louketo-proxy's Issues

Allow tokens from different clients

I want to allow tokens from different clients. How can I do that? I tried the following:

match-claims:
  aud: (.*?)

I am getting the log:

INFO[0000] the token must container the claim: aud, required: (.*?) 

After calling the endpoint with an token created by another client-id, I am getting:

ERRO[0040] access token failed verification              client_ip=w.x.y.z.  error=oidc: JWT claims invalid: invalid claims, 'aud' claim and 'client_id' do not match, aud=<otherClientId>, client_id=<configuredClientId>

It still claims that the aud must be <configuredClientId>.

Support Identity provider with self-signed certificate

@gambol99 First of all thanks for your great work on this project :)

In our test environment we have a keycloak installation which has a self signed certificate. The proxy fails to start when retrieving the discovery URL:

time="2016-11-07T10:10:51Z" level=warning msg="failed to get provider configuration from discovery url: https://<keycloak-url>/auth/realms/<realm>, Get https://<keycloak-url>/auth/realms/<realm>/.well-known/openid-configuration: x509: certificate signed by unknown authority"

I would suggest adding a config option --skip-openid-provider-tls-verify to allow self-signed certs for test environments!

If you want I can try and contribute

Option to allow cookie to be sent over insecure connections

Newest version of keycloak proxy doesn't allow the cookie to be sent over insecure connections. This is good as default behaviour, but it would be good to be able to override this setting: when setting things up in dev it is annoying to need to set up TLS before setting up keycloak proxy.

url query string state

the authorization url appears to truncate the state= so urls with query strings aren't getting fully redirected, i.e.

state=/api?dksdj&jdksjds => state=/api?
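The truncation described above is what happens when a redirect target containing `?` and `&` is pasted into the authorization URL without percent-encoding: the identity provider's query parser stops the state value at the first `&`. The following is an added example (not code from the louketo-proxy project) that contrasts a naive string-concatenated authorization URL with one built through url.Values, and parses both back the way an IdP would; the IdP endpoint and client_id are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/url"
)

// Constructed placeholder for the example; not a real endpoint.
const idpAuthEndpoint = "https://idp.example/auth"

// naiveAuthURL pastes the state in unescaped, the way a string-concatenated
// redirect would. A '&' inside the state ends the state parameter early.
func naiveAuthURL(state string) string {
	return idpAuthEndpoint + "?client_id=app&state=" + state
}

// safeAuthURL encodes state with url.Values, so '?', '&' and '=' inside it
// survive the round trip through the identity provider.
func safeAuthURL(state string) string {
	q := url.Values{}
	q.Set("client_id", "app")
	q.Set("state", state)
	return idpAuthEndpoint + "?" + q.Encode()
}

// stateSeenByIdP parses the URL as the identity provider would and returns
// the state value it will echo back on the /oauth/callback redirect.
func stateSeenByIdP(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	return u.Query().Get("state"), nil
}

func main() {
	state := "/api?dksdj&jdksjds" // the reporter's example redirect target
	for _, u := range []string{naiveAuthURL(state), safeAuthURL(state)} {
		s, _ := stateSeenByIdP(u)
		fmt.Printf("%s\n  -> state=%q\n", u, s)
	}
}
```

The naive form loses everything after the `&` (here the state comes back as `/api?dksdj`; the exact cut point depends on where the first unescaped separator sits), while the encoded form returns the full `/api?dksdj&jdksjds`.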

Developer guide

Could do with a section on building locally and contributing. Sure I am doing something wrong but after running:

go get
go install
go build
docker build .
docker run xxxxx

I get:

docker: Error response from daemon: Container command '/opt/keycloak-proxy' not found or does not exist..

Docker image

Hi,

Is there a docker image somewhere ?
I can see the Dockerfile in the repo, but couldn't find the image on the hub.

Thanks !

cookie-domain bug

Currently the cookie-domain flag is set as a StringSlice. Therefore if you pass --cookie-domain foo.com on startup, dropping a cookie fails with:

net/http: invalid Cookie.Domain "[foo.com]"; dropping domain attribute

Using a config file works correctly.

stuck in an infinite loop

with keycloak-proxy compiled from master, I got stuck in an infinite redirection cycle
(tested with keycloak 1.9.1.Final)

 keycloak-prooxy-mater \
    --discovery-url=https://auth.rvion.fr/auth/realms/master/.well-known/openid-configuration \
    --listen=:3000 \
    --client-id=unprotectedservice \
    --upstream-url=http://unprotectedservice:8080 \
    --redirection-url=http://keycloakproxy:3000 \
    --client-secret=secret \
    --resource="uri=/" \
    --verbose=true

when I access http://keycloakproxy:3000, I'm redirected to keycloak. Then I log in on keycloak and I'm redirected back to http://keycloakproxy:3000/oauth/callback?xxx. But then it enters a redirection loop, and chrome shows me an error message.

I see in the logs:

ERRO[0016] failed to get session, redirecting for authorization  error=authentication session not found
INFO[0016] incoming authorization request from client address: 37.161.218.27:41982  access_type= client_ip=37.161.218.27:41982
ERRO[0019] failed to get session, redirecting for authorization  error=authentication session not found
INFO[0019] incoming authorization request from client address: 37.161.218.27:41982  access_type= client_ip=37.161.218.27:41982
ERRO[0057] failed to get session, redirecting for authorization  error=authentication session not found
INFO[0057] incoming authorization request from client address: 37.161.218.27:41982  access_type= client_ip=37.161.218.27:41982
INFO[0058] issuing a new access token for user, email: [email protected]  duration=58.995194544s [email protected] expires=07 May 16 20:55 +0000 idle=0
ERRO[0058] failed to get session, redirecting for authorization  error=authentication session not found
INFO[0058] incoming authorization request from client address: 37.161.218.27:41982  access_type= client_ip=37.161.218.27:41982
INFO[0058] issuing a new access token for user, email: [email protected]  duration=59.588883831s [email protected] expires=07 May 16 20:55 +0000 idle=0
ERRO[0058] failed to get session, redirecting for authorization  error=authentication session not found
INFO[0058] incoming authorization request from client address: 37.161.218.27:41982  access_type= client_ip=37.161.218.27:41982
INFO[0058] issuing a new access token for user, email: [email protected]  duration=59.290884249s [email protected] expires=07 May 16 20:55 +0000 idle=0
ERRO[0058] failed to get session, redirecting for authorization  error=authentication session not found
INFO[0058] incoming authorization request from client address: 37.161.218.27:41982  access_type= client_ip=37.161.218.27:41982
INFO[0059] issuing a new access token for user, email: [email protected]  duration=59.92635992s [email protected] expires=07 May 16 20:55 +0000 idle=0
ERRO[0059] failed to get session, redirecting for authorization  error=authentication session not found
...

Container runs as root?

From the dockerfile looks like this runs as root currently. Could this be updated to not run as root?

Cross compile and add to releases

Hey,
We've got a user who can't use docker and is on windows.
Could you therefore also have some cross compiles to different archs and have travis put them in the release artifacts?
I need something like:

GOOS=windows GOARCH=amd64 ./bin/godep go build -a -o bin/keycloak-proxy-amd64.exe
GOOS=windows GOARCH=386 ./bin/godep go build -a -o bin/keycloak-proxy-i386.exe

buggy behaviour on ssl handshake fail with cloudflare

in my setup, ssl for both stuff.rvion.fr and keycloak-proxy.rvion are provided by cloudflare

when I run keycloak-proxy with

    --discovery-url=https://auth.rvion.fr/auth/realms/master/.well-known/openid-configuration \
    --listen=:8443 \
    --client-id=stuff \
    --upstream-url=https://stuff.rvion.fr/ \
    --redirection-url=https://keycloak-proxy.rvion.fr:8443/ \
    --client-secret=plop \
    --resource="uri=/" \
    --secure-cookie=false \
    --encryption-key=AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j \
    --enable-refresh-tokens=true \
    --verbose=true

and when I contact https://keycloak-proxy.rvion.fr:8443/,

cloudflare error page "ssl handshake fail" appears and refreshes every ~0.5 seconds

keycloak-proxy log says:

nothing

when session expired without --enable-refresh-tokens, restarting the proxy with --enable-refresh-tokens doesn't refresh tokens

when session expired without --enable-refresh-tokens, restarting the proxy with --enable-refresh-tokens doesn't refresh tokens and the user has to delete cookies (or log out?).

indeed, after the restart with --enable-refresh-tokens, the logs show:

ERRO[0024] unable to find a refresh token for the client: [email protected]  [email protected] error=authentication session not found
INFO[0024] incoming authorization request from client address: 37.161.206.246:63591  access_type= client_ip=37.161.206.246:63591

until I manually remove cookies

command options need to merge

At present maps and arrays when specified on the command line do not merge into any possible options from a config file, i.e. you wanna add a quick --add-claims=; at present this would overwrite the ones in the config file ... Just need to append and merge maps.

Basic Auth support

It would be great if it were possible to authenticate to an upstream server with basic auth.

--upstream-username=foobar
--upstream-password=supersecret

I've tried --headers but it's failing:

--headers "authorization=Basic <redacted>"
[error] invalid tag 'authorization=Basic <redacted>=' should be key=pair

keycloak-proxy hangs when misconfigured

  • I configured keycloak-proxy with the wrong config name: "upstream" instead of "upstream-url"
  • I ran the keycloak-proxy on a kubernetes cluster and it started up fine
  • When I hit it with a request it crashes (crash loop backoff)
  • Nothing is logged

Few changes would be good:

  • If mandatory configuration is missing the proxy shouldn't start and should log out an appropriate error
  • If the proxy has issues when running it should log them out

JWE support

Hey,

First of all great work on the keycloak proxy. Looks pretty good!

A current use case we have is supporting JWE as we do not want to send plain JWTs to the clients in every case. Keycloak currently does not support this. What are your thoughts on configurable JWE support within the proxy. The scenario is basically to encrypt the tokens before being sent to the clients.

login handler only called locally

Hi,

I was just looking at the latest changes. The localhost origin requirement for the login handler caught my eye. What is the motivation behind it? Do you expect something else to terminate the client connection and proxy locally to the keycloak-proxy. Maybe it makes sense to be explained in more details in the docs?

forwarding agent support

Would be nice to have forwarding agent support, i.e. the proxy loads, logs in, requesting an access token. An application/micro-service sitting behind it can proxy through the service, with the proxy adding the authorization header to the outgoing requests. We could then verify resource access on the other end.

Login endpoint requires url params for username and password

Main issue with this is that nginx logs will include the full url including the query string, and we don't want username and password to be logged.

Instead suggest having these as part of the body of the post request in the same way that the keycloak server does typically (x-www-form-urlencoded).

endpoints

  • provide an endpoint to display the current session's access token
  • provide an endpoint to test if a session is expired

unix socket listen

We can currently proxy forward to a unix socket, it's a minor change to permit listening on it

[proposal] extend resource access patterns

while reading #80, I had an idea about extending resource access declarations

As of now, access policy is declared with a comma separated list of role names (, meaning OR)

--resource='uri:/logs/project1|roles=project1,project2'

what about replacing , with [+, *, (, )]

--resource='uri:/logs/project1|roles=r1+r2*r3+r4'                # r1 OR (r2 and r3) OR r4
--resource='uri:/logs/project1|roles=r1+r2*(r3+r4+(r5*r6))'    

where + and * come from logic notation:

  • + being OR
  • * being AND
  • ( and ) allow nesting expressions.

the behaviour is simple and fully described, and it seems powerful enough to support lots of use cases.

note: I thought about + and * to avoid conflicts with the current usage of | and the meaning of & in URIs.
(as shown in the example given in #80, avoiding conflict with | and & is important so that

--resource='uri:/logs/%roles%|roles=test1+test2*(test3+test4)'

correctly match

uri:/logs/test1
uri:/logs/test2*test3
uri:/logs/test2*test4

)


if you like the idea, how about also adding a NOT (!) operator so one can use roles to temporarily ban people, etc.

--resource='uri:/logs/project1|roles=!banned'
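To make the proposed operators concrete, here is an added example (not code from the louketo-proxy project) of a small recursive-descent evaluator for the grammar sketched above: `+` is OR, `*` is AND and binds tighter, `(` `)` nest, and `!` negates. It evaluates an expression against the roles carried by a token and rejects malformed expressions instead of silently granting or denying. The function name Authorized and the precedence of `*` over `+` are assumptions taken from the proposal's own comments (`r1+r2*r3+r4` meaning `r1 OR (r2 AND r3) OR r4`).

```go
package main

import (
	"fmt"
	"strings"
)

// Grammar assumed from the proposal (added example, not the project's code):
//   expr   := term   { '+' term }      '+' is OR
//   term   := factor { '*' factor }    '*' is AND (binds tighter than '+')
//   factor := '!' factor | '(' expr ')' | role-name
// A role name is any run of characters other than the operator symbols.

type roleParser struct {
	s   string
	pos int
}

func (p *roleParser) peek() byte {
	if p.pos >= len(p.s) {
		return 0
	}
	return p.s[p.pos]
}

func (p *roleParser) expr(have map[string]bool) (bool, error) {
	v, err := p.term(have)
	if err != nil {
		return false, err
	}
	for p.peek() == '+' {
		p.pos++
		w, err := p.term(have)
		if err != nil {
			return false, err
		}
		v = v || w
	}
	return v, nil
}

func (p *roleParser) term(have map[string]bool) (bool, error) {
	v, err := p.factor(have)
	if err != nil {
		return false, err
	}
	for p.peek() == '*' {
		p.pos++
		w, err := p.factor(have)
		if err != nil {
			return false, err
		}
		v = v && w
	}
	return v, nil
}

func (p *roleParser) factor(have map[string]bool) (bool, error) {
	switch p.peek() {
	case '!':
		p.pos++
		v, err := p.factor(have)
		return !v, err
	case '(':
		p.pos++
		v, err := p.expr(have)
		if err != nil {
			return false, err
		}
		if p.peek() != ')' {
			return false, fmt.Errorf("missing ')' at offset %d", p.pos)
		}
		p.pos++
		return v, nil
	case 0, ')', '+', '*':
		return false, fmt.Errorf("expected role name at offset %d", p.pos)
	}
	start := p.pos
	for p.pos < len(p.s) && !strings.ContainsRune("+*!()", rune(p.s[p.pos])) {
		p.pos++
	}
	return have[p.s[start:p.pos]], nil // unknown roles are simply absent
}

// Authorized evaluates a role expression against the roles in a token.
// Both operands are always parsed (no short-circuit), so a malformed tail
// is detected and reported rather than ignored.
func Authorized(expr string, roles []string) (bool, error) {
	have := make(map[string]bool, len(roles))
	for _, r := range roles {
		have[r] = true
	}
	p := &roleParser{s: strings.ReplaceAll(expr, " ", "")}
	v, err := p.expr(have)
	if err != nil {
		return false, err
	}
	if p.pos != len(p.s) {
		return false, fmt.Errorf("unexpected %q at offset %d", p.s[p.pos], p.pos)
	}
	return v, nil
}

func main() {
	cases := []struct {
		expr  string
		roles []string
	}{
		{"r1+r2*r3+r4", []string{"r2", "r3"}},
		{"r1+r2*(r3+r4+(r5*r6))", []string{"r2", "r5", "r6"}},
		{"!banned", []string{"banned"}},
	}
	for _, tc := range cases {
		ok, err := Authorized(tc.expr, tc.roles)
		fmt.Printf("%-24s roles=%v -> %v %v\n", tc.expr, tc.roles, ok, err)
	}
}
```

Note that `!banned` grants access to anyone whose token lacks the role, which is exactly the "temporary ban" use the proposal describes; an operator that fails closed on parse errors matters here, since an accidentally truncated expression must not widen access.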

Feature request: don't always redirect

Please could there be a configuration setting that would prevent the proxy redirecting on no-auth and just return a valid HTTP status code (401 Unauthorized and 403 Forbidden)?
Perhaps optionally combined with when the request has Content-Type: application/json (or maybe even wildcarded to application/*)?

This is particularly useful for APIs that JavaScript accesses, since the browser won't permit the cross origin request to the keycloak service (without whitelisting all potential clients there), so it allows a JavaScript front end to better handle the status and direct the user to authenticate.
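The behaviour requested above, as an added example rather than code from the louketo-proxy project: a net/http middleware that redirects browser navigations to the identity provider but answers API clients (those asking for or sending application/json, or when a hypothetical no-redirects switch is on) with a plain 401, and answers an authenticated session that lacks the required role with 403 regardless, since a redirect cannot fix that. The option name, the IdP URL and the session/authorization hooks are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed placeholder; not a real endpoint.
const authorizationURL = "https://idp.example/auth"

// wantsJSON reports whether the caller looks like an API client rather than a
// browser navigation: it asked for JSON or sent JSON.
func wantsJSON(r *http.Request) bool {
	return strings.Contains(r.Header.Get("Accept"), "application/json") ||
		strings.HasPrefix(r.Header.Get("Content-Type"), "application/json")
}

// denyUnauthenticated either redirects to the IdP (browser) or returns 401 so a
// JavaScript front end can start the login flow itself.
func denyUnauthenticated(w http.ResponseWriter, r *http.Request, noRedirects bool) {
	if noRedirects || wantsJSON(r) {
		w.Header().Set("WWW-Authenticate", `Bearer realm="proxy"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	http.Redirect(w, r, authorizationURL, http.StatusTemporaryRedirect)
}

// authGate protects next. hasSession and authorized are hooks the caller
// supplies (constructed here; the real proxy derives them from its cookie).
func authGate(next http.Handler, hasSession, authorized func(*http.Request) bool, noRedirects bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case !hasSession(r):
			denyUnauthenticated(w, r, noRedirects)
		case !authorized(r):
			// Valid session but missing role: redirecting would not help.
			http.Error(w, "forbidden", http.StatusForbidden)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

// statusFor drives the gate with a synthetic request and returns the status.
func statusFor(accept string, hasSession, authorized, noRedirects bool) int {
	h := authGate(
		http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }),
		func(*http.Request) bool { return hasSession },
		func(*http.Request) bool { return authorized },
		noRedirects,
	)
	req := httptest.NewRequest(http.MethodGet, "/api/items", nil)
	if accept != "" {
		req.Header.Set("Accept", accept)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("browser, no session:     ", statusFor("text/html", false, false, false))        // 307
	fmt.Println("json client, no session: ", statusFor("application/json", false, false, false)) // 401
	fmt.Println("no-redirects, no session:", statusFor("text/html", false, false, true))         // 401
	fmt.Println("session, missing role:   ", statusFor("text/html", true, false, false))         // 403
	fmt.Println("session, authorized:     ", statusFor("text/html", true, true, false))          // 200
}
```

Keying the decision on the Accept header rather than only on Content-Type matters for GET requests, which carry no body and therefore no Content-Type; the WWW-Authenticate header on the 401 tells a client which scheme the proxy expects.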

[proposal] resource syntax normalisation (e.g. normalizing "uri:" and "roles=")

as of now, resource syntax reads as

--resource='uri:/logs|roles=test1'

how about unifying the format to something like

--resource='uri=/logs|roles=test1|name=rvion|after=2015-03-21T00:18:56Z'

documentation would be much easier, and you open the gates to feature expansion in an easy way.
I can imagine the resource flag becoming resources (with an s) along with some documentation saying

resources are defined like this:

expr        def
resources   ruleset [ ; ruleset ]
ruleset     match [
match       check = values

checks can be

1. roles check

roles=           explanation
rolename         any role name you want to grant access
expr1 + expr2    match when either expr1 OR expr2 match
expr1 * expr2    match when both expr1 AND expr2 match
! expr           negate expression
(expr)           allow defining sub expressions
  • provides %roles% to be used in following rulesets

example:
...

2. uri check

uri=                   explanation
segment [ / segment]
*                      match one segment
**                     match any number of segments

provides %url%
provides %last-segment% to following rulesets


๐Ÿ‘ each ruleset would provide template for next ruleset, so implementation would be very easy, with no dependency resolution to do. if you want to use %role% in uri, or in whatever else, you just have to write your resource with ruleset in the correct order for keycloak-proxy to resolve them.

๐Ÿ‘ it becomes very easy to write things like

--resources="roles=user"

when you only want to take roles into account.

no more

--resources="uri:/|roles=user"

when uri doesn't matter.

๐Ÿ‘ yaml implementation should be very straighforward too as there is a direct encoding.

allow the upstream "Authorization" header to not be sent

I am wanting to use keycloak-proxy with grafana proxy auth module.

I have run into an issue where grafana detects the Authorization header and attempts to verify it as a grafana api key, and therefore throws an error.

One option could be to get grafana to disable api key checking, but I thought it may be simple to do it in here?

url tokenization

Would be nice to permit tokenizing the url for role extraction, i.e. instead of using

--resource='uri:/logs/project1|roles=project1'
--resource='uri:/logs/project2|roles=project2'

It's preferable to use

--resource='uri:/logs/%role%'

proxy protocol

i've been meaning to do this for a while but adding proxy protocol is desirable
