
I am in the middle of setting up SSO in our infrastructure and I am wondering if people with more experience could share their learnings.

  • I already have a reverse-proxy in-front of our system.
  • We have several legacy java apps running on tomcat
  • We have SPA apps as well written in JS
  • We have few APIs that will also need to be protected

I have two ways to set SSO up for us.

  1. set up SSO on the reverse proxy using mod_auth_openidc so our gatekeeper makes sure that anyone who is hitting our services is already validated.

  2. add the keycloak libs to each individual service

My preference is to set this up on the reverse proxy.

Are there any disadvantages / best practices when it comes to this?

For legacy apps I would just use the HTTP headers added by the reverse proxy to find user details. For the new apps I would like to use the keycloak libs to get user details.

I do not want to go down routes that are obviously problematic. So any tips that can save me some time are very welcome.

So far I have come up with the following list

pros of using a proxy server and mod_auth_openidc

  • Single place to handle all auth specific configuration
  • Abstracts out the implementation detail of the SSO. E.g. we do not need to integrate keycloak into each service. In my opinion this could cause issues if we decided later to actually move to a different SSO. ( I know this does not happen often )

cons of using a proxy server and mod_auth_openidc

  • an additional piece of software to maintain ( bugs etc )
  • possible extra checks on credentials if the app is also integrated with keycloak ( not required; it is possible but only needed if keycloak-specific features are required in the app and those are not available in the headers )

I would be interested in others' opinions on the pros and cons.

Thanks

Istvano
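The proxy-side option described in the question, as an added example that is not part of the original post or of the mod_auth_openidc project's documentation: an Apache httpd configuration in which mod_auth_openidc authenticates browser traffic for a legacy Tomcat app via the OpenID Connect code flow and validates bearer tokens for an API, then forwards the resulting claims to the backends as `OIDC_CLAIM_*` headers. The Keycloak hostname, realm name, client id, backend addresses and the secret/passphrase values are placeholders I made up for the example; the `/auth/realms/<realm>/...` path layout is the one Keycloak used at the time of the question and may differ in newer releases.

```apache
# Added example (not the project's own config). Placeholder values are marked CHANGEME.
LoadModule auth_openidc_module modules/mod_auth_openidc.so

# Discover Keycloak's endpoints and keys from the realm's OIDC metadata document.
OIDCProviderMetadataURL https://keycloak.example.com/auth/realms/myrealm/.well-known/openid-configuration
OIDCClientID            proxy-gateway
OIDCClientSecret        CHANGEME-client-secret
OIDCCryptoPassphrase    CHANGEME-random-passphrase

# The redirect URI must live inside a protected Location and must NOT be a real backend path;
# the module handles it itself.
OIDCRedirectURI         https://www.example.com/legacy/redirect_uri
OIDCScope               "openid email profile"

# Which claim becomes REMOTE_USER, and how the other claims reach the backend.
OIDCRemoteUserClaim     preferred_username
OIDCPassClaimsAs        headers
OIDCClaimPrefix         "OIDC_CLAIM_"

# Bearer-token validation for the APIs: verify JWT signatures against the realm's JWKS.
OIDCOAuthVerifyJwksUri  https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/certs
OIDCOAuthRemoteUserClaim preferred_username

# Legacy Tomcat app: browser users are sent through the OIDC login flow.
<Location /legacy/>
    AuthType  openid-connect
    Require   valid-user
    ProxyPass        "http://tomcat.internal:8080/legacy/"
    ProxyPassReverse "http://tomcat.internal:8080/legacy/"
</Location>

# APIs: clients present "Authorization: Bearer <jwt>"; the module validates it and passes the
# request, header included, to the backend (so a Keycloak lib there can validate it again).
<Location /api/>
    AuthType  oauth20
    Require   valid-user
    ProxyPass        "http://api.internal:9000/"
    ProxyPassReverse "http://api.internal:9000/"
</Location>
```

The backends then read `REMOTE_USER` and the `OIDC_CLAIM_email`, `OIDC_CLAIM_preferred_username` etc. request headers instead of integrating an SSO library. The one check this design depends on is that the backends are reachable only through the proxy (firewall or bind-to-internal-address): a backend that can be reached directly will happily trust an `OIDC_CLAIM_*` header that any client typed in, because the backend has no way to tell a proxy-set header from a client-supplied one.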
  • As the primary author of mod_auth_openidc I would agree with your preference ;-) I'm also interested in other peoples opinions on this and will create a writeup based on that at https://github.com/pingidentity/mod_auth_openidc/wiki/Keycloak – Hans Z. Jan 10 '17 at 11:40
  • Hi, thank you very much for your comment! I had one question on the module as well. Perhaps you would be kind and answer it here. Is mod_auth_openidc transparent to the proxied service? E.g. if I used the keycloak library on the API side, will the keycloak lib see the cookies and the bearer token in the header and treat the request as logged-in? Will there be an extra round-trip in this case from the API side to the idp? – Istvano Jan 10 '17 at 12:57
  • 1
  • mod_auth_openidc can be transparent indeed wrt. this OAuth 2.0 scenario; the request would be validated first by the Apache server/module and then a second time at the keycloak lib; nothing will be stripped from the original request, some information *may* optionally be added in headers – Hans Z. Jan 10 '17 at 14:33
  • Just a comment on your last/2nd con: there's no need for an app to integrate with keycloak and its libraries; typically it would rely on headers being set by the reverse proxy in front of it – Hans Z. Jan 11 '17 at 15:29

0 Answers