider, Keycloak now supports configuring different URLs for frontend requests and backchannel requests. See https://issues.jboss.org/browse/KEYCLOAK-11728 for more details.

      By making the adapters load the issuer and endpoints dynamically from the Keycloak server's OpenID Connect Discovery endpoint instead of hard-coding the endpoints, we allow the Keycloak server to select the correct URLs based on the request. With KEYCLOAK-11728, Keycloak will use the frontend URL for authorization_endpoint (which is loaded by the user agent) and for issuer (in order to keep the issuer consistent regardless of the URL used to contact Keycloak), and any emails sent to users will use the frontend URL as well.

      Notes

      We will not support setting the issuer field separately, as that would only solve part of the problem, whereas this approach solves all the issues with using different URLs.

      The previous proposal of having separate URLs for frontend and backchannel requests in the client would mean it would be more work to configure clients as it would require two URLs. With this approach the client only needs to know what address to contact Keycloak on and doesn't have to know the frontend/public URL as that will be advertised by the Keycloak server itself.
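The following sketch illustrates the discovery-based approach from the "How?" section. It is an added example, not code from the Keycloak adapters, and is written in Python only so that it runs stand-alone. The hostnames, the realm name `demo`, the helper names, and the assumption that backchannel endpoints follow the URL the adapter contacted are all made up for illustration; the origin check is added hardening, not documented Keycloak behaviour.

```python
import json
from urllib.parse import urlsplit

# Constructed sample (realm "demo" and both hostnames are made up): a discovery
# document as it might be returned to an adapter that contacted the internal URL.
INTERNAL_BASE = "http://keycloak.internal:8080/auth/realms/demo"
FRONTEND_BASE = "https://sso.example.com/auth/realms/demo"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": FRONTEND_BASE,
    "authorization_endpoint": FRONTEND_BASE + "/protocol/openid-connect/auth",
    "token_endpoint": INTERNAL_BASE + "/protocol/openid-connect/token",
    "jwks_uri": INTERNAL_BASE + "/protocol/openid-connect/certs",
})

def origin(url):
    """Return (scheme, host, port) so URLs can be compared by origin."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)

def resolve_endpoints(discovery_json, contacted_base):
    """Split discovered metadata into browser-facing and backchannel URLs."""
    doc = json.loads(discovery_json)
    required = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
    missing = [k for k in required if not isinstance(doc.get(k), str)]
    if missing:
        raise ValueError("discovery document lacks: " + ", ".join(missing))
    # Added hardening (an assumption, not stated on the page): backchannel
    # requests carry client credentials, so only accept endpoints on the origin
    # the adapter contacted or on the advertised issuer's origin.
    allowed = {origin(contacted_base), origin(doc["issuer"])}
    for key in ("token_endpoint", "jwks_uri"):
        if origin(doc[key]) not in allowed:
            raise ValueError(key + " points at an unexpected origin: " + doc[key])
    return {
        "issuer": doc["issuer"],
        "frontend": {"authorization_endpoint": doc["authorization_endpoint"]},
        "backchannel": {k: doc[k] for k in ("token_endpoint", "jwks_uri")},
    }

def issuer_is_valid(token_claims, endpoints):
    """Compare the token's iss with the advertised issuer, not the contacted URL."""
    return token_claims.get("iss") == endpoints["issuer"]
```

The adapter is configured with the internal address only, yet it redirects browsers to the frontend URL and accepts tokens whose `iss` is the frontend issuer.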

              People

                sthorger@redhat.com Stian Thorgersen
                Votes: 79
                Watchers: 68
