How to use Keycloak gatekeeper bearer token instead of cookie

Getting advice
1

As per documentation Keycloak gatekeeper supports bearer token for authentication. After deployment https://hub.helm.sh/charts/gabibbo97/keycloak-gatekeeper it seems that only browser cookie works. But in tcpdump from upstream application I can see x-auth-token details which are not visible in browser.

Please elaborate how can I use Bearer token(not cookie) in order to authentication as client e.g. using curl curl -v http://$INGRESS_HOST --header "Authorization: Bearer $TOKEN"

https://www.keycloak.org/docs/latest/securing_apps/index.html#_keycloak_generic_adapter

Keycloak Gatekeeper is an adapter which integrates with the Keycloak authentication service supporting both access tokens in browser cookie or bearer token

2

Browser cookie works, because you are using it in the browser. Nothing stops you to generate TOKEN outside of Gatekeeper and then use it the request to Gatekeeper protected endpoint.

Typical use case:

  • frontend (Angular, React) uses implicit flow and it gets own TOKEN
  • frontend uses this TOKEN for backend requests (backend is protected by Gatekeeper, which only verifies TOKEN validity)

Of course frontent/backend needs to use the same OIDC client + properly configured Gatekeeper (e.g. symetric token encryption should be disabled, …)

3

Thank you @jangaraj

Described use case is exactly what we are going to achieve.
Please check my understanding and help with steps to reproduce:

  1. Frontend gets own TOKEN by calling demo realm https://keycloak.com/auth/realms/demo/protocol/openid-connect/token with client id and secret.

  2. Frontend calls backend with header --header "Authorization: Bearer $TOKEN"

Using curl

Get TOKEN:

TOKEN=$(curl -s -d "client_secret=xxxxx" -d "client_id=type=client_credentials" "https://keycloak/auth/realms/demo/protocol/openid-connect/token" | jq -r ".access_token"); echo $TOKEN

Access application:
curl -X GET -kL https://demo.app/ --header "Authorization: Bearer $TOKEN"

Curl provides keycloak login page instead of demo application page. I’m confused here

Also by meaning disable symetric token encryption I understand you are asking to change Client Authenticator in Keycloak from Client ID and Secret to Signed JWT or X509.
The probelm with changing symetric authentication type is that I didn’t find any documentation reference how to use Signed JWT in Keycloak Gatekeeper keycloak-gatekeeper 4.0.0 · helm/gabibbo97

I can see some reference in keycloak gatekeeper for JWKS in oauth_test.go and e2e_test.go files, but not sure this could be used in configuration somehow.

grep -R -i -n jwk *
e2e_test.go:105:				"jwks_uri":"http://`+e2eOauthListener+`/auth/realms/master/protocol/openid-connect/certs"
oauth_test.go:40:	key        jose.JWK
oauth_test.go:82:	JwksURI                          string   `json:"jwks_uri"`
oauth_test.go:103:		key: jose.JWK{
oauth_test.go:162:		JwksURI:                          fmt.Sprintf("http://%s/auth/realms/hod-test/protocol/openid-connect/certs", r.location.Host),
oauth_test.go:176:	renderJSON(http.StatusOK, w, req, jose.JWKSet{Keys: []jose.JWK{r.key}})

Here are my another questions posted related to how Signed JWT in Keycloak, in simply world, when I change Client Authenticator in Keycloak to Signed JWT I receive 403 error from browser after login via keycloak gatekeeper. Probably because keycloak gatekeeper is configured with client id and secret

I wonder if there is any guide or at least reference how to use JWKS URL in Keycloak , specially with keycloak gatekeeper

4

This is client credential flow - it is designated for machine to machine communication. SPA should use implicit flow (or better Authorization Code with PKCE Flow).

Check the gatekeeper debug logs to see reason, why call is redirected to the login.

Symmetric encryption is on Gatekeeper level:

--enable-encrypted-token                     enable encryption for the access tokens (default: false)

Signed JWT is not supported by Gatekeeper. JWKS URL is discovered trough OIDC discovery and it is used to verify token signatures.

1 Like
5

@jangaraj

How to disable symetric token encryption in keycloak gatekeeper?

6 


metadata:
  name: gatekeeper-forward
...
      containers:
        - name: gatekeeper
          image: keycloak/gatekeeper:2.0.0
          args:
            - '--discovery-url=https://keycloak.k8s.office.example.com/realms/test'
            - '--enable-forwarding=true'
            - '--forwarding-username=ad_user'
            - '--forwarding-password=ad_pass'
            - '--client-id=client-test-forward'
            - '--listen=:3001'
            - '--enable-metrics=true'
            - '--enable-json-logging=true'
            - '--enable-authorization-header=true'
            - '--skip-openid-provider-tls-verify=true'
            - '--skip-upstream-tls-verify=true'
            - '--verbose=true'


metadata:
  name: gatekeeper
...
      containers:
        - name: gatekeeper
          image: keycloak/gatekeeper:2.0.0
          args:
            - '--discovery-url=https://keycloak.k8s.office.example.com/realms/test'
            - '--redirection-url=http://whoami.k8s.office.example.com'
            - '--upstream-url=http://whoami:80'
            - '--cors-origins=*'
            - '--cors-methods=*'
            - '--client-id=client-test'
            - '--resources=uri=/|white-listed=true'
            - '--resources=uri=/foo/*|white-listed=true'
            - '--resources=uri=/bar/*|groups=groups1,groups4'
            - '--headers=BiTest=allowed'
            - '--listen=:3000'
            - '--listen-admin=:4000'
            - '--enable-metrics=true'
            - '--enable-refresh-tokens=true'
            - '--enable-encrypted-token=false'
            - '--encryption-key=MbcMNL9jkkp5HLvULQOQ1QnPpt2IjzK1'
            - '--enable-json-logging=true'
            - '--enable-authorization-header=true'
            - '--enable-logout-redirect=true'
            - '--secure-cookie=false'
            - '--skip-openid-provider-tls-verify=true'
            - '--skip-upstream-tls-verify=true'
            - '--verbose=true'

http_proxy=gatekeeper-forward:8080 curl -kvL http://whoami.k8s.office.example.com/bar