[keycloak-user] Keycloak Gatekeeper to secure API services via Bearer Token results to 307

Ed Dave Tan tan.edwill at gmail.com
Mon Jun 17 11:51:27 EDT 2019


Hi,

I have deployed Keycloak Gatekeeper to Kubernetes using helm chart here:
https://hub.kubeapps.com/charts/gabibbo97/keycloak-gatekeeper/1.2.1

The configuration I used is:
listen=0.0.0.0:3000
--set discoveryURL=https://domain.com/auth/realms/manager
--set upstreamURL=http://up-domain.com:port
--set ClientID=manager
--set ClientSecret=$secret
--set rules={"uri=/*|roles=manager"}
--set droolsPolicyEnabled=false

My intended use case for Keycloak Gatekeeper is to use it to secure API
services.
1.) I imagine the flow will be like Angular frontend (using JS Adapter) to
login the user.
2.) Angular frontend will receive Bearer Token from authentication.
3.) Angular frontend will send Bearer Token to Keycloak Gatekeeper to
access needed resources.

So far I tested accessing the resource directly by accessing
0.0.0.0:3000 via kubectl port-forward, which worked fine. I was redirected to
the login page, then redirected to the resource after successful login.

However, I tried mimicking my intended workflow via Curl. (Similar to this
https://medium.com/@vcorreaniche/securing-serverless-services-in-kubernetes-with-keycloak-gatekeeper-6d07583e7382
)
1.) I was able to get the access token and refresh token using:
curl -X POST \
    'https://domain.com/auth/realms/manager/protocol/openid-connect/token' \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'username=manager1&password=<manager1_password>&grant_type=password&client_id=manager-service&client_secret=<secret>'

2.) I'm getting an HTTP 307 Temporary Redirect when I try to access the
resource using:
curl -H 'Authorization: Bearer <access_token>' \
    --proxy http://127.0.0.1:3000 http://up-domain.com/api/v1/manager \
    -v

>     --proxy http://127.0.0.1:3000 http://up-domain:port/api/v1/manager \
>     -v
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 3000 (#0)
> GET http://up-domain:port/api/v1/manager HTTP/1.1
> Host: up-domain:port
> User-Agent: curl/7.58.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> Authorization: Bearer <TOKEN>
>
< HTTP/1.1 307 Temporary Redirect
< Content-Type: text/html; charset=utf-8
< Location: /oauth/authorize?state=8688edc1-f05d-49c5-ae33-f4f10605d8d8

My question: Is my intended workflow viable using Keycloak Gatekeeper, or
did I do something wrong?

PS: My Keycloak version is 5.0 and I changed the image being pulled by the
helm chart above to 5.0.0 because 4.8.0.Final can't be found.
*Note: droolsPolicyEnabled is set to false since it was causing an issue in
starting Keycloak.
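A diagnostic that approximates the checks Gatekeeper applies to a bearer token before it honours the rule "uri=/*|roles=manager": the token's issuer must match discoveryURL, its audience (or authorized party) must name Gatekeeper's own client id, and the realm roles must include the rule's role; a token failing any of these is treated as unauthenticated and, with redirects enabled, answered with a redirect to /oauth/authorize rather than passed upstream. This is an added example, not code from the post or from the Gatekeeper project; the sample token is constructed (unsigned) and mirrors the post's mismatch of client_id=manager-service in the token request against ClientID=manager in the Gatekeeper configuration.

```python
import base64
import json

# Gatekeeper settings from the post; the rule "uri=/*|roles=manager"
# requires the realm role "manager".
DISCOVERY_URL = "https://domain.com/auth/realms/manager"
GATEKEEPER_CLIENT_ID = "manager"
REQUIRED_ROLE = "manager"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.
    Diagnostic use only: unverified claims must never drive authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def gatekeeper_token_problems(claims: dict) -> list:
    """List the reasons Gatekeeper would refuse this token for the configured
    client and rule (issuer, audience/azp, realm role). Empty list = accepted."""
    problems = []
    if claims.get("iss") != DISCOVERY_URL:
        problems.append(f"issuer {claims.get('iss')!r} != discoveryURL")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if GATEKEEPER_CLIENT_ID not in aud and claims.get("azp") != GATEKEEPER_CLIENT_ID:
        problems.append(f"aud {aud} / azp {claims.get('azp')!r} lack client-id "
                        f"{GATEKEEPER_CLIENT_ID!r}")
    roles = claims.get("realm_access", {}).get("roles", [])
    if REQUIRED_ROLE not in roles:
        problems.append(f"realm roles {roles} lack required role {REQUIRED_ROLE!r}")
    return problems


def _make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned token so the demonstration runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample: issued to client manager-service (as in the post's curl
# call) while Gatekeeper is configured with ClientID=manager.
SAMPLE_TOKEN = _make_unsigned_jwt({
    "iss": DISCOVERY_URL, "aud": "account", "azp": "manager-service",
    "preferred_username": "manager1",
    "realm_access": {"roles": ["manager", "offline_access"]},
})
```

Paste a real access token in place of SAMPLE_TOKEN to see which of the three checks it fails against your Gatekeeper settings.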

