Gatekeeper client-secret not verifying

I configure gatekeeper in front of my service. I create new client with access-type confidential and configure that client-id and client-secret to my gatekeeper file but when I intentionally alter client-secret it seems like gatekeeper didn’t check for the secret. It is running without any error.
here is my minimal configurations

listen: :3020
client-id: gatekeeper
client-secret: e514d9e3-b76c-4cdb-961b-bd70149c6f40

Client secret is not used, when Gatekeeper is starting. It is used when Gatekeeper exchanges code for token. You will have a problem with user login now, but not with Gatekeeper start.

But I am not facing any kind of error or warning while login or requesting to that service on which I
wrongly configure secret.

Please provide

You don’t have any special config. Clear cookies in the browser and start gatekeeper from the scratch with incorrect client secret. Auth should be fine, but gatekeeper shouldn’t be able to exchange code for token (Keycloak error like “incorrect client secret”). If yes, then client configuration configuration can be wrong.

I tried with wrong configurations in clean browser and incognito but nothing is happening.

What is your login procedure, when you have:

no-redirects: true

I am using browser flow/standard flow for login. when I request to data server here is the flow of my request,
first it reaches to nginx, nginx passes it to gatekeeper ( gatekeeper configuration as mentioned above ), then it reaches to data server.

for the browser flow I have public client and for the gatekeeper I have confidential client.

I remove no-redirects: true from my configuration and restart my gatekeeper docker but nothing is happening.

=> Gatekeeper doesn’t exchange your code for token, so client secret in the Gatekeeper is never used and you can write any string there. I guess you have frontend which handles token generation/refresh and backend protected by Gatekeeper, which just verifies token.

1 Like

Yes, I am handling token generation/refresh from the frontend. So my Gatekeeper just verifies token and roles. Thanks for the help