[keycloak-user] Keycloak Gatekeeper configuration with SPA
Bruno Oliveira
bruno at abstractj.org
Mon Sep 9 05:18:27 EDT 2019
Hi Yumna,
The CORS issue was fixed, but if it persists, please let us know so we can
figure out what's going on.
On 2019-08-31, Yumna Ghazi wrote:
> Hello everyone,
>
> I'm using Keycloak as an identity manager and since it also provides
> optional authorization, I decided to use it to suit my access control
> requirements as well. I have multiple microservices that I want to protect
> using Keycloak Gatekeeper like the configuration below but with separate
> Gatekeepers per service.
>
> ---------      -----------      -----------      ------------
> |  UI   | ---> |  Proxy  | ---> |  GateK  | ---> | Service  |
> ---------      -----------      -----------      ------------
>     |                                ||
>     |                                v
>     ---------------------------------> Keycloak
>
> Aside from the CORS related issues this creates (KEYCLOAK-9099
> <https://issues.jboss.org/browse/KEYCLOAK-9099>), there's another important
> issue that I'm struggling with. My UI already has keycloak js integrated
> with a public client specifically for itself, which I was using for login
> initially. Now that I want to use the Gatekeeper proxy, I want my
> login/token refresh to happen on the UI such that it would automatically
> generate the requisite cookies for Gatekeeper, because I want to disable
> redirection on Gatekeeper and send 401 directly in case of expired/bad/no
> token.
If I understood correctly, you would like to do the authentication
using Gatekeeper and the authorization in the UI, right? If that's the
case, I don't think there's an option on Gatekeeper to do this.
But if you provide some code examples of what you're trying to achieve, I
will be more than happy to try and give you an accurate answer.
>
> a) Is my understanding correct and is this the correct approach?
> b) If so, how can I login via Keycloak directly or via Gatekeeper and get
> the required cookies (without some proxy-level hacking)?
There are two options which may help you: "--enable-session-cookies" and
"--enable-authorization-cookies".
>
> Right now I'm hovering between a couple of options, from using Kong oidc
> with some custom authorization to using Gatekeeper. Any help would be much
> appreciated.
>
> Thanks.
> Yumna
--
abstractj
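
The setup discussed in this thread (one Gatekeeper per service, no redirects, 401 on a missing or expired token, plus the two cookie options named in the reply), as an added example that is not part of the original messages or the Keycloak project's own configuration. Hostnames, realm, client ID, secret, resource path and role are constructed placeholders.

```yaml
# Constructed Keycloak Gatekeeper config for a single protected service.
# All hostnames, the realm, the client and the role are placeholders.
discovery-url: https://keycloak.example.test/auth/realms/demo
client-id: orders-gatekeeper          # confidential client for this Gatekeeper
client-secret: REPLACE_ME             # placeholder, inject from a secret store
listen: 127.0.0.1:3000
upstream-url: http://127.0.0.1:8080   # the microservice behind this Gatekeeper

# Answer unauthenticated requests with 401 instead of redirecting the
# browser to the Keycloak login page (the behaviour asked for in the thread).
no-redirects: true

# The two options named in the reply.
enable-session-cookies: true          # token cookies are session-only
enable-authorization-cookies: true    # pass the token cookies on to the upstream

# Keep the token cookies out of reach of page scripts and off plain HTTP.
secure-cookie: true
http-only-cookie: true

# The SPA is served from another origin, so list that origin explicitly
# rather than using a wildcard when credentials are allowed.
cors-origins:
  - https://ui.example.test
cors-methods:
  - GET
  - POST
cors-headers:
  - Authorization
  - Content-Type
cors-credentials: true

# Role check enforced at the proxy before the request reaches the service.
resources:
  - uri: /api/*
    methods:
      - GET
      - POST
    roles:
      - orders-service:reader         # client role, written as client:role
```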