TechQA.

keycloak gatekeeper doesn't block any request

1.2k views Asked by At

I am trying using keycloak + keycloak-gatekeeper for authorization in a personal api: api.mydomain.com. so far i have done:

  1. Created a realm MY-REALM in keycloak, the URL for keycloak is https://auth.mydomain.com
  2. Created a confidential client in the same realm with Authorization Enabled ON and Valid redirect URIS: https://api.mydomain.com/*
  3. Created a user
  4. Inside my server https://api.mydomain.com points to 127.0.0.1:5000
  5. 127.0.0.1:5001 is the "real API"
  6. Configured keycloak-gatekeeper with this config.yaml:
client-id: <MY-API-CLIENT-ID>
client-secret: <SECRET>
discovery-url: https://auth.mydomain.com/auth/realms/<MY-REALM>
enable-default-deny: true
listen: 127.0.0.1:5000
upstream-url: http://127.0.0.1:5001
verbose: true
enable-logging: true
enable-security-filter: true
enable-json-logging: true

Right now if i access in a browser https://api.mydomain.com i am redirected to https://auth.mydomain.com asking for an user and password. i supply the user created in the point 3 and as expected redirected again to https://api.mydomain.com. so far so good.

The problem lies in the configuration of the Authorization part: In keycloak -> Clients -> <MY-API-CLIENT-ID> -> Authorization -> Resources i edit the default policy to Deny every request in the resource /* but i can access every resource (URL) in https://api.mydomain.com just as before.

I have tried:

  1. Restrict by realm role (only admins can access to a particular resource).
  2. Restrict by scope.
  3. Negate the logic in the policy.
  4. Restrict by client role.
  5. Pray.
  6. Cry.

Of course i have tried every combination of the above in the Evaluate Tab on keycloak and effectively here the simulated policy show DENY.

So what i am doing wrong? By the way, after every request this is the log from keycloak-gatekeeper: 

{"level":"debug","ts":1554936731.4022436,"caller":"keycloak-gatekeeper/middleware.go:337","msg":"access permitted to resource","access":"permitted","email":"[email protected]","expires":201.59779997,"resource":"/*"}

Any ideas will be deeply appreciated.

keycloak keycloak-gatekeeper louketo-proxy
Original Q&A
1

There are 1 answers

4
Jan Garaj On BEST ANSWER

Gatekeeper doesn't use Keycloak -> Clients -> <MY-API-CLIENT-ID> -> Authorization -> Resources.

It has own configuration of resources, e.g.:

resources:
- uri: /admin/*
  methods:
  - GET
  roles:
  - openvpn:vpn-user
  - openvpn:commons-prod-vpn

Doc: https://www.keycloak.org/docs/latest/securing_apps/index.html#configuration-options

Related Questions in KEYCLOAK

Related Questions in KEYCLOAK-GATEKEEPER

Related Questions in LOUKETO-PROXY

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions