[keycloak-dev] [keycloak-gatekeeper] Defense against cookie replay

Bruno Oliveira bruno at abstractj.org
Mon Dec 17 06:50:28 EST 2018


Please, file a Jira as a feature request, providing all the details.
In this way, we don't miss it.

On Sat, Dec 15, 2018 at 11:02 AM Stan Silvert <ssilvert at redhat.com> wrote:
>
> This sounds interesting, but I wouldn't expect much feedback until
> January.  A lot of the Keycloak team is already on holiday.
>
> On 12/15/2018 5:57 AM, BIDON Frederic wrote:
> > Hello all
> > I am working on a hybrid use-case in which the API gateway (keycloak-gatekeeper) checks traffic from (i) trusted server-side apps (e.g. serving server-based UIs) and (ii) browser apps (e.g. react JS apps).
> > With case (i), traffic is authenticated against a bearer token in header, which is never exposed to the end user-agent. With case (ii), authentication is carried out with encrypted, httpOnly, Secure cookies.
> > I am fine with this setup, but for the classical cookie replay attack (however, this is already strongly mitigated by the httpOnly flag, but not entirely satisfactory).
> > So I have been experimenting a bit with introducing an automatic CSRF mechanism in gatekeeper, based on gorilla/csrf package.
> > With CSRF enabled on a per protected resource basis, another encrypted cookie is carried back and forth to store the CSRF state and a header returned to the client. Obviously, CSRF check is disabled when a bearer token is present.
> >
> > This forces the browser app to add a volatile CSRF token every time it calls a mutable resource (e.g. with POST, PUT, DELETE) relayed by the gateway.
> > I am currently polishing my POC with this feature and would be happy to contribute it as a PR.
> >
> > Pieces of advice, feedback and opinions are welcome.
> > Cheers,
> > Frederic
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev



-- 
- abstractj
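Added example (editor's illustration, not part of this thread and not gatekeeper or gorilla/csrf code): a minimal Go middleware that applies the rule Frederic describes, i.e. a CSRF state cookie plus a token echoed in a response header, checked only on mutating methods, and skipped when an Authorization: Bearer header is present. The names csrfCookieName, csrfHeaderName, CSRFProtector and Exercise are assumed for illustration, as is the signing key; the cookie is HMAC-signed rather than encrypted, a simplification of what the post proposes.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed names for illustration; gorilla/csrf and gatekeeper may use others.
const (
	csrfCookieName = "gatekeeper-csrf"
	csrfHeaderName = "X-CSRF-Token"
)

// CSRFProtector authenticates the CSRF cookie with an HMAC tag (a stand-in for the
// encrypted cookie described in the thread).
type CSRFProtector struct{ key []byte }

func NewCSRFProtector(key []byte) *CSRFProtector { return &CSRFProtector{key: key} }

func (p *CSRFProtector) tag(token string) string {
	m := hmac.New(sha256.New, p.key)
	m.Write([]byte(token))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// issue creates a fresh random token and the signed cookie value "token.tag".
func (p *CSRFProtector) issue() (token, cookieValue string) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	token = base64.RawURLEncoding.EncodeToString(raw)
	return token, token + "." + p.tag(token)
}

// tokenFromCookie verifies the tag in constant time; "" means invalid or absent.
func (p *CSRFProtector) tokenFromCookie(v string) string {
	i := strings.LastIndexByte(v, '.')
	if i < 0 {
		return ""
	}
	token, tag := v[:i], v[i+1:]
	if subtle.ConstantTimeCompare([]byte(tag), []byte(p.tag(token))) != 1 {
		return ""
	}
	return token
}

func isSafeMethod(m string) bool {
	return m == http.MethodGet || m == http.MethodHead || m == http.MethodOptions || m == http.MethodTrace
}

// Protect wraps next: safe methods bootstrap the cookie and return the token in a
// header; mutating methods must present cookie and matching header. Bearer-token
// callers (case (i) in the thread) are exempt: the browser cannot attach a custom
// Authorization header cross-origin without a CORS preflight, so no cookie replay.
func (p *CSRFProtector) Protect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.Header.Get("Authorization"), "Bearer ") {
			next.ServeHTTP(w, r)
			return
		}
		var token string
		if c, err := r.Cookie(csrfCookieName); err == nil {
			token = p.tokenFromCookie(c.Value)
		}
		if token == "" {
			if !isSafeMethod(r.Method) {
				http.Error(w, "forbidden: missing CSRF state", http.StatusForbidden)
				return
			}
			var cv string
			token, cv = p.issue()
			http.SetCookie(w, &http.Cookie{Name: csrfCookieName, Value: cv, Path: "/",
				HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode})
		}
		w.Header().Set(csrfHeaderName, token) // client reads this and sends it back
		if !isSafeMethod(r.Method) &&
			subtle.ConstantTimeCompare([]byte(r.Header.Get(csrfHeaderName)), []byte(token)) != 1 {
			http.Error(w, "forbidden: bad CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Exercise runs four constructed requests and returns their status codes:
// GET bootstrap, POST replaying only the cookie, POST with cookie+header, POST with bearer.
func Exercise() [4]int {
	p := NewCSRFProtector([]byte("example-key-not-for-production")) // assumed key
	h := p.Protect(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	}))
	send := func(r *http.Request) *http.Response {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, r)
		return rec.Result()
	}
	var codes [4]int
	res := send(httptest.NewRequest(http.MethodGet, "/api/items", nil))
	codes[0] = res.StatusCode
	cookie, token := res.Cookies()[0], res.Header.Get(csrfHeaderName)

	replay := httptest.NewRequest(http.MethodPost, "/api/items", nil) // stolen cookie, no header
	replay.AddCookie(cookie)
	codes[1] = send(replay).StatusCode

	good := httptest.NewRequest(http.MethodPost, "/api/items", nil)
	good.AddCookie(cookie)
	good.Header.Set(csrfHeaderName, token)
	codes[2] = send(good).StatusCode

	bearer := httptest.NewRequest(http.MethodPost, "/api/items", nil)
	bearer.Header.Set("Authorization", "Bearer opaque-token")
	codes[3] = send(bearer).StatusCode
	return codes
}

func main() { fmt.Println(Exercise()) }
```

The replayed cookie alone is rejected because the attacker's page cannot read the token header echoed to the legitimate client, which is the property the thread is after; gorilla/csrf additionally masks each token per response to blunt BREACH-style compression attacks, which this stand-in omits.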