Keycloak Gatekeeper - wishlist

Hi @abstractj,

What I would like to see in the keycloak-gatekeeper:

  1. Cloud Foundry (CF) route service mode - doc
    User will have a config option cloud-foundry-route-service, which enables a special mode for CF. The easiest workaround is to wrap gatekeeper with an input/output proxy where request/response headers will be modified accordingly

  2. GDPR data log compliance
    Config option personalinfo-level, which will modify logged personally identifiable information (client_ip, email, id, name, subject, username, ...) in the log. Available levels: hidden - PII are completely retracted, md5 - PII are replaced by their md5 hash, original - PII have

  3. TLS configuration
    at least tls-min-version and cipher-suites (with a log warning for vulnerable TLS versions and ciphers), mutual TLS configuration for upstream, certs from env variables (base64 encoded, because some tools don’t support container volumes very well)

  4. Docker image hardening
    Rootless image without OS base image (scratch base image only), statically compiled binaries with CloudFoundry support and with image healthcheck binary/command

  5. Showcase application
    + the most secure gatekeeper config (cookie, csp, …), it shows request headers from the upstream app perspective + highlights gatekeeper headers + simplified “postman” interface to test resource configuration, it would be nice to have it as a public internet app with a public internet demo keycloak (both can be deployed by CI as :latest Docker images)

  6. CI testing with other OIDC IdPs
    They may have slightly different OIDC implementations, so I would like to be sure that gatekeeper works with the majority of OIDC IdPs, not just with Keycloak (see my go-oidc PR - it was fine for Keycloak, but a problem for another OIDC IdP)


Hi @jangaraj, thanks for sharing your feedback. I will check with others about what they think and whether this is something to include in our roadmap.

Regarding the testing with other IdPs, I’m curious. Have you tried other IdPs? Which ones? Would you mind sharing which issues you faced while integrating Gatekeeper with other IdPs?

It was a legacy IdP and keycloak-proxy was not able to exchange the code for the token, because keycloak-proxy (which used go-oidc v1) sends 2 auth methods (post + basic auth) in that exchange request. It was acceptable for Keycloak, but it was unacceptable for the legacy IdP - it implements RFC 6749 - The OAuth 2.0 Authorization Framework correctly:

the client MUST NOT use more than one authentication method in each request

Issue: Support of more than one authentication methods in Token Endpoint is contradicting with OAuth2 Specification · Issue #336 · louketo/louketo-proxy · GitHub (not available atm, because GitHub issue tracker was disabled)
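To make the RFC 6749 point concrete, here is an added Go example (not code from gatekeeper, go-oidc or any IdP): a strict token endpoint that counts the client authentication methods on a request and rejects a doubly-authenticated one with invalid_request, plus a client-side builder that sends exactly one method. The endpoint, the URLs and the token value are constructed for illustration.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// countClientAuthMethods reports how many client authentication methods a
// token request carries: HTTP Basic (client_secret_basic) and/or the client_secret
// form parameter (client_secret_post). RFC 6749 section 2.3 forbids more than one.
func countClientAuthMethods(r *http.Request) int {
	n := 0
	if _, _, ok := r.BasicAuth(); ok {
		n++
	}
	if r.PostFormValue("client_secret") != "" {
		n++
	}
	return n
}

// tokenEndpoint is an illustrative strict token endpoint (not a real IdP): it answers
// a doubly-authenticated request with invalid_request instead of tolerating it.
func tokenEndpoint(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost || countClientAuthMethods(r) > 1 {
		http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.Write([]byte(`{"access_token":"constructed-sample","token_type":"Bearer"}`))
}

// newCodeExchangeRequest builds the authorization_code exchange a proxy like
// gatekeeper sends, using exactly one client auth method: HTTP Basic when
// useBasic is true, otherwise client_id/client_secret in the form body.
func newCodeExchangeRequest(tokenURL, code, redirectURI, clientID, secret string, useBasic bool) (*http.Request, error) {
	form := url.Values{"grant_type": {"authorization_code"}, "code": {code}, "redirect_uri": {redirectURI}}
	if !useBasic {
		form.Set("client_id", clientID)
		form.Set("client_secret", secret)
	}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if useBasic {
		req.SetBasicAuth(clientID, secret)
	}
	return req, nil
}
```

The same count can be logged on the proxy side before the exchange is sent, which is the quickest way to confirm whether a failing IdP is rejecting a double authentication rather than a wrong secret.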

@jangaraj I see, we need to upgrade these dependencies. If we do that, I believe Gatekeeper will be able to work with other IdPs.


Inspiration for Keycloak demo instance: https://demo.identityserver.io/

We are also using the gatekeeper docker image to secure our web-based stack (Docker based). From my point of view it might be interesting to have a way of configuring the access log format.

We are currently able to configure the access logs from all containers of our stack (NGINX, Gunicorn or PHP-FPM) with almost the same JSON info. However, the gatekeeper JSON logging capabilities are currently static.

By doing this we are able to track a client request all the way from the client request to the endpoint response.
