
[keycloak 17.0.1] restrict ip access for keycloak admin console #12394

Open
manbobo2002 opened this issue Jun 8, 2022 · 9 comments
Labels: area/dist/quarkus, kind/enhancement (Categorizes a PR related to an enhancement), status/needs-discussion (PR needs discussion on developer mailing list)

Comments

@manbobo2002

Description

We don't want to expose the Keycloak admin page, like ourkeycloak.com/auth, externally, but we want to allow some IPs, like our VPN IP. How can we do it? Is it set in security-admin-console in the Keycloak UI?

Discussion

No response

Motivation

No response

Details

No response

@manbobo2002 manbobo2002 added the labels kind/enhancement (Categorizes a PR related to an enhancement) and status/triage on Jun 8, 2022
@manbobo2002 manbobo2002 changed the title restrict ip access for keycloak admin console [keycloak 17.0.1] restrict ip access for keycloak admin console Jun 8, 2022
@pedroigor
Contributor

Do you have a proxy running in front of the server? Any chance you do that within the proxy using ACLs? It should be supported by the most common proxy impls.

@manbobo2002
Author

@pedroigor I don't have a proxy running in front of the server, only an ALB in front of it. I just wonder whether we can do this in Keycloak itself.

@sschu
Contributor

sschu commented Jun 9, 2022

As long as you are on the legacy distribution you can configure undertow to have these kinds of rules. I could provide you with a sample. However, it might not be that useful since it does not work for Keycloak.X. There, you would have to do this externally somehow.

@manbobo2002
Author

@sschu @pedroigor So for Keycloak 17 we cannot easily do so? Since we want to allow users to access Keycloak through Cloudflare, and only the admin console is limited to our VPN IP, I think it is quite a common security rule?

@pedroigor
Contributor

It is, I agree. And you are not the first one asking for this.

As @sschu said, this can only be achieved now if access goes through a proxy or WAF.

Looks like we need to come up with something and for that, I would suggest opening a discussion so that others can chime in and give their opinions. Depending on how much adoption we have, we can define an initial scope and move this forward.

@thomasdarimont implemented an add-on that does exactly what you want. Perhaps you can look at it and see if it also works for you. If it proves to be generic enough, we can also include it in the discussion to see if we can have it as a baseline to solve this problem.

Do you want to create the discussion? Otherwise, let me know and I can create one.

@thomasdarimont
Contributor

@manbobo2002 An example of such IP-based filtering can be found here: AccessFilter.java
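The two approaches raised in this thread (an ACL in the proxy, or a request filter inside Keycloak) both hinge on the same check: is the real client address inside the allowed range for admin paths? Behind an ALB, the peer address is the load balancer, so the client address has to be read from `X-Forwarded-For`, and that header is attacker-controlled unless only the hops appended by trusted proxies are believed. The following is an added illustration written for this thread; it is not Keycloak code nor the referenced AccessFilter.java. The path prefixes, the trusted-proxy subnet and the VPN range are constructed placeholder values.

```python
import ipaddress
from typing import List, Optional

# Constructed configuration (placeholders, not values from the issue):
# paths that should only be reachable from the VPN; Keycloak's legacy
# distribution serves the console under /auth/admin, Keycloak.X under /admin.
ADMIN_PATH_PREFIXES = ("/auth/admin", "/admin")
# subnet the load balancer (ALB) connects from; only its X-Forwarded-For hops are trusted
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
# VPN egress range allowed to reach the admin console
ADMIN_ALLOWED = [ipaddress.ip_network("203.0.113.0/24")]


def _in_any(ip, networks) -> bool:
    return any(ip in net for net in networks)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              trusted_proxies: List[ipaddress.IPv4Network]):
    """Return the client address, or None if it cannot be established.

    The chain is [XFF hops..., remote_addr]; walking it from the right, every
    hop that belongs to a trusted proxy is skipped and the first other address
    is the client. A direct connection (remote_addr not a trusted proxy)
    therefore ignores X-Forwarded-For entirely, so a forged header is useless.
    """
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops + [remote_addr]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed hop: refuse to guess
        if not _in_any(ip, trusted_proxies):
            return ip
    return None  # chain consisted only of trusted proxies


def is_admin_request(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in ADMIN_PATH_PREFIXES)


def decide(path: str, remote_addr: str, x_forwarded_for: Optional[str],
           trusted_proxies=TRUSTED_PROXIES, admin_allowed=ADMIN_ALLOWED) -> str:
    """'allow' or 'deny' for one request; non-admin paths are always allowed."""
    if not is_admin_request(path):
        return "allow"
    ip = client_ip(remote_addr, x_forwarded_for, trusted_proxies)
    if ip is None:
        return "deny"  # fail closed when the client cannot be identified
    return "allow" if _in_any(ip, admin_allowed) else "deny"


if __name__ == "__main__":
    # Constructed sample requests (path, peer address, X-Forwarded-For header):
    samples = [
        ("/auth/admin/master/console/", "10.0.1.5", "203.0.113.7"),             # VPN user via ALB
        ("/auth/admin/master/console/", "10.0.1.5", "203.0.113.7, 198.51.100.9"),  # forged hop, ALB appended real IP
        ("/auth/admin/master/console/", "198.51.100.9", "203.0.113.7"),          # bypassed the ALB, forged header
        ("/auth/admin", "10.0.1.5", None),                                       # no client info at all
        ("/auth/realms/myrealm/protocol/openid-connect/auth", "10.0.1.5", "198.51.100.9"),  # public login
    ]
    for path, peer, xff in samples:
        print(f"{decide(path, peer, xff):5s} {path} peer={peer} xff={xff}")
```

The proxy-side and filter-side variants differ only in where `decide` runs; in either place the load balancer's address range must be configured explicitly, since trusting every `X-Forwarded-For` value lets anyone claim a VPN address.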

@manbobo2002
Author

@pedroigor Please help me create it if possible, thanks.

@pedroigor
Contributor

@manbobo2002 There we go #12481.

@boschcrank

Created PR #16497

Projects
Status: In Discussion