
I'm trying to set up Keycloak Gatekeeper as a reverse proxy in front of my service, but I don't know what the purpose is of the redirection-url. I figured I could just put Gatekeeper in front of my service, without my service needing to know anything about the authn/z. This doesn't seem possible if it needs a callback endpoint.

I was able to deploy the Keycloak Server, Keycloak Gatekeeper, and a simple node service (all deployed locally in docker containers). With a bit of hacking to my hosts file, I was able to send a request to Gatekeeper, which properly authenticated me and redirected me back to my node service. However, my node service needed to add a /oauth/callback endpoint, since Gatekeeper adds that suffix to whatever is specified in the redirection-url.

Here is what my Gatekeeper config looks like:

discovery-url: http://keycloak-server:8080/auth/realms/master
client-id: proxy-node-server
client-secret: abcabcab-abca-abca-abca-abcabcabcabc
listen: ':3001'
enable-refresh-tokens: true
redirection-url: http://node-server:3000
encryption-key: <ENCRYPTION_KEY>
upstream-url: http://node-server:3000
resources:
- uri: /*
secure-cookie: false

I expect to be able to put Gatekeeper in front of a service that has no knowledge of authentication, authorization, OIDC, etc., but with the redirection-url that doesn't seem possible.

Is there any way to get Gatekeeper to do authnz when needed and just act as a simple proxy when the user is properly authenticated? Or is there something I don't understand where this is not possible?

Jan Garaj
Andrew DiNunzio

1 Answer

Gatekeeper help:

--redirection-url      value redirection url for the oauth callback url, defaults to host header is absent [$PROXY_REDIRECTION_URL]

You will need to use redirection-url only when gatekeeper sits behind a loadbalancer or another reverse proxy. That redirection-url is required for the OpenID Connect flow. When the user is authenticated, then redirect-url is not applied, of course.

Jan Garaj
  • Found an issue that was the [missing client id in the aud for the access token](https://stackoverflow.com/questions/53550321/keycloak-gatekeeper-aud-claim-and-client-id-do-not-match). Still just seeing a blank page, and now getting a 400 instead of a 403, but making progress. Will update if I find anything else. – Andrew DiNunzio Oct 15 '19 at 16:45
  • Turns out express doesn't like ~something about the request~ the size of the headers of the request and considers it malformed (400). I was able to get it working with an echo server. Thanks – Andrew DiNunzio Oct 15 '19 at 17:56
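As an added illustration (not part of the question or answer above), here is the question's Gatekeeper config with the one setting that causes the upstream to need its own callback endpoint shown beside the corrected form. The host name `gatekeeper` and the placeholder secrets are assumptions; everything else is taken from the config in the question.

```yaml
# Added example, not the asker's or the project's own config.
# Gatekeeper listens on :3001 and proxies to the node service on :3000,
# as in the question. Host names and secrets below are placeholders.
discovery-url: http://keycloak-server:8080/auth/realms/master
client-id: proxy-node-server
client-secret: <CLIENT_SECRET>            # placeholder; keep out of version control
listen: ':3001'
enable-refresh-tokens: true
encryption-key: <ENCRYPTION_KEY>          # placeholder; needed so the refresh-token cookie is encrypted

# Weak setting (from the question): the callback is built from the
# upstream address, so the browser is sent to node-server:3000/oauth/callback
# and the node service is forced to implement that endpoint itself.
# redirection-url: http://node-server:3000

# Corrected: the address at which the *browser* reaches Gatekeeper.
# Gatekeeper appends /oauth/callback and handles that path itself, so
# the upstream never sees the OIDC exchange. Only needed when the Host
# header Gatekeeper receives is not the externally reachable address
# (load balancer, another proxy, or a hosts-file alias as in the question).
redirection-url: http://gatekeeper:3001   # assumed host name

upstream-url: http://node-server:3000
resources:
  - uri: /*

# Local plain-HTTP testing only; once TLS terminates at or before
# Gatekeeper this should be true so the session cookie is never sent in clear.
secure-cookie: false
```

The Keycloak client `proxy-node-server` must list `http://gatekeeper:3001/oauth/callback` (or a matching wildcard) under its Valid Redirect URIs, since Keycloak rejects a `redirect_uri` it has not been configured to accept. With the callback handled by Gatekeeper, the node service only ever receives already-authenticated, proxied requests, which is the "simple proxy once authenticated" behaviour the question asks for.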