Tags: keycloak, openid-connect, keycloak-gatekeeper, louketo-proxy

What is the purpose of redirection-url in keycloak gatekeeper?


I'm trying to set up Keycloak Gatekeeper as a reverse proxy in front of my service, but I don't know what the purpose is of the redirection-url. I figured I could just put Gatekeeper in front of my service, without my service needing to know anything about the authn/z. This doesn't seem possible if it needs a callback endpoint.

I was able to deploy the Keycloak Server, Keycloak Gatekeeper, and a simple node service (all deployed locally in docker containers). With a bit of hacking to my hosts file, I was able to send a request to Gatekeeper, which properly authenticated me and redirected me back to my node service. However, my node service needed to add a /oauth/callback endpoint, since Gatekeeper adds that suffix to whatever is specified in the redirection-url.

Here is what my Gatekeeper config looks like:

discovery-url: http://keycloak-server:8080/auth/realms/master
client-id: proxy-node-server
client-secret: abcabcab-abca-abca-abca-abcabcabcabc
listen: ':3001'
enable-refresh-tokens: true
redirection-url: http://node-server:3000
encryption-key: <ENCRYPTION_KEY>
upstream-url: http://node-server:3000
resources:
- uri: /*
secure-cookie: false

I expect to be able to put Gatekeeper in front of a service that has no knowledge of authentication, authorization, OIDC, etc, but with the redirection-url that doesn't seem possible.

Is there any way to get Gatekeeper to do authnz when needed and just act as a simple proxy when the user is properly authenticated? Or is there something I don't understand where this is not possible?


Solution

  • Gatekeeper help:

    --redirection-url      value redirection url for the oauth callback url, defaults to host header is absent [$PROXY_REDIRECTION_URL]
    

    You will need to use redirection-url only when Gatekeeper sits behind a load balancer or another reverse proxy. That redirection-url is required for the OpenID Connect flow. When the user is authenticated, the redirect-url is of course not applied.
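As an added illustration (not code from the question, the answer, or the Gatekeeper project), the helper below models how the callback URL is derived from the config in the question, following the quoted help text (explicit redirection-url, else the Host header, plus the /oauth/callback suffix the questioner observed), and flags the case where that callback points at the upstream service instead of at the proxy. The proxy host name node-proxy and the load-balancer address app.example.com are assumptions.

```python
from urllib.parse import urlsplit

# Suffix Gatekeeper appends to the redirection URL (stated in the question).
CALLBACK_PATH = "/oauth/callback"

# Constructed copy of the question's Gatekeeper config (secrets elided).
QUESTION_CONFIG = {
    "listen": ":3001",
    "redirection-url": "http://node-server:3000",
    "upstream-url": "http://node-server:3000",
}


def effective_redirect_uri(config: dict, host_header: str, scheme: str = "http") -> str:
    """Resolve the redirect_uri Gatekeeper sends to Keycloak.

    Per the --redirection-url help text: use redirection-url when set,
    otherwise fall back to the Host header of the incoming request;
    then append the callback path.
    """
    base = config.get("redirection-url") or f"{scheme}://{host_header}"
    return base.rstrip("/") + CALLBACK_PATH


def _netloc(url: str) -> tuple:
    """(hostname, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    default_port = 443 if parts.scheme == "https" else 80
    return (parts.hostname, parts.port or default_port)


def callback_hits_upstream(config: dict, host_header: str) -> bool:
    """True when the callback would reach upstream-url (the service behind
    the proxy) instead of Gatekeeper itself: the situation in the question,
    where the node service had to grow its own /oauth/callback route."""
    cb = effective_redirect_uri(config, host_header)
    return _netloc(cb) == _netloc(config["upstream-url"])


def check(config: dict, host_header: str) -> str:
    """One-line verdict, as a pre-deployment config check."""
    cb = effective_redirect_uri(config, host_header)
    if callback_hits_upstream(config, host_header):
        return f"WARN callback {cb} points at the upstream, not the proxy"
    return f"OK   callback {cb} is handled by Gatekeeper"


if __name__ == "__main__":
    print(check(QUESTION_CONFIG, "node-proxy:3001"))
    fixed = {k: v for k, v in QUESTION_CONFIG.items() if k != "redirection-url"}
    print(check(fixed, "node-proxy:3001"))
```

With redirection-url removed, the callback resolves to the address the browser used to reach Gatekeeper; behind a load balancer, set it to the externally visible proxy address instead.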