[keycloak-dev] [keycloak-gatekeeper] Defense against cookie replay

BIDON Frederic fredbi at yahoo.com
Sat Dec 15 05:57:35 EST 2018

Hello all
I am working on a hybrid use-case in which the API gateway (keycloak-gatekeeper) checks traffic from (i) trusted server-side apps (e.g. serving server-based UIs) and (ii) browser apps (e.g. react JS apps).
With case (i), traffic is authenticated against a bearer token in header, which is never exposed to the end user-agent. With case (ii), authentication is carried out with encrypted, httpOnly, Secure cookies.
I am fine with this setup, but for the classical cookie replay attack (however, this is already strongly mitigated by the httpOnly flag, but not entirely satisfactory).
So I have been experimenting a bit with introducing an automatic CSRF mechanism in gatekeeper, based on gorilla/csrf package.
With CSRF enabled on a per protected resource basis, another encrypted cookie is carried back and forth to store the CSRF state and a header returned to the client. Obviously, CSRF check is disabled when a bearer token is present.

This forces the browser app to add a volatile CSRF token every time it calls a mutable resource (e.g. with POST, PUT, DELETE) relayed by the gateway.
I am currently polishing my POC with this feature and would be happy to contribute it as a PR. 

Pieces of advice, feedback and opinions are welcome.
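The gate logic described in the post (skip the CSRF check when a bearer token is present, enforce it only on mutating methods, and otherwise require the header token to match the state carried in the cookie), as an added stand-alone Go example; it is not gatekeeper's or gorilla/csrf code. The key, cookie name and header name are constructed, and the cookie holds plain HMAC-bound state rather than the encrypted state the post uses.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"net/http"
	"strings"
)

// Constructed demo key and names; a deployment would load the key from configuration.
var csrfKey = []byte("constructed-demo-key-not-for-production")

const (
	csrfCookie = "csrf_state"   // state cookie (encrypted in the post; plain HMAC state here)
	csrfHeader = "X-CSRF-Token" // header the browser app must echo back on mutating calls
)

// tokenFor derives the header token bound to a given cookie state.
func tokenFor(state string) string {
	m := hmac.New(sha256.New, csrfKey)
	m.Write([]byte(state))
	return hex.EncodeToString(m.Sum(nil))
}

// isMutating reports whether the method changes state and so needs the check.
func isMutating(method string) bool {
	switch method {
	case http.MethodPost, http.MethodPut, http.MethodPatch, http.MethodDelete:
		return true
	}
	return false
}

// hasBearer: server-side apps (case i) authenticate with a bearer token and skip CSRF.
func hasBearer(r *http.Request) bool {
	return strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ")
}

// Allowed applies the gate: bearer or safe method passes; otherwise header must match cookie.
func Allowed(r *http.Request) bool {
	if hasBearer(r) || !isMutating(r.Method) {
		return true
	}
	c, err := r.Cookie(csrfCookie)
	if err != nil || c.Value == "" {
		return false
	}
	return hmac.Equal([]byte(tokenFor(c.Value)), []byte(r.Header.Get(csrfHeader)))
}
```

A middleware wrapping each protected resource would call Allowed and answer 403 when it returns false; the constant-time hmac.Equal keeps the header comparison from leaking timing.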
