keycloak/louketo gatekeeper -- doesn't automatically redirect to keycloak login


I am setting up gatekeeper/louketo as a reverse proxy for a browser app. I have the proxy deployed as a sidecar in a Kubernetes pod, with Keycloak elsewhere in the same cluster (but accessed by a public URL). Gatekeeper is behind an nginx ingress, which does TLS termination.

[I have tried both the most current louketo version and also the fork oneconcern/keycloak-gatekeeper. Some differences, but the issue is the same, so I think it's a problem in my configuration.]

Gatekeeper, no matter how I set up the config, reads the discovery url of my realm, but then doesn't redirect on login there. Rather it redirects to my upstream app, using the /oauth/authorize path. I can manually force my app to redirect again to keycloak, but on return from keycloak, gatekeeper doesn't recognize the cookie, and catches me in a redirect loop.

It would seem I am making some simple config error, but I've been working on this for two days, and am at my wits' end. (Even hacked in extra debugging into the Go code, but haven't studied it enough to really know what it is doing.)

My config (best guess of many different variants tried):

        - --config=/var/secrets/auth-proxy-keycloak-config.yaml
        - --discovery-url=https://auth.my-domain.com/auth/realms/my-realm
        - --listen=:4000
        - --upstream-url=http://127.0.0.1:3000
        - --redirection-url=https://dev.my-domain.com/
        - --enable-refresh-tokens=true
        - --enable-default-deny=true
        - --resources=uri=/*|roles=developer
        - --resources=uri=/about|white-listed=true
        - --resources=uri=/oauth/*|white-listed=true

The ingress serves https://dev.my-domain.com and routes to port 4000, which is the auth proxy sidecar. It is set up with a Let's Encrypt certificate, and terminates TLS. I don't use TLS in the proxy (should I?). Upstream app at port 3000. Keycloak is at auth.my-domain.com. In auth-proxy-keycloak-config.yaml I have encryption key, and client_id. The Keycloak client is set up for public access and standard flow (hence no client_secret needed, I presume). I have fiddled with the various uri settings, and also put in web origins "*" for CORS for testing.

When I try a protected url in the browser, I see:

no session found in request, redirecting for authorization  {"error": "authentication session not found"}

in the proxy logs, and it redirects me to /oauth/authorize, not to https://auth.my-domain.com/auth/realms/my-realm/protocol/openid-connect/auth where I think it should redirect me.

UPDATE -- as @jan-garaj noted in comment to answer, /oauth/* shouldn't have been whitelisted. (I got that from a possibly mistaken interpretation of someone else's answer.) I then had to make the cookie not http-only, and finally hit on this issue - Keycloak-gatekeeper: 'aud' claim and 'client_id' do not match ... after that it works!

There is 1 answer

Jan Garaj (best answer)

From the Louketo-proxy doc:

/oauth/authorize is authentication endpoint which will generate the OpenID redirect to the provider

So that redirect is correct. It is a louketo-proxy endpoint. It is not a request for your app; it will be processed by louketo-proxy. It will generate another redirect to your IDP, where the user needs to log in.

Off topic:

  • you really need a confidential client and a client secret for the authorization code flow
  • web origins "*" for CORS is correct only for the http protocol; explicit origin specification is needed for https
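
A pre-deployment check for two of the problems named in the question's update, written as an added example (not code from the post or from the Louketo project): it flags white-listed `--resources` entries that cover the proxy's own `/oauth/` endpoints, and compares a token's `aud` claim with the configured client ID. The function names, the client ID `my-client` and the sample token are assumptions constructed for illustration.

```python
import base64
import fnmatch
import json

PROXY_PREFIX = "/oauth/"  # the proxy's own endpoints, e.g. /oauth/authorize

# Resource flags copied from the question's config.
ARGS = [
    "--resources=uri=/*|roles=developer",
    "--resources=uri=/about|white-listed=true",
    "--resources=uri=/oauth/*|white-listed=true",
]


def whitelisted_proxy_paths(args):
    """Return white-listed resource URIs that cover the proxy's /oauth/ endpoints."""
    hits = []
    for arg in args:
        if not arg.startswith("--resources="):
            continue
        spec = arg[len("--resources="):]
        fields = dict(f.split("=", 1) for f in spec.split("|") if "=" in f)
        uri = fields.get("uri", "")
        covers = uri.startswith(PROXY_PREFIX) or fnmatch.fnmatchcase(
            PROXY_PREFIX + "authorize", uri)
        if fields.get("white-listed") == "true" and covers:
            hits.append(uri)
    return hits


def jwt_claims(token):
    """Decode a JWT payload without verifying the signature (diagnosis only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def aud_matches(token, client_id):
    """True if client_id appears in the token's aud claim (string or list)."""
    aud = jwt_claims(token).get("aud", [])
    return client_id in ([aud] if isinstance(aud, str) else aud)


def sample_token(claims):
    """Build an unsigned, constructed token for the demo; not a real Keycloak token."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), ""])


if __name__ == "__main__":
    print("white-listed proxy paths:", whitelisted_proxy_paths(ARGS))
    token = sample_token({"aud": "account", "azp": "my-client"})
    print("aud matches client_id:", aud_matches(token, "my-client"))
```

`jwt_claims` only reads the payload for troubleshooting; it performs no signature validation and must not be used to make access decisions.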