Keycloak gatekeeper behind nginx ingress reverse proxy


Objective: Keycloak gatekeeper deployment when nginx ingress has active rewrite-target feature.

The ingress rewrites the target according to:

  • rewrite.bar.com/something/ rewrites to rewrite.bar.com/
  • rewrite.bar.com/something/new rewrites to rewrite.bar.com/new

and adds the following header:

X-Forwarded-Prefix: /something

Keycloak gatekeeper configuration:

#deployment.yaml:
...
- name: keycloak-gatekeeper
  image: quay.io/keycloak/keycloak-gatekeeper:9.0.2
  imagePullPolicy: IfNotPresent
  args:
    - --listen=0.0.0.0:3000
    - --discovery-url=https://auth.server.com/auth/realms/realm
    - --client-id={client_id}
    - --client-secret={client_secret}
    - --redirection-url=https://rewrite.bar.com/something/
    - --upstream-url=http://127.0.0.1:8080
    - --skip-upstream-tls-verify=false
    - --skip-openid-provider-tls-verify=false
    - --enable-default-deny=true

Issue:
Gatekeeper redirects unauthorized requests to https://rewrite.bar.com/oauth/authorize?state=00191... but the endpoint is at https://rewrite.bar.com/something/oauth/authorize. Gatekeeper ignores the X-Forwarded-Prefix header. When the path is manually corrected in the browser by adding something/ to the path, everything works: there is a correct redirection to the authentication server and the callback also works.

When the gatekeeper configuration is augmented by setting the base URI in the deployment:

    ...
    - --redirection-url=https://rewrite.bar.com/something/
    - --base-uri=/something
    ...

unauthorized requests are redirected correctly to https://rewrite.bar.com/something/oauth/authorize, which is rewritten by the ingress to https://rewrite.bar.com/oauth/authorize, which does not match the unprotected authorization endpoint in gatekeeper (something/oauth/authorize). It results in constant redirection.

Question: Is there any way to configure a gateway so that it adds /something to redirection requests but does not expect it (proxy-base-url)?

Answer:

You can use the proxy-redirect annotation to accomplish this: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#proxy-redirect

It will change the Location header to what you want.

nginx.ingress.kubernetes.io/proxy-redirect-from: /oauth
nginx.ingress.kubernetes.io/proxy-redirect-to: /something/oauth
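As an added example (not from the question or the answer), here is an Ingress that combines the prefix-stripping rewrite described in the question with the proxy-redirect annotations from the answer; the Ingress name, namespace, Service name and port are assumed, and the annotation only matches if the gatekeeper emits a Location header that starts with /oauth (a path-relative redirect), which is the case the answer relies on.

```yaml
# Added example, not the questioner's or answerer's manifest.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rewrite-bar                # assumed name
  namespace: default               # assumed namespace
  annotations:
    # Strip the /something prefix before proxying:
    #   /something/     -> /
    #   /something/new  -> /new
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    # Tell the upstream which prefix was stripped. Gatekeeper ignores this
    # header, which is why its redirects lose the prefix.
    nginx.ingress.kubernetes.io/x-forwarded-prefix: /something
    # Fix the redirects on the way back out instead: a Location header of
    #   /oauth/authorize?state=...
    # from the gatekeeper is rewritten by nginx to
    #   /something/oauth/authorize?state=...
    # so the browser's next request carries the prefix, the rewrite above
    # strips it again, and the request lands on the gatekeeper's own
    # unprotected /oauth/* endpoint. The callback works the same way:
    # redirection-url=https://rewrite.bar.com/something/ yields
    # /something/oauth/callback, which reaches the gatekeeper as /oauth/callback.
    nginx.ingress.kubernetes.io/proxy-redirect-from: /oauth
    nginx.ingress.kubernetes.io/proxy-redirect-to: /something/oauth
spec:
  ingressClassName: nginx
  rules:
  - host: rewrite.bar.com
    http:
      paths:
      # Capture groups: $1 is the optional slash, $2 the remainder used above.
      - path: /something(/|$)(.*)
        pathType: ImplementationSpecific
        backend:
          service:
            name: gatekeeper         # assumed Service fronting the gatekeeper container
            port:
              number: 3000           # matches --listen=0.0.0.0:3000 in the deployment
```

Because only the Location header is rewritten, the gatekeeper still sees prefix-less paths on the inbound side, so --base-uri must not be set in this arrangement.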