[keycloak-user] Serving SPA + API with keycloak-gatekeeper

Rafael Almeida almeidaraf at gmail.com
Fri Jul 5 16:39:53 EDT 2019


Hello,

I think I must be missing something. I have a SPA and a backend. Currently,
for simplicity, they are being served together from the same hostname (and
server). I was able to configure keycloak-gatekeeper in front of it and
everything seemed to work well at first. The / (root), which serves my SPA,
redirects the user and, after they login, all endpoints become available.

However, if the user logs out and still has the SPA loaded, the JavaScript
will attempt to make requests to the API, but it will be unauthorized at
this time. The API, however, instead of giving out a helpful 401, will
respond with a 307. Understandable.

I looked into the gatekeeper's docs and there is a no-redirects option.
However, it's a global one, rather than per endpoint. That means that the
only option to get the behaviour I want is to have two gatekeepers, one for
the API and the other for the SPA, both sharing the same encryption key (so
that they use the same session). They also need to be behind the same load
balancer so they share hostnames. I think that'd work but it seems rather
cumbersome. What am I missing? Am I doing things in a very unusual way? How
else could I set this up?

Thanks,
Rafael
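The two-gatekeeper split described in the question, written out as an added example (not part of the thread): one keycloak-gatekeeper config for the SPA that redirects to the login page, and one for the API with `no-redirects` so unauthenticated calls get a 401. Both use the same client and the same `encryption-key`, so the session cookie issued by the SPA instance decrypts on the API instance; the hostnames, ports, realm, secret and key are placeholders.

```yaml
# gatekeeper-spa.yaml: handles everything except /api, redirects browsers to Keycloak.
# A front load balancer on https://app.example.com (placeholder) routes
# /api/* to :3001 and everything else to :3000, so both see the same cookies.
discovery-url: https://keycloak.example.com/auth/realms/REALM   # placeholder
client-id: myapp                          # placeholder, same client on both instances
client-secret: CLIENT_SECRET              # placeholder
listen: :3000
redirection-url: https://app.example.com  # /oauth/callback is appended by gatekeeper
encryption-key: ENCRYPTION_KEY_32_CHARS   # placeholder, must be identical on both instances
upstream-url: http://127.0.0.1:8080       # static SPA files
enable-refresh-tokens: true
resources:
- uri: /*
  # no roles listed: any authenticated user may load the SPA

# gatekeeper-api.yaml: handles /api only, never redirects, answers 401 instead.
discovery-url: https://keycloak.example.com/auth/realms/REALM   # placeholder
client-id: myapp
client-secret: CLIENT_SECRET
listen: :3001
redirection-url: https://app.example.com
encryption-key: ENCRYPTION_KEY_32_CHARS   # same key, so the kc-access cookie decrypts here too
upstream-url: http://127.0.0.1:8081       # the backend API
enable-refresh-tokens: true
no-redirects: true                        # the per-instance switch the question is after
resources:
- uri: /api/*
```

With this split the SPA can treat a 401 from `/api/*` as "session gone" and send the browser back to `/` to re-authenticate, instead of having its XHR follow a 307 to the login page.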

