We are using an Enterprise F5 WAF for SSL Offloading and other specific tasks.
When integrating Keycloak, I’m trying to come up with a way to protect backends from ‘accidentally’ forgetting to use gatekeeper (or their own OIDC implementation).
We are using wildcards, and only want to allow non-authenticated traffic on specific URLs.
The list of URLs that do not require authentication is known in the central Load Balancer.
We have something like $team.cloud.$enterprise-root-url. On these sites they can host their own applications. For these domains (that fall within the enterprise-root-url), we want to require Keycloak authentication. This means that users must use gatekeeper with a predefined “client” from keycloak.
But of course, users can just ‘forget’ this, and accidentally open their application to the public.
Is there an easy way in the Load Balancer, to require the authentication flow?
To my understanding, a gatekeeper that is not receiving a challenge ‘code’ in the URL will always respond with a 302 redirect to the configured Keycloak realm. And if it’s receiving a ‘code’ redirect, it will respond with a bearer token.
I was thinking (pseudo-code):
    # the sketch written out as an F5 iRule (Tcl): remember on the request whether an
    # Authorization header was present, then judge the backend's response
    when HTTP_REQUEST {
        set has_auth [HTTP::header exists "Authorization"]
    }
    when HTTP_RESPONSE {
        if { !$has_auth && [HTTP::status] != 401 } {
            HTTP::respond 403 content "Backend is not protected by Keycloak"
        }
    }
The hard part is, the ‘invalid’ request has already landed on the machine, and I’m just checking the response. This means that “POST” methods to the backend might already have had their impact; I’m just blocking the response from ending up at the end-user.
Anyone have any ideas?
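One way to address the POST problem raised above is to split the check in two: reject unauthenticated state-changing requests on the request side, so they never reach the backend, and keep the response-side check only for unauthenticated GET/HEAD, where a backend behind gatekeeper can be expected to answer with a 302 to the realm (or a 401). The iRule below is an added example, not code from the original post or from Keycloak/gatekeeper. It assumes: an enterprise wildcard of `.cloud.example.com`, a Keycloak base URL of `https://keycloak.example.com/`, an F5 data group named `public_paths` holding the unauthenticated URL prefixes, and gatekeeper’s access-token cookie name `kc-access`; all of these are placeholders to adapt.

```tcl
# Added example, not part of the original post. Assumed placeholders:
#   .cloud.example.com           the enterprise wildcard domain
#   https://keycloak.example.com/ the Keycloak base URL gatekeeper redirects to
#   public_paths                 F5 data group of URL prefixes that need no login
#   kc-access                    gatekeeper's access-token cookie name
when HTTP_REQUEST {
    set enforce 0
    set has_auth 0
    set host [string tolower [HTTP::host]]
    set path [string tolower [HTTP::path]]

    # Only team sites under the enterprise wildcard are enforced, and only on
    # paths that are not on the central allow-list of public URLs.
    if { $host ends_with ".cloud.example.com" } {
        if { ![class match $path starts_with public_paths] } {
            set enforce 1
        }
    }

    # Evidence that the request is already part of a Keycloak flow: a bearer
    # token, gatekeeper's session cookie, or the OIDC callback (?code=..&state=..).
    # NOTE: none of these are validated here; a forged Authorization header passes.
    if { [HTTP::header exists "Authorization"] ||
         [HTTP::cookie exists "kc-access"] ||
         ([URI::query [HTTP::uri] "code"] ne "" && [URI::query [HTTP::uri] "state"] ne "") } {
        set has_auth 1
    }

    # Request-side guard: an unauthenticated request with a state-changing method
    # is answered here and never forwarded, so a forgotten gatekeeper cannot let a
    # POST/PUT/DELETE take effect before the response is inspected.
    if { $enforce && !$has_auth && [HTTP::method] ne "GET" && [HTTP::method] ne "HEAD" } {
        HTTP::respond 401 content "Authentication required" "WWW-Authenticate" "Bearer"
        return
    }
}

when HTTP_RESPONSE {
    # Response-side detection for the remaining unauthenticated GET/HEAD traffic:
    # a backend behind gatekeeper replies with a 302 to the realm (or a 401);
    # anything else means the backend served content without authentication.
    if { [info exists enforce] && $enforce && !$has_auth } {
        set status [HTTP::status]
        set ok 0
        if { $status == 401 } {
            set ok 1
        }
        if { $status == 302 && [HTTP::header value "Location"] starts_with "https://keycloak.example.com/" } {
            set ok 1
        }
        if { !$ok } {
            log local0. "unprotected backend: $host$path answered $status without authentication"
            HTTP::respond 403 content "Backend is not protected by Keycloak gatekeeper"
        }
    }
}
```

Two caveats a reviewer would raise: the request-side guard only checks for the presence of credentials, not their validity, so a client that sends an arbitrary `Authorization: Bearer x` header still reaches the backend and is exempt from the response check (validating the JWT at the load balancer, for example with F5 APM, closes that gap); and the 302 test keys on the `Location` prefix, so a backend that redirects elsewhere for its own reasons will be flagged and should either be allow-listed in `public_paths` or handled with a more specific match.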