[keycloak-user] Keycloak Gatekeeper access token encryption

Bruno Oliveira bruno at abstractj.org
Wed Jun 26 09:51:08 EDT 2019


Hi Jody, I'm glad that worked for you. I just returned from travel
and will try to do a proper review and merge it.

On 2019-06-25, Jody H wrote:
> Hi Bruno,
> 
> this was exactly what we were looking for, thank you.
> Would be great if this also gets merged sometime soon.
> 
> Best regards,
> 
> On Thu, 20 Jun 2019 at 17:10, Bruno Oliveira <bruno at abstractj.org> wrote:
> 
> > Hi Jody, no need to be sorry. The more details, the better. Are you
> > looking for something like this [1]?
> >
> > [1] - https://github.com/keycloak/keycloak-gatekeeper/pull/445
> >
> > On 2019-06-20, Jody H wrote:
> > > Hi,
> > >
> > > I am trying to use the Keycloak Gatekeeper proxy and have found a
> > > problem I can't seem to solve.
> > >
> > > I have a service which is hosting a webservice and an api.
> > > Keycloak gatekeeper is protecting this application.
> > > I have another webservice which is making requests to this api.
> > > I have encrypted tokens/cookies enabled in my gatekeeper config.
> > > I have looked into the source code of gatekeeper to figure out how the
> > > token is being decrypted, when it is coming inside of the Authorization
> > > header instead of a cookie. It is like this:
> > >
> > > 1) The token is read from the "Authorization: Bearer" header:
> > >
> > > https://github.com/keycloak/keycloak-gatekeeper/blob/master/session.go#L75
> > > 2) If encryption is enabled, the access token needs to be decrypted:
> > >
> > > https://github.com/keycloak/keycloak-gatekeeper/blob/master/session.go#L36-L39
> > > 3) Before decryption, the access token from the Authorization header will
> > > be base64-decoded:
> > >
> > > https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L197
> > > 4) After decoding, it will be decrypted by AES-GCM:
> > >
> > > https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L167-L183
> > >
> > > I can't seem to figure out how to make requests to the gatekeeper proxy
> > > so that the access token I pass in the Authorization header can be read
> > > by the gatekeeper. I have checked multiple times that the key I use to
> > > encrypt my access token is identical to the one I use in the gatekeeper
> > > config.
> > > I am using this JavaScript code to encrypt my data:
> > > https://gist.github.com/chrisveness/43bcda93af9f646d083fad678071b90a -
> > > then after encryption, I base64 encode it and add it to the
> > > "Authorization: Bearer [base64-encoded encrypted-access-token]" header.
> > > The error gatekeeper gives me is this:
> > >
> > > https://github.com/keycloak/keycloak-gatekeeper/blob/master/utils.go#L204
> > >
> > > The relevant JavaScript code looks like this:
> > >
> > > // key is equal to the one in the gatekeeper config
> > > const key = "MY_KEY_HERE_WITH_32_CHARACTERS";
> > > const ciphertext = await aesGcmEncrypt(keycloak.token, key);
> > > console.log(ciphertext);
> > > var req = new XMLHttpRequest();
> > > req.open('GET', url, true);
> > > req.setRequestHeader('Accept', 'application/json');
> > > req.setRequestHeader('Authorization', 'Bearer ' + btoa(ciphertext));
> > >
> > > req.onreadystatechange = function () {
> > >   if (req.readyState == 4) {
> > >     if (req.status == 200) {
> > >       document.getElementById("userid").innerHTML = req.responseText + " (" + new Date() + ")";
> > >     } else if (req.status == 403) {
> > >       console.log('Forbidden');
> > >     } else if (req.status == 401) {
> > >       console.log('Unauthorized');
> > >     }
> > >   }
> > > };
> > >
> > > req.send();
> > >
> > > Can someone help me out? Sorry for the wall of text and thanks in
> > > advance!
> > >
> > > Best regards,
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > --
> >
> > abstractj
> >

-- 

abstractj
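The four decoding steps Jody lists (read the bearer value, base64-decode it, split off the AES-GCM nonce, decrypt) describe a specific wire format that any client has to reproduce byte for byte. The Go program below is an added example written for this thread; it is not code from the thread or from the Gatekeeper project. It is modelled on those steps under two assumptions that should be checked against the linked utils.go before relying on it: that the layout is nonce || ciphertext || tag (the output of gcm.Seal with the nonce as prefix) and that the base64 variant is the unpadded standard alphabet (Go's base64.RawStdEncoding). SampleKey is a constructed 32-byte demo key, not a real one. The point for a defender or integrator is that any framing mismatch (a second base64 layer, a hex-encoded IV, a tag sent separately) fails closed at gcm.Open with an authentication error rather than yielding a readable token, and that a key which is not exactly 16, 24 or 32 bytes is rejected by aes.NewCipher before anything is encrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// SampleKey is a constructed 32-byte key for this demo only. AES requires a
// 16, 24 or 32 byte key; the 30-character placeholder in the thread would
// be rejected by aes.NewCipher.
const SampleKey = "0123456789abcdef0123456789abcdef"

// SealToken produces the bearer value in the format the thread describes the
// proxy decoding: AES-GCM with a random nonce prefixed to the ciphertext (the
// tag is appended by Seal), then base64 (unpadded standard alphabet, assumed).
func SealToken(token, key string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Seal appends to its first argument, so sealed is nonce || ct || tag.
	sealed := gcm.Seal(nonce, nonce, []byte(token), nil)
	return base64.RawStdEncoding.EncodeToString(sealed), nil
}

// OpenToken reverses SealToken: base64-decode, split off the nonce, then
// authenticate and decrypt. A client that frames the data differently
// (double base64, hex IV, separate tag) ends up in the error path here.
func OpenToken(encoded, key string) (string, error) {
	raw, err := base64.RawStdEncoding.DecodeString(encoded)
	if err != nil {
		return "", fmt.Errorf("base64 decode: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext shorter than the GCM nonce")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		// Wrong key, modified data or a different wire format all fail here.
		return "", fmt.Errorf("aes-gcm open: %w", err)
	}
	return string(plain), nil
}

// newGCM builds the AEAD; aes.NewCipher rejects keys of the wrong length.
func newGCM(key string) (cipher.AEAD, error) {
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	enc, err := SealToken("constructed-sample-access-token", SampleKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("Authorization: Bearer " + enc)
	dec, err := OpenToken(enc, SampleKey)
	fmt.Println("round trip:", dec, err)
	// The poster's client base64-encodes its encryptor's output a second time;
	// that extra layer is what the decoder sees first, and authentication fails.
	_, err = OpenToken(base64.RawStdEncoding.EncodeToString([]byte(enc)), SampleKey)
	fmt.Println("double-encoded:", err)
	_, err = SealToken("x", "MY_KEY_HERE_WITH_32_CHARACTERS")
	fmt.Println("30-byte key:", err)
}
```

Running it against a real deployment is a quick interoperability check: if a bearer value produced by the client does not open with OpenToken and the proxy's key, the client's framing or base64 variant differs from what the proxy's decoder expects, and the proxy's "failed to decrypt" error is the expected outcome rather than a key problem.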

