privacyidea/keycloak-provider

Client in client shows Keycloak and not end-user

adamboutcher opened this issue · 12 comments

Can we get the provider to send the end-user IP to keycloak to be shown as the client in the audit? This will help detect and investigate issues with specific remote locations / brute-force attacks.

We will look into this, but never heard of that feature so might take some time.

Ok, it is pretty easy to understand. However, I do see the end-user client IP in the audit. I do not see how our provider has anything to do with the audit. Can you explain your problem some more?

Apologies for the delay in a reply.
I only see the Keycloak system's IP in the audit when you get an OTP request via Keycloak.

I have X-Real-IP and X-Forwarded-For headers added to be passed onto privacyidea too.
[Screenshot attached: 2022-07-19 09-37-58]
[Screenshot attached: 2022-07-19 09-46-02]

Hi,
is it any different if you do not use our provider? This is not something we do "knowingly" in our code so we might have to check if we need to add something to change what is logged.

When I directly access privacyIDEA I get my actual remote IP.

Oh, I just now realized what you meant with your initial post. I thought you were talking about the Keycloak audit.
This is a thing of the privacyIDEA server. I do not know how the audit is created there, but I guess it just takes the IP from the request and does not evaluate the headers. You should open an issue there to request an enhancement of the audit creation.

I suspect it is because the provider is the service that's requesting the OTP challenge; however, I suspect that it's the provider not being able to pass the IP onwards to privacyIDEA.

The provider will pass the headers as configured, but if the privacyIDEA server does not take them into consideration (at least for the audit), it does not matter. The forwarding headers feature is intended to be used with policies in the server that can be triggered upon receiving certain headers. That means the server has to be extended to check for X-Forwarded-For/X-Real-IP headers to consider them for the audit.

I believe privacyIDEA does accept these headers as it shows correctly if I access it directly.

Are you doing /validate/check or other authentication through your browser?

Any access to privacyIDEA shows my remote IP but via the provider doesn't.

I just checked again, the headers are forwarded correctly. Also privacyIDEA does not care about the X-Forwarded-For header when creating the audit, so if you want the X-Forwarded-For IP to appear in the audit (instead of the IP of the request, which would be the Keycloak server), it has to be changed in the server.
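The thread ends with the maintainer's point that the server side, not the provider, would have to consult X-Forwarded-For / X-Real-IP when it writes the audit entry. The following is an added illustration of what such a resolution step has to get right, written for this page; it is not code from privacyIDEA or from the keycloak-provider. The function name `client_ip_for_audit`, its parameters, and the trusted-proxy list are hypothetical, and all addresses are constructed documentation-range values. The security-relevant detail is that the headers are only believed when the direct peer (here the Keycloak host) is a configured trusted proxy; otherwise any client could write an arbitrary IP into the audit log simply by sending the header itself.

```python
import ipaddress
from typing import Iterable, Mapping, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _parse_ip(value: str) -> Optional[IPAddr]:
    """Return an address object for one header token, or None if it is not an IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _is_trusted(addr: IPAddr, trusted_proxies: Iterable[str]) -> bool:
    """True if addr lies inside one of the configured trusted proxy networks."""
    return any(addr in ipaddress.ip_network(net, strict=False) for net in trusted_proxies)


def client_ip_for_audit(remote_addr: str,
                        headers: Mapping[str, str],
                        trusted_proxies: Iterable[str]) -> str:
    """Decide which IP an audit record should name as the client.

    remote_addr     -- TCP peer as the server sees it (e.g. the Keycloak host)
    headers         -- request headers; X-Forwarded-For and X-Real-IP are consulted
    trusted_proxies -- CIDR networks whose forwarding headers are believed

    Hypothetical helper for this issue thread, not privacyIDEA's audit code.
    Forwarding headers are honoured only when the peer is a trusted proxy;
    for any other peer the header could be attacker-controlled, so the raw
    peer address is logged instead.
    """
    peer = _parse_ip(remote_addr)
    if peer is None or not _is_trusted(peer, trusted_proxies):
        return remote_addr

    # Header names are case-insensitive; normalise once for lookup.
    lowered = {name.lower(): value for name, value in headers.items()}

    # X-Forwarded-For is "client, proxy1, proxy2, ...". Walk from the right,
    # skipping hops that are themselves trusted proxies; the first hop that
    # is not one of ours is the real client. Tokens that are not IPs are dropped.
    xff = lowered.get("x-forwarded-for", "")
    hops = [h for h in (_parse_ip(tok) for tok in xff.split(",")) if h is not None]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted_proxies):
            return str(hop)

    # Next preference: X-Real-IP as set by a single reverse proxy.
    real = _parse_ip(lowered.get("x-real-ip", ""))
    if real is not None:
        return str(real)

    # No usable header: fall back to the peer address.
    return remote_addr


def audit_entry(action: str, remote_addr: str, headers: Mapping[str, str],
                trusted_proxies: Iterable[str]) -> dict:
    """Build a minimal audit record; only the client field is derived here."""
    return {"action": action,
            "client": client_ip_for_audit(remote_addr, headers, trusted_proxies)}


if __name__ == "__main__":
    # Constructed scenario: Keycloak (10.0.0.5) forwards the end-user's address.
    trusted = ["10.0.0.0/24"]
    print(audit_entry("/validate/check", "10.0.0.5",
                      {"X-Forwarded-For": "203.0.113.7"}, trusted))
    # Same header sent directly by an untrusted peer is ignored.
    print(audit_entry("/validate/check", "198.51.100.4",
                      {"X-Forwarded-For": "203.0.113.7"}, trusted))
```

With the Keycloak host listed as a trusted proxy, the first call records `203.0.113.7` as the client; the second records `198.51.100.4`, because an untrusted peer's X-Forwarded-For is not believed. Configuring the trusted list from the server's own settings rather than accepting the header unconditionally is what keeps the audit usable for the brute-force investigation the issue asks about.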