Please, file a Jira as a feature request, providing all the details.
In this way, we don't miss it.
On Sat, Dec 15, 2018 at 11:02 AM Stan Silvert <ssilvert(a)redhat.com> wrote:
This sounds interesting, but I wouldn't expect much feedback until
January. A lot of the Keycloak team is already on holiday.
On 12/15/2018 5:57 AM, BIDON Frederic wrote:
> Hello all
> I am working on a hybrid use-case in which the API gateway (keycloak-gatekeeper)
checks trafficfrom (i) trusted server-side apps (e.g. serving server-based UIs) and (ii)
browser apps (e.g. react JS apps).
> With case (i), traffic is authenticated against a bearer token in header, which is
never exposed to the end user-agent.With case (ii), authentication is carried out with
encrypted, httpOnly, Secure cookies.
> I am fine with this setup, but for the classical cookie replay attack (however, this
is already strongly mitigated by the httpOnly flag, but not entirely satisfactory).
> So I have been experimenting a bit with introducing an automatic CSRF mechanism in
gatekeeper, based on gorilla/csrf package.
> With CSRF enabled on a per protected resource basis, another encrypted cookie is
carried back and forth to store the CSRF state and a header returned to the client.
Obviously, CSRF check is disabled when a bearer token is present.
> This forces the browser app to add a volatile CSRF token every time it calls a
mutable resource (e.g. with POST, PUT, DELETE) relayed by the gateway.
> I am currently polishing my POC with this feature and would be happy to contribute
it as a PR.
> Pieces of advice, feedback and opinions are welcome.
> keycloak-dev mailing list
keycloak-dev mailing list