diff --git a/404.html b/404.html index 1928daeb..cea00e35 100644 --- a/404.html +++ b/404.html @@ -1,2 +1,2 @@ 404 Page not found -

Error

Woops. Looks like this page doesn't exist ¯\_(ツ)_/¯.

Go to homepage

Page not found!

\ No newline at end of file +

Error

Woops. Looks like this page doesn't exist ¯\_(ツ)_/¯.

Go to homepage

Page not found!

\ No newline at end of file diff --git a/categories/index.html b/categories/index.html index bfe6acda..a7c372ed 100644 --- a/categories/index.html +++ b/categories/index.html @@ -1,7 +1,7 @@ Categories - Gatekeeper -

category :: -Categories

    \ No newline at end of file +Categories
    \ No newline at end of file diff --git a/configuration/index.html b/configuration/index.html index 309aa790..ce5d3124 100644 --- a/configuration/index.html +++ b/configuration/index.html @@ -1,7 +1,7 @@ Configuration Reference - Gatekeeper -

    Configuration Reference

    CONFIGDESCRIPTIONDEFAULTENV
    –config valuepath the a configuration filePROXY_CONFIG_FILE
    –listen valueDefines the binding interface for main listener, e.g. {address}:{port}. This is required and there is no default valuePROXY_LISTEN
    –listen-http valueinterface we should be listening to for HTTP trafficPROXY_LISTEN_HTTP
    –listen-admin valuedefines the interface to bind admin-only endpoint (live-status, debug, prometheus…). If not defined, this defaults to the main listener defined by ListenPROXY_LISTEN_ADMIN
    –listen-admin-scheme valuescheme to serve admin-only endpoint (http or https).PROXY_LISTEN_ADMIN_SCHEME
    –discovery-url valuediscovery url to retrieve the openid configurationPROXY_DISCOVERY_URL
    –client-id valueclient id used to authenticate to the oauth servicePROXY_CLIENT_ID
    –client-secret valueclient secret used to authenticate to the oauth servicePROXY_CLIENT_SECRET
    –redirection-url valueredirection url for the oauth callback url, defaults to host header if absentPROXY_REDIRECTION_URL
    –post-logout-redirect-uri valueurl to which client is redirected after successful logoutPROXY_POST_LOGOUT_REDIRECT_URI
    –post-login-redirect-path valuepost-login-redirect-path" usage:“path to which client is redirected after successful login, in case user access /PROXY_POST_LOGIN_REDIRECT_PATH
    –revocation-url valueurl for the revocation endpoint to revoke refresh tokenPROXY_REVOCATION_URL
    –skip-openid-provider-tls-verifyskip the verification of any TLS communication with the openid providerfalsePROXY_SKIP_OPENID_PROVIDER_TLSVERIFY
    –openid-provider-proxy valueproxy for communication with the openid providerPROXY_OPENID_PROVIDER_PROXY
    –openid-provider-timeout valuetimeout for openid configuration on .well-known/openid-configuration30sPROXY_OPENID_PROVIDER_TIMEOUT
    –openid-provider-retry-count valuenumber of retries for retrieving openid configuration3PROXY_OPENID_PROVIDER_RETRY_COUNT
    –openid-provider-headers valuehttp headers sent to idp provider
    –base-uri valuecommon prefix for all URIsPROXY_BASE_URI
    –oauth-uri valuethe uri for proxy oauth endpoints/oauthPROXY_OAUTH_URI
    –scopes valuelist of scopes requested when authenticating the user
    –upstream-url valueurl for the upstream endpoint you wish to proxyPROXY_UPSTREAM_URL
    –upstream-ca valuethe path to a file container a CA certificate to validate the upstream tls endpointPROXY_UPSTREAM_CA
    –resources valuelist of resources ‘uri=/admin*|methods=GET,PUT|roles=role1,role2’
    –headers valuecustom headers to the upstream request, key=value
    –preserve-hostpreserve the host header of the proxied request in the upstream requestfalsePROXY_PRESERVE_HOST
    –request-id-header valuethe http header name for request idX-Request-IDPROXY_REQUEST_ID_HEADER
    –response-headers valuecustom headers to added to the http response key=valuePROXY_RESPONSE_HEADERS
    –custom-http-methodslist of additional non-standard http methods
    –enable-self-signed-tlscreate self signed certificates for the proxyfalsePROXY_ENABLE_SELF_SIGNED_TLS
    –self-signed-tls-hostnames valuea list of hostnames to place on the self-signed certificate
    –self-signed-tls-expiration valuethe expiration of the certificate before rotation3h0m0sPROXY_SELF_SIGNED_TLS_EXPIRATION
    –enable-request-idindicates we should add a request id if none foundfalsePROXY_ENABLE_REQUEST_ID
    –enable-logout-redirectindicates we should redirect to the identity provider for logging outfalsePROXY_ENABLE_LOGOUT_REDIRECT
    –enable-default-denyenables a default denial on all requests, requests with valid token are permitted, you have to explicitly say what is permittedtruePROXY_ENABLE_DEFAULT_DENY
    –enable-default-deny-strictenables a default denial on all requests, requests with valid token are denied, you have to explicitly say what is permitted (recommended)falsePROXY_ENABLE_DEFAULT_DENY_STRICT
    –enable-encrypted-tokenenable encryption for the access tokensfalsePROXY_ENABLE_ENCRYPTED_TOKEN
    –force-encrypted-cookieforce encryption for the access tokens in cookiesfalsePROXY_FORCE_ENCRYPTED_COOKIE
    –enable-loggingenable http logging of the requestsfalsePROXY_ENABLE_LOGGING
    –enable-json-loggingswitch on json logging rather than textfalsePROXY_ENABLE_JSON_LOGGING
    –enable-forwardingenables the forwarding proxy mode, signing outbound requestfalsePROXY_ENABLE_FORWARDING
    –enable-security-filterenables the security filter handlerfalsePROXY_ENABLE_SECURITY_FILTER
    –enable-refresh-tokensenables the handling of the refresh tokensfalsePROXY_ENABLE_REFRESH_TOKEN
    –enable-session-cookiesaccess and refresh tokens are session only i.e. removed browser closetruePROXY_ENABLE_SESSION_COOKIES
    –enable-login-handlerenables the handling of the refresh tokensfalsePROXY_ENABLE_LOGIN_HANDLER
    –enable-token-headerenables the token authentication header X-Auth-Token to upstreamtruePROXY_ENABLE_TOKEN_HEADER
    –enable-authorization-headeradds the authorization header to the proxy requesttruePROXY_ENABLE_AUTHORIZATION_HEADER
    –enable-authorization-cookiesadds the authorization cookies to the uptream proxy requesttruePROXY_ENABLE_AUTHORIZATION_COOKIES
    –enable-https-redirectionenable the http to https redirection on the http servicefalsePROXY_ENABLE_HTTPS_REDIRECT
    –enable-profilingswitching on the golang profiling via pprof on /debug/pprof, /debug/pprof/heap etcfalsePROXY_ENABLE_PROFILING
    –enable-metricsenable the prometheus metrics collector on /oauth/metricsfalsePROXY_ENABLE_METRICS
    –filter-browser-xssenable the adds the X-XSS-Protection header with mode=blockfalsePROXY_ENABLE_BROWSER_XSS_FILTER
    –filter-content-nosniffadds the X-Content-Type-Options header with the value nosnifffalsePROXY_ENABLE_CONTENT_NO_SNIFF
    –filter-frame-denyenable to the frame deny headerfalsePROXY_ENABLE_FRAME_DENY
    –content-security-policy valuespecify the content security policyPROXY_CONTENT_SECURITY_POLICY
    –localhost-metricsenforces the metrics page can only been requested from 127.0.0.1falsePROXY_LOCALHOST_METRICS
    –enable-compressionenable gzip compression for responsefalsePROXY_ENABLE_COMPRESSION
    –enable-pkceenable pkce for auth code flow, only S256 code challenge supportedfalsePROXY_ENABLE_PKCE
    –enable-idp-session-checkduring token validation it also checks if user session is still present, useful for multi app logouttruePROXY_ENABLE_IDP_SESSION_CHECK
    –enable-umaenable UMA authorization, please don’t use in production as it is new feature, we would like to receive feedback firstfalsePROXY_ENABLE_UMA
    –enable-opaenable authorization with external Open policy agentfalsePROXY_ENABLE_OPA
    –opa-timeouttimeout for connection to OPA10sPROXY_OPA_TIMEOUT
    –opa-authz-uriOPA endpoint address with pathPROXY_OPA_AUTHZ_URI
    –pat-retry-countnumber of retries to get PAT5PROXY_PAT_RETRY_COUNT
    –pat-retry-intervalinterval between retries to get PAT2sPROXY_PAT_RETRY_INTERVAL
    –access-token-duration valuefallback cookie duration for the access token when using refresh tokens720h0m0sPROXY_ACCESS_TOKEN_DURATION
    –cookie-domain valuedomain the access cookie is available to, defaults host headerPROXY_COOKIE_DOMAIN
    –cookie-access-name valuename of the cookie use to hold the access tokenkc-accessPROXY_COOKIE_ACCESS_NAME
    –cookie-refresh-name valuename of the cookie used to hold the encrypted refresh tokenkc-statePROXY_COOKIE_REFRESH_NAME
    –cookie-oauth-state-name valuename of the cookie used to hold the Oauth request stateOAuth_Token_Request_StateCOOKIE_OAUTH_STATE_NAME
    –cookie-request-uri-name valuename of the cookie used to hold the request urirequest_uriCOOKIE_REQUEST_URI_NAME
    –cookie-pkce-name valuename of the cookie used to hold PKCE code verifierpkceCOOKIE_PKCE_NAME
    –secure-cookieenforces the cookie to be securetruePROXY_SECURE_COOKIE
    –http-only-cookieenforces the cookie is in http only modetruePROXY_HTTP_ONLY_COOKIE
    –same-site-cookie valueenforces cookies to be send only to same site requests according to the policy (can be | Strict|Lax|None)LaxPROXY_SAME_SITE_COOKIE
    –enable-id-token-cookieenable id token cookiefalsePROXY_ENABLE_IDTOKEN_COOKIE
    –match-claims valuekeypair values for matching access token claims e.g. aud=myapp, iss=http://example.*
    –add-claims valueextra claims from the token and inject into headers, e.g given_name -> X-Auth-Given-Name
    –enable-uma-method-scopeenables passing request method as ‘method:GET’ scope to keycloak for authorizationfalsePROXY_ENABLE_UMA_METHOD_SCOPE
    –tls-min-versionspecify server minimal TLS version one of tlsv1.0,tlsv1.1,tlsv1.2,tlsv1.3TLS_MIN_VERSION
    –tls-cert valuepath to ths TLS certificatePROXY_TLS_CERTIFICATE
    –tls-private-key valuepath to the private key for TLSPROXY_TLS_PRIVATE_KEY
    –tls-ca-certificate valuepath to the ca certificate used for signing requestsPROXY_TLS_CA_CERTIFICATE
    –tls-ca-key valuepath the ca private key, used by the forward signing proxyPROXY_TLS_CA_PRIVATE_KEY
    –tls-client-certificate valuepath to the client certificate for outbound connections in reverse and forwarding proxy modesPROXY_TLS_CLIENT_CERTIFICATE
    –skip-upstream-tls-verifyskip the verification of any upstream TLStruePROXY_SKIP_UPSTREAM_TLS_VERIFY
    –tls-admin-cert valuepath to ths TLS certificatePROXY_TLS_ADMIN_CERTIFICATE
    –tls-admin-private-key valuepath to the private key for TLSPROXY_TLS_ADMIN_PRIVATE_KEY
    –tls-admin-ca-certificate valuepath to the ca certificate used for signing requestsPROXY_TLS_ADMIN_CA_CERTIFICATE
    –tls-admin-client-certificate valuepath to the client certificate for outbound connections in reverse and forwarding proxy modesPROXY_TLS_ADMIN_CLIENT_CERTIFICATE
    –cors-origins valueorigins to add to the CORE origins control (Access-Control-Allow-Origin)
    –cors-methods valuemethods permitted in the access control (Access-Control-Allow-Methods)
    –cors-headers valueset of headers to add to the CORS access control (Access-Control-Allow-Headers)
    –cors-exposed-headers valueexpose cors headers access control (Access-Control-Expose-Headers)
    –cors-credentialscredentials access control header (Access-Control-Allow-Credentials)falsePROXY_CORS_CREDENTIALS
    –cors-max-age valuemax age applied to cors headers (Access-Control-Max-Age)0sPROXY_CORS_MAX_AGE
    –hostnames valuelist of hostnames the service will respond to
    –store-url valueurl for the storage subsystem, e.g redis://user:secret@localhost:6379/0?protocol=3, only supported is redis usig redis uri specPROXY_STORE_URL
    –encryption-key valueencryption key used to encryption the session statePROXY_ENCRYPTION_KEY
    –enable-hmacenable creating hmac for forwarded requests and verification on incoming requestsfalsePROXY_ENABLE_HMAC
    –no-proxy valuedo not proxy requests to upstream, useful for forward-auth usage (with nginx, traefik)PROXY_NO_PROXY
    –no-redirectsdo not have back redirects when no authentication is present, 401 themfalsePROXY_NO_REDIRECTS
    –skip-token-verificationTESTING ONLY; bypass token verification, only expiration and roles enforcedfalsePROXY_SKIP_TOKEN_VERIFICATION
    –skip-access-token-issuer-checkaccording RFC issuer should not be checked on access token, this will be default true in futuretruePROXY_SKIP_ACCESS_TOKEN_ISSUER_CHECK
    –skip-access-token-clientid-checkaccording RFC client id should not be checked on access token, this will be default true in futuretruePROXY_SKIP_ACCESS_TOKEN_CLIENT_ID_CHECK
    –skip-authorization-header-identityskip authorization header identity, means that we won’t be extracting token from authorization header, only from cookie or fail if even no cookie present (e.g. if authorization header is used only by application behind gatekeeper)"`falsePROXY_SKIP_AUTHORIZATION_HEADER_IDENTITY
    –upstream-keepalivesenables or disables the keepalive connections for upstream endpointtruePROXY_UPSTREAM_KEEPALIVES
    –upstream-timeout valuemaximum amount of time a dial will wait for a connect to complete10sPROXY_UPSTREAM_TIMEOUT
    –upstream-keepalive-timeout valuespecifies the keep-alive period for an active network connection10sPROXY_UPSTREAM_KEEPALIVE_TIMEOUT
    –upstream-tls-handshake-timeout valuethe timeout placed on the tls handshake for upstream10sPROXY_UPSTREAM_TLS_HANDSHAKE_TIMEOUT
    –upstream-response-header-timeout valuethe timeout placed on the response header for upstream10sPROXY_UPSTREAM_RESPONSE_HEADER_TIMEOUT
    –upstream-expect-continue-timeout valuethe timeout placed on the expect continue for upstream10sPROXY_UPSTREAM_EXPECT_CONTINUE_TIMEOUT
    –verboseswitch on debug / verbose loggingfalsePROXY_VERBOSE
    –enabled-proxy-protocolenable proxy protocolfalsePROXY_ENABLE_PROXY_PROTOCOL
    –max-idle-connections valuemax idle upstream / keycloak connections to keep alive, ready for reuse0PROXY_MAX_IDLE_CONNS
    –max-idle-connections-per-host valuelimits the number of idle connections maintained per host0PROXY_MAX_IDLE_CONNS_PER_HOST
    –server-read-timeout valuethe server read timeout on the http server10sPROXY_SERVER_READ_TIMEOUT
    –server-write-timeout valuethe server write timeout on the http server10sPROXY_SERVER_WRITE_TIMEOUT
    –server-idle-timeout valuethe server idle timeout on the http server2m0sPROXY_SERVER_IDLE_TIMEOUT
    –use-letsencryptuse letsencrypt for certificatesfalsePROXY_USE_LETS_ENCRYPT
    –letsencrypt-cache-dir valuepath where cached letsencrypt certificates are stored./cache/PROXY_LETS_ENCRYPT_CACHE_DIR
    –sign-in-page valuepath to custom template displayed for signinPROXY_SIGN_IN_PAGE
    –forbidden-page valuepath to custom template used for access forbiddenPROXY_FORBIDDEN_PAGE
    –error-page valuepath to custom template displayed for http.StatusBadRequestPROXY_ERROR_PAGE
    –tags valuekeypairs passed to the templates at render,e.g title=Page
    –forwarding-grant-type valuegrant-type to use when logging into the openid provider, can be one of password, client_credentialspasswordPROXY_FORWARDING_GRANT_TYPE
    –forwarding-username valueusername to use when logging into the openid providerPROXY_FORWARDING_USERNAME
    –forwarding-password valuepassword to use when logging into the openid providerPROXY_FORWARDING_PASSWORD
    –forwarding-domains valuelist of domains which should be signed; everything else is relayed unsigned
    –disable-all-loggingdisables all logging to stdout and stderrfalsePROXY_DISABLE_ALL_LOGGING
    –help, -hshow help
    –version, -vprint the version
    \ No newline at end of file +> Configuration Reference

    Configuration Reference

    CONFIGDESCRIPTIONDEFAULTENV
    –config valuepath the a configuration filePROXY_CONFIG_FILE
    –listen valueDefines the binding interface for main listener, e.g. {address}:{port}. This is required and there is no default valuePROXY_LISTEN
    –listen-http valueinterface we should be listening to for HTTP trafficPROXY_LISTEN_HTTP
    –listen-admin valuedefines the interface to bind admin-only endpoint (live-status, debug, prometheus…). If not defined, this defaults to the main listener defined by ListenPROXY_LISTEN_ADMIN
    –listen-admin-scheme valuescheme to serve admin-only endpoint (http or https).PROXY_LISTEN_ADMIN_SCHEME
    –discovery-url valuediscovery url to retrieve the openid configurationPROXY_DISCOVERY_URL
    –client-id valueclient id used to authenticate to the oauth servicePROXY_CLIENT_ID
    –client-secret valueclient secret used to authenticate to the oauth servicePROXY_CLIENT_SECRET
    –redirection-url valueredirection url for the oauth callback url, defaults to host header if absentPROXY_REDIRECTION_URL
    –post-logout-redirect-uri valueurl to which client is redirected after successful logoutPROXY_POST_LOGOUT_REDIRECT_URI
    –post-login-redirect-path valuepost-login-redirect-path" usage:“path to which client is redirected after successful login, in case user access /PROXY_POST_LOGIN_REDIRECT_PATH
    –revocation-url valueurl for the revocation endpoint to revoke refresh tokenPROXY_REVOCATION_URL
    –skip-openid-provider-tls-verifyskip the verification of any TLS communication with the openid providerfalsePROXY_SKIP_OPENID_PROVIDER_TLSVERIFY
    –openid-provider-proxy valueproxy for communication with the openid providerPROXY_OPENID_PROVIDER_PROXY
    –openid-provider-timeout valuetimeout for openid configuration on .well-known/openid-configuration30sPROXY_OPENID_PROVIDER_TIMEOUT
    –openid-provider-retry-count valuenumber of retries for retrieving openid configuration3PROXY_OPENID_PROVIDER_RETRY_COUNT
    –openid-provider-headers valuehttp headers sent to idp provider
    –base-uri valuecommon prefix for all URIsPROXY_BASE_URI
    –oauth-uri valuethe uri for proxy oauth endpoints/oauthPROXY_OAUTH_URI
    –scopes valuelist of scopes requested when authenticating the user
    –upstream-url valueurl for the upstream endpoint you wish to proxyPROXY_UPSTREAM_URL
    –upstream-ca valuethe path to a file container a CA certificate to validate the upstream tls endpointPROXY_UPSTREAM_CA
    –resources valuelist of resources ‘uri=/admin*|methods=GET,PUT|roles=role1,role2’
    –headers valuecustom headers to the upstream request, key=value
    –preserve-hostpreserve the host header of the proxied request in the upstream requestfalsePROXY_PRESERVE_HOST
    –request-id-header valuethe http header name for request idX-Request-IDPROXY_REQUEST_ID_HEADER
    –response-headers valuecustom headers to added to the http response key=valuePROXY_RESPONSE_HEADERS
    –custom-http-methodslist of additional non-standard http methods
    –enable-self-signed-tlscreate self signed certificates for the proxyfalsePROXY_ENABLE_SELF_SIGNED_TLS
    –self-signed-tls-hostnames valuea list of hostnames to place on the self-signed certificate
    –self-signed-tls-expiration valuethe expiration of the certificate before rotation3h0m0sPROXY_SELF_SIGNED_TLS_EXPIRATION
    –enable-request-idindicates we should add a request id if none foundfalsePROXY_ENABLE_REQUEST_ID
    –enable-logout-redirectindicates we should redirect to the identity provider for logging outfalsePROXY_ENABLE_LOGOUT_REDIRECT
    –enable-default-denyenables a default denial on all requests, requests with valid token are permitted, you have to explicitly say what is permittedtruePROXY_ENABLE_DEFAULT_DENY
    –enable-default-deny-strictenables a default denial on all requests, requests with valid token are denied, you have to explicitly say what is permitted (recommended)falsePROXY_ENABLE_DEFAULT_DENY_STRICT
    –enable-encrypted-tokenenable encryption for the access tokensfalsePROXY_ENABLE_ENCRYPTED_TOKEN
    –force-encrypted-cookieforce encryption for the access tokens in cookiesfalsePROXY_FORCE_ENCRYPTED_COOKIE
    –enable-loggingenable http logging of the requestsfalsePROXY_ENABLE_LOGGING
    –enable-json-loggingswitch on json logging rather than textfalsePROXY_ENABLE_JSON_LOGGING
    –enable-forwardingenables the forwarding proxy mode, signing outbound requestfalsePROXY_ENABLE_FORWARDING
    –enable-security-filterenables the security filter handlerfalsePROXY_ENABLE_SECURITY_FILTER
    –enable-refresh-tokensenables the handling of the refresh tokensfalsePROXY_ENABLE_REFRESH_TOKEN
    –enable-session-cookiesaccess and refresh tokens are session only i.e. removed browser closetruePROXY_ENABLE_SESSION_COOKIES
    –enable-login-handlerenables the handling of the refresh tokensfalsePROXY_ENABLE_LOGIN_HANDLER
    –enable-token-headerenables the token authentication header X-Auth-Token to upstreamtruePROXY_ENABLE_TOKEN_HEADER
    –enable-authorization-headeradds the authorization header to the proxy requesttruePROXY_ENABLE_AUTHORIZATION_HEADER
    –enable-authorization-cookiesadds the authorization cookies to the uptream proxy requesttruePROXY_ENABLE_AUTHORIZATION_COOKIES
    –enable-https-redirectionenable the http to https redirection on the http servicefalsePROXY_ENABLE_HTTPS_REDIRECT
    –enable-profilingswitching on the golang profiling via pprof on /debug/pprof, /debug/pprof/heap etcfalsePROXY_ENABLE_PROFILING
    –enable-metricsenable the prometheus metrics collector on /oauth/metricsfalsePROXY_ENABLE_METRICS
    –filter-browser-xssenable the adds the X-XSS-Protection header with mode=blockfalsePROXY_ENABLE_BROWSER_XSS_FILTER
    –filter-content-nosniffadds the X-Content-Type-Options header with the value nosnifffalsePROXY_ENABLE_CONTENT_NO_SNIFF
    –filter-frame-denyenable to the frame deny headerfalsePROXY_ENABLE_FRAME_DENY
    –content-security-policy valuespecify the content security policyPROXY_CONTENT_SECURITY_POLICY
    –localhost-metricsenforces the metrics page can only been requested from 127.0.0.1falsePROXY_LOCALHOST_METRICS
    –enable-compressionenable gzip compression for responsefalsePROXY_ENABLE_COMPRESSION
    –enable-pkceenable pkce for auth code flow, only S256 code challenge supportedfalsePROXY_ENABLE_PKCE
    –enable-idp-session-checkduring token validation it also checks if user session is still present, useful for multi app logouttruePROXY_ENABLE_IDP_SESSION_CHECK
    –enable-umaenable UMA authorization, please don’t use in production as it is new feature, we would like to receive feedback firstfalsePROXY_ENABLE_UMA
    –enable-opaenable authorization with external Open policy agentfalsePROXY_ENABLE_OPA
    –opa-timeouttimeout for connection to OPA10sPROXY_OPA_TIMEOUT
    –opa-authz-uriOPA endpoint address with pathPROXY_OPA_AUTHZ_URI
    –pat-retry-countnumber of retries to get PAT5PROXY_PAT_RETRY_COUNT
    –pat-retry-intervalinterval between retries to get PAT2sPROXY_PAT_RETRY_INTERVAL
    –access-token-duration valuefallback cookie duration for the access token when using refresh tokens720h0m0sPROXY_ACCESS_TOKEN_DURATION
    –cookie-domain valuedomain the access cookie is available to, defaults host headerPROXY_COOKIE_DOMAIN
    –cookie-access-name valuename of the cookie use to hold the access tokenkc-accessPROXY_COOKIE_ACCESS_NAME
    –cookie-refresh-name valuename of the cookie used to hold the encrypted refresh tokenkc-statePROXY_COOKIE_REFRESH_NAME
    –cookie-oauth-state-name valuename of the cookie used to hold the Oauth request stateOAuth_Token_Request_StateCOOKIE_OAUTH_STATE_NAME
    –cookie-request-uri-name valuename of the cookie used to hold the request urirequest_uriCOOKIE_REQUEST_URI_NAME
    –cookie-pkce-name valuename of the cookie used to hold PKCE code verifierpkceCOOKIE_PKCE_NAME
    –secure-cookieenforces the cookie to be securetruePROXY_SECURE_COOKIE
    –http-only-cookieenforces the cookie is in http only modetruePROXY_HTTP_ONLY_COOKIE
    –same-site-cookie valueenforces cookies to be send only to same site requests according to the policy (can be | Strict|Lax|None)LaxPROXY_SAME_SITE_COOKIE
    –enable-id-token-cookieenable id token cookiefalsePROXY_ENABLE_IDTOKEN_COOKIE
    –match-claims valuekeypair values for matching access token claims e.g. aud=myapp, iss=http://example.*
    –add-claims valueextra claims from the token and inject into headers, e.g given_name -> X-Auth-Given-Name
    –enable-uma-method-scopeenables passing request method as ‘method:GET’ scope to keycloak for authorizationfalsePROXY_ENABLE_UMA_METHOD_SCOPE
    –tls-min-versionspecify server minimal TLS version one of tlsv1.0,tlsv1.1,tlsv1.2,tlsv1.3TLS_MIN_VERSION
    –tls-cert valuepath to ths TLS certificatePROXY_TLS_CERTIFICATE
    –tls-private-key valuepath to the private key for TLSPROXY_TLS_PRIVATE_KEY
    –tls-ca-certificate valuepath to the ca certificate used for signing requestsPROXY_TLS_CA_CERTIFICATE
    –tls-ca-key valuepath the ca private key, used by the forward signing proxyPROXY_TLS_CA_PRIVATE_KEY
    –tls-client-certificate valuepath to the client certificate for outbound connections in reverse and forwarding proxy modesPROXY_TLS_CLIENT_CERTIFICATE
    –skip-upstream-tls-verifyskip the verification of any upstream TLStruePROXY_SKIP_UPSTREAM_TLS_VERIFY
    –tls-admin-cert valuepath to ths TLS certificatePROXY_TLS_ADMIN_CERTIFICATE
    –tls-admin-private-key valuepath to the private key for TLSPROXY_TLS_ADMIN_PRIVATE_KEY
    –tls-admin-ca-certificate valuepath to the ca certificate used for signing requestsPROXY_TLS_ADMIN_CA_CERTIFICATE
    –tls-admin-client-certificate valuepath to the client certificate for outbound connections in reverse and forwarding proxy modesPROXY_TLS_ADMIN_CLIENT_CERTIFICATE
    –cors-origins valueorigins to add to the CORE origins control (Access-Control-Allow-Origin)
    –cors-methods valuemethods permitted in the access control (Access-Control-Allow-Methods)
    –cors-headers valueset of headers to add to the CORS access control (Access-Control-Allow-Headers)
    –cors-exposed-headers valueexpose cors headers access control (Access-Control-Expose-Headers)
    –cors-credentialscredentials access control header (Access-Control-Allow-Credentials)falsePROXY_CORS_CREDENTIALS
    –cors-max-age valuemax age applied to cors headers (Access-Control-Max-Age)0sPROXY_CORS_MAX_AGE
    –hostnames valuelist of hostnames the service will respond to
    –store-url valueurl for the storage subsystem, e.g redis://user:secret@localhost:6379/0?protocol=3, only supported is redis usig redis uri specPROXY_STORE_URL
    –encryption-key valueencryption key used to encryption the session statePROXY_ENCRYPTION_KEY
    –enable-hmacenable creating hmac for forwarded requests and verification on incoming requestsfalsePROXY_ENABLE_HMAC
    –no-proxy valuedo not proxy requests to upstream, useful for forward-auth usage (with nginx, traefik)PROXY_NO_PROXY
    –no-redirectsdo not have back redirects when no authentication is present, 401 themfalsePROXY_NO_REDIRECTS
    –skip-token-verificationTESTING ONLY; bypass token verification, only expiration and roles enforcedfalsePROXY_SKIP_TOKEN_VERIFICATION
    –skip-access-token-issuer-checkaccording RFC issuer should not be checked on access token, this will be default true in futuretruePROXY_SKIP_ACCESS_TOKEN_ISSUER_CHECK
    –skip-access-token-clientid-checkaccording RFC client id should not be checked on access token, this will be default true in futuretruePROXY_SKIP_ACCESS_TOKEN_CLIENT_ID_CHECK
    –skip-authorization-header-identityskip authorization header identity, means that we won’t be extracting token from authorization header, only from cookie or fail if even no cookie present (e.g. if authorization header is used only by application behind gatekeeper)"`falsePROXY_SKIP_AUTHORIZATION_HEADER_IDENTITY
    –upstream-keepalivesenables or disables the keepalive connections for upstream endpointtruePROXY_UPSTREAM_KEEPALIVES
    –upstream-timeout valuemaximum amount of time a dial will wait for a connect to complete10sPROXY_UPSTREAM_TIMEOUT
    –upstream-keepalive-timeout valuespecifies the keep-alive period for an active network connection10sPROXY_UPSTREAM_KEEPALIVE_TIMEOUT
    –upstream-tls-handshake-timeout valuethe timeout placed on the tls handshake for upstream10sPROXY_UPSTREAM_TLS_HANDSHAKE_TIMEOUT
    –upstream-response-header-timeout valuethe timeout placed on the response header for upstream10sPROXY_UPSTREAM_RESPONSE_HEADER_TIMEOUT
    –upstream-expect-continue-timeout valuethe timeout placed on the expect continue for upstream10sPROXY_UPSTREAM_EXPECT_CONTINUE_TIMEOUT
    –verboseswitch on debug / verbose loggingfalsePROXY_VERBOSE
    –enabled-proxy-protocolenable proxy protocolfalsePROXY_ENABLE_PROXY_PROTOCOL
    –max-idle-connections valuemax idle upstream / keycloak connections to keep alive, ready for reuse0PROXY_MAX_IDLE_CONNS
    –max-idle-connections-per-host valuelimits the number of idle connections maintained per host0PROXY_MAX_IDLE_CONNS_PER_HOST
    –server-read-timeout valuethe server read timeout on the http server10sPROXY_SERVER_READ_TIMEOUT
    –server-write-timeout valuethe server write timeout on the http server10sPROXY_SERVER_WRITE_TIMEOUT
    –server-idle-timeout valuethe server idle timeout on the http server2m0sPROXY_SERVER_IDLE_TIMEOUT
    –use-letsencryptuse letsencrypt for certificatesfalsePROXY_USE_LETS_ENCRYPT
    –letsencrypt-cache-dir valuepath where cached letsencrypt certificates are stored./cache/PROXY_LETS_ENCRYPT_CACHE_DIR
    –sign-in-page valuepath to custom template displayed for signinPROXY_SIGN_IN_PAGE
    –forbidden-page valuepath to custom template used for access forbiddenPROXY_FORBIDDEN_PAGE
    –error-page valuepath to custom template displayed for http.StatusBadRequestPROXY_ERROR_PAGE
    –tags valuekeypairs passed to the templates at render,e.g title=Page
    –forwarding-grant-type valuegrant-type to use when logging into the openid provider, can be one of password, client_credentialspasswordPROXY_FORWARDING_GRANT_TYPE
    –forwarding-username valueusername to use when logging into the openid providerPROXY_FORWARDING_USERNAME
    –forwarding-password valuepassword to use when logging into the openid providerPROXY_FORWARDING_PASSWORD
    –forwarding-domains valuelist of domains which should be signed; everything else is relayed unsigned
    –disable-all-loggingdisables all logging to stdout and stderrfalsePROXY_DISABLE_ALL_LOGGING
    –help, -hshow help
    –version, -vprint the version
    \ No newline at end of file diff --git a/index.html b/index.html index adbaa0c2..4ee97cc4 100644 --- a/index.html +++ b/index.html @@ -1,6 +1,6 @@ - Gatekeeper -
    navigation

    gatekeeper

    gatekeeper is the simple authentication and authorization proxy that gets your app off the ground!

    gatekeeper was previously known as louketo and keycloak-gatekeeper.

    Goals

    • To have just enough auth features (both authentication and authorization) to get your app off the ground
    • To be well documented and easy to get started with
    • To remain true to the roots of this project
      • gatekeeper will be interoperable with keycloak out of the box,

    Announcements!

    gatekeeper is reborn with from the ashes of louketo under the new organization -gogatekeeper.

    Watch this space!

    \ No newline at end of file +gogatekeeper.

    Watch this space!

    \ No newline at end of file diff --git a/index.json b/index.json index bfedd199..95b4d56f 100644 --- a/index.json +++ b/index.json 
@@ -1 +1 @@ -[{"uri":"https://gogatekeeper.github.io/gatekeeper/userguide/","title":"User Guide","tags":[],"description":"","content":"Gatekeeper Gatekeeper is a proxy which integrates with OpenID Connect (OIDC) Providers, it supports both access tokens in a browser cookie or bearer tokens.\nThis documentation details how to build and configure Gatekeeper followed by details of how to use each of its features.\nFor further information, see the included help file which includes a full list of commands and switches. View the file by entering the following at the command line (modify the location to match where you install Gatekeeper Proxy):\n$ bin/gatekeeper help You can view all settings also in this table Settings\nRequirements Go 1.19 or higher Configuration options Configuration can come from a YAML/JSON file or by using command line options. Here is a list of options.\n# is the URL for retrieve the OpenID configuration discovery-url: \u0026lt;DISCOVERY URL\u0026gt; # Indicates we should deny by default all requests and explicitly specify what is permitted, default true # this is equivalent of --resource=/*|methods enable-default-deny: true # the client id for the \u0026#39;client\u0026#39; application client-id: \u0026lt;CLIENT_ID\u0026gt; # the secret associated to the \u0026#39;client\u0026#39; application client-secret: \u0026lt;CLIENT_SECRET\u0026gt; # the interface definition you wish the proxy to listen, all interfaces is specified as \u0026#39;:\u0026lt;port\u0026gt;\u0026#39;, unix sockets as unix://\u0026lt;REL_PATH\u0026gt;|\u0026lt;/ABS PATH\u0026gt; listen: :3000 # port on which metrics and health endpoints will be available, if not specified it will be on above specified port listen-admin: :4000 # whether to enable refresh tokens enable-refresh-tokens: true # you can set up custom templates for forbidden/error/sign-in pages, gatekeeper # also provides these already builtin (but they are not set by default) forbidden-page: 
templates/forbidden.html.tmpl error-page: templates/error.html.tmpl sign-in-page: sign_in.html.tmpl # the location of a certificate you wish the proxy to use for TLS support tls-cert: # the location of a private key for TLS tls-private-key: # TLS options related to admin listener tls-admin-cert: tls-admin-private-key: tls-admin-ca-certificate: tls-admin-client-certificate: # the redirection URL, essentially the site URL, note: /oauth/callback is added at the end redirection-url: http://127.0.0.1:3000 # the encryption key used to encode the session state encryption-key: \u0026lt;ENCRYPTION_KEY\u0026gt; # the upstream endpoint which we should proxy request upstream-url: http://127.0.0.1:80 # Returns HTTP 401 when no authentication is present, used with forward proxies or API protection with client credentials grant. no-redirects: false # additional scopes to add to the default (openid+email+profile) scopes: - vpn-user # a collection of resource i.e. URLs that you wish to protect, this are simple gatekeeper authorization rules, # to get more complex authorization you can look at external authorization section in our documentation resources: - uri: /admin/test # the methods on this URL that should be protected, uri is required when defining resource methods: - GET # a list of roles the user must have in order to access URLs under the above # If all you want is authentication ONLY, simply remove the roles array - the user must be authenticated but # no roles are required roles: - openvpn:vpn-user - openvpn:prod-vpn - test - uri: /admin/* methods: - GET roles: - openvpn:vpn-user - openvpn:commons-prod-vpn Options issued at the command line have a higher priority and will override or merge with options referenced in a config file. 
Examples of each style are shown in the following sections.\nExample of usage and configuration with Keycloak Assuming you have some web service you wish protected by Keycloak:\nCreate the client using the Keycloak GUI or CLI; the client protocol is \u0026lsquo;openid-connect\u0026rsquo;, access-type: confidential.\nAdd a Valid Redirect URI of http://127.0.0.1:3000/oauth/callback.\nGrab the client id and client secret.\nCreate the roles under the client or existing clients for authorization purposes.\nHere is an example configuration file.\nclient-id: \u0026lt;CLIENT_ID\u0026gt; client-secret: \u0026lt;CLIENT_SECRET\u0026gt; # require for access_type: confidential # Note the redirection-url is optional, it will default to the the URL scheme and host, # only in case of forward auth it will use X-Forwarded-Proto / X-Forwarded-Host, please see forward-auth section discovery-url: https://keycloak.example.com/realms/\u0026lt;REALM_NAME\u0026gt; # Indicates we should deny by default all requests and explicitly specify what is permitted, default true, # you cannot specify enable-default-deny:true together with defining resource=uri=/* enable-default-deny: true encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j listen: :3000 redirection-url: http://127.0.0.1:3000 upstream-url: http://127.0.0.1:80 # a collection of resource i.e. 
URLs that you wish to protect, this are simple gatekeeper authorization rules, # to get more complex authorization you can look at external authorization section in our documentation resources: - uri: /admin* methods: - GET roles: # this will match realm role from token - examplerealmrole # you can see here, that roles below will match client roles from token # it will look for client1\u0026#39;s client role test1 and client2\u0026#39;s client role test2 - client1:test1 - client2:test2 require-any-role: true groups: - admins - users - uri: /backend* roles: - client:test1 - uri: /public/* # Allow access to the resource above white-listed: true - uri: /favicon # Allow access to the resource above white-listed: true - uri: /css/* # Allow access to the resource above white-listed: true - uri: /img/* # Allow access to the resource above white-listed: true # Adds custom headers headers: myheader1: value_1 myheader2: value_2 Anything defined in a configuration file can also be configured using command line options, such as in this example.\nbin/gatekeeper \\ --discovery-url=https://keycloak.example.com/realms/\u0026lt;REALM_NAME\u0026gt; \\ --client-id=\u0026lt;CLIENT_ID\u0026gt; \\ --client-secret=\u0026lt;SECRET\u0026gt; \\ --listen=127.0.0.1:3000 \\ # unix sockets format unix://path --redirection-url=http://127.0.0.1:3000 \\ --enable-refresh-tokens=true \\ --encryption-key=AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j \\ --upstream-url=http://127.0.0.1:80 \\ --enable-default-deny=true \\ --resources=\u0026#34;uri=/admin*|roles=test1,test2\u0026#34; \\ --resources=\u0026#34;uri=/backend*|roles=test1\u0026#34; \\ --resources=\u0026#34;uri=/css/*|white-listed=true\u0026#34; \\ --resources=\u0026#34;uri=/img/*|white-listed=true\u0026#34; \\ --resources=\u0026#34;uri=/public/*|white-listed=true\u0026#34; \\ --headers=\u0026#34;myheader1=value1\u0026#34; \\ --headers=\u0026#34;myheader2=value2\u0026#34; Roles By default, the roles defined on a resource perform a logical AND so all roles 
specified must be present in the claims, this behavior can be altered by the require-any-role option, however, so as long as one role is present the permission is granted.\nYou can match on realm roles or client roles:\nresources: - uri: /admin* methods: - GET roles: # this will match realm role from token - examplerealmrole # you can see here, that roles below will match client roles from token # it will look for client1\u0026#39;s client role test1 and client2\u0026#39;s client role test2 - client1:test1 - client2:test2 If you have roles listed in some custom claim, please see custom claim matching\nAuthentication flows You can use gatekeeper to protect APIs, frontend server applications, frontend client applications. Frontend server-side applications can be protected by Authorization Code Flow (also with PKCE), during which several redirection steps take place. For protecting APIs you can use Client Credentials Grant to avoid redirections steps involved in authorization code flow you have to use --no-redirects=true. For frontend applications you can use Authorization Code Flow (also with PKCE) with encrypted refresh token cookies enabled, in this case however you have to handle redirections at login/logout and you must make cookies available to js (less secure, altough at least they are encrypted).\nDefault Deny --enable-default-deny - option blocks all requests without valid token on all basic HTTP methods, (DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE). WARNING: There are no additional requirements on the token, it isn\u0026rsquo;t checked for some claims or roles, groups etc\u0026hellip;(this is by default true)\n--enable-default-deny-strict (recommended) - option blocks all requests (including valid token) unless specific path with requirements specified in resources (this option is by default false)\nOpenID Provider Communication By default the communication with the OpenID provider is direct. 
If you wish, you can specify a forwarding proxy server in your configuration file:\nopenid-provider-proxy: http://proxy.example.com:8080 HTTP routing By default, all requests will be proxied on to the upstream, if you wish to ensure all requests are authenticated you can use this:\n--resources=uri=/* # note, unless specified the method is assumed to be \u0026#39;any|ANY\u0026#39; The HTTP routing rules follow the guidelines from chi. The ordering of the resources does not matter, the router will handle that for you.\nCookies size All browsers have limitations on cookies number and cookie size. This usually does not adhere to any standard. E.g. Chrome has limitation of 4096 bytes on all cookies per domain. This might cause you troubles e.g. Chrome responding with 431 Request Header Fields are Too Large. To overcome this limitations gatekeeper offers several options:\n--enable-id-token-cookie - is set by default false, in case you don\u0026rsquo;t need id token, leave it/turn it off --store-url - this will enable storing of refresh token in redis store, instead of cookies, which saves you some bytes, also has some additional effect of raising security on client side as refresh token won\u0026rsquo;t be exposed on client side\nSession-only cookies By default, the access and refresh cookies are session-only and disposed of on browser close; you can disable this feature using the --enable-session-cookies option.\nCookie Names There are two parameters which you can use to set up cookie names for access token and refresh token.\n--cookie-access-name=myAccessTokenCookie --cookie-refresh-name=myRefreshTokenCookie TCP proxy with HTTP CONNECT You can protect your TCP services with gogatekeeper by adding CONNECT HTTP method to list of custom-http-methods. On client side you will need to pass of course token in Authorization header (righ now there are few clients which could make HTTP connect with Bearer token and then forward tcp, e.g. 
gost proxy - but only in static way, some IDE provide HTTP CONNECT functionality for db connectors but only with Basic authentication, we would like to add this functionality to gatekeeper in future). This setup will authenticate connection at start and will create tunnel to your backend service. Please use with care and ensure that it allows connection only to intended services, otherwise it can be missused for various attacks.\nThis example allows users with valid token to connect to backend postgres service:\n\u0026#34;--discovery-url=http://127.0.0.1:8081/realms/test/.well-known/openid-configuration\u0026#34;, \u0026#34;--client-id=test-client\u0026#34;, \u0026#34;--client-secret=6447d0c0-d510-42a7-b654-6e3a16b2d7e2\u0026#34;, \u0026#34;--upstream-url=http://127.0.0.1:5432\u0026#34;, \u0026#34;--listen=0.0.0.0:5000\u0026#34;, \u0026#34;--no-redirects=true\u0026#34;, \u0026#34;--enable-authorization-header=true\u0026#34;, \u0026#34;--custom-http-methods=CONNECT\u0026#34;, \u0026#34;--enable-default-deny=true\u0026#34;, \u0026#34;--enable-logging=true\u0026#34;, \u0026#34;--enable-compression=true\u0026#34;, \u0026#34;--enable-json-logging=true\u0026#34;, \u0026#34;--verbose=true\u0026#34;, \u0026#34;--skip-token-verification=false\u0026#34;, \u0026#34;--upstream-keepalive-timeout=30s\u0026#34;, \u0026#34;--scopes=openid\u0026#34;, \u0026#34;--skip-access-token-clientid-check=true\u0026#34; Configuration for gost proxy, to forward your tcp client connection with HTTP CONNECT, please be aware that you need to input there your token (there is only example token in this config):\ncat \u0026gt; config.yaml \u0026lt;\u0026lt;EOF services: - name: service-0 addr: \u0026#34;:8000\u0026#34; handler: type: tcp chain: chain-0 listener: type: tcp chains: - name: chain-0 hops: - name: hop-0 nodes: - name: localhost addr: :5000 connector: type: http metadata: header: Authorization: \u0026#34;Bearer 
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJndWZUNUxaOWROWE5QSHV1d2U3T3AwWnI3b0VqdjhqVzdzbF8xUU1jaUkwIn0.eyJleHAiOjE2ODY1NzI1MDEsImlhdCI6MTY4NjU3MjIwMSwianRpIjoiY2UyZmRkMjAtNTc1YS00ZjIyLThkYTktOWQxYjM0ZTE3YjE3IiwiaXNzIjoiaHR0cDov LzEyNy4wLjAuMTo4MDgxL3JlYWxtcy90ZXN0IiwiYXVkIjoiYWNjb3VudCIsInN1YiI6ImE2NzgyMzg4LTNjOTMtNDA4Ny1iNDk5LTI5MmViYTU2ZDYwNiIsInR5cCI6IkJlYXJlciIsImF6cCI6InRlc3QtY2xpZW50Iiwic2Vzc2lvbl9zdGF0ZSI6ImRhODlmMDU4LTAyOGItNGJlNS05ZmQ4LTg5MjBmOTRkZTEwNiIsImFsbG93ZWQtb3JpZ2lucyI6WyIqIl0 sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIiwidXNlciJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIiwic2lkIjoiZGE4OWYwNTgtMDI4Yi00YmU1LT lmZDgtODkyMGY5NGRlMTA2IiwiZW1haWxfdmVyaWZpZWQiOnRydWUsIm5hbWUiOiJUZXN0IFRlc3QiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJteXVzZXIiLCJnaXZlbl9uYW1lIjoiVGVzdCIsImZhbWlseV9uYW1lIjoiVGVzdCIsImVtYWlsIjoic29tZWJvZHlAc29tZXdoZXJlLmNvbSJ9.D-qDEDBumfIsVRJY6ONaXAY6fZWKZhrTG9-qtaSxYZIq7TLfApKh ZCdLTkNzZPDSuL7FugJ7AGnwnmbRos9hOV25UgqAZ9biO2eo04olwXXsn7q0cboVqQXMlFc4kNCWQJov9JqhG_f21T25gdQH7eMlSu1QvnKvvTRQNEHpG9fvL86D16GETPnVExRoH81fe0zHMQPk7u_eZcOlNxg5HDFacNSUpnpgoH37Fhzt0FHj5mN_nfknty5KLCO6Zs_kmdvlgVkPzceZqp2Chmq4rmlp9OPMslTEwBlRn1qTRZPpJXCxoLuMMNMeVvrXXKvFXuI uQ7vZFOE8xNVogm7cxQ\u0026#34; dialer: type: tcp EOF start gost proxy:\ngost -C config.yaml Connect with psql client:\npsql -U postgres -h localhost -p 8000 Websocket proxy You can protect also websocket servers with gatekeeper proxy. You must use standard upgrade headers to proxy to your websocket backend. There are additional considerations you need to take into account when protecting websocket backend. Browsers doesn\u0026rsquo;t have built-in protection against CORS for websocket protocol like they have for HTTP. 
That means you need to consider enabling additional methods for verifying that browsers connect only to your backend and receives response only from your backend. For this we recommend to turn-on --enable-encrypted-token and --encryption-key options and also verify Origin header with headers matching, please refer to Headers matching.\nHMAC Signature, signing and verification For raising your security you can verify/sign HMAC for your requests. Signing can be done when using --enable-hmac with forward signing feature below. Verification is done when using gatekeeper as authentication/authorization proxy. Gatekeeper in forward-signing mode creates signature, this is also signature which gatekeeper expects when used as auth/authz proxy, you can create this signature on your own, assuming you have proper secret. Signature is passed in X-HMAC-SHA256 header. Signature is created by signing several fields:\nstringToSign := fmt.Sprintf( \u0026#34;%s\\n%s%s\\n%s;%s;%s\u0026#34;, req.Method, req.URL.Path, req.URL.RawQuery, req.Header.Get(constant.AuthorizationHeader), req.Host, sha256.Sum256(body), ) Forward-signing proxy Forward-signing provides a mechanism for authentication and authorization between services using tokens issued from the IdP. When operating in this mode the proxy will automatically acquire an access token (handling the refreshing or logins on your behalf) and tag outbound requests with an Authorization header. You can control which domains are tagged with the --forwarding-domains option. Note, this option uses a contains comparison on domains. 
So, if you wanted to match all domains under *.svc.cluster.local you can use: --forwarding-domain=svc.cluster.local.\nYou can choose between two types of OAuth authentications: password grant type (default) or client_credentials grant type.\nExample setup password grant:\nYou have a collection of micro-services which are permitted to speak to one another; you have already set up the credentials, roles, and clients in Keycloak, providing granular role controls over issue tokens.\n- name: gatekeeper image: quay.io/gogatekeeper/gatekeeper:2.9.1 args: - --enable-forwarding=true - --forwarding-username=projecta - --forwarding-password=some_password - --forwarding-domains=projecta.svc.cluster.local - --forwarding-domains=projectb.svc.cluster.local - --client-id=xxxxxx - --client-secret=xxxx - --discovery-url=http://keycloak:8080/realms/master - --tls-ca-certificate=/etc/secrets/ca.pem - --tls-ca-key=/etc/secrets/ca-key.pem # Note: if you don\u0026#39;t specify any forwarding domains, all domains will be signed; Also the code checks is the # domain \u0026#39;contains\u0026#39; the value (it\u0026#39;s not a regex) so if you wanted to sign all requests to svc.cluster.local, just use # svc.cluster.local volumeMounts: - name: keycloak-socket mountPoint: /var/run/keycloak - name: projecta image: some_images Example setup client credentials grant:\n- name: gatekeeper image: quay.io/gogatekeeper/gatekeeper:2.9.1 args: - --enable-forwarding=true - --forwarding-domains=projecta.svc.cluster.local - --forwarding-domains=projectb.svc.cluster.local - --client-id=xxxxxx - --client-secret=xxxx - --discovery-url=http://keycloak:8080/realms/master - --tls-ca-certificate=/etc/secrets/ca.pem - --tls-ca-key=/etc/secrets/ca-key.pem - --forwarding-grant-type=client_credentials # Note: if you don\u0026#39;t specify any forwarding domains, all domains will be signed; Also the code checks is the # domain \u0026#39;contains\u0026#39; the value (it\u0026#39;s not a regex) so if you wanted to sign 
all requests to svc.cluster.local, just use # svc.cluster.local volumeMounts: - name: keycloak-socket mountPoint: /var/run/keycloak - name: projecta image: some_images Test the forward proxy:\ncurl -k --proxy http://127.0.0.1:3000 https://test.projesta.svc.cluster.local On the receiver side, you could set up the Gatekeeper Proxy --no-redirects=true and permit this to verify and handle admission for you. Alternatively, the access token can found as a bearer token in the request.\nForwarding signed HTTPS connections Handling HTTPS requires a man-in-the-middle sort of TLS connection. By default, if no --tls-ca-certificate and --tls-ca-key are provided the proxy will use the default certificate. If you wish to verify the trust, you’ll need to generate a CA, for example.\n$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ca.key -out ca.pem $ bin/gatekeeper \\ --enable-forwarding \\ --forwarding-username=USERNAME \\ --forwarding-password=PASSWORD \\ --client-id=CLIENT_ID \\ --client-secret=SECRET \\ --discovery-url=https://keycloak.example.com/realms/test \\ --tls-ca-certificate=ca.pem \\ --tls-ca-key=ca-key.pem Forwarding with UMA token When --enable-uma is set in forwarding mode, proxy signs request with RPT token\nHTTPS redirect The proxy supports an HTTP listener, so the only real requirement here is to perform an HTTP → HTTPS redirect. You can enable the option like this:\n--listen-http=127.0.0.1:80 --enable-security-filter=true # is required for the https redirect --enable-https-redirection Let’s Encrypt configuration Here is an example of the required configuration for Let’s Encrypt support:\nlisten: 0.0.0.0:443 enable-https-redirection: true enable-security-filter: true use-letsencrypt: true letsencrypt-cache-dir: ./cache/ redirection-url: https://domain.tld:443/ hostnames: - domain.tld Listening on port 443 is mandatory.\nAccess token encryption By default, the session token is placed into a cookie in plaintext. 
If you prefer to encrypt the session cookie, use the --enable-encrypted-token and --encryption-key options. Note that the access token forwarded in the X-Auth-Token header to upstream is unaffected.\nBearer token passthrough If your Bearer token is intended for your upstream application and not for gatekeeper you can use option --skip-authorization-header-identity. Please be aware that token is still required to be in cookies.\nUpstream headers On protected resources, the upstream endpoint will receive a number of headers added by the proxy, along with custom claims, like this:\nX-Auth-Email X-Auth-ExpiresIn X-Auth-Groups X-Auth-Roles X-Auth-Subject X-Auth-Token X-Auth-Userid X-Auth-Username To control the Authorization header use the enable-authorization-header YAML configuration or the --enable-authorization-header command line option. By default, this option is set to true.\nCustom claim headers You can inject additional claims from the access token into the upstream headers with the --add-claims option. 
For example, a token from a Keycloak provider might include the following claims:\n\u0026#34;resource_access\u0026#34;: {}, \u0026#34;name\u0026#34;: \u0026#34;Beloved User\u0026#34;, \u0026#34;preferred_username\u0026#34;: \u0026#34;beloved.user\u0026#34;, \u0026#34;given_name\u0026#34;: \u0026#34;Beloved\u0026#34;, \u0026#34;family_name\u0026#34;: \u0026#34;User\u0026#34;, \u0026#34;email\u0026#34;: \u0026#34;beloved@example.com\u0026#34; In order to request you receive the given_name, family_name, and name in the authentication header, we would add --add-claims=given_name and --add-claims=family_name and so on, or we can do it in the configuration file, like this:\nadd-claims: - given_name - family_name - name This would add the additional headers to the authenticated request along with standard ones.\nX-Auth-Family-Name: User X-Auth-Given-Name: Beloved X-Auth-Name: Beloved User Custom headers You can inject custom headers using the --headers=\u0026quot;name=value\u0026quot; option or the configuration file:\nheaders: name: value OpenID provider headers In some cases you might need to send headers to your OpenId provider discovery endpoint (e.g. you have your endpoint protected by basic auth). For this use cases there is --openid-provider-headers option:\nopenid-provider-headers: - X-SEND: \u0026#34;MYVALUE\u0026#34; - X-OTHER-SEND: \u0026#34;NEXT VALUE\u0026#34; --openid-provider-headers=\u0026#34;myheader1=value1\u0026#34; \\ --openid-provider-headers=\u0026#34;myheader2=value2\u0026#34; Encryption key In order to remain stateless and not have to rely on a central cache to persist the refresh_tokens, the refresh token is encrypted and added as a cookie using crypto/aes. The key must be the same if you are running behind a load balancer. 
The key length should be either 16 or 32 bytes, depending or whether you want AES-128 or AES-256.\nClaim matching The proxy supports adding a variable list of claim matches against the presented tokens for additional access control. You can match the \u0026lsquo;iss\u0026rsquo; or \u0026lsquo;aud\u0026rsquo; to the token or custom attributes; each of the matches are regexes. For example, --match-claims 'aud=sso.*' or --claim iss=https://.*' or via the configuration file, like this:\nmatch-claims: aud: openvpn iss: https://keycloak.example.com/realms/commons or via the CLI, like this:\n--match-claims=auth=openvpn --match-claims=iss=http://keycloak.example.com/realms/commons You can limit the email domain permitted; for example, if you want to limit to only users on the example.com domain:\nmatch-claims: email: ^.*@example.com$ The adapter supports matching on multi-value strings claims. The match will succeed if one of the values matches, for example:\nmatch-claims: perms: perm1 will successfully match\n{ \u0026#34;iss\u0026#34;: \u0026#34;https://sso.example.com\u0026#34;, \u0026#34;sub\u0026#34;: \u0026#34;\u0026#34;, \u0026#34;perms\u0026#34;: [\u0026#34;perm1\u0026#34;, \u0026#34;perm2\u0026#34;] } Group claims You can match on the group claims within a token via the groups parameter available within the resource. While roles are implicitly required, such as roles=admin,user where the user MUST have roles \u0026lsquo;admin\u0026rsquo; AND \u0026lsquo;user\u0026rsquo;, groups are applied with an OR operation, so groups=users,testers requires that the user MUST be within either \u0026lsquo;users\u0026rsquo; OR \u0026rsquo;testers\u0026rsquo;. 
The claim name is hard-coded to groups, so a JWT token would look like this:\n{ \u0026#34;iss\u0026#34;: \u0026#34;https://sso.example.com\u0026#34;, \u0026#34;sub\u0026#34;: \u0026#34;\u0026#34;, \u0026#34;aud\u0026#34;: \u0026#34;test\u0026#34;, \u0026#34;exp\u0026#34;: 1515269245, \u0026#34;iat\u0026#34;: 1515182845, \u0026#34;email\u0026#34;: \u0026#34;beloved@example.com\u0026#34;, \u0026#34;groups\u0026#34;: [ \u0026#34;group_one\u0026#34;, \u0026#34;group_two\u0026#34; ], \u0026#34;name\u0026#34;: \u0026#34;Beloved\u0026#34; } Headers matching You can match on the request headers via the headers parameter available within the resource. Headers are implicitly required, such as headers=x-some-header:somevalue,x-other-header:othervalue where the request MUST have headers \u0026lsquo;x-some-header\u0026rsquo; with value \u0026lsquo;somevalue\u0026rsquo; AND \u0026lsquo;x-other-header\u0026rsquo;, with value \u0026lsquo;othervalue\u0026rsquo;.\nForward-auth Traefik, nginx ingress and other gateways usually have feature called forward-auth. This enables them to forward request to external auth/authz service which returns 2xx in case auth/authz was successful and otherwise some higher code (usually 401/403) or redirects them for authentication to keycloak server. You can use gatekeeper as this external auth/authz service by using headers matching feature as describe above and enabling --no-proxy option (this option will not forward request to upstream).\nExample:\ntraefik forward-auth configuration when you don\u0026rsquo;t want to redirect user to authentication server by gatekeeper (useful for e.g. 
API authentication or when you are using redirect to keycloak server on front proxy)\napiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: labels: app.kubernetes.io/name: dashboard-apis-oauth app.kubernetes.io/part-of: dashboard name: dashboard-apis-oauth namespace: censored spec: forwardAuth: address: http://gatekeeper-dns-name:4180 gatekeeper configuration\n- args: - --client-id=dashboard - --no-redirects=true # this option will ensure there will be no redirects - --no-proxy=true # this option will ensure that request will be not forwarded to upstream - --listen=0.0.0.0:4180 - --discovery-url=https://keycloak-dns-name/realms/censored - --enable-default-deny=true # this option will ensure protection of all paths /*, according our traefik config, traefik will send it to / - --resources=headers=x-some-header:somevalue,x-other-header:othervalue traefik forward-auth configuration when you WANT to redirect user to authentication server by gatekeeper (useful for e.g. frontend application authentication). Please be aware that in this mode you need to forward headers X-Forwarded-Host, X-Forwarded-Uri, X-Forwarded-Proto, from front proxy to gatekeeper. 
You can find more complete example here.\nNOTE: Please very important is to forward prefix (means all paths with prefix) /oauth directly to gatekeeper service as you can see in manifest, otherwise you will see redirect loop.\nIMPORTANT: Please ensure that you are receiving headers only from trusted proxy and gatekeeper is not exposed directly to internet, otherwise attacker might misuse this!\napiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: labels: app.kubernetes.io/name: dashboard-apis-oauth app.kubernetes.io/part-of: dashboard name: dashboard-apis-oauth namespace: censored spec: forwardAuth: address: http://gatekeeper-dns-name:4180 gatekeeper configuration:\n- args: - --client-id=dashboard - --no-redirects=false # this option will ensure there WILL BE redirects to keycloak server - --no-proxy=true # this option will ensure that request will be not forwarded to upstream - --listen=0.0.0.0:4180 - --discovery-url=https://keycloak-dns-name/realms/censored - --enable-default-deny=true # this option will ensure protection of all paths /*, according our traefik config, traefik will send it to / - --resources=headers=x-some-header:somevalue,x-other-header:othervalue nginx forward-auth configuration, nginx is more strict than traefik and rejects redirects, so in this case redirection to authorization server can be done only on nginx, example:\nnginx.ingress.kubernetes.io/configuration-snippet: | auth_request /auth; nginx.ingress.kubernetes.io/server-snippet: | location ^~ /auth { internal; proxy_pass \u0026lt;gatekeeper-url\u0026gt;/$request_uri; proxy_pass_request_body off; proxy_set_header Content-Length \u0026#34;\u0026#34;; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Method $request_method; proxy_set_header X-Forwarded-URI $request_uri; proxy_busy_buffers_size 64k; proxy_buffers 8 32k; proxy_buffer_size 32k; } gatekeeper configuration, must be --no-proxy=true with 
--no-redirects=true\nCustom pages By default, Gatekeeper Proxy will immediately redirect you for authentication and hand back a 403 for access denied. Most users will probably want to present the user with a more friendly sign-in and access denied page. You can pass the command line options (or via config file) paths to the files with --sign-in-page=PATH. The sign-in page will have a \u0026lsquo;redirect\u0026rsquo; variable passed into the scope and holding the OAuth redirection URL. If you wish to pass additional variables into the templates, such as title, sitename and so on, you can use the --tags key=pair option, like this: --tags title=\u0026quot;This is my site\u0026quot; and the variable would be accessible from {{ .title }}.\n\u0026lt;html\u0026gt; \u0026lt;body\u0026gt; \u0026lt;a href=\u0026#34;{{ .redirect }}\u0026#34;\u0026gt;Sign-in\u0026lt;/a\u0026gt; \u0026lt;/body\u0026gt; \u0026lt;/html\u0026gt; Custom Error Page for Bad Request One use case for this is that: inside keycloak server have \u0026ldquo;required user actions\u0026rdquo; set to \u0026ldquo;Terms and Conditions\u0026rdquo;. That means, if it is the first time an user access app X, he will need to accept the T\u0026amp;C or decline. If he accepts the terms, he can login fine to app X. However, if he declines it, he gets an empty error page with \u0026ldquo;bad request\u0026rdquo;.\nYou can use built-in template or your custom:\n--error-page=templates/error.html.tmpl White-listed URL’s Depending on how the application URL’s are laid out, you might want protect the root / URL but have exceptions on a list of paths, for example /health. 
While this is best solved by adjusting the paths, you can add exceptions to the protected resources, like this:\nresources: - uri: /some_white_listed_url white-listed: true - uri: /* methods: - GET roles: - \u0026lt;CLIENT_APP_NAME\u0026gt;:\u0026lt;ROLE_NAME\u0026gt; - \u0026lt;CLIENT_APP_NAME\u0026gt;:\u0026lt;ROLE_NAME\u0026gt; Or on the command line\n--resources \u0026#34;uri=/some_white_listed_url|white-listed=true\u0026#34; --resources \u0026#34;uri=/*\u0026#34; # requires authentication on the rest --resources \u0026#34;uri=/admin*|roles=admin,superuser|methods=POST,DELETE\u0026#34; PKCE (Proof Key for Code Exchange) Gatekeeper supports PKCE with S256 code challenge method. It stores code verifier in cookie. You can set custom cookie name with --cookie-pkce-name.\nMutual TLS The proxy support enforcing mutual TLS for the clients by adding the --tls-ca-certificate command line option or configuration file option. All clients connecting must present a certificate that was signed by the CA being used.\nCertificate rotation The proxy will automatically rotate the server certificates if the files change on disk. Note, no downtime will occur as the change is made inline. Clients who connected before the certificate rotation will be unaffected and will continue as normal with all new connections presented with the new certificate.\nRefresh tokens If a request for an access token contains a refresh token and --enable-refresh-tokens is set to true, the proxy will automatically refresh the access token for you. The tokens themselves are kept either as an encrypted (--encryption-key=KEY) cookie (cookie name: kc-state). or a store (still requires encryption key).\nTo enable a local Redis store use redis://user:secret@localhost:6379/0?protocol=3. See redis-uri specification In both cases, the refresh token is encrypted before being placed into the store.\nPost Login Redirect Without this option if user comes to site protected by gatekeeper e.g. 
http://somesite/somepath, user will be redirected to login and after login back to http://somesite/path. If user comes to / before login he will be redirected back to /. Sometimes you want redirect user back not to / but some path. For this there is option --post-login-redirect-path=/fallback/path which enables you to define some path to which user will be redirected after login if user comes to root path /.\nLogout endpoint There are 2 possibilities how to logout:\nUsing gatekeeper own mechanism --enable-logout-redirect=false In this case calling /oauth/logout will use revocation endpoint which might be set by option --revocation-url or if not set it will be retrieved from keycloak OpenID discovery response https://keycloak.example.com/realms/REALM_NAME/protocol/openid-connect/revoke. By default it will try to retrieve token from authorization header or access token cookie and then token from refresh token cookie, if latter present it will be used for revocation, if not first will be used. If access token is passed to revocation endpoint it will only revoke that access token, so on next request with refresh token user will get new access token. If refresh token is passed to revocation endpoint it will revoke refresh token and all access tokens. Thus it is recommended to pass refresh tokens, this means for --no-redirects=false (code flow) you should enable refresh tokens --enable-refresh-tokens=true so that refresh cookie will be passed to endpoint. 
For --no-redirects=true you have to pass refresh token in authorization header.\nPost Logout Redirection - redirection url will be gathered from this places from highest priority to lowest:\n\u0026ndash;post-logout-redirect-uri option - recommended /oauth/logout?redirect=url - from redirect url query parameter, not recommended, kept only for convenience \u0026ndash;redirection-url option Using keycloak mechanism, valid only for keycloak 18+ --enable-logout-redirect=true Uses keycloak logout endpoint https://keycloak.example.com/realms/REALM_NAME/protocol/openid-connect/logout.\nPost Logout Redirection - you can specify url in --post-logout-redirect-uri option, this logout mechanism uses id token for logging out, in case of code flow this is gathered automatically from id token cookie. In case of --no-redirects=true you have to pass id token in authorization header.\nSession logout Many times there are cases when you have multiple applications (multiple keycloak clients for gatekeeper) and you would like to achieve that logout on one application causes logout also on other application. 
For this use case there is option --enable-idp-session-check=true together with --enable-logout-redirect=true.\nCross-origin resource sharing (CORS) You can add a CORS header via the --cors-[method] with these configuration options.\nAccess-Control-Allow-Origin\nAccess-Control-Allow-Methods\nAccess-Control-Allow-Headers\nAccess-Control-Expose-Headers\nAccess-Control-Allow-Credentials\nAccess-Control-Max-Age\nYou can add using the config file:\ncors-origins: - \u0026#39;*\u0026#39; cors-methods: - GET - POST or via the command line:\n--cors-origins [--cors-origins option] a set of origins to add to the CORS access control (Access-Control-Allow-Origin) --cors-methods [--cors-methods option] the method permitted in the access control (Access-Control-Allow-Methods) --cors-headers [--cors-headers option] a set of headers to add to the CORS access control (Access-Control-Allow-Headers) --cors-exposes-headers [--cors-exposes-headers option] set the expose cors headers access control (Access-Control-Expose-Headers) Upstream URL You can control the upstream endpoint via the --upstream-url option. Both HTTP and HTTPS are supported with TLS verification and keep-alive support configured via the --skip-upstream-tls-verify / --upstream-keepalives option. 
Note, the proxy can also upstream via a UNIX socket, --upstream-url unix://path/to/the/file.sock.\nEndpoints /oauth/authorize is authentication endpoint which will generate the OpenID redirect to the provider\n/oauth/callback is provider OpenID callback endpoint\n/oauth/expired is a helper endpoint to check if a access token has expired, 200 for ok and, 401 for no token and 401 for expired\n/oauth/health is the health checking endpoint for the proxy, you can also grab version from headers\n/oauth/login provides a relay endpoint to login via grant_type=password, for example, POST /oauth/login form values are username=USERNAME\u0026amp;password=PASSWORD (must be enabled)\n/oauth/logout provides a convenient endpoint to log the user out, it will always attempt to perform a back channel log out of offline tokens\n/oauth/token is a helper endpoint which will display the current access token for you\n/oauth/metrics is a Prometheus metrics handler\n/oauth/discovery provides endpoint with basic urls gatekeeper provides\nExternal Authorization Open Policy Agent (OPA) authorization In version 1.8.8 we are introducing external authorization with OPA (applicable to auth code flow --no-redirects=false as well as for --no-redirects=true). 
Gatekeeper sends request with this structure to OPA for authorization:\n{ \u0026#34;input\u0026#34;: { \u0026#34;body\u0026#34;: \u0026#34;{\\\u0026#34;name\\\u0026#34;: \\\u0026#34;test\\\u0026#34;}\u0026#34; // body is sent as string so you will have to unmarshal it in case of json/yaml in OPA \u0026#34;headers\u0026#34;: { \u0026#34;X-SOME\u0026#34;: [\u0026#34;some value\u0026#34;, \u0026#34;other value\u0026#34;], }, \u0026#34;host\u0026#34;: \u0026#34;some.com\u0026#34;, \u0026#34;protocol\u0026#34;: \u0026#34;HTTP/1.1\u0026#34;, \u0026#34;path\u0026#34;: \u0026#34;/test\u0026#34;, \u0026#34;remote_addr\u0026#34;: \u0026#34;192.168.1.90\u0026#34;, \u0026#34;method\u0026#34;: \u0026#34;POST\u0026#34;, \u0026#34;user_agent\u0026#34;: \u0026#34;Firefox\u0026#34;, } } Example gatekeeper configuration:\nenable-opa: true enable-default-deny: true opa-timeout: \u0026#34;60s\u0026#34; opa-authz-uri: \u0026#34;http://127.0.0.1/v1/data/authz/allow\u0026#34; Example OPA policy, with upper gatekeeper configuration and request would result allowing request to upstream:\npackage authz default allow := false body := json.unmarshal(input.body) allow { body.name = \u0026#34;test\u0026#34; body.method = \u0026#34;POST\u0026#34; } Keycloak authorization (UMA) Gatekeeper has ability of external authorization with keycloak using --enable-uma option for browser flows and also api flows. You have to also either populate resources or use --enable-default-deny (see examples in previous sections). So you can mix both external authorization+static resource permissions, but we don\u0026rsquo;t recommend it to not overcomplicate setup. First is always external authorization then static resource authorization. As it is new feature please don\u0026rsquo;t use it in production, we would like first to receive feedback/testing by community. Right now we use external authorization options provided by Keycloak which are specified in UMA (user managed access specification UMA). 
To use this feature you MUST execute these actions in keycloak:\nenable authorization for client in keycloak (client which you will use in gatekeeper) in client authorization tab, you MUST have at least one protected resource protected resource MUST have User-Managed Access enabled protected resource MUST have at least one authorization scope protected resource MUST have proper permissions set Example Keycloak Authorization Guide.\nExample Browser Flow: --discovery-url=\u0026lt;DISCOVERY_URL\u0026gt; --openid-provider-timeout=120s --listen=0.0.0.0:3000 --client-id=\u0026lt;CLIENT_ID\u0026gt; --client-secret=\u0026lt;CLIENT_SECRET\u0026gt; --upstream-url=\u0026lt;UPSTREAM_URL\u0026gt; # code flow/browser flow --no-redirects=false # you have to set this or resources=/* to have enable-uma working --enable-default-deny=true # we are enabling UMA --enable-uma=true # we are also enabling using method scope, this is optional, # it will check resource in keycloak not just for accessed URL # but also for method scope e.g. method:GET, it will return # UMA token in cookie only for that URL+method scope, # if you don\u0026#39;t turn it on it will check just for URL # and will return UMA token in cookie # with all scopes --enable-uma-method-scope=true # UMA token is stored in cookie, you can setup custom name # by default cookie name is uma_token --cookie-uma-name=\u0026lt;CUSTOM_COOKIE_NAME\u0026gt; --skip-access-token-clientid-check=true --skip-access-token-issuer-check=true --openid-provider-retry-count=30 NOTE: You can have only one resource with same URL+method scope combination or URL (in case you don\u0026rsquo;t have method scope enabled), if you have more your access will be forbidden\nExample API Flow: we are recommending to use UMA forward signing for these purpose on client app side, otherwise you will have to get RPT token for client side manually. 
On client app side, forward signing setup (you app should have http proxy options set to this forward-signing proxy):\n--discovery-url=\u0026lt;DISCOVERY_URL\u0026gt; --openid-provider-timeout=120s --listen=0.0.0.0:3000 --client-id=\u0026lt;CLIENT_ID\u0026gt; --client-secret=\u0026lt;CLIENT_SECRET\u0026gt; --enable-uma=true --enable-uma-method-scope=true --enable-forwarding=true # you can use client credentials grant or direct access grant # see Forward-signing proxy section --forwarding-grant-type=client_credentials --skip-access-token-clientid-check=true --skip-access-token-issuer-check=true --openid-provider-retry-count=30 On server side, UMA in no-redirects mode:\n--discovery-url=\u0026lt;DISCOVERY_URL\u0026gt; --openid-provider-timeout=120s --listen=0.0.0.0:3000 --client-id=\u0026lt;CLIENT_ID\u0026gt; --client-secret=\u0026lt;CLIENT_SECRET\u0026gt; --upstream-url=\u0026lt;UPSTREAM_URL\u0026gt; # api flow --no-redirects=true # you have to set this or resources=/* to have enable-uma working --enable-default-deny=true # we are enabling UMA --enable-uma=true # we are also enabling using method scope, this is optional, # it will check resource in keycloak not just for accessed URL # but also for method scope e.g. method:GET, it will return # UMA token in cookie only for that URL+method scope, # if you don\u0026#39;t turn it on it will check just for URL # and will return UMA token in cookie # with all scopes --enable-uma-method-scope=true --skip-access-token-clientid-check=true --skip-access-token-issuer-check=true --openid-provider-retry-count=30 Request tracing Usually when there are multiple http services involved in serving user requests you need to use X-REQUEST-ID or some other header to track request flow through services. To make this possible with gatekeeper you can enable header logging by enabling --enable-logging and --verbose options. 
Also you can use request-id-header and enable-request-id options, which will generate unique uuid and will inject in header supplied in request-id-header option.\nMetrics Assuming --enable-metrics has been set, a Prometheus endpoint can be found on /oauth/metrics; at present the only metric being exposed is a counter per HTTP code.\nLimitations Keep in mind browser cookie limits if you use access or refresh tokens in the browser cookie. Gatekeeper Proxy divides the cookie automatically if your cookie is longer than 4093 bytes. The real size of the cookie depends on the content of the issued access token. Also, encryption might add additional bytes to the cookie size. If you have large cookies (\u0026gt;200 KB), you might reach browser cookie limits.\nAll cookies are part of the header request, so you might find a problem with the max headers size limits in your infrastructure (some load balancers have very low this value, such as 8 KB). Be sure that all network devices have sufficient header size limits. Otherwise, your users won’t be able to obtain an access token.\nKnown Issues There WAS a known issue with the Keycloak server 4.6.0.Final in which Gatekeeper Proxy is unable to find the client_id in the aud claim. This is due to the fact the client_id is not in the audience anymore. The workaround is to add the \u0026ldquo;Audience\u0026rdquo; protocol mapper to the client with the audience pointed to the client_id. For more information, see KEYCLOAK-8954.\nyou can now use --skip-access-token-clientid-check and --skip-access-token-issuer-check to overcome this limitations. 
These are now set by default to true so you should not by default see any these issues, but in case you would like to enable this checks you still have opportunity.\n"},{"uri":"https://gogatekeeper.github.io/gatekeeper/configuration/","title":"Configuration Reference","tags":[],"description":"","content":" CONFIG DESCRIPTION DEFAULT ENV \u0026ndash;config value path the a configuration file PROXY_CONFIG_FILE \u0026ndash;listen value Defines the binding interface for main listener, e.g. {address}:{port}. This is required and there is no default value PROXY_LISTEN \u0026ndash;listen-http value interface we should be listening to for HTTP traffic PROXY_LISTEN_HTTP \u0026ndash;listen-admin value defines the interface to bind admin-only endpoint (live-status, debug, prometheus\u0026hellip;). If not defined, this defaults to the main listener defined by Listen PROXY_LISTEN_ADMIN \u0026ndash;listen-admin-scheme value scheme to serve admin-only endpoint (http or https). PROXY_LISTEN_ADMIN_SCHEME \u0026ndash;discovery-url value discovery url to retrieve the openid configuration PROXY_DISCOVERY_URL \u0026ndash;client-id value client id used to authenticate to the oauth service PROXY_CLIENT_ID \u0026ndash;client-secret value client secret used to authenticate to the oauth service PROXY_CLIENT_SECRET \u0026ndash;redirection-url value redirection url for the oauth callback url, defaults to host header if absent PROXY_REDIRECTION_URL \u0026ndash;post-logout-redirect-uri value url to which client is redirected after successful logout PROXY_POST_LOGOUT_REDIRECT_URI \u0026ndash;post-login-redirect-path value post-login-redirect-path\u0026quot; usage:\u0026ldquo;path to which client is redirected after successful login, in case user access / PROXY_POST_LOGIN_REDIRECT_PATH \u0026ndash;revocation-url value url for the revocation endpoint to revoke refresh token PROXY_REVOCATION_URL \u0026ndash;skip-openid-provider-tls-verify skip the verification of any TLS communication with the 
openid provider false PROXY_SKIP_OPENID_PROVIDER_TLSVERIFY \u0026ndash;openid-provider-proxy value proxy for communication with the openid provider PROXY_OPENID_PROVIDER_PROXY \u0026ndash;openid-provider-timeout value timeout for openid configuration on .well-known/openid-configuration 30s PROXY_OPENID_PROVIDER_TIMEOUT \u0026ndash;openid-provider-retry-count value number of retries for retrieving openid configuration 3 PROXY_OPENID_PROVIDER_RETRY_COUNT \u0026ndash;openid-provider-headers value http headers sent to idp provider \u0026ndash;base-uri value common prefix for all URIs PROXY_BASE_URI \u0026ndash;oauth-uri value the uri for proxy oauth endpoints /oauth PROXY_OAUTH_URI \u0026ndash;scopes value list of scopes requested when authenticating the user \u0026ndash;upstream-url value url for the upstream endpoint you wish to proxy PROXY_UPSTREAM_URL \u0026ndash;upstream-ca value the path to a file container a CA certificate to validate the upstream tls endpoint PROXY_UPSTREAM_CA \u0026ndash;resources value list of resources \u0026lsquo;uri=/admin*|methods=GET,PUT|roles=role1,role2\u0026rsquo; \u0026ndash;headers value custom headers to the upstream request, key=value \u0026ndash;preserve-host preserve the host header of the proxied request in the upstream request false PROXY_PRESERVE_HOST \u0026ndash;request-id-header value the http header name for request id X-Request-ID PROXY_REQUEST_ID_HEADER \u0026ndash;response-headers value custom headers to added to the http response key=value PROXY_RESPONSE_HEADERS \u0026ndash;custom-http-methods list of additional non-standard http methods \u0026ndash;enable-self-signed-tls create self signed certificates for the proxy false PROXY_ENABLE_SELF_SIGNED_TLS \u0026ndash;self-signed-tls-hostnames value a list of hostnames to place on the self-signed certificate \u0026ndash;self-signed-tls-expiration value the expiration of the certificate before rotation 3h0m0s PROXY_SELF_SIGNED_TLS_EXPIRATION \u0026ndash;enable-request-id 
indicates we should add a request id if none found false PROXY_ENABLE_REQUEST_ID \u0026ndash;enable-logout-redirect indicates we should redirect to the identity provider for logging out false PROXY_ENABLE_LOGOUT_REDIRECT \u0026ndash;enable-default-deny enables a default denial on all requests, requests with valid token are permitted, you have to explicitly say what is permitted true PROXY_ENABLE_DEFAULT_DENY \u0026ndash;enable-default-deny-strict enables a default denial on all requests, requests with valid token are denied, you have to explicitly say what is permitted (recommended) false PROXY_ENABLE_DEFAULT_DENY_STRICT \u0026ndash;enable-encrypted-token enable encryption for the access tokens false PROXY_ENABLE_ENCRYPTED_TOKEN \u0026ndash;force-encrypted-cookie force encryption for the access tokens in cookies false PROXY_FORCE_ENCRYPTED_COOKIE \u0026ndash;enable-logging enable http logging of the requests false PROXY_ENABLE_LOGGING \u0026ndash;enable-json-logging switch on json logging rather than text false PROXY_ENABLE_JSON_LOGGING \u0026ndash;enable-forwarding enables the forwarding proxy mode, signing outbound request false PROXY_ENABLE_FORWARDING \u0026ndash;enable-security-filter enables the security filter handler false PROXY_ENABLE_SECURITY_FILTER \u0026ndash;enable-refresh-tokens enables the handling of the refresh tokens false PROXY_ENABLE_REFRESH_TOKEN \u0026ndash;enable-session-cookies access and refresh tokens are session only i.e. 
removed browser close true PROXY_ENABLE_SESSION_COOKIES \u0026ndash;enable-login-handler enables the handling of the refresh tokens false PROXY_ENABLE_LOGIN_HANDLER \u0026ndash;enable-token-header enables the token authentication header X-Auth-Token to upstream true PROXY_ENABLE_TOKEN_HEADER \u0026ndash;enable-authorization-header adds the authorization header to the proxy request true PROXY_ENABLE_AUTHORIZATION_HEADER \u0026ndash;enable-authorization-cookies adds the authorization cookies to the uptream proxy request true PROXY_ENABLE_AUTHORIZATION_COOKIES \u0026ndash;enable-https-redirection enable the http to https redirection on the http service false PROXY_ENABLE_HTTPS_REDIRECT \u0026ndash;enable-profiling switching on the golang profiling via pprof on /debug/pprof, /debug/pprof/heap etc false PROXY_ENABLE_PROFILING \u0026ndash;enable-metrics enable the prometheus metrics collector on /oauth/metrics false PROXY_ENABLE_METRICS \u0026ndash;filter-browser-xss enable the adds the X-XSS-Protection header with mode=block false PROXY_ENABLE_BROWSER_XSS_FILTER \u0026ndash;filter-content-nosniff adds the X-Content-Type-Options header with the value nosniff false PROXY_ENABLE_CONTENT_NO_SNIFF \u0026ndash;filter-frame-deny enable to the frame deny header false PROXY_ENABLE_FRAME_DENY \u0026ndash;content-security-policy value specify the content security policy PROXY_CONTENT_SECURITY_POLICY \u0026ndash;localhost-metrics enforces the metrics page can only been requested from 127.0.0.1 false PROXY_LOCALHOST_METRICS \u0026ndash;enable-compression enable gzip compression for response false PROXY_ENABLE_COMPRESSION \u0026ndash;enable-pkce enable pkce for auth code flow, only S256 code challenge supported false PROXY_ENABLE_PKCE \u0026ndash;enable-idp-session-check during token validation it also checks if user session is still present, useful for multi app logout true PROXY_ENABLE_IDP_SESSION_CHECK \u0026ndash;enable-uma enable UMA authorization, please don\u0026rsquo;t use in 
production as it is new feature, we would like to receive feedback first false PROXY_ENABLE_UMA \u0026ndash;enable-opa enable authorization with external Open policy agent false PROXY_ENABLE_OPA \u0026ndash;opa-timeout timeout for connection to OPA 10s PROXY_OPA_TIMEOUT \u0026ndash;opa-authz-uri OPA endpoint address with path PROXY_OPA_AUTHZ_URI \u0026ndash;pat-retry-count number of retries to get PAT 5 PROXY_PAT_RETRY_COUNT \u0026ndash;pat-retry-interval interval between retries to get PAT 2s PROXY_PAT_RETRY_INTERVAL \u0026ndash;access-token-duration value fallback cookie duration for the access token when using refresh tokens 720h0m0s PROXY_ACCESS_TOKEN_DURATION \u0026ndash;cookie-domain value domain the access cookie is available to, defaults host header PROXY_COOKIE_DOMAIN \u0026ndash;cookie-access-name value name of the cookie use to hold the access token kc-access PROXY_COOKIE_ACCESS_NAME \u0026ndash;cookie-refresh-name value name of the cookie used to hold the encrypted refresh token kc-state PROXY_COOKIE_REFRESH_NAME \u0026ndash;cookie-oauth-state-name value name of the cookie used to hold the Oauth request state OAuth_Token_Request_State COOKIE_OAUTH_STATE_NAME \u0026ndash;cookie-request-uri-name value name of the cookie used to hold the request uri request_uri COOKIE_REQUEST_URI_NAME \u0026ndash;cookie-pkce-name value name of the cookie used to hold PKCE code verifier pkce COOKIE_PKCE_NAME \u0026ndash;secure-cookie enforces the cookie to be secure true PROXY_SECURE_COOKIE \u0026ndash;http-only-cookie enforces the cookie is in http only mode true PROXY_HTTP_ONLY_COOKIE \u0026ndash;same-site-cookie value enforces cookies to be send only to same site requests according to the policy (can be | Strict|Lax|None) Lax PROXY_SAME_SITE_COOKIE \u0026ndash;enable-id-token-cookie enable id token cookie false PROXY_ENABLE_IDTOKEN_COOKIE \u0026ndash;match-claims value keypair values for matching access token claims e.g. 
aud=myapp, iss=http://example.* \u0026ndash;add-claims value extra claims from the token and inject into headers, e.g given_name -\u0026gt; X-Auth-Given-Name \u0026ndash;enable-uma-method-scope enables passing request method as \u0026lsquo;method:GET\u0026rsquo; scope to keycloak for authorization false PROXY_ENABLE_UMA_METHOD_SCOPE \u0026ndash;tls-min-version specify server minimal TLS version one of tlsv1.0,tlsv1.1,tlsv1.2,tlsv1.3 TLS_MIN_VERSION \u0026ndash;tls-cert value path to ths TLS certificate PROXY_TLS_CERTIFICATE \u0026ndash;tls-private-key value path to the private key for TLS PROXY_TLS_PRIVATE_KEY \u0026ndash;tls-ca-certificate value path to the ca certificate used for signing requests PROXY_TLS_CA_CERTIFICATE \u0026ndash;tls-ca-key value path the ca private key, used by the forward signing proxy PROXY_TLS_CA_PRIVATE_KEY \u0026ndash;tls-client-certificate value path to the client certificate for outbound connections in reverse and forwarding proxy modes PROXY_TLS_CLIENT_CERTIFICATE \u0026ndash;skip-upstream-tls-verify skip the verification of any upstream TLS true PROXY_SKIP_UPSTREAM_TLS_VERIFY \u0026ndash;tls-admin-cert value path to ths TLS certificate PROXY_TLS_ADMIN_CERTIFICATE \u0026ndash;tls-admin-private-key value path to the private key for TLS PROXY_TLS_ADMIN_PRIVATE_KEY \u0026ndash;tls-admin-ca-certificate value path to the ca certificate used for signing requests PROXY_TLS_ADMIN_CA_CERTIFICATE \u0026ndash;tls-admin-client-certificate value path to the client certificate for outbound connections in reverse and forwarding proxy modes PROXY_TLS_ADMIN_CLIENT_CERTIFICATE \u0026ndash;cors-origins value origins to add to the CORE origins control (Access-Control-Allow-Origin) \u0026ndash;cors-methods value methods permitted in the access control (Access-Control-Allow-Methods) \u0026ndash;cors-headers value set of headers to add to the CORS access control (Access-Control-Allow-Headers) \u0026ndash;cors-exposed-headers value expose cors headers access 
control (Access-Control-Expose-Headers) \u0026ndash;cors-credentials credentials access control header (Access-Control-Allow-Credentials) false PROXY_CORS_CREDENTIALS \u0026ndash;cors-max-age value max age applied to cors headers (Access-Control-Max-Age) 0s PROXY_CORS_MAX_AGE \u0026ndash;hostnames value list of hostnames the service will respond to \u0026ndash;store-url value url for the storage subsystem, e.g redis://user:secret@localhost:6379/0?protocol=3, only supported is redis usig redis uri spec PROXY_STORE_URL \u0026ndash;encryption-key value encryption key used to encryption the session state PROXY_ENCRYPTION_KEY \u0026ndash;enable-hmac enable creating hmac for forwarded requests and verification on incoming requests false PROXY_ENABLE_HMAC \u0026ndash;no-proxy value do not proxy requests to upstream, useful for forward-auth usage (with nginx, traefik) PROXY_NO_PROXY \u0026ndash;no-redirects do not have back redirects when no authentication is present, 401 them false PROXY_NO_REDIRECTS \u0026ndash;skip-token-verification TESTING ONLY; bypass token verification, only expiration and roles enforced false PROXY_SKIP_TOKEN_VERIFICATION \u0026ndash;skip-access-token-issuer-check according RFC issuer should not be checked on access token, this will be default true in future true PROXY_SKIP_ACCESS_TOKEN_ISSUER_CHECK \u0026ndash;skip-access-token-clientid-check according RFC client id should not be checked on access token, this will be default true in future true PROXY_SKIP_ACCESS_TOKEN_CLIENT_ID_CHECK \u0026ndash;skip-authorization-header-identity skip authorization header identity, means that we won\u0026rsquo;t be extracting token from authorization header, only from cookie or fail if even no cookie present (e.g. 
if authorization header is used only by application behind gatekeeper)\u0026quot;` false PROXY_SKIP_AUTHORIZATION_HEADER_IDENTITY \u0026ndash;upstream-keepalives enables or disables the keepalive connections for upstream endpoint true PROXY_UPSTREAM_KEEPALIVES \u0026ndash;upstream-timeout value maximum amount of time a dial will wait for a connect to complete 10s PROXY_UPSTREAM_TIMEOUT \u0026ndash;upstream-keepalive-timeout value specifies the keep-alive period for an active network connection 10s PROXY_UPSTREAM_KEEPALIVE_TIMEOUT \u0026ndash;upstream-tls-handshake-timeout value the timeout placed on the tls handshake for upstream 10s PROXY_UPSTREAM_TLS_HANDSHAKE_TIMEOUT \u0026ndash;upstream-response-header-timeout value the timeout placed on the response header for upstream 10s PROXY_UPSTREAM_RESPONSE_HEADER_TIMEOUT \u0026ndash;upstream-expect-continue-timeout value the timeout placed on the expect continue for upstream 10s PROXY_UPSTREAM_EXPECT_CONTINUE_TIMEOUT \u0026ndash;verbose switch on debug / verbose logging false PROXY_VERBOSE \u0026ndash;enabled-proxy-protocol enable proxy protocol false PROXY_ENABLE_PROXY_PROTOCOL \u0026ndash;max-idle-connections value max idle upstream / keycloak connections to keep alive, ready for reuse 0 PROXY_MAX_IDLE_CONNS \u0026ndash;max-idle-connections-per-host value limits the number of idle connections maintained per host 0 PROXY_MAX_IDLE_CONNS_PER_HOST \u0026ndash;server-read-timeout value the server read timeout on the http server 10s PROXY_SERVER_READ_TIMEOUT \u0026ndash;server-write-timeout value the server write timeout on the http server 10s PROXY_SERVER_WRITE_TIMEOUT \u0026ndash;server-idle-timeout value the server idle timeout on the http server 2m0s PROXY_SERVER_IDLE_TIMEOUT \u0026ndash;use-letsencrypt use letsencrypt for certificates false PROXY_USE_LETS_ENCRYPT \u0026ndash;letsencrypt-cache-dir value path where cached letsencrypt certificates are stored ./cache/ PROXY_LETS_ENCRYPT_CACHE_DIR \u0026ndash;sign-in-page 
value path to custom template displayed for signin PROXY_SIGN_IN_PAGE \u0026ndash;forbidden-page value path to custom template used for access forbidden PROXY_FORBIDDEN_PAGE \u0026ndash;error-page value path to custom template displayed for http.StatusBadRequest PROXY_ERROR_PAGE \u0026ndash;tags value keypairs passed to the templates at render,e.g title=Page \u0026ndash;forwarding-grant-type value grant-type to use when logging into the openid provider, can be one of password, client_credentials password PROXY_FORWARDING_GRANT_TYPE \u0026ndash;forwarding-username value username to use when logging into the openid provider PROXY_FORWARDING_USERNAME \u0026ndash;forwarding-password value password to use when logging into the openid provider PROXY_FORWARDING_PASSWORD \u0026ndash;forwarding-domains value list of domains which should be signed; everything else is relayed unsigned \u0026ndash;disable-all-logging disables all logging to stdout and stderr false PROXY_DISABLE_ALL_LOGGING \u0026ndash;help, -h show help \u0026ndash;version, -v print the version "},{"uri":"https://gogatekeeper.github.io/gatekeeper/","title":"","tags":[],"description":"","content":"gatekeeper gatekeeper is the simple authentication and authorization proxy that gets your app off the ground!\ngatekeeper was previously known as louketo and keycloak-gatekeeper.\nGoals To have just enough auth features (both authentication and authorization) to get your app off the ground To be well documented and easy to get started with To remain true to the roots of this project gatekeeper will be interoperable with keycloak out of the box, Announcements! 
gatekeeper is reborn with from the ashes of louketo under the new organization gogatekeeper.\nWatch this space!\n"},{"uri":"https://gogatekeeper.github.io/gatekeeper/categories/","title":"Categories","tags":[],"description":"","content":""},{"uri":"https://gogatekeeper.github.io/gatekeeper/tags/","title":"Tags","tags":[],"description":"","content":""}] \ No newline at end of file +[{"uri":"https://gogatekeeper.github.io/gatekeeper/userguide/","title":"User Guide","tags":[],"description":"","content":"Gatekeeper Gatekeeper is a proxy which integrates with OpenID Connect (OIDC) Providers, it supports both access tokens in a browser cookie or bearer tokens.\nThis documentation details how to build and configure Gatekeeper followed by details of how to use each of its features.\nFor further information, see the included help file which includes a full list of commands and switches. View the file by entering the following at the command line (modify the location to match where you install Gatekeeper Proxy):\n$ bin/gatekeeper help You can view all settings also in this table Settings\nRequirements Go 1.19 or higher Configuration options Configuration can come from a YAML/JSON file or by using command line options. 
Here is a list of options.

```yaml
# the URL used to retrieve the OpenID configuration
discovery-url: <DISCOVERY URL>
# Indicates we should deny by default all requests and explicitly specify what is permitted, default true
# this is equivalent of --resource=/*|methods
enable-default-deny: true
# the client id for the 'client' application
client-id: <CLIENT_ID>
# the secret associated to the 'client' application
client-secret: <CLIENT_SECRET>
# the interface definition you wish the proxy to listen on; all interfaces is specified as ':<port>',
# unix sockets as unix://<REL_PATH>|</ABS PATH>
listen: :3000
# port on which metrics and health endpoints will be available, if not specified it will be on the above specified port
listen-admin: :4000
# whether to enable refresh tokens
enable-refresh-tokens: true
# you can set up custom templates for forbidden/error/sign-in pages, gatekeeper
# also provides these already builtin (but they are not set by default)
forbidden-page: templates/forbidden.html.tmpl
error-page: templates/error.html.tmpl
sign-in-page: sign_in.html.tmpl
# the location of a certificate you wish the proxy to use for TLS support
tls-cert:
# the location of a private key for TLS
tls-private-key:
# TLS options related to the admin listener
tls-admin-cert:
tls-admin-private-key:
tls-admin-ca-certificate:
tls-admin-client-certificate:
# the redirection URL, essentially the site URL, note: /oauth/callback is added at the end
redirection-url: http://127.0.0.1:3000
# the encryption key used to encode the session state
encryption-key: <ENCRYPTION_KEY>
# the upstream endpoint to which we should proxy requests
upstream-url: http://127.0.0.1:80
# Returns HTTP 401 when no authentication is present, used with forward proxies or API protection with client credentials grant.
no-redirects: false
# additional scopes to add to the default (openid+email+profile)
scopes:
  - vpn-user
# a collection of resources, i.e. URLs that you wish to protect; these are simple gatekeeper authorization rules,
# to get more complex authorization you can look at the external authorization section in our documentation
resources:
  - uri: /admin/test
    # the methods on this URL that should be protected, uri is required when defining a resource
    methods:
      - GET
    # a list of roles the user must have in order to access URLs under the above
    # If all you want is authentication ONLY, simply remove the roles array - the user must be authenticated but
    # no roles are required
    roles:
      - openvpn:vpn-user
      - openvpn:prod-vpn
      - test
  - uri: /admin/*
    methods:
      - GET
    roles:
      - openvpn:vpn-user
      - openvpn:commons-prod-vpn
```

Options issued at the command line have a higher priority and will override or merge with options referenced in a config file. Examples of each style are shown in the following sections.

## Example of usage and configuration with Keycloak

Assuming you have some web service you wish protected by Keycloak:

1. Create the client using the Keycloak GUI or CLI; the client protocol is 'openid-connect', access-type: confidential.
2. Add a Valid Redirect URI of http://127.0.0.1:3000/oauth/callback.
3. Grab the client id and client secret.
4. Create the roles under the client or existing clients for authorization purposes.

Here is an example configuration file.

```yaml
client-id: <CLIENT_ID>
client-secret: <CLIENT_SECRET> # required for access_type: confidential
# Note the redirection-url is optional, it will default to the URL scheme and host,
# only in case of forward auth it will use X-Forwarded-Proto / X-Forwarded-Host, please see the forward-auth section
discovery-url: https://keycloak.example.com/realms/<REALM_NAME>
# Indicates we should deny by default all requests and explicitly specify what is permitted, default true,
# you cannot specify enable-default-deny:true together with defining resource=uri=/*
enable-default-deny: true
encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
listen: :3000
redirection-url: http://127.0.0.1:3000
upstream-url: http://127.0.0.1:80
# a collection of resources, i.e. URLs that you wish to protect; these are simple gatekeeper authorization rules,
# to get more complex authorization you can look at the external authorization section in our documentation
resources:
  - uri: /admin*
    methods:
      - GET
    roles:
      # this will match a realm role from the token
      - examplerealmrole
      # you can see here that the roles below will match client roles from the token
      # it will look for client1's client role test1 and client2's client role test2
      - client1:test1
      - client2:test2
    require-any-role: true
    groups:
      - admins
      - users
  - uri: /backend*
    roles:
      - client:test1
  - uri: /public/*
    # Allow access to the resource above
    white-listed: true
  - uri: /favicon
    # Allow access to the resource above
    white-listed: true
  - uri: /css/*
    # Allow access to the resource above
    white-listed: true
  - uri: /img/*
    # Allow access to the resource above
    white-listed: true
# Adds custom headers
headers:
  myheader1: value_1
  myheader2: value_2
```

Anything defined in a configuration file can also be configured using command line options, such as in this example.

```sh
# --listen also accepts unix sockets in the format unix://path
bin/gatekeeper \
  --discovery-url=https://keycloak.example.com/realms/<REALM_NAME> \
  --client-id=<CLIENT_ID> \
  --client-secret=<SECRET> \
  --listen=127.0.0.1:3000 \
  --redirection-url=http://127.0.0.1:3000 \
  --enable-refresh-tokens=true \
  --encryption-key=AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j \
  --upstream-url=http://127.0.0.1:80 \
  --enable-default-deny=true \
  --resources="uri=/admin*|roles=test1,test2" \
  --resources="uri=/backend*|roles=test1" \
  --resources="uri=/css/*|white-listed=true" \
  --resources="uri=/img/*|white-listed=true" \
  --resources="uri=/public/*|white-listed=true" \
  --headers="myheader1=value1" \
  --headers="myheader2=value2"
```

## Roles

By default, the roles defined on a resource perform a logical AND, so all roles specified must be present in the claims. This behavior can be altered by the require-any-role option, in which case the permission is granted as long as one of the roles is present.

You can match on realm roles or client roles:

```yaml
resources:
  - uri: /admin*
    methods:
      - GET
    roles:
      # this will match a realm role from the token
      - examplerealmrole
      # you can see here that the roles below will match client roles from the token
      # it will look for client1's client role test1 and client2's client role test2
      - client1:test1
      - client2:test2
```

If you have roles listed in some custom claim, please see custom claim matching.

## Authentication flows

You can use gatekeeper to protect APIs, frontend server applications and frontend client applications. Frontend server-side applications can be protected by the Authorization Code Flow (also with PKCE), during which several redirection steps take place. For protecting APIs you can use the Client Credentials Grant; to avoid the redirection steps involved in the authorization code flow you have to use --no-redirects=true. For frontend client applications you can use the Authorization Code Flow (also with PKCE) with encrypted refresh token cookies enabled; in this case, however, you have to handle redirections at login/logout and you must make cookies available to JS (less secure, although at least they are encrypted).

## Default Deny

--enable-default-deny - this option blocks all requests without a valid token on all basic HTTP methods (DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE).
WARNING: There are no additional requirements on the token; it isn't checked for any claims, roles, groups etc. (this option is true by default).

--enable-default-deny-strict (recommended) - this option blocks all requests (including those with a valid token) unless a specific path with requirements is specified in resources (this option is false by default).

## OpenID Provider Communication

By default the communication with the OpenID provider is direct. If you wish, you can specify a forwarding proxy server in your configuration file:

```yaml
openid-provider-proxy: http://proxy.example.com:8080
```

## HTTP routing

By default, all requests will be proxied on to the upstream; if you wish to ensure all requests are authenticated you can use this:

```sh
--resources=uri=/* # note, unless specified the method is assumed to be 'any|ANY'
```

The HTTP routing rules follow the guidelines from chi. The ordering of the resources does not matter, the router will handle that for you.

## Cookie size

All browsers have limitations on the number of cookies and on cookie size. This usually does not adhere to any standard. E.g. Chrome has a limitation of 4096 bytes on all cookies per domain. This might cause you trouble, e.g. Chrome responding with 431 Request Header Fields Too Large. To overcome these limitations gatekeeper offers several options:

- --enable-id-token-cookie - is false by default; in case you don't need the id token, leave it off
- --store-url - this will enable storing the refresh token in a redis store instead of cookies, which saves you some bytes and also has the additional effect of raising security on the client side, as the refresh token won't be exposed to the client

### Session-only cookies

By default, the access and refresh cookies are session-only and disposed of on browser close; you can disable this feature using the --enable-session-cookies option.

### Cookie Names

There are two parameters which you can use to set up the cookie names for the access token and the refresh token.

```sh
--cookie-access-name=myAccessTokenCookie
--cookie-refresh-name=myRefreshTokenCookie
```

## TCP proxy with HTTP CONNECT

You can protect your TCP services with gogatekeeper by adding the CONNECT HTTP method to the list of custom-http-methods. On the client side you will of course need to pass the token in the Authorization header (right now there are few clients which can make an HTTP CONNECT with a Bearer token and then forward TCP, e.g. the gost proxy, but only in a static way; some IDEs provide HTTP CONNECT functionality for DB connectors but only with Basic authentication; we would like to add this functionality to gatekeeper in future). This setup will authenticate the connection at start and will create a tunnel to your backend service.
Please use with care and ensure that it allows connections only to the intended services, otherwise it can be misused for various attacks.

This example allows users with a valid token to connect to a backend postgres service:

```text
"--discovery-url=http://127.0.0.1:8081/realms/test/.well-known/openid-configuration",
"--client-id=test-client",
"--client-secret=6447d0c0-d510-42a7-b654-6e3a16b2d7e2",
"--upstream-url=http://127.0.0.1:5432",
"--listen=0.0.0.0:5000",
"--no-redirects=true",
"--enable-authorization-header=true",
"--custom-http-methods=CONNECT",
"--enable-default-deny=true",
"--enable-logging=true",
"--enable-compression=true",
"--enable-json-logging=true",
"--verbose=true",
"--skip-token-verification=false",
"--upstream-keepalive-timeout=30s",
"--scopes=openid",
"--skip-access-token-clientid-check=true"
```

Configuration for the gost proxy, to forward your TCP client connection with HTTP CONNECT. Please be aware that you need to put your own token in there (there is only an example token in this config):

```sh
cat > config.yaml <<EOF
services:
- name: service-0
  addr: ":8000"
  handler:
    type: tcp
    chain: chain-0
  listener:
    type: tcp
chains:
- name: chain-0
  hops:
  - name: hop-0
    nodes:
    - name: localhost
      addr: :5000
      connector:
        type: http
        metadata:
          header:
            Authorization: "Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJndWZUNUxaOWROWE5QSHV1d2U3T3AwWnI3b0VqdjhqVzdzbF8xUU1jaUkwIn0.eyJleHAiOjE2ODY1NzI1MDEsImlhdCI6MTY4NjU3MjIwMSwianRpIjoiY2UyZmRkMjAtNTc1YS00ZjIyLThkYTktOWQxYjM0ZTE3YjE3IiwiaXNzIjoiaHR0cDovLzEyNy4wLjAuMTo4MDgxL3JlYWxtcy90ZXN0IiwiYXVkIjoiYWNjb3VudCIsInN1YiI6ImE2NzgyMzg4LTNjOTMtNDA4Ny1iNDk5LTI5MmViYTU2ZDYwNiIsInR5cCI6IkJlYXJlciIsImF6cCI6InRlc3QtY2xpZW50Iiwic2Vzc2lvbl9zdGF0ZSI6ImRhODlmMDU4LTAyOGItNGJlNS05ZmQ4LTg5MjBmOTRkZTEwNiIsImFsbG93ZWQtb3JpZ2lucyI6WyIqIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIiwidXNlciJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIiwic2lkIjoiZGE4OWYwNTgtMDI4Yi00YmU1LTlmZDgtODkyMGY5NGRlMTA2IiwiZW1haWxfdmVyaWZpZWQiOnRydWUsIm5hbWUiOiJUZXN0IFRlc3QiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJteXVzZXIiLCJnaXZlbl9uYW1lIjoiVGVzdCIsImZhbWlseV9uYW1lIjoiVGVzdCIsImVtYWlsIjoic29tZWJvZHlAc29tZXdoZXJlLmNvbSJ9.D-qDEDBumfIsVRJY6ONaXAY6fZWKZhrTG9-qtaSxYZIq7TLfApKhZCdLTkNzZPDSuL7FugJ7AGnwnmbRos9hOV25UgqAZ9biO2eo04olwXXsn7q0cboVqQXMlFc4kNCWQJov9JqhG_f21T25gdQH7eMlSu1QvnKvvTRQNEHpG9fvL86D16GETPnVExRoH81fe0zHMQPk7u_eZcOlNxg5HDFacNSUpnpgoH37Fhzt0FHj5mN_nfknty5KLCO6Zs_kmdvlgVkPzceZqp2Chmq4rmlp9OPMslTEwBlRn1qTRZPpJXCxoLuMMNMeVvrXXKvFXuIuQ7vZFOE8xNVogm7cxQ"
      dialer:
        type: tcp
EOF
```

Start the gost proxy:

```sh
gost -C config.yaml
```

Connect with the psql client:

```sh
psql -U postgres -h localhost -p 8000
```

## Websocket proxy

You can also protect websocket servers with the gatekeeper proxy. You must use the standard upgrade headers to proxy to your websocket backend. There are additional considerations you need to take into account when protecting a websocket backend. Browsers don't have built-in protection against CORS for the websocket protocol like they have for HTTP. That means you need to consider enabling additional methods for verifying that browsers connect only to your backend and receive responses only from your backend.
For this we recommend turning on the --enable-encrypted-token and --encryption-key options and also verifying the Origin header with headers matching; please refer to Headers matching.

## HMAC Signature, signing and verification

To raise your security you can sign and verify an HMAC for your requests. Signing is done when using --enable-hmac with the forward-signing feature below. Verification is done when using gatekeeper as an authentication/authorization proxy. Gatekeeper in forward-signing mode creates the signature, and this is also the signature which gatekeeper expects when used as an auth/authz proxy; you can create this signature on your own, assuming you have the proper secret. The signature is passed in the X-HMAC-SHA256 header. The signature is created by signing several fields:

```go
stringToSign := fmt.Sprintf(
	"%s\n%s%s\n%s;%s;%s",
	req.Method,
	req.URL.Path,
	req.URL.RawQuery,
	req.Header.Get(constant.AuthorizationHeader),
	req.Host,
	sha256.Sum256(body),
)
```

## Forward-signing proxy

Forward-signing provides a mechanism for authentication and authorization between services using tokens issued from the IdP. When operating in this mode the proxy will automatically acquire an access token (handling the refreshing or logins on your behalf) and tag outbound requests with an Authorization header. You can control which domains are tagged with the --forwarding-domains option. Note, this option uses a contains comparison on domains.
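As an added worked example (not gatekeeper's own code), the Go program below reproduces the stringToSign layout from the snippet above, signs it with HMAC-SHA256 and verifies it with a constant-time comparison, which is what a verifying proxy needs. The shared secret, the request fields and the hex encoding of the tag are assumptions made for illustration; the page does not state how the X-HMAC-SHA256 value is encoded, and the Request struct stands in for the *http.Request fields the snippet reads.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Request is a constructed stand-in for the *http.Request fields that the
// documented stringToSign reads; a plain struct keeps the example offline.
type Request struct {
	Method        string
	Path          string
	RawQuery      string
	Authorization string
	Host          string
	Body          []byte
}

// StringToSign reproduces the documented layout exactly:
// METHOD \n PATH+RAWQUERY \n AUTHZ;HOST;SHA256(body).
// Note that %s on a [32]byte writes the raw digest bytes (not hex), and that
// path and raw query are concatenated without a '?'.
func StringToSign(r Request) string {
	return fmt.Sprintf("%s\n%s%s\n%s;%s;%s",
		r.Method, r.Path, r.RawQuery, r.Authorization, r.Host, sha256.Sum256(r.Body))
}

// Sign computes HMAC-SHA256 over the string-to-sign. Hex encoding of the tag is
// an assumption of this example.
func Sign(secret []byte, r Request) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(StringToSign(r)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify recomputes the tag and compares it with hmac.Equal, so that the time
// taken does not depend on where a forged value first differs.
func Verify(secret []byte, r Request, presented string) bool {
	got, err := hex.DecodeString(presented)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(StringToSign(r)))
	return hmac.Equal(got, mac.Sum(nil))
}

func main() {
	secret := []byte("example-shared-secret") // constructed, not a real secret
	req := Request{
		Method: "POST", Path: "/api/items", RawQuery: "limit=10",
		Authorization: "Bearer <ACCESS_TOKEN>", Host: "api.example.test",
		Body: []byte(`{"name":"widget"}`),
	}
	tag := Sign(secret, req)
	fmt.Println("X-HMAC-SHA256:", tag)
	fmt.Println("verifies:", Verify(secret, req, tag))

	// Any change to a covered field (method, path, query, token, host, body)
	// invalidates the signature.
	tampered := req
	tampered.Body = []byte(`{"name":"gadget"}`)
	fmt.Println("tampered body verifies:", Verify(secret, tampered, tag))
}
```

Because the body digest and the Authorization header are part of the signed string, a replayed signature cannot be reused with a different token or payload; the host and path fields likewise bind it to one upstream route.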
So, if you wanted to match all domains under *.svc.cluster.local you can use: --forwarding-domain=svc.cluster.local.

You can choose between two types of OAuth authentication: the password grant type (default) or the client_credentials grant type.

Example setup with the password grant:

You have a collection of micro-services which are permitted to speak to one another; you have already set up the credentials, roles, and clients in Keycloak, providing granular role controls over issued tokens.

```yaml
- name: gatekeeper
  image: quay.io/gogatekeeper/gatekeeper:2.9.2
  args:
    - --enable-forwarding=true
    - --forwarding-username=projecta
    - --forwarding-password=some_password
    - --forwarding-domains=projecta.svc.cluster.local
    - --forwarding-domains=projectb.svc.cluster.local
    - --client-id=xxxxxx
    - --client-secret=xxxx
    - --discovery-url=http://keycloak:8080/realms/master
    - --tls-ca-certificate=/etc/secrets/ca.pem
    - --tls-ca-key=/etc/secrets/ca-key.pem
    # Note: if you don't specify any forwarding domains, all domains will be signed; also the code checks if the
    # domain 'contains' the value (it's not a regex), so if you wanted to sign all requests to svc.cluster.local, just use
    # svc.cluster.local
  volumeMounts:
    - name: keycloak-socket
      mountPath: /var/run/keycloak
- name: projecta
  image: some_images
```

Example setup with the client credentials grant:

```yaml
- name: gatekeeper
  image: quay.io/gogatekeeper/gatekeeper:2.9.2
  args:
    - --enable-forwarding=true
    - --forwarding-domains=projecta.svc.cluster.local
    - --forwarding-domains=projectb.svc.cluster.local
    - --client-id=xxxxxx
    - --client-secret=xxxx
    - --discovery-url=http://keycloak:8080/realms/master
    - --tls-ca-certificate=/etc/secrets/ca.pem
    - --tls-ca-key=/etc/secrets/ca-key.pem
    - --forwarding-grant-type=client_credentials
    # Note: if you don't specify any forwarding domains, all domains will be signed; also the code checks if the
    # domain 'contains' the value (it's not a regex), so if you wanted to sign all requests to svc.cluster.local, just use
    # svc.cluster.local
  volumeMounts:
    - name: keycloak-socket
      mountPath: /var/run/keycloak
- name: projecta
  image: some_images
```

Test the forward proxy:

```sh
curl -k --proxy http://127.0.0.1:3000 https://test.projesta.svc.cluster.local
```

On the receiver side, you could set up the Gatekeeper Proxy with --no-redirects=true and permit it to verify and handle admission for you. Alternatively, the access token can be found as a bearer token in the request.

### Forwarding signed HTTPS connections

Handling HTTPS requires a man-in-the-middle sort of TLS connection. By default, if no --tls-ca-certificate and --tls-ca-key are provided the proxy will use the default certificate. If you wish to verify the trust, you'll need to generate a CA, for example:

```sh
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ca-key.pem -out ca.pem
$ bin/gatekeeper \
    --enable-forwarding \
    --forwarding-username=USERNAME \
    --forwarding-password=PASSWORD \
    --client-id=CLIENT_ID \
    --client-secret=SECRET \
    --discovery-url=https://keycloak.example.com/realms/test \
    --tls-ca-certificate=ca.pem \
    --tls-ca-key=ca-key.pem
```

### Forwarding with UMA token

When --enable-uma is set in forwarding mode, the proxy signs the request with an RPT token.

## HTTPS redirect

The proxy supports an HTTP listener, so the only real requirement here is to perform an HTTP to HTTPS redirect. You can enable the option like this:

```sh
--listen-http=127.0.0.1:80
--enable-security-filter=true # is required for the https redirect
--enable-https-redirection
```

## Let's Encrypt configuration

Here is an example of the required configuration for Let's Encrypt support:

```yaml
listen: 0.0.0.0:443
enable-https-redirection: true
enable-security-filter: true
use-letsencrypt: true
letsencrypt-cache-dir: ./cache/
redirection-url: https://domain.tld:443/
hostnames:
  - domain.tld
```

Listening on port 443 is mandatory.

## Access token encryption

By default, the session token is placed into a cookie in plaintext.
If you prefer to encrypt the session cookie, use the --enable-encrypted-token and --encryption-key options. Note that the access token forwarded in the X-Auth-Token header to the upstream is unaffected.

## Bearer token passthrough

If your Bearer token is intended for your upstream application and not for gatekeeper you can use the option --skip-authorization-header-identity. Please be aware that the token is still required to be in cookies.

## Upstream headers

On protected resources, the upstream endpoint will receive a number of headers added by the proxy, along with custom claims, like this:

```text
X-Auth-Email
X-Auth-ExpiresIn
X-Auth-Groups
X-Auth-Roles
X-Auth-Subject
X-Auth-Token
X-Auth-Userid
X-Auth-Username
```

To control the Authorization header use the enable-authorization-header YAML configuration or the --enable-authorization-header command line option. By default, this option is set to true.

## Custom claim headers

You can inject additional claims from the access token into the upstream headers with the --add-claims option. For example, a token from a Keycloak provider might include the following claims:

```json
"resource_access": {},
"name": "Beloved User",
"preferred_username": "beloved.user",
"given_name": "Beloved",
"family_name": "User",
"email": "beloved@example.com"
```

In order to receive the given_name, family_name, and name in the authentication headers, we would add --add-claims=given_name and --add-claims=family_name and so on, or we can do it in the configuration file, like this:

```yaml
add-claims:
  - given_name
  - family_name
  - name
```

This would add the additional headers to the authenticated request along with the standard ones.

```text
X-Auth-Family-Name: User
X-Auth-Given-Name: Beloved
X-Auth-Name: Beloved User
```

## Custom headers

You can inject custom headers using the --headers="name=value" option or the configuration file:

```yaml
headers:
  name: value
```

## OpenID provider headers

In some cases you might need to send headers to your OpenID provider discovery endpoint (e.g. you have your endpoint protected by basic auth). For this use case there is the --openid-provider-headers option:

```yaml
openid-provider-headers:
  - X-SEND: "MYVALUE"
  - X-OTHER-SEND: "NEXT VALUE"
```

```sh
--openid-provider-headers="myheader1=value1" \
--openid-provider-headers="myheader2=value2"
```

## Encryption key

In order to remain stateless and not have to rely on a central cache to persist the refresh_tokens, the refresh token is encrypted and added as a cookie using crypto/aes. The key must be the same if you are running behind a load balancer. The key length should be either 16 or 32 bytes, depending on whether you want AES-128 or AES-256.

## Claim matching

The proxy supports adding a variable list of claim matches against the presented tokens for additional access control. You can match the 'iss' or 'aud' of the token or custom attributes; each of the matches is a regex. For example, --match-claims 'aud=sso.*' or --match-claims 'iss=https://.*', or via the configuration file, like this:

```yaml
match-claims:
  aud: openvpn
  iss: https://keycloak.example.com/realms/commons
```

or via the CLI, like this:

```sh
--match-claims=aud=openvpn --match-claims=iss=http://keycloak.example.com/realms/commons
```

You can limit the email domain permitted; for example, if you want to limit to only users on the example.com domain:

```yaml
match-claims:
  email: ^.*@example.com$
```

The adapter supports matching on multi-value string claims. The match will succeed if one of the values matches, for example:

```yaml
match-claims:
  perms: perm1
```

will successfully match

```json
{
  "iss": "https://sso.example.com",
  "sub": "",
  "perms": ["perm1", "perm2"]
}
```

## Group claims

You can match on the group claims within a token via the groups parameter available within the resource. While roles are implicitly required, such as roles=admin,user where the user MUST have roles 'admin' AND 'user', groups are applied with an OR operation, so groups=users,testers requires that the user MUST be within either 'users' OR 'testers'.
The claim name is hard-coded to groups, so a JWT token would look like this:

```json
{
  "iss": "https://sso.example.com",
  "sub": "",
  "aud": "test",
  "exp": 1515269245,
  "iat": 1515182845,
  "email": "beloved@example.com",
  "groups": [
    "group_one",
    "group_two"
  ],
  "name": "Beloved"
}
```

## Headers matching

You can match on the request headers via the headers parameter available within the resource. Headers are implicitly required, such as headers=x-some-header:somevalue,x-other-header:othervalue where the request MUST have header 'x-some-header' with value 'somevalue' AND 'x-other-header' with value 'othervalue'.

## Forward-auth

Traefik, nginx ingress and other gateways usually have a feature called forward-auth. This enables them to forward a request to an external auth/authz service which returns 2xx in case auth/authz was successful and otherwise some higher code (usually 401/403), or redirects the user for authentication to the keycloak server. You can use gatekeeper as this external auth/authz service by using the headers matching feature described above and enabling the --no-proxy option (this option will not forward the request to the upstream).

Example:

traefik forward-auth configuration when you don't want gatekeeper to redirect the user to the authentication server (useful for e.g. API authentication or when you are using the redirect to the keycloak server on the front proxy)

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  labels:
    app.kubernetes.io/name: dashboard-apis-oauth
    app.kubernetes.io/part-of: dashboard
  name: dashboard-apis-oauth
  namespace: censored
spec:
  forwardAuth:
    address: http://gatekeeper-dns-name:4180
```

gatekeeper configuration

```yaml
- args:
    - --client-id=dashboard
    - --no-redirects=true # this option will ensure there will be no redirects
    - --no-proxy=true # this option will ensure that the request will not be forwarded to the upstream
    - --listen=0.0.0.0:4180
    - --discovery-url=https://keycloak-dns-name/realms/censored
    - --enable-default-deny=true # this option will ensure protection of all paths /*, according to our traefik config, traefik will send it to /
    - --resources=headers=x-some-header:somevalue,x-other-header:othervalue
```

traefik forward-auth configuration when you WANT gatekeeper to redirect the user to the authentication server (useful for e.g. frontend application authentication). Please be aware that in this mode you need to forward the headers X-Forwarded-Host, X-Forwarded-Uri and X-Forwarded-Proto from the front proxy to gatekeeper. You can find a more complete example here.

NOTE: It is very important to forward the prefix /oauth (meaning all paths with that prefix) directly to the gatekeeper service, as you can see in the manifest, otherwise you will see a redirect loop.

IMPORTANT: Please ensure that you are receiving these headers only from a trusted proxy and that gatekeeper is not exposed directly to the internet, otherwise an attacker might misuse this!

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  labels:
    app.kubernetes.io/name: dashboard-apis-oauth
    app.kubernetes.io/part-of: dashboard
  name: dashboard-apis-oauth
  namespace: censored
spec:
  forwardAuth:
    address: http://gatekeeper-dns-name:4180
```

gatekeeper configuration:

```yaml
- args:
    - --client-id=dashboard
    - --no-redirects=false # this option will ensure there WILL BE redirects to the keycloak server
    - --no-proxy=true # this option will ensure that the request will not be forwarded to the upstream
    - --listen=0.0.0.0:4180
    - --discovery-url=https://keycloak-dns-name/realms/censored
    - --enable-default-deny=true # this option will ensure protection of all paths /*, according to our traefik config, traefik will send it to /
    - --resources=headers=x-some-header:somevalue,x-other-header:othervalue
```

nginx forward-auth configuration: nginx is stricter than traefik and rejects redirects, so in this case the redirection to the authorization server can be done only on nginx, for example:

```yaml
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request /auth;
nginx.ingress.kubernetes.io/server-snippet: |
  location ^~ /auth {
    internal;
    proxy_pass <gatekeeper-url>/$request_uri;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Method $request_method;
    proxy_set_header X-Forwarded-URI $request_uri;
    proxy_busy_buffers_size 64k;
    proxy_buffers 8 32k;
    proxy_buffer_size 32k;
  }
```

gatekeeper configuration: must be --no-proxy=true with --no-redirects=true

## Custom pages

By default, Gatekeeper Proxy will immediately redirect you for authentication and hand back a 403 for access denied. Most users will probably want to present the user with a more friendly sign-in and access denied page. You can pass the paths to the files on the command line (or via the config file) with --sign-in-page=PATH. The sign-in page will have a 'redirect' variable passed into the scope, holding the OAuth redirection URL. If you wish to pass additional variables into the templates, such as title, sitename and so on, you can use the --tags key=pair option, like this: --tags title="This is my site", and the variable would be accessible from {{ .title }}.

```html
<html>
<body>
<a href="{{ .redirect }}">Sign-in</a>
</body>
</html>
```

### Custom Error Page for Bad Request

One use case for this is the following: the keycloak server has "required user actions" set to "Terms and Conditions". That means, if it is the first time a user accesses app X, they will need to accept or decline the T&C. If they accept the terms, they can log in to app X fine. However, if they decline, they get an empty error page with "bad request".

You can use the built-in template or your own custom one:

```sh
--error-page=templates/error.html.tmpl
```

## White-listed URLs

Depending on how the application URLs are laid out, you might want to protect the root / URL but have exceptions on a list of paths, for example /health.
While this is best solved by adjusting the paths, you can add exceptions to the protected resources, like this:

```yaml
resources:
  - uri: /some_white_listed_url
    white-listed: true
  - uri: /*
    methods:
      - GET
    roles:
      - <CLIENT_APP_NAME>:<ROLE_NAME>
      - <CLIENT_APP_NAME>:<ROLE_NAME>
```

Or on the command line:

```sh
--resources "uri=/some_white_listed_url|white-listed=true"
--resources "uri=/*" # requires authentication on the rest
--resources "uri=/admin*|roles=admin,superuser|methods=POST,DELETE"
```

## PKCE (Proof Key for Code Exchange)

Gatekeeper supports PKCE with the S256 code challenge method. It stores the code verifier in a cookie. You can set a custom cookie name with --cookie-pkce-name.

## Mutual TLS

The proxy supports enforcing mutual TLS for the clients by adding the --tls-ca-certificate command line option or configuration file option. All clients connecting must present a certificate that was signed by the CA being used.

## Certificate rotation

The proxy will automatically rotate the server certificates if the files change on disk. Note, no downtime will occur as the change is made inline. Clients who connected before the certificate rotation will be unaffected and will continue as normal, with all new connections presented with the new certificate.

## Refresh tokens

If a request for an access token contains a refresh token and --enable-refresh-tokens is set to true, the proxy will automatically refresh the access token for you. The tokens themselves are kept either as an encrypted (--encryption-key=KEY) cookie (cookie name: kc-state) or in a store (still requires the encryption key).

To enable a local Redis store use redis://user:secret@localhost:6379/0?protocol=3. See the redis-uri specification. In both cases, the refresh token is encrypted before being placed into the store.

## Post Login Redirect

Without this option, if a user comes to a site protected by gatekeeper at e.g. http://somesite/somepath, the user will be redirected to login and after login back to http://somesite/path. If the user comes to / before login they will be redirected back to /. Sometimes you want to redirect the user not to / but to some other path. For this there is the option --post-login-redirect-path=/fallback/path, which enables you to define a path to which the user will be redirected after login if they came to the root path /.

## Logout endpoint

There are 2 possibilities for how to log out:

### Using gatekeeper's own mechanism (--enable-logout-redirect=false)

In this case calling /oauth/logout will use the revocation endpoint, which might be set by the option --revocation-url or, if not set, will be retrieved from the keycloak OpenID discovery response (https://keycloak.example.com/realms/REALM_NAME/protocol/openid-connect/revoke). By default it will try to retrieve the token from the authorization header or the access token cookie and then the token from the refresh token cookie; if the latter is present it will be used for revocation, if not the first will be used. If an access token is passed to the revocation endpoint it will only revoke that access token, so on the next request with a refresh token the user will get a new access token. If a refresh token is passed to the revocation endpoint it will revoke the refresh token and all access tokens. Thus it is recommended to pass refresh tokens; this means for --no-redirects=false (code flow) you should enable refresh tokens with --enable-refresh-tokens=true so that the refresh cookie will be passed to the endpoint. For --no-redirects=true you have to pass the refresh token in the authorization header.

Post Logout Redirection - the redirection url will be gathered from these places, from highest priority to lowest:

- --post-logout-redirect-uri option - recommended
- /oauth/logout?redirect=url - from the redirect url query parameter, not recommended, kept only for convenience
- --redirection-url option

### Using the keycloak mechanism, valid only for keycloak 18+ (--enable-logout-redirect=true)

Uses the keycloak logout endpoint https://keycloak.example.com/realms/REALM_NAME/protocol/openid-connect/logout.

Post Logout Redirection - you can specify the url in the --post-logout-redirect-uri option. This logout mechanism uses the id token for logging out; in case of the code flow this is gathered automatically from the id token cookie. In case of --no-redirects=true you have to pass the id token in the authorization header.

## Session logout

Many times there are cases when you have multiple applications (multiple keycloak clients for gatekeeper) and you would like to achieve that logout on one application causes logout also on the other application.
For this use case there is the option --enable-idp-session-check=true together with --enable-logout-redirect=true.

## Cross-origin resource sharing (CORS)

You can add CORS headers via the --cors-[method] options, with these configuration options:

- Access-Control-Allow-Origin
- Access-Control-Allow-Methods
- Access-Control-Allow-Headers
- Access-Control-Expose-Headers
- Access-Control-Allow-Credentials
- Access-Control-Max-Age

You can add them using the config file:

```yaml
cors-origins:
  - '*'
cors-methods:
  - GET
  - POST
```

or via the command line:

```text
--cors-origins [--cors-origins option]                  a set of origins to add to the CORS access control (Access-Control-Allow-Origin)
--cors-methods [--cors-methods option]                  the method permitted in the access control (Access-Control-Allow-Methods)
--cors-headers [--cors-headers option]                  a set of headers to add to the CORS access control (Access-Control-Allow-Headers)
--cors-exposes-headers [--cors-exposes-headers option]  set the expose cors headers access control (Access-Control-Expose-Headers)
```

## Upstream URL

You can control the upstream endpoint via the --upstream-url option. Both HTTP and HTTPS are supported, with TLS verification and keep-alive support configured via the --skip-upstream-tls-verify / --upstream-keepalives options. Note, the proxy can also upstream via a UNIX socket, --upstream-url unix://path/to/the/file.sock.

## Endpoints

- /oauth/authorize is the authentication endpoint which will generate the OpenID redirect to the provider
- /oauth/callback is the provider OpenID callback endpoint
- /oauth/expired is a helper endpoint to check if an access token has expired: 200 for ok, 401 for no token and 401 for expired
- /oauth/health is the health checking endpoint for the proxy, you can also grab the version from the headers
- /oauth/login provides a relay endpoint to login via grant_type=password, for example, POST /oauth/login with form values username=USERNAME&password=PASSWORD (must be enabled)
- /oauth/logout provides a convenient endpoint to log the user out, it will always attempt to perform a back channel log out of offline tokens
- /oauth/token is a helper endpoint which will display the current access token for you
- /oauth/metrics is a Prometheus metrics handler
- /oauth/discovery provides an endpoint with the basic urls gatekeeper provides

## External Authorization

### Open Policy Agent (OPA) authorization

In version 1.8.8 we are introducing external authorization with OPA (applicable to the auth code flow --no-redirects=false as well as to --no-redirects=true). Gatekeeper sends a request with this structure to OPA for authorization:

```json
{
  "input": {
    "body": "{\"name\": \"test\"}",
    "headers": {
      "X-SOME": ["some value", "other value"]
    },
    "host": "some.com",
    "protocol": "HTTP/1.1",
    "path": "/test",
    "remote_addr": "192.168.1.90",
    "method": "POST",
    "user_agent": "Firefox"
  }
}
```

The body is sent as a string, so you will have to unmarshal it in OPA in case of JSON/YAML.

Example gatekeeper configuration:

```yaml
enable-opa: true
enable-default-deny: true
opa-timeout: "60s"
opa-authz-uri: "http://127.0.0.1/v1/data/authz/allow"
```

Example OPA policy which, with the above gatekeeper configuration and request, would result in the request being allowed to the upstream:

```rego
package authz

default allow := false

# the body arrives as a string, so it has to be unmarshalled before its fields can be read
body := json.unmarshal(input.body)

allow {
  body.name = "test"
  # the method is a top-level input field, not part of the body
  input.method = "POST"
}
```

### Keycloak authorization (UMA)

Gatekeeper has the ability of external authorization with keycloak using the --enable-uma option, for browser flows and also API flows. You also have to either populate resources or use --enable-default-deny (see examples in the previous sections). So you can mix both external authorization and static resource permissions, but we don't recommend it, so as not to overcomplicate the setup. External authorization is always evaluated first, then static resource authorization. As it is a new feature please don't use it in production; we would first like to receive feedback/testing from the community. Right now we use the external authorization options provided by Keycloak which are specified in UMA (the User-Managed Access specification).
To use this feature you MUST execute these actions in keycloak:\nenable authorization for client in keycloak (client which you will use in gatekeeper) in client authorization tab, you MUST have at least one protected resource protected resource MUST have User-Managed Access enabled protected resource MUST have at least one authorization scope protected resource MUST have proper permissions set Example Keycloak Authorization Guide.\nExample Browser Flow: --discovery-url=\u0026lt;DISCOVERY_URL\u0026gt; --openid-provider-timeout=120s --listen=0.0.0.0:3000 --client-id=\u0026lt;CLIENT_ID\u0026gt; --client-secret=\u0026lt;CLIENT_SECRET\u0026gt; --upstream-url=\u0026lt;UPSTREAM_URL\u0026gt; # code flow/browser flow --no-redirects=false # you have to set this or resources=/* to have enable-uma working --enable-default-deny=true # we are enabling UMA --enable-uma=true # we are also enabling using method scope, this is optional, # it will check resource in keycloak not just for accessed URL # but also for method scope e.g. method:GET, it will return # UMA token in cookie only for that URL+method scope, # if you don\u0026#39;t turn it on it will check just for URL # and will return UMA token in cookie # with all scopes --enable-uma-method-scope=true # UMA token is stored in cookie, you can setup custom name # by default cookie name is uma_token --cookie-uma-name=\u0026lt;CUSTOM_COOKIE_NAME\u0026gt; --skip-access-token-clientid-check=true --skip-access-token-issuer-check=true --openid-provider-retry-count=30 NOTE: You can have only one resource with same URL+method scope combination or URL (in case you don\u0026rsquo;t have method scope enabled), if you have more your access will be forbidden\nExample API Flow: we are recommending to use UMA forward signing for these purpose on client app side, otherwise you will have to get RPT token for client side manually. 
On client app side, forward signing setup (you app should have http proxy options set to this forward-signing proxy):\n--discovery-url=\u0026lt;DISCOVERY_URL\u0026gt; --openid-provider-timeout=120s --listen=0.0.0.0:3000 --client-id=\u0026lt;CLIENT_ID\u0026gt; --client-secret=\u0026lt;CLIENT_SECRET\u0026gt; --enable-uma=true --enable-uma-method-scope=true --enable-forwarding=true # you can use client credentials grant or direct access grant # see Forward-signing proxy section --forwarding-grant-type=client_credentials --skip-access-token-clientid-check=true --skip-access-token-issuer-check=true --openid-provider-retry-count=30 On server side, UMA in no-redirects mode:\n--discovery-url=\u0026lt;DISCOVERY_URL\u0026gt; --openid-provider-timeout=120s --listen=0.0.0.0:3000 --client-id=\u0026lt;CLIENT_ID\u0026gt; --client-secret=\u0026lt;CLIENT_SECRET\u0026gt; --upstream-url=\u0026lt;UPSTREAM_URL\u0026gt; # api flow --no-redirects=true # you have to set this or resources=/* to have enable-uma working --enable-default-deny=true # we are enabling UMA --enable-uma=true # we are also enabling using method scope, this is optional, # it will check resource in keycloak not just for accessed URL # but also for method scope e.g. method:GET, it will return # UMA token in cookie only for that URL+method scope, # if you don\u0026#39;t turn it on it will check just for URL # and will return UMA token in cookie # with all scopes --enable-uma-method-scope=true --skip-access-token-clientid-check=true --skip-access-token-issuer-check=true --openid-provider-retry-count=30 Request tracing Usually when there are multiple http services involved in serving user requests you need to use X-REQUEST-ID or some other header to track request flow through services. To make this possible with gatekeeper you can enable header logging by enabling --enable-logging and --verbose options. 
Also you can use request-id-header and enable-request-id options, which will generate unique uuid and will inject in header supplied in request-id-header option.\nMetrics Assuming --enable-metrics has been set, a Prometheus endpoint can be found on /oauth/metrics; at present the only metric being exposed is a counter per HTTP code.\nLimitations Keep in mind browser cookie limits if you use access or refresh tokens in the browser cookie. Gatekeeper Proxy divides the cookie automatically if your cookie is longer than 4093 bytes. The real size of the cookie depends on the content of the issued access token. Also, encryption might add additional bytes to the cookie size. If you have large cookies (\u0026gt;200 KB), you might reach browser cookie limits.\nAll cookies are part of the header request, so you might find a problem with the max headers size limits in your infrastructure (some load balancers have very low this value, such as 8 KB). Be sure that all network devices have sufficient header size limits. Otherwise, your users won’t be able to obtain an access token.\nKnown Issues There WAS a known issue with the Keycloak server 4.6.0.Final in which Gatekeeper Proxy is unable to find the client_id in the aud claim. This is due to the fact the client_id is not in the audience anymore. The workaround is to add the \u0026ldquo;Audience\u0026rdquo; protocol mapper to the client with the audience pointed to the client_id. For more information, see KEYCLOAK-8954.\nyou can now use --skip-access-token-clientid-check and --skip-access-token-issuer-check to overcome this limitations. 
These are now set by default to true so you should not by default see any these issues, but in case you would like to enable this checks you still have opportunity.\n"},{"uri":"https://gogatekeeper.github.io/gatekeeper/configuration/","title":"Configuration Reference","tags":[],"description":"","content":" CONFIG DESCRIPTION DEFAULT ENV \u0026ndash;config value path the a configuration file PROXY_CONFIG_FILE \u0026ndash;listen value Defines the binding interface for main listener, e.g. {address}:{port}. This is required and there is no default value PROXY_LISTEN \u0026ndash;listen-http value interface we should be listening to for HTTP traffic PROXY_LISTEN_HTTP \u0026ndash;listen-admin value defines the interface to bind admin-only endpoint (live-status, debug, prometheus\u0026hellip;). If not defined, this defaults to the main listener defined by Listen PROXY_LISTEN_ADMIN \u0026ndash;listen-admin-scheme value scheme to serve admin-only endpoint (http or https). PROXY_LISTEN_ADMIN_SCHEME \u0026ndash;discovery-url value discovery url to retrieve the openid configuration PROXY_DISCOVERY_URL \u0026ndash;client-id value client id used to authenticate to the oauth service PROXY_CLIENT_ID \u0026ndash;client-secret value client secret used to authenticate to the oauth service PROXY_CLIENT_SECRET \u0026ndash;redirection-url value redirection url for the oauth callback url, defaults to host header if absent PROXY_REDIRECTION_URL \u0026ndash;post-logout-redirect-uri value url to which client is redirected after successful logout PROXY_POST_LOGOUT_REDIRECT_URI \u0026ndash;post-login-redirect-path value post-login-redirect-path\u0026quot; usage:\u0026ldquo;path to which client is redirected after successful login, in case user access / PROXY_POST_LOGIN_REDIRECT_PATH \u0026ndash;revocation-url value url for the revocation endpoint to revoke refresh token PROXY_REVOCATION_URL \u0026ndash;skip-openid-provider-tls-verify skip the verification of any TLS communication with the 
openid provider false PROXY_SKIP_OPENID_PROVIDER_TLSVERIFY \u0026ndash;openid-provider-proxy value proxy for communication with the openid provider PROXY_OPENID_PROVIDER_PROXY \u0026ndash;openid-provider-timeout value timeout for openid configuration on .well-known/openid-configuration 30s PROXY_OPENID_PROVIDER_TIMEOUT \u0026ndash;openid-provider-retry-count value number of retries for retrieving openid configuration 3 PROXY_OPENID_PROVIDER_RETRY_COUNT \u0026ndash;openid-provider-headers value http headers sent to idp provider \u0026ndash;base-uri value common prefix for all URIs PROXY_BASE_URI \u0026ndash;oauth-uri value the uri for proxy oauth endpoints /oauth PROXY_OAUTH_URI \u0026ndash;scopes value list of scopes requested when authenticating the user \u0026ndash;upstream-url value url for the upstream endpoint you wish to proxy PROXY_UPSTREAM_URL \u0026ndash;upstream-ca value the path to a file container a CA certificate to validate the upstream tls endpoint PROXY_UPSTREAM_CA \u0026ndash;resources value list of resources \u0026lsquo;uri=/admin*|methods=GET,PUT|roles=role1,role2\u0026rsquo; \u0026ndash;headers value custom headers to the upstream request, key=value \u0026ndash;preserve-host preserve the host header of the proxied request in the upstream request false PROXY_PRESERVE_HOST \u0026ndash;request-id-header value the http header name for request id X-Request-ID PROXY_REQUEST_ID_HEADER \u0026ndash;response-headers value custom headers to added to the http response key=value PROXY_RESPONSE_HEADERS \u0026ndash;custom-http-methods list of additional non-standard http methods \u0026ndash;enable-self-signed-tls create self signed certificates for the proxy false PROXY_ENABLE_SELF_SIGNED_TLS \u0026ndash;self-signed-tls-hostnames value a list of hostnames to place on the self-signed certificate \u0026ndash;self-signed-tls-expiration value the expiration of the certificate before rotation 3h0m0s PROXY_SELF_SIGNED_TLS_EXPIRATION \u0026ndash;enable-request-id 
indicates we should add a request id if none found false PROXY_ENABLE_REQUEST_ID \u0026ndash;enable-logout-redirect indicates we should redirect to the identity provider for logging out false PROXY_ENABLE_LOGOUT_REDIRECT \u0026ndash;enable-default-deny enables a default denial on all requests, requests with valid token are permitted, you have to explicitly say what is permitted true PROXY_ENABLE_DEFAULT_DENY \u0026ndash;enable-default-deny-strict enables a default denial on all requests, requests with valid token are denied, you have to explicitly say what is permitted (recommended) false PROXY_ENABLE_DEFAULT_DENY_STRICT \u0026ndash;enable-encrypted-token enable encryption for the access tokens false PROXY_ENABLE_ENCRYPTED_TOKEN \u0026ndash;force-encrypted-cookie force encryption for the access tokens in cookies false PROXY_FORCE_ENCRYPTED_COOKIE \u0026ndash;enable-logging enable http logging of the requests false PROXY_ENABLE_LOGGING \u0026ndash;enable-json-logging switch on json logging rather than text false PROXY_ENABLE_JSON_LOGGING \u0026ndash;enable-forwarding enables the forwarding proxy mode, signing outbound request false PROXY_ENABLE_FORWARDING \u0026ndash;enable-security-filter enables the security filter handler false PROXY_ENABLE_SECURITY_FILTER \u0026ndash;enable-refresh-tokens enables the handling of the refresh tokens false PROXY_ENABLE_REFRESH_TOKEN \u0026ndash;enable-session-cookies access and refresh tokens are session only i.e. 
removed browser close true PROXY_ENABLE_SESSION_COOKIES \u0026ndash;enable-login-handler enables the handling of the refresh tokens false PROXY_ENABLE_LOGIN_HANDLER \u0026ndash;enable-token-header enables the token authentication header X-Auth-Token to upstream true PROXY_ENABLE_TOKEN_HEADER \u0026ndash;enable-authorization-header adds the authorization header to the proxy request true PROXY_ENABLE_AUTHORIZATION_HEADER \u0026ndash;enable-authorization-cookies adds the authorization cookies to the uptream proxy request true PROXY_ENABLE_AUTHORIZATION_COOKIES \u0026ndash;enable-https-redirection enable the http to https redirection on the http service false PROXY_ENABLE_HTTPS_REDIRECT \u0026ndash;enable-profiling switching on the golang profiling via pprof on /debug/pprof, /debug/pprof/heap etc false PROXY_ENABLE_PROFILING \u0026ndash;enable-metrics enable the prometheus metrics collector on /oauth/metrics false PROXY_ENABLE_METRICS \u0026ndash;filter-browser-xss enable the adds the X-XSS-Protection header with mode=block false PROXY_ENABLE_BROWSER_XSS_FILTER \u0026ndash;filter-content-nosniff adds the X-Content-Type-Options header with the value nosniff false PROXY_ENABLE_CONTENT_NO_SNIFF \u0026ndash;filter-frame-deny enable to the frame deny header false PROXY_ENABLE_FRAME_DENY \u0026ndash;content-security-policy value specify the content security policy PROXY_CONTENT_SECURITY_POLICY \u0026ndash;localhost-metrics enforces the metrics page can only been requested from 127.0.0.1 false PROXY_LOCALHOST_METRICS \u0026ndash;enable-compression enable gzip compression for response false PROXY_ENABLE_COMPRESSION \u0026ndash;enable-pkce enable pkce for auth code flow, only S256 code challenge supported false PROXY_ENABLE_PKCE \u0026ndash;enable-idp-session-check during token validation it also checks if user session is still present, useful for multi app logout true PROXY_ENABLE_IDP_SESSION_CHECK \u0026ndash;enable-uma enable UMA authorization, please don\u0026rsquo;t use in 
production as it is new feature, we would like to receive feedback first false PROXY_ENABLE_UMA \u0026ndash;enable-opa enable authorization with external Open policy agent false PROXY_ENABLE_OPA \u0026ndash;opa-timeout timeout for connection to OPA 10s PROXY_OPA_TIMEOUT \u0026ndash;opa-authz-uri OPA endpoint address with path PROXY_OPA_AUTHZ_URI \u0026ndash;pat-retry-count number of retries to get PAT 5 PROXY_PAT_RETRY_COUNT \u0026ndash;pat-retry-interval interval between retries to get PAT 2s PROXY_PAT_RETRY_INTERVAL \u0026ndash;access-token-duration value fallback cookie duration for the access token when using refresh tokens 720h0m0s PROXY_ACCESS_TOKEN_DURATION \u0026ndash;cookie-domain value domain the access cookie is available to, defaults host header PROXY_COOKIE_DOMAIN \u0026ndash;cookie-access-name value name of the cookie use to hold the access token kc-access PROXY_COOKIE_ACCESS_NAME \u0026ndash;cookie-refresh-name value name of the cookie used to hold the encrypted refresh token kc-state PROXY_COOKIE_REFRESH_NAME \u0026ndash;cookie-oauth-state-name value name of the cookie used to hold the Oauth request state OAuth_Token_Request_State COOKIE_OAUTH_STATE_NAME \u0026ndash;cookie-request-uri-name value name of the cookie used to hold the request uri request_uri COOKIE_REQUEST_URI_NAME \u0026ndash;cookie-pkce-name value name of the cookie used to hold PKCE code verifier pkce COOKIE_PKCE_NAME \u0026ndash;secure-cookie enforces the cookie to be secure true PROXY_SECURE_COOKIE \u0026ndash;http-only-cookie enforces the cookie is in http only mode true PROXY_HTTP_ONLY_COOKIE \u0026ndash;same-site-cookie value enforces cookies to be send only to same site requests according to the policy (can be | Strict|Lax|None) Lax PROXY_SAME_SITE_COOKIE \u0026ndash;enable-id-token-cookie enable id token cookie false PROXY_ENABLE_IDTOKEN_COOKIE \u0026ndash;match-claims value keypair values for matching access token claims e.g. 
aud=myapp, iss=http://example.* \u0026ndash;add-claims value extra claims from the token and inject into headers, e.g given_name -\u0026gt; X-Auth-Given-Name \u0026ndash;enable-uma-method-scope enables passing request method as \u0026lsquo;method:GET\u0026rsquo; scope to keycloak for authorization false PROXY_ENABLE_UMA_METHOD_SCOPE \u0026ndash;tls-min-version specify server minimal TLS version one of tlsv1.0,tlsv1.1,tlsv1.2,tlsv1.3 TLS_MIN_VERSION \u0026ndash;tls-cert value path to ths TLS certificate PROXY_TLS_CERTIFICATE \u0026ndash;tls-private-key value path to the private key for TLS PROXY_TLS_PRIVATE_KEY \u0026ndash;tls-ca-certificate value path to the ca certificate used for signing requests PROXY_TLS_CA_CERTIFICATE \u0026ndash;tls-ca-key value path the ca private key, used by the forward signing proxy PROXY_TLS_CA_PRIVATE_KEY \u0026ndash;tls-client-certificate value path to the client certificate for outbound connections in reverse and forwarding proxy modes PROXY_TLS_CLIENT_CERTIFICATE \u0026ndash;skip-upstream-tls-verify skip the verification of any upstream TLS true PROXY_SKIP_UPSTREAM_TLS_VERIFY \u0026ndash;tls-admin-cert value path to ths TLS certificate PROXY_TLS_ADMIN_CERTIFICATE \u0026ndash;tls-admin-private-key value path to the private key for TLS PROXY_TLS_ADMIN_PRIVATE_KEY \u0026ndash;tls-admin-ca-certificate value path to the ca certificate used for signing requests PROXY_TLS_ADMIN_CA_CERTIFICATE \u0026ndash;tls-admin-client-certificate value path to the client certificate for outbound connections in reverse and forwarding proxy modes PROXY_TLS_ADMIN_CLIENT_CERTIFICATE \u0026ndash;cors-origins value origins to add to the CORE origins control (Access-Control-Allow-Origin) \u0026ndash;cors-methods value methods permitted in the access control (Access-Control-Allow-Methods) \u0026ndash;cors-headers value set of headers to add to the CORS access control (Access-Control-Allow-Headers) \u0026ndash;cors-exposed-headers value expose cors headers access 
control (Access-Control-Expose-Headers) \u0026ndash;cors-credentials credentials access control header (Access-Control-Allow-Credentials) false PROXY_CORS_CREDENTIALS \u0026ndash;cors-max-age value max age applied to cors headers (Access-Control-Max-Age) 0s PROXY_CORS_MAX_AGE \u0026ndash;hostnames value list of hostnames the service will respond to \u0026ndash;store-url value url for the storage subsystem, e.g redis://user:secret@localhost:6379/0?protocol=3, only supported is redis usig redis uri spec PROXY_STORE_URL \u0026ndash;encryption-key value encryption key used to encryption the session state PROXY_ENCRYPTION_KEY \u0026ndash;enable-hmac enable creating hmac for forwarded requests and verification on incoming requests false PROXY_ENABLE_HMAC \u0026ndash;no-proxy value do not proxy requests to upstream, useful for forward-auth usage (with nginx, traefik) PROXY_NO_PROXY \u0026ndash;no-redirects do not have back redirects when no authentication is present, 401 them false PROXY_NO_REDIRECTS \u0026ndash;skip-token-verification TESTING ONLY; bypass token verification, only expiration and roles enforced false PROXY_SKIP_TOKEN_VERIFICATION \u0026ndash;skip-access-token-issuer-check according RFC issuer should not be checked on access token, this will be default true in future true PROXY_SKIP_ACCESS_TOKEN_ISSUER_CHECK \u0026ndash;skip-access-token-clientid-check according RFC client id should not be checked on access token, this will be default true in future true PROXY_SKIP_ACCESS_TOKEN_CLIENT_ID_CHECK \u0026ndash;skip-authorization-header-identity skip authorization header identity, means that we won\u0026rsquo;t be extracting token from authorization header, only from cookie or fail if even no cookie present (e.g. 
if authorization header is used only by application behind gatekeeper)\u0026quot;` false PROXY_SKIP_AUTHORIZATION_HEADER_IDENTITY \u0026ndash;upstream-keepalives enables or disables the keepalive connections for upstream endpoint true PROXY_UPSTREAM_KEEPALIVES \u0026ndash;upstream-timeout value maximum amount of time a dial will wait for a connect to complete 10s PROXY_UPSTREAM_TIMEOUT \u0026ndash;upstream-keepalive-timeout value specifies the keep-alive period for an active network connection 10s PROXY_UPSTREAM_KEEPALIVE_TIMEOUT \u0026ndash;upstream-tls-handshake-timeout value the timeout placed on the tls handshake for upstream 10s PROXY_UPSTREAM_TLS_HANDSHAKE_TIMEOUT \u0026ndash;upstream-response-header-timeout value the timeout placed on the response header for upstream 10s PROXY_UPSTREAM_RESPONSE_HEADER_TIMEOUT \u0026ndash;upstream-expect-continue-timeout value the timeout placed on the expect continue for upstream 10s PROXY_UPSTREAM_EXPECT_CONTINUE_TIMEOUT \u0026ndash;verbose switch on debug / verbose logging false PROXY_VERBOSE \u0026ndash;enabled-proxy-protocol enable proxy protocol false PROXY_ENABLE_PROXY_PROTOCOL \u0026ndash;max-idle-connections value max idle upstream / keycloak connections to keep alive, ready for reuse 0 PROXY_MAX_IDLE_CONNS \u0026ndash;max-idle-connections-per-host value limits the number of idle connections maintained per host 0 PROXY_MAX_IDLE_CONNS_PER_HOST \u0026ndash;server-read-timeout value the server read timeout on the http server 10s PROXY_SERVER_READ_TIMEOUT \u0026ndash;server-write-timeout value the server write timeout on the http server 10s PROXY_SERVER_WRITE_TIMEOUT \u0026ndash;server-idle-timeout value the server idle timeout on the http server 2m0s PROXY_SERVER_IDLE_TIMEOUT \u0026ndash;use-letsencrypt use letsencrypt for certificates false PROXY_USE_LETS_ENCRYPT \u0026ndash;letsencrypt-cache-dir value path where cached letsencrypt certificates are stored ./cache/ PROXY_LETS_ENCRYPT_CACHE_DIR \u0026ndash;sign-in-page 
value path to custom template displayed for signin PROXY_SIGN_IN_PAGE \u0026ndash;forbidden-page value path to custom template used for access forbidden PROXY_FORBIDDEN_PAGE \u0026ndash;error-page value path to custom template displayed for http.StatusBadRequest PROXY_ERROR_PAGE \u0026ndash;tags value keypairs passed to the templates at render,e.g title=Page \u0026ndash;forwarding-grant-type value grant-type to use when logging into the openid provider, can be one of password, client_credentials password PROXY_FORWARDING_GRANT_TYPE \u0026ndash;forwarding-username value username to use when logging into the openid provider PROXY_FORWARDING_USERNAME \u0026ndash;forwarding-password value password to use when logging into the openid provider PROXY_FORWARDING_PASSWORD \u0026ndash;forwarding-domains value list of domains which should be signed; everything else is relayed unsigned \u0026ndash;disable-all-logging disables all logging to stdout and stderr false PROXY_DISABLE_ALL_LOGGING \u0026ndash;help, -h show help \u0026ndash;version, -v print the version "},{"uri":"https://gogatekeeper.github.io/gatekeeper/","title":"","tags":[],"description":"","content":"gatekeeper gatekeeper is the simple authentication and authorization proxy that gets your app off the ground!\ngatekeeper was previously known as louketo and keycloak-gatekeeper.\nGoals To have just enough auth features (both authentication and authorization) to get your app off the ground To be well documented and easy to get started with To remain true to the roots of this project gatekeeper will be interoperable with keycloak out of the box, Announcements! 
gatekeeper is reborn with from the ashes of louketo under the new organization gogatekeeper.\nWatch this space!\n"},{"uri":"https://gogatekeeper.github.io/gatekeeper/categories/","title":"Categories","tags":[],"description":"","content":""},{"uri":"https://gogatekeeper.github.io/gatekeeper/tags/","title":"Tags","tags":[],"description":"","content":""}] \ No newline at end of file diff --git a/tags/index.html b/tags/index.html index 925d4bdb..776c6759 100644 --- a/tags/index.html +++ b/tags/index.html @@ -1,7 +1,7 @@ Tags - Gatekeeper -
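Review bot: several flag descriptions in the regenerated Configuration Reference content of the index.json hunk above carry defects that should be fixed in the source strings rather than re-emitted: `--post-login-redirect-path` shows a leaked struct-tag fragment (`post-login-redirect-path" usage:“path to which client is redirected after successful login`), `--skip-authorization-header-identity` ends in a stray `)"`` , and `--enable-login-handler` reuses the `--enable-refresh-tokens` text ("enables the handling of the refresh tokens") instead of describing the /oauth/login relay it actually enables. The CORS section names the flag `--cors-exposes-headers` while the reference lists `--cors-exposed-headers`; one of the two is wrong and they should be aligned. `--skip-access-token-issuer-check` and `--skip-access-token-clientid-check` still say "this will be default true in future" although their default column already reads `true`, so that wording is stale. Two security-relevant defaults deserve a sentence in the prose rather than only a table cell: `--skip-upstream-tls-verify` defaults to `true` (the Upstream URL section mentions the flag without saying upstream certificate verification is off unless it is explicitly set to false), and `--skip-token-verification` is marked TESTING ONLY. Smaller wording slips: "path the a configuration file", "file container a CA certificate", "CORE origins control", "path to ths TLS certificate" (twice), "usig redis uri spec", "used to encryption the session state", "uptream proxy request", "enable the adds the X-XSS-Protection header", "to be send only to same site", "(can be | Strict|Lax|None)", "can only been requested", "removed browser close", and `/oauth/expired` lists 401 twice ("401 for no token and 401 for expired"); `--enabled-proxy-protocol` also breaks the `--enable-*` naming convention used by every other toggle.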

    tag :: -Tags

      \ No newline at end of file +Tags
      \ No newline at end of file diff --git a/userguide/index.html b/userguide/index.html index fef44274..b4fab74c 100644 --- a/userguide/index.html +++ b/userguide/index.html @@ -1,7 +1,7 @@ User Guide - Gatekeeper -

      User Guide

      Gatekeeper

      Gatekeeper is a proxy which integrates with OpenID Connect (OIDC) Providers, it supports both access tokens in a browser cookie or bearer tokens.

      This documentation details how to build and configure Gatekeeper followed by details of how to use each of its features.

      For further information, see the included help file which includes a @@ -258,7 +258,7 @@ --forwarding-domain=svc.cluster.local.

      You can choose between two types of OAuth authentications: password grant type (default) or client_credentials grant type.

      Example setup password grant:

      You have a collection of micro-services which are permitted to speak to one another; you have already set up the credentials, roles, and clients in Keycloak, providing granular role controls over issue tokens.

      - name: gatekeeper
      -  image: quay.io/gogatekeeper/gatekeeper:2.9.1
      +  image: quay.io/gogatekeeper/gatekeeper:2.9.2
         args:
         - --enable-forwarding=true
         - --forwarding-username=projecta
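Review bot: the context line "providing granular role controls over issue tokens" in this hunk should read "issued tokens". The only functional change, `-  image: quay.io/gogatekeeper/gatekeeper:2.9.1` to `+  image: quay.io/gogatekeeper/gatekeeper:2.9.2`, is a plain tag bump and matches the client-credentials example that follows.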
      @@ -279,7 +279,7 @@
       - name: projecta
         image: some_images
       

      Example setup client credentials grant:

      - name: gatekeeper
      -  image: quay.io/gogatekeeper/gatekeeper:2.9.1
      +  image: quay.io/gogatekeeper/gatekeeper:2.9.2
         args:
         - --enable-forwarding=true
         - --forwarding-domains=projecta.svc.cluster.local
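Review bot: the image tag `quay.io/gogatekeeper/gatekeeper:2.9.2` is now hard-coded in at least two example manifests in this file, so every release has to touch each example. Consider a single documented placeholder (the UMA examples already use the `<CLIENT_ID>` / `<UPSTREAM_URL>` style) or, for manifests meant to be copied verbatim, pinning the example image by digest alongside the tag so readers get an immutable reference instead of a mutable tag.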
      @@ -687,4 +687,4 @@
       KEYCLOAK-8954.

      you can now use --skip-access-token-clientid-check and --skip-access-token-issuer-check to overcome this limitations. These are now set by default to true so you should not by default see any these issues, -but in case you would like to enable this checks you still have opportunity.

      \ No newline at end of file +but in case you would like to enable this checks you still have opportunity.

      \ No newline at end of file
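Review bot: the Known Issues paragraph in this hunk (unchanged apart from the rewrap at `-but in case you would like` / `+but in case you would like`) needs grammar fixes: "overcome this limitations" should be "these limitations", "see any these issues" should be "see any of these issues", and "enable this checks you still have opportunity" should be "enable these checks you still can". It states that both skip flags "are now set by default to true", which agrees with the `true` defaults in the Configuration Reference, so the reference's "this will be default true in future" wording is the side that is out of date.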