[keycloak-dev] [keycloak-gatekeeper] Defense against cookie replay

Stan Silvert ssilvert at redhat.com
Sat Dec 15 08:02:02 EST 2018


This sounds interesting, but I wouldn't expect much feedback until 
January.  A lot of the Keycloak team is already on holiday.

On 12/15/2018 5:57 AM, BIDON Frederic wrote:
> Hello all
> I am working on a hybrid use-case in which the API gateway (keycloak-gatekeeper) checks traffic from (i) trusted server-side apps (e.g. serving server-based UIs) and (ii) browser apps (e.g. react JS apps).
> With case (i), traffic is authenticated against a bearer token in header, which is never exposed to the end user-agent. With case (ii), authentication is carried out with encrypted, httpOnly, Secure cookies.
> I am fine with this setup, but for the classical cookie replay attack (however, this is already strongly mitigated by the httpOnly flag, but not entirely satisfactory).
> So I have been experimenting a bit with introducing an automatic CSRF mechanism in gatekeeper, based on gorilla/csrf package.
> With CSRF enabled on a per protected resource basis, another encrypted cookie is carried back and forth to store the CSRF state and a header returned to the client. Obviously, CSRF check is disabled when a bearer token is present.
>
> This forces the browser app to add a volatile CSRF token every time it calls a mutable resource (e.g. with POST, PUT, DELETE) relayed by the gateway.
> I am currently polishing my POC with this feature and would be happy to contribute it as a PR.
>
> Pieces of advice, feedback and opinions are welcome.
> Cheers,
> Frederic
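A self-contained sketch of the mechanism Frederic describes, added here as an example; it is not keycloak-gatekeeper's code nor the gorilla/csrf package. For brevity it keeps an HMAC of the token in an httpOnly cookie rather than gorilla/csrf's encrypted cookie state (an assumption), hands the token to the browser in an X-CSRF-Token header on safe requests, demands it back on mutating ones, and skips the check entirely when a bearer token is present. The cookie name, header name and key are assumed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"net/http"
	"strings"
)

const csrfCookie, csrfHeader = "gk_csrf", "X-CSRF-Token"

var serverKey = []byte("placeholder-key-load-from-config") // constructed; a real gateway loads a random key

// sign MACs a token so the cookie holds only state the browser cannot forge.
func sign(token string) string {
	m := hmac.New(sha256.New, serverKey)
	m.Write([]byte(token))
	return hex.EncodeToString(m.Sum(nil))
}

// CSRF wraps next: bearer-token calls bypass the check; cookie sessions get a
// token in a response header on safe requests and must echo it on mutating ones.
func CSRF(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
			next.ServeHTTP(w, r) // case (i): no cookie involved, nothing to replay
			return
		}
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions: // safe: issue a fresh token
			b := make([]byte, 32)
			rand.Read(b)
			tok := hex.EncodeToString(b)
			http.SetCookie(w, &http.Cookie{Name: csrfCookie, Value: sign(tok), Path: "/",
				HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode})
			w.Header().Set(csrfHeader, tok)
		default: // mutating (POST, PUT, DELETE, ...): header token must match the cookie state
			c, err := r.Cookie(csrfCookie)
			tok := r.Header.Get(csrfHeader)
			if err != nil || tok == "" || !hmac.Equal([]byte(c.Value), []byte(sign(tok))) {
				http.Error(w, "invalid CSRF token", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}
```

A browser app reads X-CSRF-Token from any GET response and sends it back on its next POST/PUT/DELETE; a replayed cookie alone, without the matching header, is rejected.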