Hi Jody, I'm glad that worked for you. I just returned from travel
and will try to do a proper review/merge.
On 2019-06-25, Jody H wrote:
Hi Bruno,
this was exactly what we were looking for, thank you.
Would be great if this also gets merged sometime soon.
Best regards,
On Thu, 20 June 2019 at 17:10, Bruno Oliveira <bruno(a)abstractj.org> wrote:
> Hi Jody, don't need to be sorry. The more details, the better. Are you
> looking for something like this[1] ?
>
> [1] - https://github.com/keycloak/keycloak-gatekeeper/pull/445
>
> On 2019-06-20, Jody H wrote:
> > Hi,
> >
> > I am trying to use the Keycloak Gatekeeper proxy and have found a problem I
> > can't seem to solve.
> >
> > I have a service which is hosting a webservice and an api.
> > Keycloak gatekeeper is protecting this application.
> > I have another webservice which is making requests to this api.
> > I have encrypted tokens/cookies enabled in my gatekeeper config.
> > I have looked into the source code of gatekeeper to figure out how the
> > token is being decrypted, when it is coming inside of the Authorization
> > header instead of a cookie. It is like this:
> >
> > 1) The token is read from the "Authorization: Bearer" header:
> >
> > https://github.com/keycloak/keycloak-gatekeeper/blob/master/session.go#L75
> > 2) If encryption is enabled, the access token needs to be decrypted:
> >
> > https://github.com/keycloak/keycloak-gatekeeper/blob/master/session.go#L3...
> > 3) Before decryption, the access token from the Authorization header will
> > be base64-decoded:
> >
> > https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L197
> > 4) After decoding, it will be decrypted by AES-GCM:
> >
> > https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L167...
> >
> > I can't seem to figure out how to make requests to the gatekeeper proxy so
> > that the access token I pass in the Authorization header can be read by the
> > gatekeeper. I have checked multiple times that the key I use to encrypt my
> > access token is identical to the one I use in the gatekeeper config.
> > I am using this javascript code to encrypt my data:
> > https://gist.github.com/chrisveness/43bcda93af9f646d083fad678071b90a - then
> > after encryption, I base64 encode it and add it to the "Authorization:
> > Bearer [base64-encoded encrypted-access-token]" header. The error
> > gatekeeper gives me is this:
> >
> > https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L204
> >
> > The relevant javascript code looks like this:
> > const key = "MY_KEY_HERE_WITH_32_CHARACTERS"; // key is equal to the one in
> >                                                // the gatekeeper config
> > const ciphertext = await aesGcmEncrypt(keycloak.token, key);
> > console.log(ciphertext);
> > var req = new XMLHttpRequest();
> > req.open('GET', url, true);
> > req.setRequestHeader('Accept', 'application/json');
> > req.setRequestHeader('Authorization', 'Bearer ' + btoa(ciphertext));
> >
> > req.onreadystatechange = function () {
> >   if (req.readyState == 4) {
> >     if (req.status == 200) {
> >       document.getElementById("userid").innerHTML = req.responseText + " (" + new Date() + ")";
> >     } else if (req.status == 403) {
> >       console.log('Forbidden');
> >     } else if (req.status == 401) {
> >       console.log('Unauthorized');
> >     }
> >   }
> > }
> >
> > req.send();
> >
> > Can someone help me out? Sorry for the wall of text and thanks in advance!
> >
> > Best regards,
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
>
> abstractj
>