[keycloak-user] Keycloak Gatekeeper access token encryption

Bruno Oliveira bruno at abstractj.org
Thu Jun 20 16:09:59 EDT 2019


Hi Jody, don't need to be sorry. The more details, the better. Are you
looking for something like this[1]?

[1] - https://github.com/keycloak/keycloak-gatekeeper/pull/445

On 2019-06-20, Jody H wrote:
> Hi,
> 
> I am trying to use the Keycloak Gatekeeper proxy and have found a problem I
> can't seem to solve.
> 
> I have a service which is hosting a webservice and an api.
> Keycloak gatekeeper is protecting this application.
> I have another webservice which is making requests to this api.
> I have encrypted tokens/cookies enabled in my gatekeeper config.
> I have looked into the source code of gatekeeper to figure out how the
> token is being decrypted, when it is coming inside of the Authorization
> header instead of a cookie. It is like this:
> 
> 1) The token is read from the "Authorization: Bearer" header:
> https://github.com/keycloak/keycloak-gatekeeper/blob/master/session.go#L75
> 2) If encryption is enabled, the access token needs to be decrypted:
> https://github.com/keycloak/keycloak-gatekeeper/blob/master/session.go#L36-L39
> 3) Before decryption, the access token from the Authorization header will
> be base64-decoded:
> https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L197
> 4) After decoding, it will be decrypted by AES-GCM:
> https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L167-L183
> 
> I can't seem to figure out how to make requests to the gatekeeper proxy so
> that the access token I pass in the Authorization header can be read by the
> gatekeeper. I have checked multiple times that the key I use to encrypt my
> access token is identical to the one I use in the gatekeeper config.
> I am using this javascript code to encrypt my data:
> https://gist.github.com/chrisveness/43bcda93af9f646d083fad678071b90a - then
> after encryption, I base64 encode it and add it to the "Authorization:
> Bearer [base64-encoded encrypted-access-token]" header. The error
> gatekeeper gives me is this:
> https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L204
> 
> The relevant javascript code looks like this:
> 
> // key is equal to the one in the gatekeeper config
> const key = "MY_KEY_HERE_WITH_32_CHARACTERS";
> // aesGcmEncrypt is the function from the gist linked above
> const ciphertext = await aesGcmEncrypt(keycloak.token, key);
> console.log(ciphertext);
> var req = new XMLHttpRequest();
> req.open('GET', url, true);
> req.setRequestHeader('Accept', 'application/json');
> req.setRequestHeader('Authorization', 'Bearer ' + btoa(ciphertext));
> 
> req.onreadystatechange = function () {
>     if (req.readyState == 4) {
>         if (req.status == 200) {
>             document.getElementById("userid").innerHTML =
>                 req.responseText + " (" + new Date() + ")";
>         } else if (req.status == 403) {
>             console.log('Forbidden');
>         } else if (req.status == 401) {
>             console.log('Unauthorized');
>         }
>     }
> }
> 
> req.send();
> 
> Can someone help me out? Sorry for the wall of text and thanks in advance!
> 
> Best regards,

-- 

abstractj

