12:40 a.m.
Hello everyone,
I'm using Keycloak as an identity manager and since it also provides
optional authorization, I decided to use it to suit my access control
requirements as well. I have multiple microservices that I want to protect
using Keycloak Gatekeeper like the configuration below but with separate
Gatekeepers per service.
--------- ----------- -----------
------------
| UI | ---> | Proxy | ---> | GateK | ---> | Service |
--------- ------------ -----------
------------
| ||
| v
-----------------------------------> Keycloak
Aside from the CORS related issues this creates (KEYCLOAK-9099
<https://issues.jboss.org/browse/KEYCLOAK-9099>), there's another important
issue that I'm struggling with. My UI already has keycloak js integrated
with a public client specifically for itself, which I was using for login
initially. Now that I want to use the Gatekeeper proxy, I want my
login/token refresh to happen on the UI such that it would automatically
generate the requisite cookies for Gatekeeper, because I want to disable
redirection on Gatekeeper and send 401 directly in case of expired/bad/no
token.
a) Is my understanding correct and is this the correct approach?
b) If so, how can I login via Keycloak directly or via Gatekeeper and get
the required cookies (without some proxy-level hacking)?
Right now I'm hovering between a couple of options, from using Kong oidc
with some custom authorization to using Gatekeeper. Any help would be much
appreciated.
Thanks.
Yumna
4:18 a.m.
Hi Yumna,
The CORS issue was fixed, but if persists, please let us know so we can
figure out what's going on.
On 2019-08-31, Yumna Ghazi wrote:
Hello everyone,
I'm using Keycloak as an identity manager and since it also provides
optional authorization, I decided to use it to suit my access control
requirements as well. I have multiple microservices that I want to protect
using Keycloak Gatekeeper like the configuration below but with separate
Gatekeepers per service.
--------- ----------- -----------
------------
| UI | ---> | Proxy | ---> | GateK | ---> | Service |
--------- ------------ -----------
------------
| ||
| v
-----------------------------------> Keycloak
Aside from the CORS related issues this creates (KEYCLOAK-9099
<https://issues.jboss.org/browse/KEYCLOAK-9099>), there's another important
issue that I'm struggling with. My UI already has keycloak js integrated
with a public client specifically for itself, which I was using for login
initially. Now that I want to use the Gatekeeper proxy, I want my
login/token refresh to happen on the UI such that it would automatically
generate the requisite cookies for Gatekeeper, because I want to disable
redirection on Gatekeeper and send 401 directly in case of expired/bad/no
token.
If I understood correctly, you would like to do the authentication
using Gatekeeper and the authorization in the UI right? If that's the
case, I don't think there's an option on Gatekeeper to do this.
But if you provide some code examples with what you're trying to achieve. I
will be more than happy to try and give you an accurate answer.
a) Is my understanding correct and is this the correct approach?
b) If so, how can I login via Keycloak directly or via Gatekeeper and get
the required cookies (without some proxy-level hacking)?
There are two options which may help you "--enable-session-cookies" and
"--enable-authorization-cookies".
Right now I'm hovering between a couple of options, from using Kong oidc
with some custom authorization to using Gatekeeper. Any help would be much
appreciated.
Thanks.
Yumna
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
1935
days inactive
1944
days old
1 comments
2 participants
participants (2)
-
Bruno Oliveira -
Yumna Ghazi