WIP

.gitignore

@@ -0,0 +1 @@
+.history

Dockerfile

@@ -0,0 +1,18 @@
+FROM openjdk:8-jre-alpine
+
+ENV KEYCLOAK_VERSION 3.0.0.Final
+ENV DOCKERIZE_VERSION v0.4.0
+
+RUN apk --no-cache update && apk add ca-certificates openssl unzip &&\
+ wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz && \
+ tar -C /usr/local/bin -xzvf dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz && \
+ rm dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz 
+RUN wget http:https://central.maven.org/maven2/org/keycloak/keycloak-proxy-dist/$KEYCLOAK_VERSION/keycloak-proxy-dist-$KEYCLOAK_VERSION.zip && \
+ unzip keycloak-proxy-dist-$KEYCLOAK_VERSION.zip && mv keycloak-proxy-$KEYCLOAK_VERSION /app && rm keycloak-proxy-dist-$KEYCLOAK_VERSION.zip && \
+ chmod -R g+rwX /app
+
+EXPOSE 8080 8443
+
+WORKDIR /app
+
+CMD ["java", "-jar", "bin/launcher.jar"]

README.md

@@ -2,43 +2,34 @@
 
 The Keycloak Auth Proxy makes it possible to protect web resources that have no build in authentication.
 
+This Auth Proxy Service uses [Keycloak Proxy][kcp] a Java/Undertow solution designed for Keycloak but that should work with any other IMA that support OpenID/Connect.
+
 ## How is it working
 
+![How reverse auth proxy works][prx_diag]
+
+1. External unauthenticated traffic is directed to the auth proxy. 
+2. The Auth Proxy is configured to work together with the IAM and redirects the user to the IAM so the user can login.
+3. After a successful login the proxy forwards the user to the protected content. According to proxy configuration setting the proxy checks if the user is allowed to access the path.
+
+## Use cases
 
-``` 
-+------------+ 
-| | 
-| Internet |
-| |
-+------|-----+
- | 
- | 
- | 
-+------|-----+ +------------+ 
-| | | |
-| Auth Proxy ----------------- Keycloak |
-| | | |
-+------|-----+ +------------+
- | 
- | 
- | 
-+------|-----+ 
-| Secured | 
-| Content | 
-| | 
-+------------+ 
-```
-
-## Usecases
-
-There are two very common usecases why one would like to use Keycloak Auth Proxy together with an Identity & Access Management Service (IAM)
-
-- Protect static website and allow only authenticated users to see the content
-- Outsource the authentication to Keycloak Auth Proxy on just relay on the header parameter about the user then Keycloak Auth Proxy forward to you.
+There are two very common use cases why one would use the Keycloak Auth Proxy together with an Identity & Access Management Service (IAM)
+
+- Protect static websites from unauthorized access only allowing authenticated users to see the content. 
+ This is useful in combination with static website generator or other generated documentation.
+- Outsource the authentication/authorization to Keycloak Auth Proxy and just relay on the header parameter with username and grants which are forwared to the upstream application.
 
 ## Alternatives
 
 Despite the uniqueness of _keycloak-auth-proxy_ there are other project that solve the similar problem differently.
 
-...
+- [OpenID / Keycloak Proxy service](https://github.com/gambol99/keycloak-proxy) This in Golang written proxy should work nicely with Keycloak and might be a value alternative to the current jvm proxy.
+- [OAuth2 Proxy](https://github.com/bitly/oauth2_proxy)
+- [Lua Resty OpenID/Connect](https://github.com/pingidentity/lua-resty-openidc) This library is designed for Nginx/OpenResty. 
+
+
+<!-- Links -->
 
+[kcp]: https://github.com/keycloak/keycloak/tree/master/proxy
+[prx_diag]: docs/images/How_Keycloak_Auth_Proxy_works.svg

proxy.json

@@ -0,0 +1,30 @@
+{
+ "target-url": "http:https://172.17.0.2:2015",
+ "bind-address": "0.0.0.0",
+ "http-port": "8080",
+ "applications": [
+ {
+ "base-path": "/",
+ "adapter-config": {
+ "realm": "horizon-docs",
+ "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmy26qnQkdzE9LtXsir1sgqCb914Iovt13TReQ6UDPGExQvsGidlkrLBKBf823n4sdG6PjVJBom7Hwj5yQkLEmYiGdFVLcecWa5SH0WYeWD/F2093cxc+B76EaetgvKRVtlDuW4M/2BIk+AAsJO6cxx4crafRE/Cg4yzZz6W/W7ztroGVg4TtylQnvnT4H9ybPsFd5D46QnqiLliahVdSXsQKhPp3gllqqdzUHe35TVjAU000UdXjK3ly68sRIrlN76DZVIitlYuJuHEP8snICJw1f21asuXRR6i7ywNBsl03dy1oCqlAIRboeRYZM52w4dgrTaGNUwx9J2aRBEAVawIDAQAB",
+ "auth-server-url": "http:https://keycloak-fs20-feasibility.apps.rasos.co.uk/auth",
+ "ssl-required": "external",
+ "resource": "account",
+ "credentials": {
+ "secret": "f2175af3-4465-445f-9d79-ede712c6ad91"
+ }
+ },
+ "constraints": [
+ {
+ "pattern": "/*",
+ "authenticate": true
+ }
+ ],
+ "proxy-address-forwarding": true
+ }
+ ],
+ "header-names": {
+ "keycloak-username": "X-Horizion-Username"
+ }
+}

start-proxy.sh

@@ -0,0 +1,3 @@
+#! /bin/sh
+
+dockerize