Gatekeeper client-secret not verifying

I configured Gatekeeper in front of my service. I created a new client with access type confidential and configured that client-id and client-secret in my Gatekeeper file, but when I intentionally alter the client-secret it seems like Gatekeeper doesn't check the secret. It is running without any error.
Here are my minimal configurations:

listen: :3020
client-id: gatekeeper
client-secret: e514d9e3-b76c-4cdb-961b-bd70149c6f40

Client secret is not used when Gatekeeper is starting. It is used when Gatekeeper exchanges the code for a token. You will have a problem with user login now, but not with Gatekeeper start.

But I am not facing any kind of error or warning while logging in or requesting that service on which I wrongly configured the secret.

Please provide a minimal reproducible example: https://stackoverflow.com/help/minimal-reproducible-example.

You don't have any special config. Clear cookies in the browser and start Gatekeeper from scratch with an incorrect client secret. Auth should be fine, but Gatekeeper shouldn't be able to exchange the code for a token (Keycloak error like "incorrect client secret"). If it can, then the client configuration can be wrong.

I tried with wrong configurations in a clean browser and in incognito, but nothing happened.

What is your login procedure, when you have:

no-redirects: true

I am using the browser flow/standard flow for login. When I make a request to the data server, here is the flow of my request:
first it reaches nginx, nginx passes it to Gatekeeper (Gatekeeper configuration as mentioned above), then it reaches the data server.

For the browser flow I have a public client, and for Gatekeeper I have a confidential client.

I removed no-redirects: true from my configuration and restarted my Gatekeeper Docker container, but nothing happened.

=> Gatekeeper doesn't exchange your code for a token, so the client secret in Gatekeeper is never used and you can write any string there. I guess you have a frontend which handles token generation/refresh and a backend protected by Gatekeeper, which just verifies the token.


Yes, I am handling token generation/refresh from the frontend, so my Gatekeeper just verifies the token and roles. Thanks for the help.
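Since a bearer-only deployment never exercises the secret, the thread's explanation leaves no built-in way to notice a typo in client-secret until someone later turns on code exchange. The following added script (not from the thread or from the Gatekeeper project) does the one thing Gatekeeper would do at exchange time, authenticate to the realm's token endpoint as the confidential client, and reports whether Keycloak accepted the secret. The Keycloak base URL and realm are assumed placeholders; the client-id and client-secret are the values from the configuration above.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed placeholders: set to your Keycloak base URL (newer Keycloak
# releases drop the /auth prefix) and the realm the client lives in.
KEYCLOAK = "http://localhost:8080/auth"
REALM = "master"


def token_endpoint(base_url: str, realm: str) -> str:
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def build_request(base_url: str, realm: str, client_id: str, client_secret: str):
    """Form-encoded client_credentials grant: the client authenticates with
    the same client-id/client-secret pair Gatekeeper would present at code exchange."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return token_endpoint(base_url, realm), body


def interpret(status: int, body: dict) -> str:
    """Translate the token endpoint's answer into a verdict on the secret."""
    if status == 200 and "access_token" in body:
        return "secret ok"
    if status == 401 and body.get("error") == "invalid_client":
        return "wrong secret (or unknown client)"
    # Keycloak authenticates the client before it checks the grant, so this
    # means the secret was accepted but the client has no service account
    # enabled (assumption about Keycloak's ordering of those two checks).
    if status == 400 and body.get("error") == "unauthorized_client":
        return "secret ok (service accounts disabled)"
    return f"unexpected response: {status} {body}"


def check_secret(base_url: str, realm: str, client_id: str, client_secret: str) -> str:
    url, data = build_request(base_url, realm, client_id, client_secret)
    try:
        with urllib.request.urlopen(url, data=data, timeout=5) as resp:
            return interpret(resp.getcode(), json.load(resp))
    except urllib.error.HTTPError as err:  # 4xx responses still carry a JSON body
        return interpret(err.code, json.load(err))


if __name__ == "__main__":
    print(check_secret(KEYCLOAK, REALM, "gatekeeper",
                       "e514d9e3-b76c-4cdb-961b-bd70149c6f40"))
```

Run it once after editing the Gatekeeper config (and again after rotating the secret in Keycloak); a "wrong secret" verdict is the warning the proxy itself will not give you.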