[keycloak-dev] Mixed tokens with an upstream application (change request proposal)

Hello everybody, I'm contacting the dev community of Keycloak-Gatekeeper concerning the Keycloak access token lookup behavior. A few links : * The full story is here : https://issues.jboss.org/browse/KEYCLOAK-9885 * Associated PR : https://github.com/keycloak/keycloak-gatekeeper/pull/473 The long story made short : I am deploying an application that has been configured to work behind a proxy. The proxy must set specific HTTP Headers (i.e. X-Auth-Username, X-Auth-Email) if the request is successfully authenticated and forwards the request to the upstream. The application is working in "blind" mode : it looks only for HTTP headers sent by the proxy (the application does not have any Gatekeeper specific configuration). However, in its authentication process, the application set a Bearer token. All queries that are targeting the application API are authenticated against this Bearer token. For now, Keycloak Gatekeeper inspects the Authorization header first in order to verify the Keycloak access token. Since the Bearer token is not issued by Keycloak, but by the proxied application, the token is refused and the request redirected to the SSO. There are no fallback to the cookie if the Authorization header check fails. I would like to propose more tuning about token inspection for an incoming request. I see two approaches for this problem : * Fallback to the cookie checkup if the authorization header is not valid/present * Help the proxy by specifying where to look at the keycloak access token, for example force cookie lookup (my approach with this PR #473<https://github.com/keycloak/keycloak-gatekeeper/pull/473> ) I have chosen the second approach. The goal is to bring more behavior tuning to Keycloak-Gatekeeper : * Being able to configure the Keycloak token lookup (for example force cookie lookup for the access token). * Being able to forward Authorization header "as-is" to the upstream application (without altering it, transparent way). What is your point of view ? Let me know if this email is clear enough. Thank you for your feedback and your kindness for new contributors, Best Regards, Gfi Informatique Nikita Rousseau Alternant DevOps Infrastructures Services nikita.rousseau@gfi.fr<mailto:> Emerald Square, Bâtiment B, Avenue Evariste Galois BP 199, 06904 Sophia Antipolis Cedex Tél : +33 (0)6 25 44 01 37