Hi Bruno,
this was exactly what we were looking for, thank you.
Would be great if this also gets merged sometime soon.
Best regards,
On Thu, 20 Jun 2019 at 17:10, Bruno Oliveira <bruno(a)abstractj.org> wrote:
Hi Jody, no need to be sorry. The more details, the better. Are you looking for something like this[1]?
[1] - https://github.com/keycloak/keycloak-gatekeeper/pull/445
On 2019-06-20, Jody H wrote:
> Hi,
>
> I am trying to use the Keycloak Gatekeeper proxy and have found a problem I can't seem to solve.
>
> I have a service which is hosting a webservice and an api.
> Keycloak gatekeeper is protecting this application.
> I have another webservice which is making requests to this api.
> I have encrypted tokens/cookies enabled in my gatekeeper config.
> I have looked into the source code of gatekeeper to figure out how the
> token is being decrypted, when it is coming inside of the Authorization
> header instead of a cookie. It is like this:
>
> 1) The token is read from the "Authorization: Bearer" header:
> https://github.com/keycloak/keycloak-gatekeeper/blob/master/session.go#L75
> 2) If encryption is enabled, the access token needs to be decrypted:
> https://github.com/keycloak/keycloak-gatekeeper/blob/master/session.go#L3...
> 3) Before decryption, the access token from the Authorization header will be base64-decoded:
> https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L197
> 4) After decoding, it will be decrypted by AES-GCM:
> https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L167...
>
> I can't seem to figure out how to make requests to the gatekeeper proxy so that the access token I pass in the Authorization header can be read by the gatekeeper. I have checked multiple times that the key I use to encrypt my access token is identical to the one I use in the gatekeeper config.
> I am using this javascript code to encrypt my data:
> https://gist.github.com/chrisveness/43bcda93af9f646d083fad678071b90a - then after encryption, I base64 encode it and add it to the "Authorization: Bearer [base64-encoded encrypted-access-token]" header. The error gatekeeper gives me is this:
> https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L204
>
> The relevant javascript code looks like this:
>
> // key is equal to the one in the gatekeeper config
> const key = "MY_KEY_HERE_WITH_32_CHARACTERS";
> // aesGcmEncrypt comes from the gist linked above
> const ciphertext = await aesGcmEncrypt(keycloak.token, key);
> console.log(ciphertext);
>
> var req = new XMLHttpRequest();
> req.open('GET', url, true);
> req.setRequestHeader('Accept', 'application/json');
> req.setRequestHeader('Authorization', 'Bearer ' + btoa(ciphertext));
>
> req.onreadystatechange = function () {
>     if (req.readyState == 4) {
>         if (req.status == 200) {
>             document.getElementById("userid").innerHTML = req.responseText + " (" + new Date() + ")";
>         } else if (req.status == 403) {
>             console.log('Forbidden');
>         } else if (req.status == 401) {
>             console.log('Unauthorized');
>         }
>     }
> }
>
> req.send();
>
> Can someone help me out? Sorry for the wall of text and thanks in advance!
>
> Best regards,
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
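The four-step decrypt path Jody traces (read the Bearer value, base64-decode it, open it with AES-GCM under the configured key) can be checked end to end outside the proxy. The Go program below is an added example written for this page; it is not gatekeeper's own code. It assumes the layout the thread describes, a random 12-byte nonce prepended to the ciphertext and tag, and it assumes standard padded base64; gatekeeper may use a different base64 variant, so confirm that against the utils.go lines linked above before relying on it. The function names, the 32-byte key and the token string are all constructed for the example. It also shows the two ways a client-side encryptor most often goes wrong: each side deriving a different key from the same string (here one side hashes it with SHA-256), and an extra base64 layer wrapped around a value that is already base64.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Constructed sample inputs for the example; not real secrets or tokens.
var sampleKey = []byte("0123456789abcdef0123456789abcdef") // exactly 32 bytes -> AES-256

const sampleToken = "eyJhbGciOiJSUzI1NiJ9.constructed.sample" // placeholder, not a real JWT

// newGCM builds an AES-GCM AEAD from the raw key bytes. aes.NewCipher rejects
// any key that is not 16, 24 or 32 bytes, so a passphrase of the wrong length
// fails here rather than producing garbage later.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptToken is the client side: seal the access token and return the value
// to place after "Bearer ". Assumed layout: base64(nonce || ciphertext || tag).
func encryptToken(tokenPlain string, key []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes, fresh for every message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(tokenPlain), nil) // nonce is the prefix of the output
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// decryptToken is the proxy side: base64-decode, split off the nonce, open.
// A wrong key, a wrong encoding layer and a tampered token all fail at gcm.Open.
func decryptToken(bearer string, key []byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(bearer)
	if err != nil {
		return "", fmt.Errorf("bearer value is not base64: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short to hold a nonce")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", fmt.Errorf("AES-GCM open failed: %w", err)
	}
	return string(plain), nil
}

// roundTrip returns whether a matching client/proxy pair succeeds, plus the
// errors produced by the two mismatches discussed in the thread.
func roundTrip() (ok bool, wrongKeyErr, doubleBase64Err error) {
	bearer, err := encryptToken(sampleToken, sampleKey)
	if err != nil {
		return false, err, err
	}
	got, err := decryptToken(bearer, sampleKey)
	ok = err == nil && got == sampleToken

	// Mismatch 1: the client hashes the configured string into its AES key
	// while the proxy uses the raw bytes. Same config value, different key.
	derived := sha256.Sum256(sampleKey)
	_, wrongKeyErr = decryptToken(bearer, derived[:])

	// Mismatch 2: base64-encoding a value that is already base64 (btoa() on
	// the encrypt helper's output). It decodes cleanly, then fails the tag check.
	_, doubleBase64Err = decryptToken(base64.StdEncoding.EncodeToString([]byte(bearer)), sampleKey)
	return ok, wrongKeyErr, doubleBase64Err
}

func main() {
	ok, wrongKey, doubleB64 := roundTrip()
	fmt.Println("round trip ok:", ok)
	fmt.Println("key derived differently on each side:", wrongKey)
	fmt.Println("extra base64 layer around the ciphertext:", doubleB64)
}
```

The two failure cases produce the same authentication error from gcm.Open, which is why a key that "looks identical" in both configs is not enough: the bytes fed to aes.NewCipher on both sides must be identical, and exactly one base64 layer may sit between the sealed bytes and the header. One caveat on the approach itself: a service that encrypts tokens for the proxy holds the proxy's symmetric key and can forge any cookie or header the proxy will accept, so that key should be scoped to trusted first-party callers only.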