
I am trying to use keycloak + keycloak-gatekeeper for authorization in a personal API: api.mydomain.com. So far I have done:

  1. Created a realm MY-REALM in keycloak; the URL for keycloak is https://auth.mydomain.com
  2. Created a confidential client in the same realm with Authorization Enabled ON and Valid Redirect URIs: https://api.mydomain.com/*
  3. Created a user
  4. Inside my server, https://api.mydomain.com points to 127.0.0.1:5000
  5. 127.0.0.1:5001 is the "real API"
  6. Configured keycloak-gatekeeper with this config.yaml:

    client-id: <MY-API-CLIENT-ID>
    client-secret: <SECRET>
    discovery-url: https://auth.mydomain.com/auth/realms/<MY-REALM>
    enable-default-deny: true
    listen: 127.0.0.1:5000
    upstream-url: http://127.0.0.1:5001
    verbose: true
    enable-logging: true
    enable-security-filter: true
    enable-json-logging: true

Right now, if I access https://api.mydomain.com in a browser I am redirected to https://auth.mydomain.com asking for a user and password. I supply the user created in point 3 and, as expected, am redirected again to https://api.mydomain.com. So far so good.

The problem lies in the configuration of the Authorization part: in keycloak -> Clients -> <MY-API-CLIENT-ID> -> Authorization -> Resources I edit the default policy to Deny every request on the resource /*, but I can still access every resource (URL) in https://api.mydomain.com just as before.

I have tried:

  1. Restrict by realm role (only admins can access to a particular resource).
  2. Restrict by scope.
  3. Negate the logic in the policy.
  4. Restrict by client role.
  5. Pray.
  6. Cry.

Of course I have tried every combination of the above in the Evaluate tab in keycloak, and there the simulated policy does show DENY.

So what am I doing wrong? By the way, after every request this is the log from keycloak-gatekeeper:

{"level":"debug","ts":1554936731.4022436,"caller":"keycloak-gatekeeper/middleware.go:337","msg":"access permitted to resource","access":"permitted","email":"testmail@mail.com","expires":201.59779997,"resource":"/*"}

Any ideas will be deeply appreciated.

Jan Garaj
Christian
  • If you know another free OpenidConnect/Identity and Access Management/Authorization server (or a combination of systems with the same purpose) that you can recommend that would be also super cool. – Christian Apr 11 '19 at 00:15
    The enforcement of Keycloak authorizations in Gatekeeper has been requested here : https://issues.jboss.org/browse/KEYCLOAK-7502 – Quentin Gillet Oct 09 '19 at 11:39

1 Answer


Gatekeeper doesn't use Keycloak -> Clients -> <MY-API-CLIENT-ID> -> Authorization -> Resources.

It has its own configuration of resources, e.g.:

resources:
- uri: /admin/*
  methods:
  - GET
  roles:
  - openvpn:vpn-user
  - openvpn:commons-prod-vpn

Doc: https://www.keycloak.org/docs/latest/securing_apps/index.html#configuration-options

Jan Garaj
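To make the answer concrete, here is an added, simplified model of how a Gatekeeper-style `resources:` block is evaluated. It is example code written for this page, not Gatekeeper's own implementation: it assumes rules are checked in order, that a bare role name is a realm role while `client:role` refers to a client role from the token's `resource_access` claim, that an empty `methods` list covers every method, that one matching role is enough (require-any-role semantics), and that `enable-default-deny: true` behaves like a catch-all `/*` rule that requires only a login. The token claims and the extra request paths are constructed for the example.

```python
from fnmatch import fnmatchcase

# The answer's YAML, written as a Python literal so no YAML library is needed.
RESOURCES = [
    {
        "uri": "/admin/*",
        "methods": ["GET"],
        "roles": ["openvpn:vpn-user", "openvpn:commons-prod-vpn"],
    },
]

# Catch-all rule that enable-default-deny adds in this model (assumption):
# every path is protected, but only authentication is required, no roles.
DEFAULT_DENY_RESOURCE = {"uri": "/*", "methods": [], "roles": []}


def roles_from_claims(claims):
    """Flatten token roles into the form the resources block names them:
    realm roles as bare names, client roles as '<client>:<role>'."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    for client, access in claims.get("resource_access", {}).items():
        for role in access.get("roles", []):
            roles.add(f"{client}:{role}")
    return roles


def matching_resource(resources, path, method):
    """Return the first rule whose uri glob covers `path` and whose method
    list (empty = any method) covers `method`, or None if no rule matches."""
    for res in resources:
        method_ok = not res["methods"] or method in res["methods"]
        if fnmatchcase(path, res["uri"]) and method_ok:
            return res
    return None


def is_permitted(resources, claims, path, method, default_deny=True):
    """Decide one request in this model.

    `claims` is the decoded token of the current session (None = not logged
    in). With default_deny the catch-all rule is appended after the explicit
    rules so unmatched paths still require a login."""
    rules = list(resources) + ([DEFAULT_DENY_RESOURCE] if default_deny else [])
    res = matching_resource(rules, path, method)
    if res is None:
        return True   # unprotected path: proxied straight through
    if claims is None:
        return False  # protected path without a session: would redirect to login
    required = set(res["roles"])
    if not required:
        return True   # authentication alone satisfies this rule
    # require-any-role semantics: a single matching role is sufficient
    return bool(required & roles_from_claims(claims))


if __name__ == "__main__":
    # Constructed sample tokens: one with the openvpn client role, one without.
    vpn_user = {
        "realm_access": {"roles": ["user"]},
        "resource_access": {"openvpn": {"roles": ["vpn-user"]}},
    }
    plain_user = {"realm_access": {"roles": ["user"]}}
    for who, claims in (("vpn_user", vpn_user), ("plain_user", plain_user)):
        for path, method in (("/admin/status", "GET"), ("/admin/status", "POST"), ("/public", "GET")):
            print(who, method, path, "->", is_permitted(RESOURCES, claims, path, method))
```

Two points the model makes visible. First, with no `resources:` entries at all, `enable-default-deny` only enforces that a session exists, which is exactly the "access permitted to resource /*" line in the asker's log: the Keycloak-side policies are never consulted. Second, a rule that lists `methods: [GET]` covers only GET; in this model a POST to `/admin/status` falls through to the catch-all and is allowed for any logged-in user, so either list every method you mean to restrict or omit `methods` so the rule applies to all of them.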
    OMG I have lost _days_ thinking that I misconfigured something... So... you know how I can use keycloak authorization services if my API is not written in Java and there is no `client adapter` for my language?... I'm screwed? – Christian Apr 11 '19 at 09:46
    Is there no way to get this to respect the role restrictions in keycloak itself, instead of having to specify it again in the manifest? – cclloyd Sep 09 '19 at 06:20
  • @Christian you can use louketo-proxy, which is a proxy you'll have in front of front/backends; there you can apply the configuration in this answer. As the JWT is self-contained, the louketo-proxy itself can authorize the app behind it, with no need to connect to the keycloak server. – asd123ea Jul 28 '20 at 17:51
  • @bck `louketo-proxy` = `Gatekeeper` (that is the former name). louketo-proxy needs a connection to the Keycloak server: it uses the OIDC discovery URL to get more details about the IDP (for example the auth URL, realm keys, ...) – Jan Garaj Jul 28 '20 at 17:56