
Details

    • Type: Feature Request
    • Resolution: Done
    • Priority: Major
    • Fix Version: 4.3.0.Final

    Description

      Keycloak needs to know its public URL for a number of reasons. For example, in the OIDC well-known endpoint, the issuer in tokens, and emails sent to users.

      At the moment we retrieve this from the request headers and have documented how to block requests with invalid URLs (https://www.keycloak.org/docs/latest/server_admin/index.html#host). The latter is important in production installations.

      There are two problems with the current approach:

      1) Clients in the same subnet can't use internal IP to communicate with Keycloak
      2) Configuring the valid URLs is an important step to secure a production installation, but the current approach is probably not well known and is rather messy to configure

      I propose we introduce a Hostname SPI to allow a flexible way to determine the base URL. We would add two implementations OOTB:

      1) Request - this would be set as the default-provider and would determine the base URL from request headers as we do today
      2) Fixed - this would allow setting a hardcoded public URL

      In standalone.xml it would look like this:

      <spi name="baseURL">
          <default-provider>request</default-provider>
          <provider name="fixed">
              <properties>
                  <property name="hostname" value="localhost"/>
                  <property name="httpPort" value="-1"/>
                  <property name="httpsPort" value="-1"/>
              </properties>
          </provider>
      </spi>

      For production the default-provider should be changed to fixed and the hostname value should be changed. This can be handled either by manually editing standalone.xml or with jboss-cli. If allowRealmOverride is set to true it should be possible to configure a base URL for a realm that will override the global base URL.
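      As an added illustration (not Keycloak code and not part of this issue), a Python model of the two proposed providers reading the <spi> fragment above. The allow-list of valid hosts for the request provider, the reading of port -1 as "the scheme's default port", the scheme being taken from the request, and the realm override flag are assumptions; the hostname value is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <spi name="baseURL"> fragment proposed for standalone.xml,
# with a placeholder production hostname filled in.
STANDALONE_SPI = """
<spi name="baseURL">
    <default-provider>request</default-provider>
    <provider name="fixed">
        <properties>
            <property name="hostname" value="auth.example.com"/>
            <property name="httpPort" value="-1"/>
            <property name="httpsPort" value="-1"/>
        </properties>
    </provider>
</spi>
"""
PRODUCTION_SPI = STANDALONE_SPI.replace("<default-provider>request", "<default-provider>fixed")

def parse_spi(xml_text):
    """Return (default_provider, {provider_name: {property: value}}) from the <spi> element."""
    root = ET.fromstring(xml_text)
    providers = {}
    for prov in root.findall("provider"):
        props = {p.get("name"): p.get("value") for p in prov.findall("properties/property")}
        providers[prov.get("name")] = props
    return root.findtext("default-provider"), providers

def fixed_base_url(props, scheme):
    """Fixed provider: hostname comes only from configuration, never from the request.
    Assumption: a port of -1 means the scheme's default port (no explicit port)."""
    port = int(props["httpsPort" if scheme == "https" else "httpPort"])
    return f"{scheme}://{props['hostname']}" + ("" if port == -1 else f":{port}")

def request_base_url(headers, scheme, valid_hosts):
    """Request provider: today's behaviour, derived from the Host header, guarded by the
    documented allow-list so an unexpected Host cannot end up in issuer URLs or emails."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    if host.split(":")[0] not in valid_hosts:
        raise ValueError(f"rejected request for unconfigured host {host!r}")
    return f"{scheme}://{host}"

def resolve_base_url(xml_text, headers, valid_hosts=(), realm_override=None, allow_realm_override=False):
    """Select the provider named by <default-provider>; a realm-level URL is honoured
    only when allowRealmOverride is on. The scheme is assumed to come from the request."""
    if allow_realm_override and realm_override:
        return realm_override
    default, providers = parse_spi(xml_text)
    scheme = headers.get("X-Forwarded-Proto", "https")
    if default == "fixed":
        return fixed_base_url(providers["fixed"], scheme)
    return request_base_url(headers, scheme, valid_hosts)
```

With the request provider, a client on the same subnet addressing Keycloak by internal IP gets that IP back only if it is on the allow-list; with the fixed provider the Host header is ignored entirely.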

      Once this is incorporated it will make it easy to add support for backchannel URL back to the adapters to allow adapters to use internal IP address when communicating with Keycloak.

      Implementation shouldn't be hard. It's mainly about making sure that UriInfo is retrieved from KeycloakSession#KeycloakContext and not injected directly.

      If anyone has more complex requirements for determining the public URL they can implement their own provider to handle it.

      People

        Assignee: Stian Thorgersen (sthorger@redhat.com)
        Reporter: Stian Thorgersen (sthorger@redhat.com)
        Votes: 0
        Watchers: 5