Configure Backchannel logout behind corporate proxy

Dear Community

I need to provide a Single Sign Out solution for my company.
Single Sign On has been implemented successfully thanks to Hydra. Your software is awesome, guys, thanks so much for the great work. We are running smoothly in production with just two legs, and Hydra is using next to no resources (I am not talking about Keycloak the ogre).

I set up a backchannel logout solution, but some of my clients are on a different network and I need to use the corporate proxy to access these networks.

I cannot find any documentation on how to set up this proxy. Did any of you guys come up with a similar setting? How did you solve it?

Best regards,
Alexandre


Just a normal reverse proxy. Try:

@eskava have you looked into Oathkeeper?

ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules. The BeyondCorp Model is designed by Google and secures applications in Zero-Trust networks.

An Identity & Access Proxy is typically deployed in front of (think API Gateway) web-facing applications and is capable of authenticating and optionally authorizing access requests. The Access Control Decision API can be deployed alongside an existing API Gateway or reverse proxy. ORY Oathkeeper’s Access Control Decision API works with:

among others.

Dear @ghenry,
I have been looking into your solution. It does not seem easy to configure NGINX to add custom headers and route calls to another HTTP proxy. It looks like forward proxying is not well supported.
Did you actually manage to get this working?

Thanks for your inputs.

Eskava

What did you try? Nginx proxying isn’t new 🙂 We use it to front lots of Docker Swarm things and other processes, even SSH.

Dear @ghenry

I am glad you have plenty of usage for NGINX. I just used it to serve HTML (PHP mainly) and as a reverse proxy to deal with CORS issues mainly.
I would be so glad if you could provide me with a working example of an NGINX configuration adding some headers and forwarding the request to an HTML PROXY.

Thanks for sharing 🙂
Eskava