JBoss.org Community Documentation

Chapter 25. Keycloak Security Proxy

25.1. Proxy Install and Run
25.2. Proxy Configuration
25.2.1. Basic Config
25.2.2. Application Config
25.3. Keycloak Identity Headers

Keycloak has an HTTP(S) proxy that you can put in front of web applications and services where it is not possible to install the keycloak adapter. You can set up URL filters so that certain URLs are secured either by browser login and/or bearer token authentication. You can also define role constraints for URL patterns within your applications.

Download the keycloak proxy distribution from the Keycloak download pages and unzip it.

$ unzip keycloak-proxy-dist.zip

To run it you must have a proxy config file (which we'll discuss in a moment).

$ java -jar bin/launcher.jar [your-config.json]

If you do not specify a path to the proxy config file, the launcher will look in the current working directory for a file named proxy.json.

Here's an example configuration file.

{
    "target-url": "http://localhost:8082",
    "send-access-token": true,
    "bind-address": "localhost",
    "http-port": "8080",
    "https-port": "8443",
    "keystore": "classpath:ssl.jks",
    "keystore-password": "password",
    "key-password": "password",
    "applications": [
        {
            "base-path": "/customer-portal",
            "error-page": "/error.html",
            "adapter-config": {
                "realm": "demo",
                "resource": "customer-portal",
                "realm-public-key": "MIGfMA0GCSqGSIb",
                "auth-server-url": "http://localhost:8081/auth",
                "ssl-required": "external",
                "principal-attribute": "name",
                "credentials": {
                    "secret": "password"
                }
            },
            "constraints": [
                {
                    "pattern": "/users/*",
                    "roles-allowed": [
                        "user"
                    ]
                },
                {
                    "pattern": "/admins/*",
                    "roles-allowed": [
                        "admin"
                    ]
                },
                {
                    "pattern": "/users/permit",
                    "permit": true
                },
                {
                    "pattern": "/users/deny",
                    "deny": true
                }
            ]
        }
    ]
}

The basic configuration options for the server are as follows:

target-url

The URL this server is proxying. REQUIRED.

send-access-token

Boolean flag. If true, the proxy sends the access token to the proxied server in the KEYCLOAK_ACCESS_TOKEN header. OPTIONAL. The default is false.

bind-address

DNS name or IP address to bind the proxy server's sockets to. OPTIONAL. The default value is localhost.

http-port

Port to listen on for HTTP requests. If you do not specify this value, the proxy will not listen for plain HTTP requests. OPTIONAL.

https-port

Port to listen on for HTTPS requests. If you do not specify this value, the proxy will not listen for HTTPS requests. OPTIONAL.

keystore

Path to a Java keystore file that contains the private key and certificate the server needs to handle HTTPS requests. This can be a file path or, if you prefix it with classpath:, a resource looked up on the classpath. OPTIONAL. If you have enabled HTTPS but have not defined a keystore, the proxy auto-generates a self-signed certificate and uses that.

buffer-size

HTTP server socket buffer size. Usually the default is good enough. OPTIONAL.

buffers-per-region

HTTP server socket buffers per region. Usually the default is good enough. OPTIONAL.

io-threads

Number of threads that handle IO. Usually the default is good enough. OPTIONAL. The default is the number of available processors * 2.

worker-threads

Number of threads that handle requests. Usually the default is good enough. OPTIONAL. The default is the number of available processors * 16.

Next, under the applications array attribute, you can define one or more applications per host you are proxying.

When forwarding requests to the proxied server, Keycloak Proxy will set some additional headers with values from the OIDC identity token it received for authentication.

KEYCLOAK_SUBJECT

User id. Corresponds to the JWT sub claim and is the user id under which Keycloak stores this user.

KEYCLOAK_USERNAME

Username. Corresponds to the JWT preferred_username claim.

KEYCLOAK_EMAIL

Email address of user if set.

KEYCLOAK_NAME

Full name of user if set.

KEYCLOAK_ACCESS_TOKEN

The access token is sent in this header if the proxy was configured to send it (send-access-token). This token can be used to make bearer token requests.
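As an added example (not part of the Keycloak documentation or the proxy's own code), here is a small Python WSGI backend that sits at target-url and consumes the headers listed above. The trusted proxy address set, the WSGI HTTP_ header mapping and the sample header values are assumptions; the one point it illustrates beyond the list is that these headers are ordinary request headers, so the backend must accept them only from the proxy.

```python
from typing import Optional

# Assumption: the proxy runs on this host (bind-address "localhost"), so only loopback may set the headers.
TRUSTED_PROXY_ADDRS = {"127.0.0.1", "::1"}

def identity_from_environ(environ: dict) -> Optional[dict]:
    """Return the identity forwarded by the Keycloak proxy, or None.

    The KEYCLOAK_* headers are plain request headers with no signature, so
    honour them only on requests that arrived via the proxy; anything that
    can reach target-url directly could otherwise set them itself.
    """
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXY_ADDRS:
        return None
    subject = environ.get("HTTP_KEYCLOAK_SUBJECT")
    if not subject:
        return None  # the proxy sets these only after a successful login
    return {
        "subject": subject,                                 # JWT "sub"
        "username": environ.get("HTTP_KEYCLOAK_USERNAME"),  # JWT "preferred_username"
        "email": environ.get("HTTP_KEYCLOAK_EMAIL"),        # only if set
        "name": environ.get("HTTP_KEYCLOAK_NAME"),          # only if set
        # present only when "send-access-token": true in the proxy config
        "access_token": environ.get("HTTP_KEYCLOAK_ACCESS_TOKEN"),
    }

def bearer_header(identity: dict) -> Optional[dict]:
    """Authorization header for an onward bearer-token request, if a token was forwarded."""
    token = identity.get("access_token")
    return {"Authorization": "Bearer " + token} if token else None

def app(environ, start_response):
    """WSGI entry point: 403 unless the proxy forwarded an authenticated user."""
    identity = identity_from_environ(environ)
    if identity is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"no trusted identity\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello %s (%s)\n" % (identity["username"], identity["subject"])).encode()]

# Constructed sample environ, as WSGI presents a request forwarded by the proxy.
SAMPLE_ENVIRON = {
    "REMOTE_ADDR": "127.0.0.1",
    "HTTP_KEYCLOAK_SUBJECT": "7d0d6a2e-0000-4000-8000-000000000001",
    "HTTP_KEYCLOAK_USERNAME": "alice",
    "HTTP_KEYCLOAK_EMAIL": "alice@example.com",
    "HTTP_KEYCLOAK_ACCESS_TOKEN": "constructed.access.token",
}
```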