[keycloak-user] keycloak-gatekeeper bearer-only

Eric Boyd Ramirez eric.ramirez.sv at gmail.com
Fri Nov 2 13:23:32 EDT 2018


Thanks everyone for your replies, it definitely cleared things up for me. It seems that as a 'generic' adapter Keycloak-Gatekeeper has limited functionality; it's a matter of finding the right use case to take advantage of this tool.

Regards, 

> On Nov 2, 2018, at 9:27 AM, Pedro Igor Silva <psilva at redhat.com> wrote:
> 
> 
> 
> On Fri, Nov 2, 2018 at 6:36 AM Geoffrey Cleaves <geoff at opticks.io> wrote:
> Hi Eric,
> 
> I'm a beginner like you so please consider my responses accordingly.
> 
> 1. Often your scenario is similar to a front end app accessing the REST
> API. You can find an example of how to do this here:
> https://www.keycloak.org/docs/latest/securing_apps/index.html#_javascript_adapter
> First the user logs in to the front end app, which gets the token and uses
> it for calls to the backend. IMPORTANT: You need to include the backend's
> client id in the front end's aud claim:
> https://bitbucket.org/snippets/gcleaves/5ebB58/sso-keycloak#file-notes.md
> 
> Another hurdle you might find using Gatekeeper in this AJAX setup is CORS.
> I believe Gatekeeper has a bug and isn't sending the correct headers:
> https://issues.jboss.org/browse/KEYCLOAK-8722
> 
> 2. I have the same question as you. After reading the docs, I think the
> answer is NO. If your back end stack does not have a Keycloak adapter (are
> you using PHP like me?) then you would have to do all the UMA calls
> "manually". There are UMA2 specifications out there which would guide us,
> but I think it's a lot of work. There's also the Gluu oxd
> <https://gluu.org/docs/oxd/> project which seems similar to Keycloak
> Gatekeeper, but I doubt oxd is interoperable with Keycloak.
> 
> Yes, it is. We recently did collaborative work with the Gluu team to check interoperability. In fact, they used oxd to check that both Gluu and Keycloak ASs could be used to support UMA.
> 
> 
> 3. I think that normally a REST service should work with a bearer only
> client, which expects the token and does not do authentication redirection.
> You could instruct your API consumers to get the token directly from
> Keycloak (using a confidential client?) before hitting your Gatekeeper
> endpoint. Once again, keep in mind that by default the token retrieved from
> one client won't work to hit a different client unless you set up the aud
> claim properly.
> 
> Hopefully an expert will join and correct me.
> 
> Regards,
> Geoffrey Cleaves
> 
> On Wed, 31 Oct 2018 at 23:00, Eric Boyd Ramirez <eric.ramirez.sv at gmail.com>
> wrote:
> 
> > Dear All,
> > I am trying to test Keycloak-gatekeeper, have read the docs I could find
> > (keycloak-proxy as well) but I still have a few questions:
> >
> > 1- I am trying to secure a number of REST APIs, configured behind
> > bearer-only clients. I think I need to first get an access token through a
> > confidential client using a 'grant-type=password' request and then do a
> > second request to the REST client resource. Is this the right approach, and how
> > would I implement this using Keycloak-Gatekeeper?
> >
> > 2- Keycloak-Gatekeeper uses uri->methods->roles to manage resource access.
> > Is there a way to use Keycloak's authorization settings to manage access to
> > a client's resource (i.e. policies, permissions, uma-ticket, etc.)?
> >
> > 3- How do I set up multiple clients, do I have to run and configure
> > separate instances of Keycloak-Gatekeeper?
> >
> > Thanks in advance for your time and help.
> >
> > Regards,
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
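The flow Geoffrey sketches in his point 3 and Eric asks about in question 1 (obtain a token from a confidential client with the password grant, then present it as a bearer token to a bearer-only client fronted by Gatekeeper, having first confirmed the backend's client id is in the token's aud claim), written out as an added example. It is not code from this thread or from the Keycloak project. The realm, client ids, secret and URLs are assumed placeholders, and the offline checks run against a constructed token whose signature segment is a dummy; the real token is RS256-signed by Keycloak and Gatekeeper verifies it against the realm's public key, so the client-side aud check here is only a pre-flight sanity check, not a substitute for that verification.

```python
"""Added example: password grant via a confidential client, aud pre-check,
then a bearer call to a Gatekeeper-protected API. Not Keycloak project code."""
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumed placeholders: realm, client ids, secret and URLs are not real.
KEYCLOAK = "https://keycloak.example.com"
REALM = "demo"
FRONTEND_CLIENT = "cli-client"        # confidential client used to log in
FRONTEND_SECRET = "replace-me"
BACKEND_CLIENT = "orders-api"         # bearer-only client behind Gatekeeper
GATEKEEPER_URL = "https://orders.example.com/api/orders"


def token_endpoint(base: str, realm: str) -> str:
    """OIDC token endpoint for a realm (Keycloak's /auth context path)."""
    return f"{base}/auth/realms/{realm}/protocol/openid-connect/token"


def password_grant_form(username: str, password: str,
                        client_id: str, client_secret: str) -> dict:
    """Form body for the Resource Owner Password Credentials grant."""
    return {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature. Client-side
    pre-flight only; the resource server must verify RS256 itself."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audience_ok(claims: dict, expected: str, now: float = None) -> bool:
    """True if aud (a string or a list per RFC 7519) names `expected`
    and the token has not expired."""
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])
    now = time.time() if now is None else now
    return expected in auds and claims.get("exp", 0) > now


def make_token(claims: dict) -> str:
    """Constructed token for offline tests: real header and payload encoding,
    placeholder signature. Never use unsigned tokens outside a test."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


def fetch_token(username: str, password: str) -> str:
    """Step 1 (network): exchange user credentials for an access token."""
    form = password_grant_form(username, password, FRONTEND_CLIENT, FRONTEND_SECRET)
    req = urllib.request.Request(token_endpoint(KEYCLOAK, REALM),
                                 data=urllib.parse.urlencode(form).encode(),
                                 method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def call_api(access_token: str) -> bytes:
    """Step 2 (network): present the token to the Gatekeeper-fronted API."""
    req = urllib.request.Request(
        GATEKEEPER_URL, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read()


if __name__ == "__main__":
    tok = fetch_token("alice", "secret")
    if not audience_ok(jwt_claims(tok), BACKEND_CLIENT):
        raise SystemExit(f"token does not carry aud={BACKEND_CLIENT}; "
                         "add an Audience mapper to the login client")
    print(call_api(tok))
```

The aud check is where tokens from one client silently stop working against another: Keycloak does not put a second client's id into aud on its own, so the frontend (login) client needs an Audience protocol mapper naming the backend client before Gatekeeper will accept the token for that resource. Treating a bare `aud` string and a list the same way matters because a token with a single audience is issued as a string.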

