[keycloak 17.0.1] restrict ip access for keycloak admin console #12394
Comments
Do you have a proxy running in front of the server? Any chance you do that within the proxy using ACLs? It should be supported by the most common proxy impls.
@pedroigor I don't have a proxy running in front of the server, only an ALB in front of it. I just wonder, can we do this in Keycloak itself?
As long as you are on the legacy distribution you can configure undertow to have these kinds of rules. I could provide you with a sample. However, it might not be that useful since it does not work for Keycloak.X. There, you would have to do this externally somehow.
@sschu @pedroigor So for Keycloak 17 we cannot easily do so? Since we want to allow users to access Keycloak through Cloudflare and only the admin console is limited by our VPN IP, I think it is quite a common security rule?
It is, I agree. And you are not the first one asking for this. As @sschu said, this can only be achieved now if access goes through a proxy or WAF. Looks like we need to come up with something and for that, I would suggest opening a discussion so that others can chime in and give their opinions. Depending on how much adoption we have, we can define an initial scope and move this forward. @thomasdarimont implemented an add-on that does exactly what you want. Perhaps you can look at it and see if it also works for you. If it proves to be generic enough, we can also include it in the discussion to see if we can have it as a baseline to solve this problem. Do you want to create the discussion? Otherwise, let me know and I can create one.
@manbobo2002 An example of such IP-based filtering can be found here: AccessFilter.java
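The kind of check discussed in this thread (admin paths reachable only from listed address ranges), as an added example that is not code from the thread, from AccessFilter.java or from Keycloak. The `/auth/admin` prefix, the CIDR ranges, the sample requests and the class and method names are assumptions chosen for illustration.

```java
import java.net.InetAddress;
import java.util.List;
public class AdminIpAllowlist {
    // Assumed values, not from the thread: legacy "/auth" context path and constructed VPN ranges.
    static final String ADMIN_PREFIX = "/auth/admin";
    static final List<String> ALLOWED_CIDRS = List.of("10.8.0.0/24", "fd00:8::/64");

    // True when ip lies inside cidr; both must be the same address family.
    static boolean inCidr(byte[] ip, String cidr) throws Exception {
        String[] parts = cidr.split("/");
        byte[] net = InetAddress.getByName(parts[0]).getAddress();
        int bits = Integer.parseInt(parts[1]);
        if (net.length != ip.length || bits < 0 || bits > net.length * 8) return false;
        for (int i = 0; i < net.length && bits > 0; i++, bits -= 8) {
            int mask = bits >= 8 ? 0xFF : (0xFF << (8 - bits)) & 0xFF;
            if ((net[i] & mask) != (ip[i] & mask)) return false;
        }
        return true;
    }

    // path: request path as already resolved by the container (assumption).
    // clientIp: IP literal reported by a hop you control, never a header the client can set.
    static boolean isAllowed(String path, String clientIp) {
        boolean admin = path.equals(ADMIN_PREFIX) || path.startsWith(ADMIN_PREFIX + "/");
        if (!admin) return true; // everything outside the admin prefix stays public
        // Cheap pre-filter: accept only characters that occur in IP literals.
        if (clientIp == null || !clientIp.matches("[0-9A-Fa-f:.]+")) return false;
        try {
            byte[] ip = InetAddress.getByName(clientIp).getAddress();
            for (String cidr : ALLOWED_CIDRS) {
                if (inCidr(ip, cidr)) return true;
            }
        } catch (Exception e) { /* unparseable address or range: deny below */ }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample requests: {path, client IP}.
        String[][] samples = {
            {"/auth/realms/demo/protocol/openid-connect/auth", "203.0.113.7"},
            {"/auth/admin/master/console/", "10.8.0.42"},
            {"/auth/admin/master/console/", "203.0.113.7"},
            {"/auth/admin", "fd00:8::15"},
            {"/auth/administrator", "203.0.113.7"},
        };
        for (String[] s : samples) {
            System.out.println(s[0] + " from " + s[1] + " -> " + (isAllowed(s[0], s[1]) ? "allow" : "403"));
        }
    }
}
```

When a load balancer or CDN sits in front of the server, the address seen on the socket is that hop's address, so the value passed as `clientIp` has to come from whatever that trusted hop reports.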
@pedroigor Please help me create it if possible, thanks.
@manbobo2002 There we go #12481.
Created PR #16497
Description
We don't want to expose the Keycloak admin page, like
ourkeycloak.com/auth
externally, but we want to allow some IPs, like our VPN IP. How can we do it? Is it set in security-admin-console in the Keycloak UI?
Discussion
No response
Motivation
No response
Details
No response