Is generic route forwarding possible for Keycloak running on Docker/Cloud Foundry?

Hello all,
we managed to set up a Standalone-HA cluster of Keycloak to run on IBM Cloud (Cloud Foundry).
We originally had it test-deployed using Thomas Darimont’s Spring-Boot POC project, which also allowed us to add customisations like BCrypt password encryption with a pepper and some route forwarding for the main realm.

The encryption module turned out to be easy to package as a .jar module to /standalone/deployments/ inside the Docker image, but I’m afraid that adding this routing is a wholly different cup of tea; at least to set it up in either Keycloak itself, the Docker image, Wildfly, or in the CF environment.
Of course we can always set up a separate gateway to handle this, but that would be yet another deployment to maintain, so it would be great if this is possible without that.

In the Spring-Boot container, we achieved this by adding a separate Controller class to implement these route forwards:

GET  /login                         => /auth/realms/{realm}/account
GET  /oidc/certs                    => /auth/realms/{realm}/protocol/openid-connect/certs
GET  /oidc/login-status-iframe.html => /auth/realms/{realm}/protocol/openid-connect/login-status-iframe.html
GET  /oidc/logout                   => /auth/realms/{realm}/protocol/openid-connect/logout
POST /oidc/auth                     => /auth/realms/{realm}/protocol/openid-connect/auth
POST /oidc/token                    => /auth/realms/{realm}/protocol/openid-connect/token
POST /oidc/token/introspect         => /auth/realms/{realm}/protocol/openid-connect/logout
POST /oidc/userinfo                 => /auth/realms/{realm}/protocol/openid-connect/userinfo

One of the controller methods:

/**
 * Forwards certain OIDC GET requests to the appropriate Keycloak endpoints
 */
@GetMapping({BASE_PATH_OIDC + "/certs", BASE_PATH_OIDC + "/login-status-iframe.html", BASE_PATH_OIDC + "/logout"})
public void forwardOidcGet(HttpServletRequest request, HttpServletResponse response) {
    // Keep only the part of the URI after BASE_PATH_OIDC and the following "/", e.g. "certs"
    String path = request.getRequestURI().substring(
            request.getRequestURI().lastIndexOf(BASE_PATH_OIDC) + BASE_PATH_OIDC.length() + 1);
    // Forward internally to the matching Keycloak endpoint under forwardTokenPath
    forward(forwardTokenPath + path, request, response);
}

Nothing more complex than that.

However, in the new situation of running Keycloak as a Docker image on Cloud Foundry, I’ve so far not found a way to achieve this. I should add that I’m quite unfamiliar with JBoss / Wildfly; we always work with either Spring MVC or Spring Boot deployed on Tomcat (or a cloud environment), so I am especially curious if there exists a JBoss equivalent of adding another controller, like we did in Spring Boot - maybe in a similar way as we now deploy that additional BCrypt module.

Thanks,
Lúthien