I'm trying to set up Keycloak Gatekeeper as a reverse proxy in front of my service, but I don't know what the purpose is of the redirection-url. I figured I could just put Gatekeeper in front of my service, without my service needing to know anything about the authn/z. This doesn't seem possible if it needs a callback endpoint.
I was able to deploy the Keycloak Server, Keycloak Gatekeeper, and a simple node service (all deployed locally in docker containers). With a bit of hacking to my hosts file, I was able to send a request to Gatekeeper, which properly authenticated me and redirected me back to my node service. However, my node service needed to add a /oauth/callback endpoint, since Gatekeeper adds that suffix to whatever is specified in the redirection-url.
Here is what my Gatekeeper config looks like:
discovery-url: http://keycloak-server:8080/auth/realms/master
client-id: proxy-node-server
client-secret: abcabcab-abca-abca-abca-abcabcabcabc
listen: ':3001'
enable-refresh-tokens: true
redirection-url: http://node-server:3000
encryption-key: <ENCRYPTION_KEY>
upstream-url: http://node-server:3000
resources:
- uri: /*
secure-cookie: false
I expect to be able to put Gatekeeper in front of a service that has no knowledge of authentication, authorization, OIDC, etc., but with the redirection-url that doesn't seem possible.
Is there any way to get Gatekeeper to do authnz when needed and just act as a simple proxy when the user is properly authenticated? Or is there something I don't understand where this is not possible?
Gatekeeper help:
--redirection-url value redirection url for the oauth callback url, defaults to host header is absent [$PROXY_REDIRECTION_URL]
You will need to use redirection-url only when gatekeeper sits behind a load balancer or another reverse proxy. That redirection-url is required for the OpenID Connect flow. When the user is authenticated, then redirect-url is not applied, of course.
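The request handling the question asks about and the answer describes, as an added toy model written for this page (it is not Keycloak Gatekeeper's code): an unauthenticated request is redirected to the IdP with redirect_uri built from redirection-url plus the /oauth/callback suffix the question reports, the /oauth/callback path is served by the proxy itself, and a request carrying a valid session is simply forwarded upstream. It also checks the point the help text implies (redirection-url defaults to the Host header of the request to the proxy): the callback must resolve to the proxy's own externally reachable address, so a redirection-url equal to upstream-url, as in the question's config, delivers the authorization code to the upstream instead of the proxy. The hostname gatekeeper.example, the cookie name kc-access standing in for the session, the Keycloak authorization endpoint path, and the token set used in place of real JWT verification are assumptions of this example.

```python
"""Toy model of an OIDC-authenticating reverse proxy (constructed example,
not Keycloak Gatekeeper's own code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlencode, urlsplit

CALLBACK_PATH = "/oauth/callback"  # suffix the question reports Gatekeeper appends
SESSION_COOKIE = "kc-access"       # assumed cookie name carrying the session token


@dataclass
class ProxyConfig:
    discovery_url: str
    client_id: str
    upstream_url: str
    redirection_url: Optional[str] = None  # may be unset, as the help text allows

    def callback_url(self, host_header: str) -> str:
        """redirect_uri sent to the IdP: redirection-url if set, else the Host header."""
        base = self.redirection_url or f"http://{host_header}"
        return base.rstrip("/") + CALLBACK_PATH


def authorization_redirect(cfg: ProxyConfig, host_header: str, state: str) -> str:
    """Location header for an unauthenticated request (Keycloak realm auth endpoint)."""
    params = {
        "response_type": "code",
        "client_id": cfg.client_id,
        "redirect_uri": cfg.callback_url(host_header),
        "scope": "openid",
        "state": state,
    }
    return cfg.discovery_url.rstrip("/") + "/protocol/openid-connect/auth?" + urlencode(params)


def callback_reaches_proxy(cfg: ProxyConfig, host_header: str) -> bool:
    """True when the browser's callback lands on the proxy, not on the upstream.

    The proxy serves /oauth/callback itself; if redirect_uri points at the upstream's
    host:port, the authorization code arrives at a service that never asked for it.
    """
    callback = urlsplit(cfg.callback_url(host_header)).netloc
    upstream = urlsplit(cfg.upstream_url).netloc
    return callback != upstream


def handle(cfg: ProxyConfig, path: str, host_header: str,
           cookies: Dict[str, str], valid_sessions: Set[str]) -> Tuple[str, str]:
    """Decide what the proxy does with one request.

    valid_sessions stands in for token verification (signature, expiry, issuer);
    a real proxy validates the JWT rather than looking it up in a set.
    """
    if path == CALLBACK_PATH:
        # Code exchange happens in the proxy; the upstream is not involved.
        return ("callback", "exchange code, set " + SESSION_COOKIE + ", redirect to original path")
    if cookies.get(SESSION_COOKIE) in valid_sessions:
        # Authenticated: plain reverse proxy, the upstream sees the request unchanged.
        return ("upstream", cfg.upstream_url.rstrip("/") + path)
    return ("redirect", authorization_redirect(cfg, host_header, state="constructed-state"))


# Constructed sample configs: the first mirrors the question, the second points
# redirection-url at the proxy's own externally reachable address (placeholder host).
QUESTION_CFG = ProxyConfig(
    discovery_url="http://keycloak-server:8080/auth/realms/master",
    client_id="proxy-node-server",
    upstream_url="http://node-server:3000",
    redirection_url="http://node-server:3000",
)
PROXY_CFG = ProxyConfig(
    discovery_url="http://keycloak-server:8080/auth/realms/master",
    client_id="proxy-node-server",
    upstream_url="http://node-server:3000",
    redirection_url="http://gatekeeper.example:3001",
)

if __name__ == "__main__":
    host = "gatekeeper.example:3001"
    for name, cfg in (("question", QUESTION_CFG), ("proxy", PROXY_CFG)):
        print(name, cfg.callback_url(host), "reaches proxy:", callback_reaches_proxy(cfg, host))
    print(handle(PROXY_CFG, "/api/items", host, {}, set()))
    print(handle(PROXY_CFG, "/api/items", host, {SESSION_COOKIE: "tok1"}, {"tok1"}))
    print(handle(PROXY_CFG, CALLBACK_PATH, host, {}, set()))
```

Running it with the question's config shows the callback resolving to node-server:3000, which is why that service had to grow a /oauth/callback route; with redirection-url pointing at the proxy, or left unset so the Host header is used, the upstream only ever receives already-authenticated requests.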