[keycloak-user] keycloak-gatekeeper bearer-only

Geoffrey Cleaves geoff at opticks.io
Fri Nov 2 05:32:00 EDT 2018


Hi Eric,

I'm a beginner like you so please consider my responses accordingly.

1. Often your scenario is similar to a front end app accessing the REST
API. You can find an example of how to do this here:
https://www.keycloak.org/docs/latest/securing_apps/index.html#_javascript_adapter.
First the user logs in to the front end app, which gets the token and uses
it for calls to the backend. IMPORTANT: You need to include the backend's
client id in the front end's aud claim:
https://bitbucket.org/snippets/gcleaves/5ebB58/sso-keycloak#file-notes.md

Another hurdle you might find using Gatekeeper in this AJAX setup is CORS.
I believe Gatekeeper has a bug and isn't sending the correct headers:
https://issues.jboss.org/browse/KEYCLOAK-8722

2. I have the same question as you. After reading the docs, I think the
answer is NO. If your back end stack does not have a Keycloak adapter (are
you using PHP like me?) then you would have to do all the UMA calls
"manually". There are UMA2 specifications out there which would guide us,
but I think it's a lot of work. There's also the Gluu oxd
<https://gluu.org/docs/oxd/> project which seems similar to Keycloak
Gatekeeper, but I doubt oxd is interoperable with Keycloak.

3. I think that normally a REST service should work with a bearer only
client, which expects the token and does not do authentication redirection.
You could instruct your API consumers to get the token directly from
Keycloak (using a confidential client?) before hitting your Gatekeeper
endpoint. Once again, keep in mind that by default the token retrieved from
one client won't work to hit a different client unless you set up the aud
claim properly.

Hopefully an expert will join and correct me.

Regards,
Geoffrey Cleaves
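The aud point in 1 and 3 above, as an added example that is not part of the original post: a bearer-only style check that accepts a token only when its aud claim names the backend's client id. The HS256 secret, the client ids and the two tokens are constructed stand-ins for Keycloak's RS256 realm key and real access tokens.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values: a symmetric secret stands in for the realm key,
# and both client ids are hypothetical.
SECRET = b"demo-realm-secret"
FRONTEND = "frontend-app"
BACKEND = "backend-api"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims: dict) -> str:
    """Issue a compact HS256 JWT (stands in for a Keycloak-issued access token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_for_client(token: str, client_id: str) -> tuple:
    """Bearer-only check: the signature must hold and aud must name client_id.
    RFC 7519 allows aud to be a single string or an array, so both are handled."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body))
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in audiences:
        return False, f"aud {audiences} does not include {client_id}"
    return True, "ok"


# Constructed token as the front end gets it when aud names only another client:
default_token = mint({"sub": "alice", "azp": FRONTEND, "aud": "account"})
# Same login after an audience mapper adds the backend's client id to aud:
mapped_token = mint({"sub": "alice", "azp": FRONTEND, "aud": ["account", BACKEND]})
```

Without the audience mapper the first token is rejected by the backend even though its signature is valid; only the second passes.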

On Wed, 31 Oct 2018 at 23:00, Eric Boyd Ramirez <eric.ramirez.sv at gmail.com>
wrote:

> Dear All,
> I am trying to test Keycloak-gatekeeper, have read the docs I could find
> (keycloak-proxy as well) but I still have a few questions:
>
> 1- I am trying to secure a number of REST APIs, configured behind
> bearer-only clients. I think I need to first get an access token through a
> confidential client using a 'grant-type=password' request and then do a
> second request to the REST client resource. Is this the right approach, how
> would I implement this using Keycloak-Gatekeeper?
>
> 2- Keycloak-Gatekeeper uses uri->methods->roles to manage resource access.
> Is there a way to use Keycloak's authorization settings to manage access to
> a client's resource (i.e. policies, permissions, uma-ticket, etc.)?
>
> 3- How do I set up multiple clients, do I have to run and configure
> separate instances of Keycloak-Gatekeeper?
>
> Thanks in advance for your time and help.
>
> Regards,
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>