vouch / vouch-proxy

an SSO and OAuth / OIDC login solution for Nginx using the auth_request module
MIT License

Whitelist IP CIDRs? #560

Closed IngwiePhoenix closed 6 months ago

IngwiePhoenix commented 6 months ago

Describe the problem

Hello there!

Discussions were turned off and I didn't find a forum or the like; so, I thought I'd just post my question here. Apologies if this is the wrong endpoint. :)

I am looking to secure several non-OIDC capable applications to use my Keycloak OIDC to prevent unauthenticated access - or more specifically, only to people that I want. The setup is very, very minimal: I use Keycloak with the Discord provider in combination with a single local user (myself) with certain guild IDs allowed. This way, some services can be accessed by my friends in the same Discord server as myself.

I am running k3s with Traefik, Keycloak 24 and have tried a few alternatives such as traefik-forward-auth and oauth2-proxy. The former ignores my CIDRs, the latter does not support multi-domain use.

Structure:

So far, from the config, I could find whitelisting usernames, emails and teams. But, I could not find any whitelisting for IP CIDRs. My cluster runs at home, so it can see when I access it from home, or from afar. When I am at home, I don't want to be asked to authenticate; there is no need for that. When I, or someone else from outside, accesses these endpoints, I want them to be forced to authenticate first through Keycloak.

Expected behavior

I would expect a configuration parameter that checks against the X-Real-IP or similar header to see if the given IP is in a known good CIDR or not, and apply authentication as needed.


bnfinet commented 6 months ago

see the README

section Tips, Tricks and Advanced Configurations "Filter by IP address before VP validation by using satisfy any;"
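The README tip referred to above relies on nginx's `satisfy any;` directive: a request is admitted if either the `allow`/`deny` rules of the access module match or `auth_request` succeeds, so clients inside the listed CIDRs never reach Vouch Proxy while everyone else must log in. The following is an added illustration of that pattern, not the vouch-proxy README's own snippet or the reporter's config; the hostnames, CIDRs, upstream and Vouch address are placeholders. It also shows the caveat behind the reporter's X-Real-IP question: `allow`/`deny` evaluate `$remote_addr`, so when nginx sits behind another proxy the real-IP module must be told which hop it may trust for the client address, otherwise a header any client can set would decide whether authentication is skipped.

```nginx
# Added example (not from the vouch-proxy project or the issue).
# Trusted LAN ranges bypass Vouch Proxy; all other clients must authenticate.
server {
    listen 443 ssl;
    server_name app.example.com;          # placeholder hostname

    # Only needed when nginx is itself behind another proxy (as in the k3s /
    # Traefik setup from the issue): without this, $remote_addr is the proxy's
    # address and the allow/deny rules below would judge the wrong IP.
    # Trust the client-IP header ONLY from the upstream proxy's own range;
    # never accept X-Real-IP / X-Forwarded-For from arbitrary sources.
    # set_real_ip_from 10.42.0.0/16;      # placeholder: the upstream proxy's range
    # real_ip_header   X-Forwarded-For;
    # real_ip_recursive on;

    location / {
        # Either test passing is enough: LAN clients match an allow rule and
        # skip auth_request; everyone else is denied by the access module and
        # must get HTTP 200 from Vouch's /validate instead.
        satisfy any;
        allow 192.168.1.0/24;             # placeholder: home LAN
        allow 10.0.0.0/8;                 # placeholder: additional trusted range
        deny  all;

        auth_request /validate;
        # Vouch reports the authenticated user in this response header;
        # pass it on so the backend knows who logged in (empty for LAN bypass).
        auth_request_set $auth_user $upstream_http_x_vouch_user;
        proxy_set_header X-Vouch-User $auth_user;

        proxy_pass http://backend;        # placeholder upstream
    }

    # Subrequest target used by auth_request; not reachable from outside.
    location = /validate {
        internal;
        proxy_pass http://127.0.0.1:9090/validate;   # placeholder Vouch Proxy address
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header Host $host;
    }

    # Vouch answers 401 for unauthenticated clients; send them to the login flow
    # and bring them back to the page they asked for afterwards.
    error_page 401 = @error401;
    location @error401 {
        return 302 https://vouch.example.com/login?url=$scheme://$http_host$request_uri;
    }
}
```

To check the bypass, request the site once from an address inside a listed CIDR and once from outside it; the first should reach the backend with no redirect, the second should receive the 302 to the Vouch login. If both are redirected, `$remote_addr` is probably the upstream proxy's address and the real-IP block needs to be enabled for that proxy's range.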