Details
- Bug
- Resolution: Done
- Major
- None
- None
Description
As a follow-up to HAWKULAR-615, we need a more permanent solution for the issue of matching the host in tokens against the host used to contact the KC backend.
A thread was started on the keycloak-user mailing list, and I discussed this with mposolda@redhat.com; it seems that the best solution for now is to have this implemented in Hawkular.
As such, we need to identify the cases and problems for such a feature.
Points to consider:
- We need a whitelist of some sort. For security reasons, we cannot blindly accept a token naming an arbitrary host as the token issuer and then make HTTP calls to that host.
- On a related point: should we trust all hosts listed on the synonyms list? I'd say that we could trust all of them, as an admin would have specified this list as a system property.
- Should we fail the request if the token was requested with a host that is not included in the list?
- Should we try to identify all the IPs and hosts for the Hawkular server? If so, what kind of service could we use for that?
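To make the first three points concrete, here is an added illustration (not Hawkular's or Keycloak's code) of an issuer-host whitelist check: the token's `iss` claim is read, its host is extracted and compared exactly against a configured set of trusted hosts (standing in for the synonyms list), and anything that does not match, or cannot be parsed, is rejected before any HTTP call to the issuer is made. The whitelist values, the `make_demo_token` helper and the tokens it builds are constructed for the demonstration; signature verification against the trusted issuer's keys is a separate step that would follow this check.

```python
import base64
import json
from urllib.parse import urlsplit

# Constructed whitelist standing in for the admin-provided synonyms list.
# Hypothetical values, not Hawkular's real configuration.
TRUSTED_ISSUER_HOSTS = frozenset({
    "hawkular.example.com",
    "hawkular-internal.example.com",
    "10.0.0.12",
})


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def unverified_issuer(token: str) -> str:
    """Return the 'iss' claim of a compact JWT without verifying it.

    Only the issuer is read at this stage; the signature still has to be
    checked afterwards with the keys of the issuer we decided to trust.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    iss = claims.get("iss")
    if not isinstance(iss, str):
        raise ValueError("token has no string 'iss' claim")
    return iss


def issuer_host(iss: str) -> str:
    """Extract the host from an issuer URL: lowercased, no port, no path."""
    parsed = urlsplit(iss)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError(f"issuer is not an http(s) URL: {iss!r}")
    return parsed.hostname.lower()


def is_trusted_issuer(token: str, trusted_hosts=TRUSTED_ISSUER_HOSTS) -> bool:
    """Decide whether the token's issuer host is on the whitelist.

    Exact host match only: a host that merely starts with or contains a
    trusted name is not trusted. Unparseable tokens are rejected, which is
    the "fail the request" option from the discussion above.
    """
    try:
        host = issuer_host(unverified_issuer(token))
    except ValueError:
        return False
    return host in trusted_hosts


def make_demo_token(claims: dict) -> str:
    """Build a constructed JWT with a placeholder signature, for the demo only.

    The signature segment is never checked here, so it is just a stand-in.
    """
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = {"alg": "RS256", "typ": "JWT"}
    return f"{enc(header)}.{enc(claims)}.placeholder-signature"


if __name__ == "__main__":
    ok = make_demo_token({"iss": "https://hawkular.example.com/auth/realms/hawkular"})
    bad = make_demo_token({"iss": "https://hawkular.example.com.attacker.test/auth"})
    print("trusted issuer accepted:", is_trusted_issuer(ok))   # True
    print("look-alike issuer rejected:", not is_trusted_issuer(bad))  # True
```

The comparison is on the host alone, so port and realm path differences between synonyms do not matter, while a look-alike host that embeds a trusted name is still rejected.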