[keycloak-user] Keycloak and Gatekeeper HTTP Redirects strange issue
Sankar P
sankar.curiosity at gmail.com
Sat Nov 2 03:38:48 EDT 2019
Hi
I have deployed keycloak and keycloak-gatekeeper in kubernetes and running
into a strange issue, that I want to check here.
I have the following architecture. I have a kubernetes ingress, which
forwards all incoming request to a gatekeeper pod. I have configured the
gatekeeper to check for authentication against a keycloak pod. Once the
gatekeeper verifies that the authentication is successful, the requests are
forwarded to a different 3rd pod which has an angular app served from
nginx. I use the default keycloak login page to authenticate my angular app.
Now, this is all fine and everything works fine. When I launch my app, for
the first time, the request initially goes to the gatekeeper, then gets
redirected to the keycloak login page, then after login, my angularapp is
loaded in the browser.
However, in my angular app, in addition to the GET calls in the main thread
using the browser address bar, I also make some POST calls in a thread.
These POST calls too make use of the cookies in the browser and things work
fine, until:
After an initial timeout of about 30 minutes or so, the gatekeeper responds
with a `HTTP 302` for my POST calls because the token is timed out. Now the
gatekeeper also sends me a `Location`, something like:
`/oauth/authorize?state=00000000-0000-0000-0000-000000000001` with a uuid.
In the normal browser GET flow, if this response was obtained, the browser
would do a HTTP GET to the same `location` and it woudl get another `307`
after that and then the original requested url will be loaded. However, in
my case, since the `302` was received for a `POST` call, the browser
attempts to make a `POST
<my-ip>/oauth/authorize?state=00000000-0000-0000-0000-000000000001` call
and this gets a `403` error from the gatekeeper (or the keycloak).
I cannot receive `302` in my angular-app and change the HTTP method from
`POST` to `GET` because the browsers do not allow the javascript
applications to receive the 3XX responses. See:
https://stackoverflow.com/questions/58661577/angular-httpclient-receive-and-handle-302-307response-code-disable-redirect
I want to use the keycloak login screen. I do not mind writing a different
adapter instead of using gatekeeper but I prefer to use the standard
gatekeeper. Now is there a way for a browser application to make GET as
well as POST calls, using a single session, but correctly handle the
redirects ?
Is there something that I am missing ?
One approach that I could think of is, if it is gatekeeper that is
returning the `302` or `307` then I could replace gatekeeper with my custom
adapter built using gatekeeper (or even better contribute a patch to add an
option to gatekeeper) where instead of 3XX I can return a 401 or a (400
with a custom status text) to refresh the Auth token that I have in the
browser cookie.
Or is there a better approach ? I believe that using GET and POST calls in
a single app will not be a rare scenario. How do existing users handle
sessions in this case ?
Thanks.
--
Sankar P
http://psankar.blogspot.com
More information about the keycloak-user
mailing list