I am trying to secure my Angular web application deployed in EKS. I am trying to use the Keycloak gatekeeper for securing my app.
But when I do so, requests are hitting the gatekeeper pod instead of giving me a login screen. I get an error as below:

```
1.6945349015849838e+09 error no session found in request, redirecting for authorization {"error": "authentication session not found"}
1.6945349015850434e+09 info client request {"latency": 0.000098136, "status": 307, "bytes": 95, "client_ip": "10.216.16.169:1792", "method": "GET", "path": "/"}
```
Below is my deployment configuration:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cnap-ui-admin-dev
  labels:
    app: cnap-ui-admin-dev
    tier: frontend
spec:
  replicas: 1 # Number of replicas of the application to be deployed
  selector:
    matchLabels: # application pod labels should match these
      app: cnap-ui-admin-dev
      tier: frontend
  template:
    metadata:
      labels: # Must match 'Service' and 'Deployment' labels
        app: cnap-ui-admin-dev
        tier: frontend
    spec:
      containers:
        - name: cnap-ui-admin
          image: xxxx-ui:latest # docker image of the application
          imagePullPolicy: Always
          ports:
            - containerPort: 4200
        - name: gatekeeper
          image: carlosedp/keycloak-gatekeeper:latest
          args:
            - --config=/etc/keycloak-gatekeeper.conf
          ports:
            - containerPort: 3000
              name: service
          volumeMounts:
            - name: gatekeeper-config
              mountPath: /etc/keycloak-gatekeeper.conf
              subPath: keycloak-gatekeeper.conf
            - name: gatekeeper-files
              mountPath: /html
      volumes:
        - name: gatekeeper-config
          configMap:
            name: gatekeeper-config
        - name: gatekeeper-files
          configMap:
            name: gatekeeper-files
```
The gatekeeper configuration goes as below.

```yaml
apiVersion: v1
kind: ConfigMap # kind and metadata restored to match the configMap reference in the Deployment above
metadata:
  name: gatekeeper-config
data:
  keycloak-gatekeeper.conf: |
    # the url to retrieve the OpenID configuration from - normally <server>/auth/realms/<realm_name>
    discovery-url: https://keycloak.xxx.com/realms/clientrealm
    http-only-cookie: false
    # skip tls verify
    skip-openid-provider-tls-verify: true
    # the client id for the 'client' application
    client-id: login-app
    checkLoginIframe: false
    # the secret associated with the 'client' application
    client-secret: xfPiqMfka5nhcSwkW1uAA2D42cazrY0a
    # the interface you wish the proxy to listen on; all interfaces is specified as ':<port>', unix sockets as unix://<REL_PATH>|</ABS PATH>
    listen: :3000
    # whether to enable refresh tokens
    enable-refresh-tokens: true
    enable-logging: true
    # the location of a certificate you wish the proxy to use for TLS support
    # tls-cert:
    # the location of a private key for TLS
    # tls-private-key:
    # the redirection url, essentially the site url; note: /oauth/callback is added at the end
    redirection-url: https://app.xxx.com
    secure-cookie: false
    enable-session-cookies: true
    # the encryption key used to encode the session state
    encryption-key: hwvvLHSuUtsxahm2NpAaLJqUGgt7sIjH
    # the upstream endpoint to which requests should be proxied
    upstream-url: http://127.0.0.1:4200/
    forbidden-page: /html/access-forbidden.html
    resources:
      - uri: /*
        groups:
```
I am following the article link for the blog. I am using version 20 of Keycloak. And I am avoiding any code change to the frontend application.
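Added here as a check on the proxy settings shown in the question (example code, not from the post or the gatekeeper project): it reads the flat `key: value` lines of the gatekeeper config and flags the session-cookie, TLS and upstream settings that matter once the redirect flow works. The embedded sample config and the `app_container_port` argument are constructed from the values above with the secret replaced by a placeholder; the `/auth` path note assumes the Keycloak 17+ Quarkus distribution default.

```python
from urllib.parse import urlparse

# Constructed sample mirroring the proxy settings in the question (secret replaced by a placeholder).
SAMPLE_CONF = """\
discovery-url: https://keycloak.xxx.com/realms/clientrealm
http-only-cookie: false
skip-openid-provider-tls-verify: true
client-id: login-app
client-secret: <placeholder-secret>
listen: :3000
redirection-url: https://app.xxx.com
secure-cookie: false
enable-session-cookies: true
upstream-url: http://127.0.0.1:4200/
"""

def parse_flat(conf: str) -> dict:
    """Read the top-level `key: value` lines; comments and nested list items are skipped."""
    out = {}
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "-")) or line[0].isspace():
            continue
        key, _, value = line.partition(":")  # split on the first colon only, so 'listen: :3000' survives
        out[key.strip()] = value.strip()
    return out

def check_gatekeeper(conf: dict, app_container_port: int) -> list:
    """Return findings about the cookie, TLS and upstream settings (empty list = nothing flagged)."""
    findings = []
    if urlparse(conf.get("redirection-url", "")).scheme == "https" and conf.get("secure-cookie") != "true":
        findings.append("secure-cookie is false on an HTTPS site: the session cookie may be sent over plain HTTP")
    if conf.get("http-only-cookie") != "true":
        findings.append("http-only-cookie is false: page scripts can read the session cookie")
    if conf.get("skip-openid-provider-tls-verify") == "true":
        findings.append("skip-openid-provider-tls-verify is true: the Keycloak certificate is not validated")
    up = urlparse(conf.get("upstream-url", ""))
    if up.hostname not in ("127.0.0.1", "localhost"):
        findings.append("upstream-url is not loopback: the app could be reached without going through the proxy")
    if up.port != app_container_port:
        findings.append(f"upstream-url port {up.port} does not match the app containerPort {app_container_port}")
    if "/auth/realms/" in urlparse(conf.get("discovery-url", "")).path:
        findings.append("discovery-url uses the legacy /auth/realms/ path; Keycloak 17+ serves /realms/<realm>")
    return findings

if __name__ == "__main__":
    for finding in check_gatekeeper(parse_flat(SAMPLE_CONF), 4200):
        print("WARN:", finding)
```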