[keycloak-user] keycloak-gatekeeper bearer-only

Bruno Oliveira bruno at abstractj.org
Fri Nov 2 11:12:38 EDT 2018


Hi Geoffrey,

On Fri, Nov 2, 2018 at 6:34 AM Geoffrey Cleaves <geoff at opticks.io> wrote:
>
> Hi Eric,
>
> I'm a beginner like you so please consider my responses accordingly.
>
> 1. Often your scenario is similar to a front end app accessing the REST
> API. You can find an example of how to do this here:
> https://www.keycloak.org/docs/latest/securing_apps/index.html#_javascript_adapter.
> First the user logs in to the front end app, which gets the token and uses
> it for calls to the backend. IMPORTANT: You need to include the backend's
> client id in the front end's aud claim:
> https://bitbucket.org/snippets/gcleaves/5ebB58/sso-keycloak#file-notes.md
>
> Another hurdle you might find using Gatekeeper in this AJAX setup is CORS.
> I believe Gatekeeper has a bug and isn't sending the correct headers:
> https://issues.jboss.org/browse/KEYCLOAK-8722
>
> 2. I have the same question as you. After reading the docs, I think the
> answer is NO. If your back end stack does not have a Keycloak adapter (are
> you using PHP like me?) then you would have to do all the UMA calls
> "manually". There are UMA2 specifications out there which would guide us,
> but I think it's a lot of work. There's also the Gluu oxd
> <https://gluu.org/docs/oxd/> project which seems similar to Keycloak
> Gatekeeper, but I doubt oxd is interoperable with Keycloak.

You are correct about this. It's a lot of work :) But nothing stops us
from planning and capturing it in Jiras.
Feel free to do this if possible.

>
> 3. I think that normally a REST service should work with a bearer only
> client, which expects the token and does not do authentication redirection.
> You could instruct your API consumers to get the token directly from
> Keycloak (using a confidential client?) before hitting your Gatekeeper
> endpoint. Once again, keep in mind that by default the token retrieved from
> one client won't work to hit a different client unless you set up the aud
> claim properly.

Like I mentioned to Eric, the scope of gatekeeper is to act more as a
sidecar, instead of a proxy. So you pretty much need to deploy one
gatekeeper per client.

>
> Hopefully an expert will join and correct me.
>
> Regards,
> Geoffrey Cleaves
>
> On Wed, 31 Oct 2018 at 23:00, Eric Boyd Ramirez <eric.ramirez.sv at gmail.com>
> wrote:
>
> > Dear All,
> > I am trying to test Keycloak-gatekeeper, have read the docs I could find
> > (keycloak-proxy as well) but I still have a few questions:
> >
> > 1- I am trying to secure a number of REST APIs, configured behind
> > bearer-only clients. I think I need to first get an access token through a
> > confidential client using a 'grant-type=password' request and then do a
> > second request to the REST client resource. Is this the right approach, how
> > would I implement this using Keycloak-Gatekeeper?
> >
> > 2- Keycloak-Gatekeeper uses uri->methods->roles to manage resource access.
> > Is there a way to use Keycloak's authorization settings to manage access to
> > a client's resource (i.e. policies, permissions, uma-ticket, etc.)?
> >
> > 3- How do I set up multiple clients, do I have to run and configure
> > separate instances of Keycloak-Gatekeeper?
> >
> > Thanks in advance for your time and help.
> >
> > Regards,
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >



-- 
- abstractj
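The thread's recurring point is that a token issued to the front-end client is rejected by a bearer-only back-end client unless the back-end's client id appears in the token's aud claim. The following is an added example, not code from the thread or from Keycloak/Gatekeeper, showing the check a bearer-only resource performs; it assumes HS256 with a constructed shared secret only so it runs offline (Keycloak signs with RS256), and the client ids are constructed placeholders.

```python
"""Added example (not from the mailing-list thread): a bearer-only resource
verifies the token signature first, then requires its own client id in `aud`.
Assumptions: HS256 with a constructed secret stands in for the realm key
(Keycloak uses RS256); client ids below are constructed placeholders."""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # stand-in for the realm's signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Mint a compact HS256 JWT for the constructed claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{_b64url(mac.digest())}"


def accept_bearer(token: str, resource_client_id: str) -> tuple:
    """Return (accepted, reason). Signature is checked before any claim is
    trusted; `aud` may be a single string or a list in Keycloak tokens."""
    header, payload, sig = token.split(".")
    mac = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if resource_client_id not in audiences:
        return False, f"aud {audiences} does not include {resource_client_id}"
    return True, "ok"
```

The first case mirrors Geoffrey's warning: a token whose aud is only the default "account" is refused by the "rest-api" client until an audience mapper adds it.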