proxy-mapping in Keycloak.X

[nφ]

I'm trying to setup the proxy-mapping in Keycloak.X (15.0.2) for outgoing connections. Following https://www.keycloak.org/docs/latest/server_installation/index.html#outgoing-http-requests and https://github.com/keycloak/keycloak-community/blob/master/design/keycloak.x/configuration.md#spis-and-provider-configuration I have to set these settings :

• spi.connectionsHttpClient.default.enabled=true
• spi.connectionsHttpClient.default.proxy-mappings=[".*;http://proxy:3128"]

For the first one, I pass --spi-connectionsHttpClient-default-enabled=true to the command kc.sh config (indirectly with --auto-config option from Keycloak.X docker image). For the second one I write the property in /opt/jboss/keycloak/conf/keycloak.properties

I didn't manage to make Keycloak.X use the given proxy server so far. I have no issues when I configure the proxy-mappings in "classic" Keycloak. I also tried to write both properties in the keycloak.properties file, with the same result.

You can find in attachment a minimal docker-compose file that reproduces the environment in which I try to make this configuration work.

In the docker-compose file:

• Keycloak and Keycloak.X are both running v15.0.2 and are configured with an isolated network
• a container runs a squid proxy, waiting for requests on port 3128
• two containers are running socat to allow exposing the two isolated keycloaks on the host

The Keycloak.X server is configured from the docker-compose file.

The proxy-mappings on the "classic" keycloak server has to be configured manualy, or example by executing the following command in the container :

printf 'connect\n/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.proxy-mappings,value=[".*;http://squid:8080"])\nreload\n' | /opt/jboss/keycloak/bin/jboss-cli.sh

Does anyone see a mistake in my proxy-mapping configuration for Keycloak.X ? Or am I going in the wrong direction to setup the outgoing-request proxy for Keycloak.X ?

Cheers,

Nicolas

[Pedro Igor Craveiro e Silva]

Hi,

Thanks for trying out Dist.X.

I think the property format you are using is wrong, it should be `spi.connections-http-client.default.proxy-mappings`. The same goes for CLI options.

And you do not need to enable the `default` provider because it is already in that state by default.

Sorry for the lack of documentation, we are working on it. The best we have now is https://github.com/keycloak/keycloak-community/blob/master/design/keycloak.x/configuration.md, which is not very clear about this too.

You should also be able to use env vars: `KC_SPI_CONNECTIONS_HTTP_CLIENT_DEFAULT_PROXY_MAPPINGS=<value>`. Perhaps a more suitable option when running our image.

Regards.

Pedro Igor

--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-user/7ff69659-bbf4-46da-a4bb-149bc54bf116n%40googlegroups.com.

[nφ]

Thank you so much for clarifying that. Indeed, the first sentence of this section misled me :

 > SPIs and provider names currently use a mix between - and camelCase for multi-word names. We should introduce a convention here, and use -.

My mistake was to assume that the camelCase variant was still in use.

I was able to make it work properly after figuring out a change in the array value syntax. For anybody having this issue, it seems that Keycloak.X waits a comma-separated list (regex1;proxy1,regex2;proxy2) instead of the JSON-style array (["regex1;proxy1","regex2;proxy2"])


Cheers,
Nicolas