- shifting over to the echo rather than gin web framework
- adding the extra dependencies
- dropped the cors middleware and using the default middleware from echo router
- completely removing gin tonic
- adding the Renderer implementation
- loading the templates for the custom pages
- hooking in the drop for the proxy middleware
- updating the readme to reflect the changes
- updating the CHANGELOG to reflect the changes
- updating the authors file
- adding the extra test for api errors and drop refresh cookie
- updated the golang version to v1.8
- shifting most of the checks into a common testing method makeFakeRequests()
- fixed the cli parsing for slices, was incorrectly setting the reflected value
- adding a quick check for the forwarding proxy
- changed the option log-requests to --enable-logging
- changed the option --json-format to --enable-json-logging
- ensure nothing in /oauth is passed to the proxy forwarder. Echo does not run middleware if no route is found, so we have to hack this slightly to get it to work
- removed unrequired elements from the testing code
- fixed the newTestToken; need to copy the map
- updated the authors file
- added test coverage for token refreshing
- cleaned up some of the code around tests
- fixed up the checks for the callback endpoint
- update the kubernetes example files to deployments
- fixed up the unit tests for the custom claims
- added 'any|ANY' to the resource definition and expanded the tests
README.md (+31 -20)
@@ -24,15 +24,15 @@
24
24
Keycloak-proxy is a proxy service which at the risk of stating the obvious integrates with the [Keycloak](https://github.com/keycloak/keycloak) authentication service. Although technically the service has no dependency on Keycloak itself and would quite happily work with any OpenID provider. The service supports both access tokens in browser cookie or bearer tokens.
25
25
26
26
```shell
27
-
[jest@starfury keycloak-proxy]$ bin/keycloak-proxy help
--enable-security-filter enables the security filter handler (default: false)
60
61
--enable-refresh-tokens nables the handling of the refresh tokens (default: false) [$PROXY_ENABLE_SECURITY_FILTER]
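Review bot: the `--enable-refresh-tokens` help line in this hunk has two defects: the description reads "nables the handling of the refresh tokens" (missing the leading "e"), and its environment-variable annotation is `[$PROXY_ENABLE_SECURITY_FILTER]`, which is the variable belonging to the `--enable-security-filter` option on the line above. If the env binding in the flag definition was copy-pasted the same way, exporting PROXY_ENABLE_SECURITY_FILTER would silently toggle refresh-token handling as well, so verify the flag definition and give this line its own variable name (one following the existing `PROXY_<OPTION>` pattern, e.g. `PROXY_ENABLE_REFRESH_TOKENS`, is an assumption to be checked against the code).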
@@ -68,6 +69,7 @@ GLOBAL OPTIONS:
68
69
--filter-frame-deny enable to the frame deny header (default: false)
69
70
--content-security-policy value specify the content security policy
70
71
--localhost-metrics enforces the metrics page can only been requested from 127.0.0.1 (default: false)
72
+
--access-token-duration value fallback cookie duration for the access token when using refresh tokens (default: 720h0m0s)
71
73
--cookie-domain value domain the access cookie is available to, defaults host header
72
74
--cookie-access-name value name of the cookie use to hold the access token (default: "kc-access")
73
75
--cookie-refresh-name value name of the cookie used to hold the encrypted refresh token (default: "kc-state")
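Review bot: the new `--access-token-duration` line defaults to 720h0m0s, i.e. 30 days, as the fallback lifetime of the cookie that holds the access token. That is far longer than a typical access-token lifetime, and since this value decides how long the browser keeps presenting the token once refresh tokens are enabled, the help text should say precisely when the fallback applies (the line only says "when using refresh tokens") and a shorter default is worth considering; at minimum the README section on refresh tokens should explain the interaction so operators do not assume the provider's token expiry still bounds the cookie.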
@@ -89,9 +91,7 @@ GLOBAL OPTIONS:
89
91
--cors-max-age value max age applied to cors headers (Access-Control-Max-Age) (default: 0s)
90
92
--hostnames value list of hostnames the service will respond to
91
93
--store-url value url for the storage subsystem, e.g redis://127.0.0.1:6379, file:///etc/tokens.file
92
-
--encryption-key value encryption key used to encrpytion the session state
93
-
--log-requests enable http logging of the requests (default: false)
94
-
--json-format switch on json logging rather than text (default: false)
94
+
--encryption-key value encryption key used to encryption the session state [$PROXY_ENCRYPTION_KEY]
95
95
--no-redirects do not have back redirects when no authentication is present, 401 them (default: false)
96
96
--skip-token-verification TESTING ONLY; bypass token verification, only expiration and roles enforced (default: false)
97
97
--upstream-keepalives enables or disables the keepalive connections for upstream endpoint (default: false)
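Review bot: the rewritten `--encryption-key` description still reads "encryption key used to encryption the session state"; make it "used to encrypt the session state". Separately, this hunk deletes the `--log-requests` and `--json-format` lines but adds nothing for the renamed `--enable-logging` and `--enable-json-logging` options the commit message mentions, so the help output in the README no longer documents request logging at all; add the two renamed lines here in the same format, and record the rename as a breaking change in the CHANGELOG since existing configs using the old names will stop working.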
@@ -122,7 +122,7 @@ Docker image is available at [https://quay.io/repository/gambol99/keycloak-proxy
122
122
Configuration can come from a yaml/json file and or the command line options (note, command options have a higher priority and will override or merge any options referenced in a config file)
123
123
124
124
```YAML
125
-
# is the url for retrieve the openid configuration - normally the <server>/auth/realm/<realm_name>
125
+
# is the url for retrieve the OpenID configuration - normally the <server>/auth/realm/<realm_name>
By default all requests will be proxyed on to the upstream, if you wish to ensure all requests are authentication you can use
221
+
222
+
```shell
223
+
--resource=uri=/*# note, by default unless specified the methods is assumed to be 'any|ANY'
224
+
```
225
+
226
+
Note the HTTP routing rules following the guidelines from [echo](https://echo.labstack.com/guide/routing). Its also worth nothing the ordering of the resource do not matter, the router will handle that for you.
227
+
218
228
#### **Google OAuth**
229
+
219
230
Although the role extensions do require a Keycloak IDP or at the very least a IDP that produces a token which contains roles, there's nothing stopping you from using it against any OpenID providers, such as Google. Go to the Google Developers Console and create a new application *(via "Enable and Manage APIs -> Credentials)*. Once you've created the application, take the client id, secret and make sure you've added the callback url to the application scope *(using the default this would be http://127.0.0.1:3000/oauth/callback)*
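Review bot: the added resource example `--resource=uri=/*# note, by default unless specified the methods is assumed to be 'any|ANY'` puts the `#` directly after `/*` with no whitespace, so in a shell it is not a comment: everything up to the end of the line becomes the value of `--resource`, and the uri ends up as `/*# note, ...`. Put the note on its own line (or at least a space before the `#`), and state in prose that `/*` with methods `any|ANY` is the catch-all that makes the proxy require authentication for every request, so the reader understands what the example does rather than copying a broken line. The surrounding text also needs "proxyed" → "proxied", "all requests are authentication" → "all requests are authenticated", "worth nothing" → "worth noting", "the ordering of the resource do not matter" → "the ordering of the resources does not matter", and in the earlier YAML comment "url for retrieve" → "url to retrieve".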
@@ -403,13 +414,13 @@ By default the proxy will immediately redirect you for authentication and hand b
403
414
404
415
#### **White-listed URL's**
405
416
406
-
Depending on how the application url's are laid out, you might want protect the root / url but have exceptions on a list of paths, i.e. /health etc. Although you should probably fix this by fixing up the paths, you can add excepts to the protected resources. (Note: it's an array, so the order is important)
417
+
Depending on how the application url's are laid out, you might want protect the root / url but have exceptions on a list of paths, i.e. /health etc. Although you should probably fix this by fixing up the paths, you can add excepts to the protected resources.
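Review bot: the rewritten paragraph silently drops the "(Note: it's an array, so the order is important)" warning. That is consistent with the commit message's claim that resource ordering no longer matters, but the README should say so positively and describe how matching now works, because users upgrading from the order-sensitive behaviour need to know the rule changed rather than just losing the caveat. Also "you can add excepts to the protected resources" should read "exceptions", and "url's" should be "URLs". Since every white-listed path is served without authentication, it is worth adding that a wildcard in an exception widens the unauthenticated surface accordingly.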
@@ -445,7 +456,7 @@ A /oauth/logout?redirect=url is provided as a helper to logout the users. Aside
445
456
446
457
#### **Cross Origin Resource Sharing (CORS)**
447
458
448
-
You can add CORS header via the --cors-[method] command line or configuration options. By default this will inject CORS header into all response from the /oauth/* and any authentication required redirects, though you can enable these globally for all responses via the --enable-cors-global option.
459
+
You can add CORS header via the --cors-[method] command line or configuration options.
449
460
450
461
* Access-Control-Allow-Origin
451
462
* Access-Control-Allow-Methods
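Review bot: the removed sentence was the only place documenting the scope of the CORS headers (by default only on `/oauth/*` responses and authentication redirects, globally via `--enable-cors-global`), and the replacement says nothing about where `--cors-[method]` now applies, so a reader cannot tell whether these headers are injected into every proxied response. If the move to echo changed the behaviour, state the new scope explicitly; if `--enable-cors-global` was removed, that is a breaking configuration change and belongs in the CHANGELOG. Either way "add CORS header" should read "add CORS headers".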
@@ -479,8 +490,8 @@ You can control the upstream endpoint via the --upstream-url option. Both http a
479
490
480
491
#### **Endpoints**
481
492
482
-
* **/oauth/authorize** is authentication endpoint which will generate the openid redirect to the provider
483
-
* **/oauth/callback** is provider openid callback endpoint
493
+
***/oauth/authorize** is authentication endpoint which will generate the OpenID redirect to the provider
494
+
***/oauth/callback** is provider OpenID callback endpoint
484
495
***/oauth/expired** is a helper endpoint to check if a access token has expired, 200 for ok and, 401 for no token and 401 for expired
485
496
***/oauth/health** is the health checking endpoint for the proxy, you can also grab version from headers
486
497
***/oauth/login** provides a relay endpoint to login via grant_type=password i.e. POST /oauth/login form values are username=USERNAME&password=PASSWORD (must be enabled)
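Review bot: the added lines read `***/oauth/authorize**` and `***/oauth/callback**` with no space between the list marker and the bold marker, whereas the removed lines had `* **/oauth/authorize**`; if that is the file content and not a rendering artifact of this page, markdown will render these as bold-italic text instead of list items. The descriptions should also read "is the authentication endpoint which generates the OpenID redirect to the provider" and "is the provider's OpenID callback endpoint". While in this list, the `/oauth/expired` line says "401 for no token and 401 for expired", which gives the same status twice; if both really return 401, say so once, otherwise fix the code.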