[keycloak-user] Keycloak Gatekeeper configuration with SPA

Yumna Ghazi yumnaghazi at gmail.com
Sat Aug 31 01:40:54 EDT 2019


Hello everyone,

I'm using Keycloak as an identity manager and since it also provides
optional authorization, I decided to use it to suit my access control
requirements as well. I have multiple microservices that I want to protect
using Keycloak Gatekeeper like the configuration below but with separate
Gatekeepers per service.

 ---------          -----------          -----------          -----------
|   UI   |  --->   |  Proxy  |  --->   |  GateK  |  --->   | Service |
 ---------          -----------          -----------          -----------
     |                                       |
     |                                       v
     --------------------------------->  Keycloak

Aside from the CORS related issues this creates (KEYCLOAK-9099
<https://issues.jboss.org/browse/KEYCLOAK-9099>), there's another important
issue that I'm struggling with. My UI already has keycloak js integrated
with a public client specifically for itself, which I was using for login
initially. Now that I want to use the Gatekeeper proxy, I want my
login/token refresh to happen on the UI such that it would automatically
generate the requisite cookies for Gatekeeper, because I want to disable
redirection on Gatekeeper and send 401 directly in case of expired/bad/no
token.

a) Is my understanding correct and is this the correct approach?
b) If so, how can I login via Keycloak directly or via Gatekeeper and get
the required cookies (without some proxy-level hacking)?

Right now I'm hovering between a couple of options, from using Kong oidc
with some custom authorization to using Gatekeeper. Any help would be much
appreciated.

Thanks.
Yumna
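Added example, not code from the original post or from the Keycloak project: the client side of the setup sketched above, i.e. a single-page app that already holds a keycloak-js session and calls services sitting behind Keycloak Gatekeeper. It assumes the Gatekeeper runs with `no-redirects: true` (answer 401 rather than redirect to the login page) and accepts the access token from an `Authorization: Bearer` header, so the SPA never needs the proxy's own cookie. `keycloak` stands for a keycloak-js instance exposing `token`, `updateToken(minValidity)` (a promise resolving to true when the token was refreshed) and `login()`; `fetchImpl` is injected so the wrapper can be exercised offline against the constructed fakes at the bottom. The names `createAuthFetch`, `bearerHeaders`, `classify`, `fakeGatekeeper`, `fakeKeycloak` and `demo` are this example's own.

```javascript
// Added example (not from the original post or the Keycloak project). Assumes a
// Gatekeeper with `no-redirects: true` that accepts `Authorization: Bearer`.
const MIN_VALIDITY_SECONDS = 30; // refresh when the token expires within 30s

// Attach the access token as a bearer header, keeping any caller headers.
function bearerHeaders(token, extra = {}) {
  if (!token) throw new Error('no access token available; login required');
  return { ...extra, Authorization: `Bearer ${token}` };
}

// Map a Gatekeeper/service status to what the SPA should do next.
function classify(status) {
  if (status === 401) return 'login';     // missing, expired or bad token
  if (status === 403) return 'forbidden'; // authenticated, but resource/role denied
  return 'ok';
}

// Build a fetch wrapper bound to one keycloak-js instance.
function createAuthFetch(keycloak, fetchImpl) {
  return async function authFetch(url, options = {}) {
    let refreshed = false;
    try {
      // Renew the access token before it expires so the proxy rarely sees a stale one.
      refreshed = await keycloak.updateToken(MIN_VALIDITY_SECONDS);
    } catch (err) {
      // The refresh token itself expired or was revoked: start a fresh login.
      keycloak.login();
      throw new Error('token refresh failed; login started');
    }
    const response = await fetchImpl(url, {
      ...options,
      headers: bearerHeaders(keycloak.token, options.headers),
    });
    const outcome = classify(response.status);
    if (outcome === 'login') keycloak.login(); // proxy rejected the token: re-authenticate
    return { outcome, refreshed, response };
  };
}

// Constructed stand-in for a Gatekeeper (no-redirects: true) in front of a service:
// a known bearer token is let through, anything else is answered with 401.
function fakeGatekeeper(validTokens) {
  return async (url, options) => {
    const auth = (options.headers || {}).Authorization || '';
    const token = auth.startsWith('Bearer ') ? auth.slice(7) : '';
    if (!validTokens.has(token)) return { status: 401, body: 'unauthorized' };
    return { status: 200, body: `hello from ${url}` };
  };
}

// Constructed keycloak-js stand-in: a session whose token can be refreshed or revoked.
function fakeKeycloak(token, validTokens) {
  return {
    token,
    nearExpiry: false,
    logins: 0,
    async updateToken() {
      if (!this.nearExpiry) return false;     // still valid, nothing to do
      this.token = `${this.token}-refreshed`; // rotated by Keycloak
      validTokens.add(this.token);
      this.nearExpiry = false;
      return true;
    },
    login() { this.logins += 1; },
  };
}

// Three calls: valid token, token refreshed just before the call, token revoked
// behind the SPA's back (Gatekeeper answers 401, the SPA starts a login).
async function demo() {
  const valid = new Set(['tok-1']);
  const kc = fakeKeycloak('tok-1', valid);
  const authFetch = createAuthFetch(kc, fakeGatekeeper(valid));
  const results = [];
  let r = await authFetch('/orders');
  results.push([r.outcome, r.refreshed]);
  kc.nearExpiry = true;
  r = await authFetch('/orders');
  results.push([r.outcome, r.refreshed]);
  valid.delete(kc.token);
  r = await authFetch('/orders');
  results.push([r.outcome, r.refreshed]);
  return { results, logins: kc.logins };
}

demo().then((out) => console.log(JSON.stringify(out)));
```

With a real keycloak-js instance the same wrapper is `createAuthFetch(keycloak, window.fetch)`; the refresh-before-call step is what keeps the proxy from seeing expired tokens, and the 401 branch is the only place a login is triggered, which is the behaviour `no-redirects: true` is meant to enable.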

