[keycloak-user] Keycloak Gatekeeper access token encryption

Jody H j9dy1g at gmail.com
Thu Jun 20 05:35:06 EDT 2019


Hi,

I am trying to use the Keycloak Gatekeeper proxy and have found a problem I
can't seem to solve.

I have a service which is hosting a webservice and an api.
Keycloak gatekeeper is protecting this application.
I have another webservice which is making requests to this api.
I have encrypted tokens/cookies enabled in my gatekeeper config.
I have looked into the source code of gatekeeper to figure out how the
token is being decrypted, when it is coming inside of the Authorization
header instead of a cookie. It is like this:

1) The token is read from the "Authorization: Bearer" header:
https://github.com/keycloak/keycloak-gatekeeper/blob/master/session.go#L75
2) If encryption is enabled, the access token needs to be decrypted:
https://github.com/keycloak/keycloak-gatekeeper/blob/master/session.go#L36-L39
3) Before decryption, the access token from the Authorization header will
be base64-decoded:
https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L197
4) After decoding, it will be decrypted by AES-GCM:
https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L167-L183

I can't seem to figure out how to make requests to the gatekeeper proxy so
that the access token I pass in the Authorization header can be read by the
gatekeeper. I have checked multiple times that the key I use to encrypt my
access token is identical to the one I use in the gatekeeper config.
I am using this javascript code to encrypt my data:
https://gist.github.com/chrisveness/43bcda93af9f646d083fad678071b90a - then
after encryption, I base64 encode it and add it to the "Authorization:
Bearer [base64-encoded encrypted-access-token]" header. The error
gatekeeper gives me is this:
https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L204

The relevant javascript code looks like this:

  // aesGcmEncrypt is the helper from the gist linked above; keycloak is the
  // keycloak-js adapter instance that holds the access token. The await
  // needs an async context, hence the wrapper function.
  async function callApi(url) {
    const key = "MY_KEY_HERE_WITH_32_CHARACTERS"; // key is equal to the one in the gatekeeper config
    const ciphertext = await aesGcmEncrypt(keycloak.token, key);
    console.log(ciphertext);

    var req = new XMLHttpRequest();
    req.open('GET', url, true);
    req.setRequestHeader('Accept', 'application/json');
    req.setRequestHeader('Authorization', 'Bearer ' + btoa(ciphertext));

    req.onreadystatechange = function () {
      if (req.readyState == 4) {
        if (req.status == 200) {
          document.getElementById("userid").innerHTML = req.responseText + " (" + new Date() + ")";
        } else if (req.status == 403) {
          console.log('Forbidden');
        } else if (req.status == 401) {
          console.log('Unauthorized');
        }
      }
    };

    req.send();
  }

Can someone help me out? Sorry for the wall of text and thanks in advance!

Best regards,


More information about the keycloak-user mailing list