Configure Backchannel logout behind corporate proxy

Dear Community

I need to provide a Single Sign Out solution for my company.
Single Sign On has been implemented successfully thanks to Hydra, your soft is awesome guys, thanks so much for the great work. We are running smoothly on production with just two legs and Hydra is using next to nothing resources (I am not talking about Keycloak the ogre).

I setup a backchannel logout solution but some of my clients are on a different network and I need to use the corporate proxy to access theses network.

I cannot find any documentation on how to setup these proxy. Does some of you guys came up with similar setting? How did you solve it?

Best regards,

1 Like

Just a normal reverse proxy. Try:

@eskava have you looked into Oathkeeper?

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. The BeyondCorp Model is designed by Google and secures applications in Zero-Trust networks.

An Identity & Access Proxy is typically deployed in front of (think API Gateway) web-facing applications and is capable of authenticating and optionally authorizing access requests. The Access Control Decision API can be deployed alongside an existing API Gateway or reverse proxy. ORY Oathkeeper’s Access Control Decision API works with:

among others.

Dear @ghenry,
I have been looking into your solution, it seems not easy to configure NGINX to add custome headers and route calls to another http proxy. look like forward proxying is not well supported.
Did you actually managed to get this working?

Thanks for your inputs.


What did you try? Nginx proxying isn’t new :slight_smile: We use it to front lots of Docker Swarm things and other processes, even SSH.

Dear @ghenry

I am glad you have plenty of usage for NGINX, I juste used it to serve HTML (PHP mainly) and as reverse proxy to deal with CORS issues mainly.
I would be so glad if you could provide me with a working example of NGINX configuration adding some headers and forward the request to a HTML PROXY.

Thanks for sharing :slight_smile: