I’m having a hard time correctly configuring the Gatekeeper. I’m not even sure it supports my use case, but I can’t really find any description (that I can understand) of what use cases it does support, what it’s intended to do or what its limits are.
My use case seems pretty trivial, but I’ll define it:
I have a Keycloak server as an identity provider, one service and one web frontend. The frontend is to authenticate the user, then pass on the access token when sending requests to the service. Since HttpOnly cookies aren’t that easy to acquire in a frontend-only situation, I had to build an authentication proxy backend for it. Auth is however something I don’t want too much custom code in, and the Gatekeeper looked promising.
My need is / I need something to:
Exchange the code from keycloak to a token and send it back to the user agent as an HttpsOnly cookie
Proxy requests from the user agent to the service and turn the HttpsOnly access token cookie into an Authorization header bearer token
Is this something the Gatekeeper can do? Is there some guide on how to configure it like this? Any examples? The JSESSIONID cookie, is this also something that should be HttpsOnly?
The Gatekeeper sees that the user isn’t authenticated and redirects the user to the Keycloak login form
User logs in, and the redirect uri points to Gatekeeper’s /oauth/callback url which Keycloak then redirects to on successful login
Blank screen because the Gatekeeper doesn’t redirect the user back to the site. The HttpsOnly cookie is likely set somewhere strange since there’s nothing to redirect to.
Thanks a lot for taking the time to read through. Sorry if there’s something obvious I’m missing.
Ok. I updated the main post to include my Gatekeeper config.yaml.
Not sure what I should provide from the user agent. It’s basically just an <a href="http://localhost:3000/">login</a> where localhost:3000 is the gatekeeper.
If I’ve been unclear, I’m sorry. I’ll try to specify:
Both backend and Keycloak require SSL/https; I’ve disabled the secure cookie setting for now because the app runs locally on my machine until I deploy it.
My frontend is a Nuxt/VueJS web application. One can consider this an SPA, but I do have server side possibilities if needed
App / the service is a spring boot api service
Keycloak runs on some server - I don’t know the details around the hosting, but I can access it to administrate it
Not sure what you mean by “where is redirected browser”
By OIDC client, you mean the Keycloak realm client? If so, there’s a lot of settings. If there’s any specific setting you wonder about, I’ll write it down. If you need it all, let me know and I’ll try to find some way to export it.
I’ll try to remove the redirection-url and try to grab it from the browser network console for Keycloak whitelisting. I found it in some tutorial somewhere, and just assumed it had to be there since the Gatekeeper might not automatically know where it is located
I hope you want to protect only “App / the service is a spring boot api service” and not the SPA frontend.
My guess: you are using gatekeeper 8.0.0, where enable-default-deny is enabled by default, and you have defined only one resource /apis. But you are redirected back to the resource /, which is not defined => gatekeeper returns deny 403 = your blank page. As I mentioned, check the network console and the response code of that “blank page”.
Define additional “wildcard” resource:
- uri: /*
and you should be fine (/ will be forwarded to the upstream). Am I right?
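A config.yaml sketch of the fix described above, added here as an illustration and not taken from the thread or from the Gatekeeper project; the realm URL, client id, client secret, upstream URL and the /apis pattern are placeholders, and enable-default-deny plus the /* wildcard are the only settings the thread itself names.

```yaml
# Added example (not the poster's config): gatekeeper config.yaml with the
# wildcard resource suggested above. All URLs, ids and secrets are placeholders.
discovery-url: https://keycloak.example.com/auth/realms/myrealm   # placeholder realm
client-id: my-frontend                                            # placeholder client id
client-secret: <client-secret-placeholder>
listen: 0.0.0.0:3000                       # the gatekeeper itself (localhost:3000 in the thread)
upstream-url: https://localhost:8443       # placeholder: the spring boot api service
redirection-url: http://localhost:3000     # base URL; gatekeeper appends /oauth/callback itself
secure-cookie: false                       # only while running locally without TLS; set true when deployed
enable-default-deny: true                  # default in 8.0.0: any path not listed below gets a 403
resources:
  - uri: /apis/*                           # placeholder for the single resource the thread mentions
    methods:
      - GET
      - POST
  - uri: /*                                # wildcard so / (the post-login redirect target) is proxied
```

Without the trailing /* entry the browser lands on / after login, that path matches no resource, and the default-deny rule answers with the 403 seen as a blank page.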
Due to time limitations, I’ve decided to run with my custom code instead. The documentation seems lacking, but that might just be my incompetence. Anyway - thanks for taking the time to help out @jangaraj