Is a split Keycloak setup possible?
Hi everyone, I need to allow cloud-access to some on-premises services. I would like them protected by OIDC via Keycloak since UCS already comes with Keycloak. That means I need to pass the authentication endpoints through a reverse proxy. This is working so far.
Caddyfile

    sso.public.domain {
        encode gzip

        # Only the discovery (.well-known) and protocol endpoints of any realm are proxied.
        @oidc path_regexp oidc ^/realms/[^/]+/(\.well-known|protocol/openid-connect).*
        reverse_proxy @oidc https://ucs-sso-ng.internal.lan {
            header_up X-Forwarded-Proto {scheme}
            header_up X-Forwarded-Host {host}
            # Keycloak is addressed by its internal host name here.
            header_up Host ucs-sso-ng.internal.lan
        }

        # Everything else (admin console, account console, ...) is refused.
        @deny not path_regexp oidc ^/realms/[^/]+/(\.well-known|protocol/openid-connect).*
        respond @deny 403
    }
Hopefully it’s clear from this example that my company’s domain was set up using the host name internal.lan, but we have a public domain for our colleagues using the public.domain example domain.
Since Keycloak comes preconfigured by UCS to serve the https://ucs-sso-ng.internal.lan hostname, reverse-proxying to https://sso.external.domain produces an autodiscovery endpoint with URLs pointing to the internal name which are not accessible externally.
My question is whether this kind of setup is possible using the UCS configuration registry.
Possible approach
One approach I had considered that I don’t really like because of its “fiddliness” is to configure Keycloak to always serve the external hostname, but add some DNS entries that point to the internal name.
While this is doable, we cannot guarantee that everyone will be using our DNS service and it breaks down if a service cannot reach the internet but needs keycloak access.
Any suggestions or guides would be greatly appreciated.
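The symptom described in the post (the proxied discovery document advertising the internal host name) can be checked mechanically before any client is pointed at it. The following is an added example, not code from the post, from UCS or from Keycloak. It parses a constructed discovery document shaped like the one Keycloak serves at `/realms/<realm>/.well-known/openid-configuration`, lists every endpoint whose host or scheme differs from the public one, and applies the issuer rule from OpenID Connect Discovery (the `issuer` value must equal the discovery URL with `/.well-known/openid-configuration` removed), which is the check conforming clients make and the reason a mismatched issuer fails even when the proxied endpoints themselves are reachable. The realm name `example-realm` and all URLs in the sample are constructed.

```python
"""Check an OIDC discovery document published through a reverse proxy for
endpoints that still point at an internal host name or a non-HTTPS scheme,
and verify the issuer against the URL the document was fetched from."""
import json
import urllib.request
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample: what a client sees when the realm is proxied at
# sso.public.domain but Keycloak still believes its frontend is
# ucs-sso-ng.internal.lan. Only the logout endpoint has the public host.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://ucs-sso-ng.internal.lan/realms/example-realm",
    "authorization_endpoint": "https://ucs-sso-ng.internal.lan/realms/example-realm/protocol/openid-connect/auth",
    "token_endpoint": "https://ucs-sso-ng.internal.lan/realms/example-realm/protocol/openid-connect/token",
    "jwks_uri": "https://ucs-sso-ng.internal.lan/realms/example-realm/protocol/openid-connect/certs",
    "end_session_endpoint": "https://sso.public.domain/realms/example-realm/protocol/openid-connect/logout",
    "grant_types_supported": ["authorization_code", "refresh_token"],
})


def fetch_discovery(discovery_url: str, timeout: float = 5.0) -> str:
    """Fetch a live discovery document (not used by the offline sample)."""
    with urllib.request.urlopen(discovery_url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def expected_issuer(discovery_url: str) -> str:
    """Issuer a conforming client will demand for this discovery URL."""
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError(f"not a discovery URL: {discovery_url}")
    return discovery_url[: -len(WELL_KNOWN)]


def issuer_matches(discovery_json: str, discovery_url: str) -> bool:
    """True when the advertised issuer equals the issuer implied by the URL."""
    doc = json.loads(discovery_json)
    return doc.get("issuer") == expected_issuer(discovery_url)


def find_unreachable_endpoints(discovery_json: str, public_host: str) -> dict:
    """Return {field: url} for every URL-valued field that a client outside
    the network could not use: wrong host (the internal name leaked) or a
    non-HTTPS scheme (typically X-Forwarded-Proto not being honoured)."""
    doc = json.loads(discovery_json)
    problems = {}
    for key, value in doc.items():
        if not isinstance(value, str) or "://" not in value:
            continue  # lists of grant types, algorithms, etc. are not URLs
        parts = urlparse(value)
        if parts.scheme != "https" or parts.hostname != public_host:
            problems[key] = value
    return problems


def report(discovery_json: str, discovery_url: str) -> list:
    """Human-readable findings for a document fetched from discovery_url."""
    public_host = urlparse(discovery_url).hostname
    findings = []
    if not issuer_matches(discovery_json, discovery_url):
        findings.append(
            f"issuer mismatch: expected {expected_issuer(discovery_url)}, "
            f"got {json.loads(discovery_json).get('issuer')}"
        )
    for key, url in sorted(find_unreachable_endpoints(discovery_json, public_host).items()):
        findings.append(f"{key} points outside the public host: {url}")
    return findings


if __name__ == "__main__":
    public_url = "https://sso.public.domain/realms/example-realm" + WELL_KNOWN
    for line in report(SAMPLE_DISCOVERY, public_url):
        print(line)
```

Running the module prints one line per leaked endpoint plus the issuer mismatch for the constructed sample; against a real deployment, replace `SAMPLE_DISCOVERY` with `fetch_discovery(public_url)` and expect an empty report before handing the public discovery URL to any relying party.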