Hi @abstractj,
What I would like to see in the keycloak-gatekeeper:

- **Cloud Foundry (CF) route service mode** - doc
  User will have config option `cloud-foundry-route-service`, which enables a special mode for CF. The easiest workaround is to wrap gatekeeper with an input/output proxy where request/response headers will be modified accordingly.
- **GDPR data log compliance**
  Config option `personalinfo-level`, which will modify logged personally identifiable information (client_ip, email, id, name, subject, username, ...) in the log. Available levels: `hidden` - PII are completely retracted, `md5` - PII are replaced by their md5 hash, `original` - PII have
- **TLS configuration**
  At least `tls-min-version` and `cipher-suites` (with a log warning for vulnerable TLS versions and ciphers), mutual TLS configuration for upstream, certs from env variables (base64 encoded, because some tools don't support container volumes very well).
- **Docker image hardening**
  Rootless image without an OS base image (`scratch` base image only), statically compiled binaries with CloudFoundry support and with an image healthcheck binary/command.
- **Showcase application**
  Plus the most secure gatekeeper config (cookie, csp, ...); it shows request headers from the upstream app perspective, highlights gatekeeper headers, and provides a simplified "postman" interface to test resource configuration. It would be nice to have it as a public internet app with a public internet demo keycloak (both can be deployed by CI as `:latest` Docker images).
- **CI testing with other OIDC IdPs**
  They may have a slightly different OIDC implementation, so I would like to be sure that gatekeeper works with the majority of OIDC IdPs, not just with Keycloak (see my go-oidc PR - it was fine for Keycloak, but a problem for another OIDC IdP).