I have configured `enable-default-deny: true`
in my gatekeeper and I also configured my resources with specific URIs. The problem is that if I try to access those URIs which I don't allow in my resources tag, it passes through gatekeeper, which shouldn't be like that; gatekeeper must return 403 if any route is not allowed in resources.
Could you provide the config and the version used, please? It is hard to say what the problem is without details, which would help to replicate your issue.
I am using docker image quay.io/keycloak/keycloak-gatekeeper
and they are using 8.0.1
```yaml
listen: :3020
discovery-url: #######
skip-openid-provider-tls-verify: true
no-redirects: true
client-id: ####
client-secret: ###
enable-default-deny: true
enable-refresh-tokens: true
encryption-key: #####
upstream-url: http://localhost:7274
enable-logging: true
verbose: true
secure-cookie: false
cors-methods:
  - POST
  - GET
  - OPTIONS
# cors-max-age: 3600
cors-headers:
  - Authorization
  - Content-Type
  - Dnt
resources:
  # admin
  - uri: /admin/check
    methods:
      - GET
    roles:
      - admin:support:view
  - uri: /tickets/all
    methods:
      - GET
    roles:
      - admin:support:view
```
Sorry, I couldn't provide the client-id and secret here.
Default deny adds the default resource `/*`, so it is more like an enable-default-required-auth feature.
I recommend you open an issue at https://issues.redhat.com/projects/KEYCLOAK to get a review from the Keycloak team.
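To make the point of the reply concrete (an implicit `/*` resource only demands a valid token, it does not deny unlisted paths), here is a small admission model written for this thread. It is an added example, not gatekeeper's own code: the `Resource` type, `admit`, the 401/403 outcomes and the "longest matching uri wins" rule are assumptions of the model chosen to mirror the behaviour described in the thread, and the `deny-all` role in the hardened variant is a constructed placeholder. It evaluates the poster's two resources against an unlisted path with and without default deny, and then with an explicit catch-all resource that carries a role no user is granted, which is what turns the pass-through into a 403.

```python
"""Constructed model of gatekeeper-style resource admission (not gatekeeper code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    uri: str                       # path pattern, e.g. "/admin/check" or "/*"
    methods: tuple = ("ANY",)      # HTTP methods covered; "ANY" covers all of them
    roles: tuple = ()              # roles the token must carry; empty = token only
    white_listed: bool = False     # True = reachable without any token


def path_matches(pattern: str, path: str) -> bool:
    """Exact match, or a trailing '/*' that covers the prefix and everything below it."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def select_resource(resources, method: str, path: str):
    """Assumption of the model: the most specific (longest) matching uri wins."""
    candidates = [
        r for r in resources
        if path_matches(r.uri, path) and ("ANY" in r.methods or method in r.methods)
    ]
    return max(candidates, key=lambda r: len(r.uri)) if candidates else None


def admit(resources, *, default_deny: bool, authenticated: bool,
          user_roles: tuple = (), method: str = "GET", path: str = "/") -> int:
    """Return the HTTP status the proxy would answer with: 200 (proxied), 401 or 403."""
    effective = list(resources)
    if default_deny and not any(r.uri == "/*" for r in effective):
        # enable-default-deny appends an implicit "/*" with no roles (as the reply explains)
        effective.append(Resource(uri="/*"))
    res = select_resource(effective, method, path)
    if res is None or res.white_listed:
        return 200          # nothing guards this path: request goes straight upstream
    if not authenticated:
        return 401          # no-redirects: true -> plain 401 rather than a login redirect
    if res.roles and not set(res.roles) <= set(user_roles):
        return 403          # token is valid but lacks a required role
    return 200


# The two resources from the config posted above
CONFIG_RESOURCES = (
    Resource("/admin/check", methods=("GET",), roles=("admin:support:view",)),
    Resource("/tickets/all", methods=("GET",), roles=("admin:support:view",)),
)

# Hardened variant: explicit catch-all requiring a role that is never granted
# ("deny-all" is a constructed placeholder name)
HARDENED_RESOURCES = CONFIG_RESOURCES + (Resource("/*", roles=("deny-all",)),)


def demo() -> dict:
    """Outcomes for an unlisted path and for /admin/check under each configuration."""
    return {
        "unlisted_no_default_deny": admit(
            CONFIG_RESOURCES, default_deny=False, authenticated=False, path="/anything"),
        "unlisted_default_deny_anonymous": admit(
            CONFIG_RESOURCES, default_deny=True, authenticated=False, path="/anything"),
        "unlisted_default_deny_token_no_roles": admit(
            CONFIG_RESOURCES, default_deny=True, authenticated=True, path="/anything"),
        "admin_check_token_no_roles": admit(
            CONFIG_RESOURCES, default_deny=True, authenticated=True, path="/admin/check"),
        "admin_check_with_role": admit(
            CONFIG_RESOURCES, default_deny=True, authenticated=True,
            user_roles=("admin:support:view",), path="/admin/check"),
        "unlisted_hardened_token_no_roles": admit(
            HARDENED_RESOURCES, default_deny=True, authenticated=True, path="/anything"),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:40s} -> {status}")
```

The third entry of `demo()` is the situation reported in the question: with default deny on, any caller holding a valid token reaches an unlisted path. The last entry shows the catch-all resource turning that into a 403. Because the ordering and method-matching rules here are assumptions, check them against the gatekeeper version actually deployed (8.0.1 in this thread) before relying on them.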
Thanks for the help, appreciated!!