[keycloak-user] Keycloak Gatekeeper access token encryption

Jody H j9dy1g at gmail.com
Tue Jun 25 09:06:49 EDT 2019


Hi Bruno,

this was exactly what we were looking for, thank you.
Would be great if this also gets merged sometime soon.

Best regards,

On Thu, 20 Jun 2019 at 17:10, Bruno Oliveira <bruno at abstractj.org> wrote:

> Hi Jody, no need to be sorry. The more details, the better. Are you
> looking for something like this [1]?
>
> [1] - https://github.com/keycloak/keycloak-gatekeeper/pull/445
>
> On 2019-06-20, Jody H wrote:
> > Hi,
> >
> > I am trying to use the Keycloak Gatekeeper proxy and have found a
> > problem I can't seem to solve.
> >
> > I have a service which is hosting a webservice and an API.
> > Keycloak Gatekeeper is protecting this application.
> > I have another webservice which is making requests to this API.
> > I have encrypted tokens/cookies enabled in my Gatekeeper config.
> > I have looked into the source code of Gatekeeper to figure out how the
> > token is being decrypted when it comes in the Authorization header
> > instead of a cookie. It is like this:
> >
> > 1) The token is read from the "Authorization: Bearer" header:
> > https://github.com/keycloak/keycloak-gatekeeper/blob/master/session.go#L75
> > 2) If encryption is enabled, the access token needs to be decrypted:
> > https://github.com/keycloak/keycloak-gatekeeper/blob/master/session.go#L36-L39
> > 3) Before decryption, the access token from the Authorization header
> > will be base64-decoded:
> > https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L197
> > 4) After decoding, it will be decrypted by AES-GCM:
> > https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L167-L183
> >
> > I can't seem to figure out how to make requests to the Gatekeeper proxy
> > so that the access token I pass in the Authorization header can be read
> > by Gatekeeper. I have checked multiple times that the key I use to
> > encrypt my access token is identical to the one I use in the Gatekeeper
> > config. I am using this JavaScript code to encrypt my data:
> > https://gist.github.com/chrisveness/43bcda93af9f646d083fad678071b90a -
> > then after encryption, I base64-encode it and add it to the
> > "Authorization: Bearer [base64-encoded encrypted-access-token]" header.
> > The error Gatekeeper gives me is this:
> > https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L204
> >
> > The relevant JavaScript code looks like this:
> >
> >   // aesGcmEncrypt is the function from the gist linked above
> >   const key = "MY_KEY_HERE_WITH_32_CHARACTERS"; // key is equal to the one
> >                                                  // in the gatekeeper config
> >   const ciphertext = await aesGcmEncrypt(keycloak.token, key);
> >   console.log(ciphertext);
> >   var req = new XMLHttpRequest();
> >   req.open('GET', url, true);
> >   req.setRequestHeader('Accept', 'application/json');
> >   // base64-encode the encrypted token and send it as the bearer value
> >   req.setRequestHeader('Authorization', 'Bearer ' + btoa(ciphertext));
> >
> >   req.onreadystatechange = function () {
> >     if (req.readyState == 4) {
> >       if (req.status == 200) {
> >         document.getElementById("userid").innerHTML =
> >           req.responseText + " (" + new Date() + ")";
> >       } else if (req.status == 403) {
> >         console.log('Forbidden');
> >       } else if (req.status == 401) {
> >         console.log('Unauthorized');
> >       }
> >     }
> >   };
> >
> >   req.send();
> >
> > Can someone help me out? Sorry for the wall of text and thanks in
> > advance!
> >
> > Best regards,
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
>
> abstractj
>
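Steps 1) to 4) in the quoted question describe the base64-decode-then-AES-GCM path in Gatekeeper's utils.go. The Go program below is an added example, not code from Gatekeeper or from either poster: it assumes the proxy uses the configured key string as raw AES key bytes, expects the GCM nonce prefixed to the ciphertext, and applies exactly one unpadded base64 layer (verify all three against your utils.go). It pairs a client-side encoder with a decoder that mirrors the proxy, so a header value can be checked locally before it is sent.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// newGCM uses the configured key as raw bytes (16/24/32); it is not hashed.
func newGCM(key string) (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealToken builds the value after "Bearer ": nonce || ciphertext || GCM tag,
// base64 without padding (assumed layout of Gatekeeper's encodeText; verify).
func sealToken(token, key string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawStdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(token), nil)), nil
}

// openToken mirrors the proxy: decode, split off the nonce, authenticate and
// decrypt. A different key (hashed or not) or a second base64 layer fails here.
func openToken(encoded, key string) (string, error) {
	raw, err := base64.RawStdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext shorter than the GCM nonce")
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	return string(plain), err
}
```

Wrapping sealToken's output in another base64 step, as btoa(ciphertext) does in the quoted snippet, makes openToken fail the tag check, which is the symptom to look for first.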