keycloak, keycloak-gatekeeper, louketo-proxy

keycloak gatekeeper doesn't block any request


I am trying to use keycloak + keycloak-gatekeeper for authorization in a personal API: api.mydomain.com. So far I have done:

  1. Created a realm MY-REALM in keycloak, the URL for keycloak is https://auth.mydomain.com
  2. Created a confidential client in the same realm with Authorization Enabled ON and Valid redirect URIS: https://api.mydomain.com/*
  3. Created a user
  4. Inside my server, https://api.mydomain.com points to 127.0.0.1:5000
  5. 127.0.0.1:5001 is the "real API"
  6. Configured keycloak-gatekeeper with this config.yaml:

    client-id: <MY-API-CLIENT-ID>
    client-secret: <SECRET>
    discovery-url: https://auth.mydomain.com/auth/realms/<MY-REALM>
    enable-default-deny: true
    listen: 127.0.0.1:5000
    upstream-url: http://127.0.0.1:5001
    verbose: true
    enable-logging: true
    enable-security-filter: true
    enable-json-logging: true

Right now, if I access https://api.mydomain.com in a browser, I am redirected to https://auth.mydomain.com asking for a user and password. I supply the user created in point 3 and, as expected, am redirected again to https://api.mydomain.com. So far so good.

The problem lies in the configuration of the Authorization part: in Keycloak -> Clients -> <MY-API-CLIENT-ID> -> Authorization -> Resources I edit the default policy to Deny every request on the resource /*, but I can access every resource (URL) in https://api.mydomain.com just as before.

I have tried:

  1. Restrict by realm role (only admins can access a particular resource).
  2. Restrict by scope.
  3. Negate the logic in the policy.
  4. Restrict by client role.
  5. Pray.
  6. Cry.

Of course I have tried every combination of the above in the Evaluate tab in Keycloak, and there the simulated policy effectively shows DENY.

So what am I doing wrong? By the way, after every request this is the log from keycloak-gatekeeper:

{"level":"debug","ts":1554936731.4022436,"caller":"keycloak-gatekeeper/middleware.go:337","msg":"access permitted to resource","access":"permitted","email":"[email protected]","expires":201.59779997,"resource":"/*"}

Any ideas will be deeply appreciated.


Solution

  • Gatekeeper doesn't use Keycloak -> Clients -> <MY-API-CLIENT-ID> -> Authorization -> Resources.

    It has its own configuration of resources, e.g.:

    resources:
    - uri: /admin/*
      methods:
      - GET
      roles:
      - openvpn:vpn-user
      - openvpn:commons-prod-vpn
    

    Doc: https://www.keycloak.org/docs/latest/securing_apps/index.html#configuration-options
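The answer's point, that `enable-default-deny` only demands a login while authorization comes from gatekeeper's own `resources` entries, can be seen in this added Python model of the check (example code, not gatekeeper's source; the `resources` entries, role names and token claims are constructed, and the matching is a simplified first-match model of what the proxy does):

```python
import fnmatch

# Constructed resources (an assumption, not the poster's real config).
# The question's config.yaml has no `resources` block at all, so with
# enable-default-deny gatekeeper only adds a "/*" entry that needs a login.
ASKER_RESOURCES = []
FIXED_RESOURCES = [
    {"uri": "/admin/*", "methods": ["GET"], "roles": ["admin"]},
    {"uri": "/*", "methods": ["ANY"], "roles": ["api-user"]},
]

# Constructed token claims: an ordinary user with Keycloak's default roles,
# and an admin. Role names here are hypothetical.
PLAIN_USER = {"realm_access": {"roles": ["offline_access", "uma_authorization"]},
              "resource_access": {"account": {"roles": ["view-profile"]}}}
ADMIN = {"realm_access": {"roles": ["admin", "api-user"]}}


def gatekeeper_roles(claims):
    """Flatten Keycloak token claims the way gatekeeper names roles:
    realm roles stay bare, client roles become '<client-id>:<role>'
    (the answer's 'openvpn:vpn-user' form)."""
    roles = set(claims.get("realm_access", {}).get("roles", []))
    for client, access in claims.get("resource_access", {}).items():
        roles.update(f"{client}:{r}" for r in access.get("roles", []))
    return roles


def is_permitted(resources, method, path, claims, default_deny=True):
    """Simplified model: the first resource whose uri and method match
    decides. A resource with no roles only needs an authenticated user;
    default-deny appends exactly such a catch-all '/*' resource."""
    table = list(resources)
    if default_deny:
        table.append({"uri": "/*", "methods": ["ANY"], "roles": []})
    have = gatekeeper_roles(claims) if claims is not None else None
    for res in table:
        if not fnmatch.fnmatchcase(path, res["uri"]):
            continue
        if "ANY" not in res["methods"] and method not in res["methods"]:
            continue
        if have is None:            # no token at all: redirect to login
            return False
        return all(r in have for r in res.get("roles", []))  # all roles required
    return True                     # nothing matched and no default deny
```

With the asker's config every logged-in user reaches `/admin/secret` (the "access permitted to resource /*" log line); with the `resources` block the plain user is denied and the admin is allowed.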