Force the use of Gatekeeper in Backend by checking traffic in Load Balancer

We are using an Enterprise F5 WAF for SSL Offloading and other specific tasks.
When integrating Keycloak, I’m trying to come up with a way to protect backends from ‘accidentally’ forgetting to use gatekeeper (or their own OIDC implementation).

We are using wildcards, and only want to allow non-authenticated traffic on specific URLs.
The list of URLs that do not require authentication is known in the central Load Balancer.
We have something like $$enterprise-root-url. On these sites they can host their own applications. For these domains (that fall within the enterprise-root-url), we want to require Keycloak authentication. This means that users must use gatekeeper with a predefined “client” from keycloak.

But of course, users can just ‘forget’ this, and accidentally open their application to the public.

Is there an easy way in the Load Balancer, to require the authentication flow?

To my understanding, a gatekeeper that is not receiving a challenge ‘code’ in the URL will always respond with a 302 redirect to the configured Keycloak realm. And if it’s receiving a ‘code’ redirect, it will respond with a bearer token.

I was thinking (pseudo-code):

if [headers] not contains [authorization] && [response].statuscode != 401 then
  block traffic and show warning
else
  allow traffic

The hard part is, the ‘invalid’ request has already landed on the machine, and I’m just checking the response. This means that “POST” methods to the backend might already have had their impact; I’m just blocking the response from ending up at the end-user.

Anyone have any ideas?
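One way around the problem raised above (by the time the load balancer sees the response, a POST has already hit the backend) is to stop inspecting live traffic and instead run a side-effect-free canary: send an unauthenticated GET to every published URL and check that any path not on the allow-list answers with a login redirect that ends at the Keycloak realm, or with 401/403 (what an unauthenticated API or AJAX call should get). The script below is an added example written for this thread, not the poster's or any project's code; the realm URL, hostnames, allow-list and the fake responses in the test are constructed. Because gatekeeper may first bounce to its own /oauth/authorize endpoint before sending the browser to the realm, the probe follows redirects manually, with a hop limit, rather than trusting only the first Location header.

```python
"""Unauthenticated canary probe for backends that forgot their OIDC proxy.

Added example (not from the thread). Assumptions, all constructed:
  * REALM_AUTH_PREFIX is the realm's authorization endpoint
    (Keycloak: <base>/realms/<realm>/protocol/openid-connect/auth)
  * PUBLIC_PATHS is the allow-list of paths that may be served without auth
  * every probe is a GET with no cookie and no Authorization header, so it
    has no side effects on a backend that is accidentally exposed
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

REALM_AUTH_PREFIX = "https://sso.example.com/realms/enterprise/protocol/openid-connect/auth"
PUBLIC_PATHS = {"/health", "/goodbye"}  # e.g. health check and post-logout page

# A fetcher maps a URL to (status, Location header or None) without following 3xx.
Fetch = Callable[[str], Tuple[int, Optional[str]]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError for the 3xx instead of following it


def http_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Real unauthenticated GET (used when the script is run against live hosts)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="GET", headers={"User-Agent": "oidc-canary"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:  # raised for the 3xx we refused, and for 4xx/5xx
        return e.code, e.headers.get("Location")


def classify(url: str, fetch: Fetch = http_fetch, max_hops: int = 5) -> str:
    """Verdict for one URL: 'public', 'protected' or 'EXPOSED' (fail closed)."""
    path = urlsplit(url).path or "/"
    if path in PUBLIC_PATHS:
        return "public"
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status in (401, 403):
            return "protected"  # API-style rejection, no login page needed
        if status in (301, 302, 303, 307, 308) and location:
            location = urljoin(current, location)  # Location may be relative
            if location.startswith(REALM_AUTH_PREFIX):
                return "protected"  # the chain ends at the Keycloak login
            current = location  # e.g. gatekeeper's own /oauth/authorize hop
            continue
        return "EXPOSED"  # content (or a non-IdP endpoint) served without authentication
    return "EXPOSED"  # redirect chain never reached the realm: treat as exposed


def probe(urls: List[str], fetch: Fetch = http_fetch) -> Dict[str, str]:
    """Probe every URL and return {url: verdict}."""
    return {url: classify(url, fetch) for url in urls}


if __name__ == "__main__":
    results = probe(sys.argv[1:])
    for url, verdict in results.items():
        print(f"{verdict:10} {url}")
    sys.exit(1 if "EXPOSED" in results.values() else 0)
```

Run it from a scheduler against the list of published hostnames; a non-zero exit means at least one backend served content to an anonymous GET. The probe is detective rather than preventive, but unlike the response-side iRule idea it never causes a state change on the target, and it also covers the AJAX case (a 401 is accepted as protected).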

That is a question for your Load Balancer doc/support, not for the IdP (Keycloak) community.

Your design is not clear, and it may be a problem for some use cases:

  • where is gatekeeper: in front of the LB or behind the LB?
  • how can a user whitelist a URL (for example the post-logout “goodbye” URL, which must be available to unauthenticated users)?
  • how will it work with SPA apps? Gatekeeper works only with the authorization code flow, which is not the best flow for SPA apps
  • how will you handle unauthenticated AJAX requests? The user won’t see any 302 redirect/IdP login page for this type of request

IMHO it is good idea, but real life will be a problem.

Good point. This might make administrative overhead larger.

Let me rephrase to a more in-general question:
What would be your option to protect applications from accidentally publishing content without the use of Gatekeeper or any OIDC protection in general?

It doesn’t look like a task for IdP (such as Keycloak), which provides:

  • authentication (who is accessing content)
  • authorization (is the user allowed to access content)

¯\_(ツ)_/¯ maybe it is a task for data loss prevention tools.