Hello everyone,
I'm using Keycloak as an identity manager and since it also provides
optional authorization, I decided to use it to suit my access control
requirements as well. I have multiple microservices that I want to protect
using Keycloak Gatekeeper like the configuration below but with separate
Gatekeepers per service.
 ---------      -----------      -----------      ------------
 |  UI   | ---> |  Proxy  | ---> |  GateK  | ---> |  Service |
 ---------      -----------      -----------      ------------
     |                               |
     |                               v
     ---------------------------> Keycloak
Aside from the CORS related issues this creates (KEYCLOAK-9099
<https://issues.jboss.org/browse/KEYCLOAK-9099>), there's another important
issue that I'm struggling with. My UI already has keycloak js integrated
with a public client specifically for itself, which I was using for login
initially. Now that I want to use the Gatekeeper proxy, I want my
login/token refresh to happen on the UI such that it would automatically
generate the requisite cookies for Gatekeeper, because I want to disable
redirection on Gatekeeper and send 401 directly in case of expired/bad/no
token.
a) Is my understanding correct and is this the correct approach?
b) If so, how can I login via Keycloak directly or via Gatekeeper and get
the required cookies (without some proxy-level hacking)?
Right now I'm hovering between a couple of options, from using Kong oidc
with some custom authorization to using Gatekeeper. Any help would be much
appreciated.
Thanks.
Yumna
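A sketch of the UI-side call described above, as an added example that is not part of the original post and not Keycloak's or Gatekeeper's own code: keycloak-js refreshes the token, the request carries it as a Bearer header through the proxy, and a plain 401 from a non-redirecting Gatekeeper is handled in the client instead of via a redirect. It assumes `kc` is a keycloak-js instance exposing `token` and `updateToken(minValidity)`, and that Gatekeeper accepts an `Authorization: Bearer` header; `authFetch`, `makeFakeKeycloak` and `makeFakeGatekeeper` are hypothetical names, and the two fakes are constructed stand-ins so the wrapper runs offline.

```javascript
// Added example (not from the original post). Assumptions: `kc` behaves like a
// keycloak-js instance (`token` string, `updateToken(minValidity)` returning a
// Promise<boolean>), and Gatekeeper runs with redirects disabled so a
// missing/expired/bad token yields a 401 rather than a redirect to the login page.
// `fetchImpl` is injected so the wrapper can be exercised without a browser.

async function authFetch(kc, url, options = {}, fetchImpl = fetch) {
  // Refresh the access token if it expires within 30 s. keycloak-js resolves
  // true when it refreshed and false when the current token was still valid;
  // it rejects when the refresh token itself is gone, i.e. the session is dead.
  try {
    await kc.updateToken(30);
  } catch (err) {
    return { status: 401, reason: 'refresh-failed' };
  }
  // Carry the token explicitly; no Gatekeeper cookie is needed for this path.
  const headers = { ...(options.headers || {}), Authorization: `Bearer ${kc.token}` };
  const res = await fetchImpl(url, { ...options, headers });
  if (res.status === 401) {
    // Gatekeeper rejected the token; the UI decides whether to re-login.
    return { status: 401, reason: 'rejected-by-gatekeeper' };
  }
  return { status: res.status, body: await res.json() };
}

// Constructed stand-in for keycloak-js (hypothetical helper).
function makeFakeKeycloak(token, refreshOk = true) {
  return {
    token,
    updateToken: async () => {
      if (!refreshOk) throw new Error('refresh token expired');
      return false; // current token still valid, nothing refreshed
    },
  };
}

// Constructed stand-in for a Gatekeeper with redirects disabled: it only
// accepts the one token it was given and answers 401 for anything else.
function makeFakeGatekeeper(validToken) {
  return async (_url, init) => {
    const auth = (init && init.headers && init.headers.Authorization) || '';
    if (auth !== `Bearer ${validToken}`) {
      return { status: 401, json: async () => ({}) };
    }
    return { status: 200, json: async () => ({ ok: true }) };
  };
}
```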