KeycloakClientBundle

BASE_URL should be split between front_channel and back_channel

Open tdel opened this issue 11 months ago • 3 comments

Hello,

Right now, we can only declare one URL for Keycloak. This URL is used for redirecting the user and calling the API.

In my scenario, I have 2 URLs:

  • One for the front channel: the user is redirected to the front page to be able to log in
  • One for the back channel, only used for API access between my app and Keycloak (exchanging tokens, etc.)

Is it possible to have 2 URLs like:

  • IAM_BASE_URL_FRONTEND = "https://xyz.abc"
  • IAM_BASE_URL_BACKEND = "https://xyz.internal"

Thanks a lot,

tdel, Jan 22 '25 15:01

Thank you! This is also what we need. We use Symfony and Keycloak in a container (Kubernetes environment), so the backend communication should go via the internal service URL (keycloak.default), while the frontend should use https:///auth, which is published via the Traefik reverse proxy.

edoc-tibens, Apr 11 '25 10:04

For this to work, it must also be implemented in https://github.com/stevenmaguire/oauth2-keycloak afaik, or there could be 2 instances of the keycloak client, one for the front channel and one for the back channel.

tskorupka, Jun 26 '25 20:06

After some digging through the code, I made it work with a front channel and a back channel.

What I did was simply add two environment variables.

IAM_BASE_URL_FRONTCHANNEL=<front_url>
IAM_BASE_URL_BACKCHANNEL=<back_url>

Then in mainick_keycloak_client.yaml simply use your front channel, as follows:

mainick_keycloak_client:
  keycloak:
    verify_ssl: "%env(bool:IAM_VERIFY_SSL)%"
    base_url: "%env(IAM_BASE_URL_FRONTCHANNEL)%"
    realm: "%env(IAM_REALM)%"
    client_id: "%env(IAM_CLIENT_ID)%"
    client_secret: "%env(IAM_CLIENT_SECRET)%"
    redirect_uri: "%env(IAM_REDIRECT_URI)%"
    encryption_algorithm: "%env(IAM_ENCRYPTION_ALGORITHM)%"
    encryption_key: "%env(IAM_ENCRYPTION_KEY)%"
    encryption_key_path: ""
    version: "%env(IAM_VERSION)%"
  security:
    default_target_route_name: "%env(IAM_TARGET_ROUTE_NAME)%"

And for the user provider and the authenticator you need to create a new aliased keycloak client with the back channel configuration; in your services.yaml you do:

...
services:
  mainick.keycloak_client_backchannel:
    class: Mainick\KeycloakClientBundle\Provider\KeycloakClient
    bind:
      bool $verify_ssl: "%mainick_keycloak_client.keycloak.verify_ssl%"
      string $base_url: "%env(IAM_BASE_URL_BACKCHANNEL)%"
      string $realm: "%mainick_keycloak_client.keycloak.realm%"
      string $client_id: "%mainick_keycloak_client.keycloak.client_id%"
      string $client_secret: "%mainick_keycloak_client.keycloak.client_secret%"
      string $redirect_uri: "%mainick_keycloak_client.keycloak.redirect_uri%"
      string $encryption_algorithm: "%mainick_keycloak_client.keycloak.encryption_algorithm%"
      string $encryption_key: "%mainick_keycloak_client.keycloak.encryption_key%"
      string $encryption_key_path: "%mainick_keycloak_client.keycloak.encryption_key_path%"
      string $version: "%mainick_keycloak_client.keycloak.version%"

  Mainick\KeycloakClientBundle\Security\User\KeycloakUserProvider:
    bind:
      $iamClient: "@mainick.keycloak_client_backchannel"

  Mainick\KeycloakClientBundle\Security\Authenticator\KeycloakAuthenticator:
    bind:
      $iamClient: "@mainick.keycloak_client_backchannel"
...

tskorupka, Jun 27 '25 11:06
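The split described in this thread boils down to one rule: only the front-channel base URL may ever reach the browser (authorization redirects), while the back-channel base URL is used for server-to-server calls (token, userinfo, introspection). The helper below is an added example, not part of the thread and not code from KeycloakClientBundle or oauth2-keycloak; it is written in Python rather than PHP so it can be run stand-alone. The class name `SplitKeycloakEndpoints`, the realm name `myrealm`, the client id and redirect URI are constructed. It reads the two environment variables named above (`IAM_BASE_URL_FRONTCHANNEL`, `IAM_BASE_URL_BACKCHANNEL`) when present, and assumes Keycloak's hostname is configured (`KC_HOSTNAME`) so that the `iss` claim carries the public front-channel realm URL; if a token obtained over the back channel carried the internal URL instead, `issuer_matches` rejects it, which is the misconfiguration you want to surface during integration rather than silently accept.

```python
import os
from dataclasses import dataclass
from urllib.parse import urlencode, urlparse


@dataclass(frozen=True)
class SplitKeycloakEndpoints:
    """Derive Keycloak endpoints from a public (front) and an internal (back) base URL.

    Hypothetical helper for illustration; not the bundle's API.
    """

    front_base_url: str  # reachable by the user's browser
    back_base_url: str   # reachable only from the application network
    realm: str

    def __post_init__(self) -> None:
        for name, url in (("front", self.front_base_url), ("back", self.back_base_url)):
            parts = urlparse(url)
            if parts.scheme not in ("http", "https") or not parts.netloc:
                raise ValueError(f"{name} base URL is not an absolute http(s) URL: {url!r}")

    @classmethod
    def from_env(cls, realm: str) -> "SplitKeycloakEndpoints":
        # Same variable names as in the thread; the fallbacks are constructed sample values.
        return cls(
            front_base_url=os.environ.get("IAM_BASE_URL_FRONTCHANNEL", "https://xyz.abc"),
            back_base_url=os.environ.get("IAM_BASE_URL_BACKCHANNEL", "https://xyz.internal"),
            realm=realm,
        )

    def _realm_url(self, base: str) -> str:
        return f"{base.rstrip('/')}/realms/{self.realm}"

    @property
    def issuer(self) -> str:
        # The `iss` claim is the public realm URL (assumes KC_HOSTNAME points at the
        # front channel), so issuer validation uses the front channel for every token,
        # including tokens fetched over the back channel.
        return self._realm_url(self.front_base_url)

    def authorization_url(self, client_id: str, redirect_uri: str, state: str) -> str:
        # Browser-facing: must be built from the front channel only.
        query = urlencode({
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "response_type": "code",
            "scope": "openid",
            "state": state,
        })
        return f"{self._realm_url(self.front_base_url)}/protocol/openid-connect/auth?{query}"

    @property
    def token_url(self) -> str:
        # Server-to-server: code exchange and refresh go over the internal URL.
        return f"{self._realm_url(self.back_base_url)}/protocol/openid-connect/token"

    @property
    def userinfo_url(self) -> str:
        return f"{self._realm_url(self.back_base_url)}/protocol/openid-connect/userinfo"

    @property
    def introspection_url(self) -> str:
        return f"{self._realm_url(self.back_base_url)}/protocol/openid-connect/token/introspect"

    def issuer_matches(self, claims: dict) -> bool:
        """Strict issuer check: exact string match against the front-channel realm URL."""
        return claims.get("iss") == self.issuer

    def leaks_internal_host(self, url: str) -> bool:
        """True if a URL destined for the browser contains the back-channel host."""
        return urlparse(url).netloc == urlparse(self.back_base_url).netloc


if __name__ == "__main__":
    ep = SplitKeycloakEndpoints.from_env("myrealm")
    auth = ep.authorization_url("my-client", "https://app.example/callback", "state-123")
    print("browser goes to :", auth)
    print("app exchanges at:", ep.token_url)
    print("expected issuer :", ep.issuer)
    print("redirect leaks internal host?", ep.leaks_internal_host(auth))
```

The `leaks_internal_host` check is the one worth wiring into a test suite: it catches the regression where someone reuses the back-channel client (the `mainick.keycloak_client_backchannel` service in the thread) to build a redirect, which would send users to a hostname they cannot resolve and expose the internal name in browser history and logs.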