You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
A typical Keycloak Setup does not directly expose the Keycloak server, but includes one or more proxy servers for terminating TLS traffic or load balancing. In that case the Keycloak server only sees the IP address of the proxy server, which can be a security risk - For example if you only want to trust IP addresses from your internal network, the Keycloak server only sees the IP address of your proxy server.
In this case, you can use the Parameter "Use a 'forwarded' header", which tells the plugin to use the client IP address from a header (typically "X-Forwarded-For"). To make this secure, you have to be aware how many proxy servers your setup includes, because the first IP addresses in this header can be spoofed by an attacker. For example, if your network setup includes 2 proxies, you should set the parameter "Number of trusted proxies" to 2. This means the second last IP from the forwarded header is used as the client IP address.
For more information see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#security_and_privacy_concerns
## Installation
* Download the `keycloak-ipaddress-authenticator-{version}-jar-with-dependencies.jar` from the [Releases Tab](https://github.com/evosec/keycloak-ipaddress-authenticator/releases) and verify the checksum. Alternatively you can build [build from source](#build-from-source).
