Properly configuring the Gatekeeper

Hey!

I’m having a hard time correctly configuring the Gatekeeper. I’m not even sure it supports my use case, but I can’t really find any description (that I can understand) of what use cases it does support, what it’s intended to do or what its limits are.

My use case seems pretty trivial, but I’ll define it:
I have a Keycloak server as an identity provider, one service and one web frontend. The frontend is to authenticate the user, then pass on the access token when sending requests to the service. Since HttpOnly cookies aren’t that easy to acquire in a frontend-only situation, I had to build an authentication proxy backend for it. Auth is however something I don’t want too much custom code in, and the Gatekeeper looked promising.

My need is / I need something to:

  1. Exchange the code from Keycloak for a token and send it back to the user agent as an HttpsOnly cookie
  2. Proxy requests from the user agent to the service and turn the HttpsOnly access token cookie into an Authorization header bearer token

Is this something the Gatekeeper can do? Is there some guide on how to configure it like this? Any examples? The JSESSIONID cookie, is this also something that should be HttpsOnly?

Right now it’s set up like this:

  1. The user agent login button redirects the user to the Gatekeeper (https://gatekeeper:3000/)
  2. The Gatekeeper sees that the user isn’t authenticated and redirects the user to the Keycloak login form
  3. User logs in, and the redirect URI points to Gatekeeper’s /oauth/callback URL, which Keycloak then redirects to on successful login
  4. Blank screen because the Gatekeeper doesn’t redirect the user back to the site. The HttpsOnly cookie is likely set somewhere strange since there’s nothing to redirect to.

Thanks a lot for taking the time to read through. Sorry if there’s something obvious I’m missing.

– Julius

Edit 1:
Gatekeeper config.yaml: https://pastebin.com/AS6zDUPh

You should provide a minimal, reproducible example of your setup. It looks like a config problem, but no config (client, gatekeeper) is provided.

Ok. I updated the main post to include my Gatekeeper config.yaml.

Not sure what I should provide from the user agent. It’s basically just an <a href="http://localhost:3000/">login</a> where localhost:3000 is the gatekeeper.

Thank you for taking the time to reply.

I’m still lost:

  • you are mixing https/http gatekeeper/localhost
  • what is app, where is keycloak
  • where is redirected browser
  • how is the used OIDC client configured

You can check the complete flow in the browser network console. 90% of the correct answer is a correct, meaningful question.

Blind guess: redirection-url: http://localhost:3000 should be removed.

If I’ve been unclear, I’m sorry. I’ll try to specify:

  • Both backend and keycloak require SSL/https, I’ve disabled the secure cookie setting for now because the app runs locally on my machine until I deploy it
  • My frontend is a Nuxt/VueJS web application. One can consider this an SPA, but I do have server side possibilities if needed
  • App / the service is a spring boot api service
  • Keycloak runs on some server - I don’t know the details around the hosting, but I can access it to administrate it
  • Not sure what you mean by “where is redirected browser”
  • By OIDC client, you mean the Keycloak realm client? If so, there’s a lot of settings. If there are any specific settings you wonder about, I’ll write them down. If you need it all - let me know and I’ll try to find some way to export it

I’ll try to remove the redirection-url and try to grab it from the browser network console for Keycloak whitelisting. I found it in some tutorial somewhere, and just assumed it had to be there since the Gatekeeper might not automatically know where it is located.

I hope you want to protect only App / the service is a spring boot api service and not SPA frontend.

My guess: you are using gatekeeper 8.0.0, where enable-default-deny is enabled by default, and you have defined only one resource, /apis. But you are redirected back to the resource /, which is not defined => gatekeeper returns deny 403 = your blank page. As I mentioned, check the network console and the response code of that “blank page”.

Define additional “wildcard” resource:

- uri: /*

and you should be fine (/ will be forwarded to the upstream). Am I right?

For the record your config:

listen: :3000
client-id: gatekeeper
client-secret: 'secret-key-that-is-hidden'
discovery-url: 'https://keycloak.server/auth/realms/api-catalog'
enable-default-deny: true
encryption_key: thisisrandomeachtime
redirection-url: http://localhost:3000 # Gatekeeper runs locally for now
upstream-url: https://myservice.ep/
secure-cookie: false
 
resources:
  - uri: /apis
    white-listed: true
    methods:
     - GET
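
The suggestions from this thread written out as one file, as an added example that is not the poster's or the project's own config. Hostnames and the secret are the thread's placeholders; the cookie settings assume the proxy is served over HTTPS once deployed, and the option names are the Gatekeeper options as documented at the time.

```yaml
# Constructed example based on the config quoted above.
listen: :3000
client-id: gatekeeper
client-secret: 'secret-key-that-is-hidden'
discovery-url: 'https://keycloak.server/auth/realms/api-catalog'
upstream-url: https://myservice.ep/
# redirection-url left out, per the earlier guess in the thread

enable-default-deny: true

# Cookie handling (assumption: HTTPS in front of the proxy after deployment)
secure-cookie: true       # was false only for local http testing
http-only-cookie: true    # token cookie is not readable from page scripts

# Pass the access token to the upstream as "Authorization: Bearer <token>"
enable-authorization-header: true

resources:
  # Unchanged from the original config
  - uri: /apis
    white-listed: true
    methods:
      - GET
  # Wildcard resource suggested in the reply, so that / (the path the
  # browser lands on after /oauth/callback) matches a defined resource
  - uri: /*
```

The response code of the post-login request in the browser network console shows whether the wildcard resource changed the outcome.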

Due to time limitations, I’ve decided to run with my custom code instead. The documentation seems lacking, but that might just be my incompetence. Anyway - thanks for taking the time to help out @jangaraj