[keycloak-user] keycloak-gatekeeper bearer-only

Pedro Igor Silva psilva at redhat.com
Fri Nov 2 11:27:40 EDT 2018


On Fri, Nov 2, 2018 at 6:36 AM Geoffrey Cleaves <geoff at opticks.io> wrote:

> Hi Eric,
>
> I'm a beginner like you so please consider my responses accordingly.
>
> 1. Often your scenario is similar to a front end app accessing the REST
> API. You can find an example of how to do this here:
>
> https://www.keycloak.org/docs/latest/securing_apps/index.html#_javascript_adapter
> .
> First the user logs in to the front end app, which gets the token and uses
> it for calls to the backend. IMPORTANT: You need to include the backend's
> client id in the front end's aud claim:
> https://bitbucket.org/snippets/gcleaves/5ebB58/sso-keycloak#file-notes.md
>
> Another hurdle you might find using Gatekeeper in this AJAX setup is CORS.
> I believe Gatekeeper has a bug and isn't sending the correct headers:
> https://issues.jboss.org/browse/KEYCLOAK-8722
>
> 2. I have the same question as you. After reading the docs, I think the
> answer is NO. If your back end stack does not have a Keycloak adapter (are
> you using PHP like me?) then you would have to do all the UMA calls
> "manually". There are UMA2 specifications out there which would guide us,
> but I think it's a lot of work. There's also the Gluu oxd
> <https://gluu.org/docs/oxd/> project which seems similar to Keycloak
> Gatekeeper, but I doubt oxd is interoperable with Keycloak.
>

Yes, it is. We recently did collaborative work with the Gluu team to check
interoperability. In fact, they used oxd to check that both the Gluu and
Keycloak ASs could be used to support UMA.


>
> 3. I think that normally a REST service should work with a bearer only
> client, which expects the token and does not do authentication redirection.
> You could instruct your API consumers to get the token directly from
> Keycloak (using a confidential client?) before hitting your Gatekeeper
> endpoint. Once again, keep in mind that by default the token retrieved from
> one client won't work to hit a different client unless you set up the aud
> claim properly.
>
> Hopefully an expert will join and correct me.
>
> Regards,
> Geoffrey Cleaves
>
> On Wed, 31 Oct 2018 at 23:00, Eric Boyd Ramirez <eric.ramirez.sv at gmail.com> wrote:
>
> > Dear All,
> > I am trying to test Keycloak-gatekeeper, have read the docs I could find
> > (keycloak-proxy as well) but I still have a few questions:
> >
> > 1- I am trying to secure a number of REST APIs, configured behind
> > bearer-only clients. I think I need to first get an access token through a
> > confidential client using a 'grant-type=password' request and then do a
> > second request to the REST client resource. Is this the right approach, and
> > how would I implement this using Keycloak-Gatekeeper?
> >
> > 2- Keycloak-Gatekeeper uses uri->methods->roles to manage resource access.
> > Is there a way to use Keycloak's authorization settings to manage access to
> > a client's resource (i.e. policies, permissions, uma-ticket, etc.)?
> >
> > 3- How do I set up multiple clients, do I have to run and configure
> > separate instances of Keycloak-Gatekeeper?
> >
> > Thanks in advance for your time and help.
> >
> > Regards,
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
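The thread's two recurring points, that a token minted for one client is rejected by a bearer-only backend unless its aud claim names that backend (Geoffrey's points 1 and 3), and that Gatekeeper decides access from uri->methods->roles rules (Eric's question 2), are easier to see in a runnable model. The script below is an added example written for this page, not code from Keycloak or keycloak-gatekeeper. It is a deliberately simplified stand-in for what a Gatekeeper-style proxy does with an incoming bearer token: verify the signature, reject expired tokens, require its own client id in aud, then match the request against the resource rules and the roles carried in the token. Assumptions: tokens are constructed here and signed with HS256 and a made-up secret so the script runs offline (Keycloak signs access tokens with the realm's RSA key and a real verifier fetches the JWKS from the discovery URL); the client id `backend-api`, the client `frontend`, the paths, the role names and the fixed clock `NOW` are all invented for the demonstration.

```python
"""Offline model of a Gatekeeper-style bearer-token check (added example).

Not Keycloak or keycloak-gatekeeper code. Tokens are constructed below and
signed with HS256 and a made-up secret so everything runs offline; Keycloak
uses RS256 with the realm key, so a real proxy verifies against the JWKS
published at the discovery URL instead of a shared secret.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"   # assumption: demo key, not a Keycloak key
PROXY_CLIENT_ID = "backend-api"        # assumption: the bearer-only client fronted

# Gatekeeper-style rules, uri -> methods -> roles. A "client:role" name is a
# client role, a bare name a realm role (Gatekeeper's own naming convention).
RESOURCES = [
    {"uri": "/api/orders", "methods": ["GET"], "roles": ["backend-api:reader"]},
    {"uri": "/api/orders", "methods": ["POST", "DELETE"], "roles": ["backend-api:writer"]},
    {"uri": "/api/health", "methods": ["GET"], "roles": []},   # anonymous
]


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims):
    """Build an HS256 JWT carrying Keycloak-shaped claims (constructed input)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token, expected_aud, now=None):
    """Return the claims if signature, expiry and audience all check out, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None                      # forged or tampered token
    claims = json.loads(_unb64url(body))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None                      # expired
    # The JWT spec allows aud to be a single string or a list; accept both.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if expected_aud not in aud:
        return None                      # issued for another client: the aud trap
    return claims


def token_roles(claims):
    """Flatten Keycloak's realm_access and resource_access claims into one set."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    for client, access in claims.get("resource_access", {}).items():
        roles.update(f"{client}:{r}" for r in access.get("roles", []))
    return roles


def authorize(method, path, bearer, now=None):
    """Status a proxy would answer with: 200 = forward upstream, 401/403 = stop."""
    claims = verify_token(bearer, PROXY_CLIENT_ID, now) if bearer else None
    for rule in RESOURCES:
        if rule["uri"] == path and method in rule["methods"]:
            if not rule["roles"]:
                return 200               # anonymous resource
            if claims is None:
                return 401               # no usable token at all
            return 200 if set(rule["roles"]) <= token_roles(claims) else 403
    return 401 if claims is None else 403   # default deny for unlisted paths


NOW = 1_700_000_000   # fixed clock so the results are reproducible

# Token the front end ("frontend") obtained, with an audience mapper adding the
# backend's client id to aud, as Geoffrey's note recommends.
GOOD = mint_token({"azp": "frontend", "aud": ["frontend", "backend-api"], "exp": NOW + 300,
                   "resource_access": {"backend-api": {"roles": ["reader"]}}})
# Same user and roles, but no audience mapper: aud names only the issuing client.
WRONG_AUD = mint_token({"azp": "frontend", "aud": "frontend", "exp": NOW + 300,
                        "resource_access": {"backend-api": {"roles": ["reader"]}}})
EXPIRED = mint_token({"azp": "frontend", "aud": ["backend-api"], "exp": NOW - 1,
                      "resource_access": {"backend-api": {"roles": ["reader"]}}})

if __name__ == "__main__":
    for name, tok in [("good", GOOD), ("wrong-aud", WRONG_AUD), ("expired", EXPIRED)]:
        print(name, "GET /api/orders ->", authorize("GET", "/api/orders", tok, NOW))
    print("good POST /api/orders ->", authorize("POST", "/api/orders", GOOD, NOW))
```

The WRONG_AUD case is the one that trips people up in practice: the signature and the roles are fine, the user is the same, and the proxy still answers 401, because the token was issued for `frontend` and never named the backend. The fix lives in Keycloak (an audience mapper on the front-end client, or a client scope that adds the backend's client id), not in the proxy, which is why Geoffrey's reply keeps returning to the aud claim.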

