louketo / louketo-proxy Goto Github PK
A OpenID / Proxy service
License: Apache License 2.0
Hi, I get an error which I think is due to MustRegisterOrGet being deprecated :
prometheus/client_golang@v0.8.0...master#diff-6223e8ae8180a02a4024a006b8e5f2f8
go get -u github.com/gambol99/keycloak-proxy
# github.com/gambol99/keycloak-proxy
src/github.com/gambol99/keycloak-proxy/middleware.go:71: undefined: prometheus.MustRegisterOrGet
I'd try and fix it but I have never written any Go before!
Just an idea - forward signing proxy can do keycloak auth at the min, could configure it to also do auth with client certificates
Would be nice to have forwarding agent support .. i.e. the proxy loads, it logs in, requesting an access token. An application/micro-service seated behind it can proxy through the service, with the proxy adding the authorization header into the outgoing requests .. We could then verify resource access on the other end.
Should return a 401
with keycloak-proxy compiled from master, I got stuck in a infinite redirection cycle
(tested with keycloak 1.9.1.Final)
keycloak-proxy-master \
--discovery-url=https://auth.rvion.fr/auth/realms/master/.well-known/openid-configuration \
--listen=:3000 \
--client-id=unprotectedservice \
--upstream-url=http://unprotectedservice:8080 \
--redirection-url=http://keycloakproxy:3000 \
--client-secret=secret \
--resource="uri=/" \
--verbose=true
when I access http://keycloakproxy:3000, I'm redirected to keycloak. Then, I login on keycloak, and I'm redirected back to http://keycloakproxy:3000/oauth/callback?xxx. But then, it enters a redirection loop, and chrome shows me an error message
I see in the logs:
ERRO[0016] failed to get session, redirecting for authorization error=authentication session not found
INFO[0016] incoming authorization request from client address: 37.161.218.27:41982 access_type= client_ip=37.161.218.27:41982
ERRO[0019] failed to get session, redirecting for authorization error=authentication session not found
INFO[0019] incoming authorization request from client address: 37.161.218.27:41982 access_type= client_ip=37.161.218.27:41982
ERRO[0057] failed to get session, redirecting for authorization error=authentication session not found
INFO[0057] incoming authorization request from client address: 37.161.218.27:41982 access_type= client_ip=37.161.218.27:41982
INFO[0058] issuing a new access token for user, email: [email protected] duration=58.995194544s [email protected] expires=07 May 16 20:55 +0000 idle=0
ERRO[0058] failed to get session, redirecting for authorization error=authentication session not found
INFO[0058] incoming authorization request from client address: 37.161.218.27:41982 access_type= client_ip=37.161.218.27:41982
INFO[0058] issuing a new access token for user, email: [email protected] duration=59.588883831s [email protected] expires=07 May 16 20:55 +0000 idle=0
ERRO[0058] failed to get session, redirecting for authorization error=authentication session not found
INFO[0058] incoming authorization request from client address: 37.161.218.27:41982 access_type= client_ip=37.161.218.27:41982
INFO[0058] issuing a new access token for user, email: [email protected] duration=59.290884249s [email protected] expires=07 May 16 20:55 +0000 idle=0
ERRO[0058] failed to get session, redirecting for authorization error=authentication session not found
INFO[0058] incoming authorization request from client address: 37.161.218.27:41982 access_type= client_ip=37.161.218.27:41982
INFO[0059] issuing a new access token for user, email: [email protected] duration=59.92635992s [email protected] expires=07 May 16 20:55 +0000 idle=0
ERRO[0059] failed to get session, redirecting for authorization error=authentication session not found
...
From the dockerfile looks like this runs as root currently. Could this be updated to not run as root?
Would be nice to have a logout endpoint
in my setup, ssl for both stuff.rvion.fr and keycloak-proxy.rvion are provided by cloudflare
when I run keycloak-proxy with
--discovery-url=https://auth.rvion.fr/auth/realms/master/.well-known/openid-configuration \
--listen=:8443 \
--client-id=stuff \
--upstream-url=https://stuff.rvion.fr/ \
--redirection-url=https://keycloak-proxy.rvion.fr:8443/ \
--client-secret=plop \
--resource="uri=/" \
--secure-cookie=false \
--encryption-key=AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j \
--enable-refresh-tokens=true \
--verbose=true
and when I contact https://keycloak-proxy.rvion.fr:8443/, the cloudflare error page "ssl handshake fail" appears and refreshes every ~0.5 seconds
nothing
Currently the cookie-domain flag is set as a StringSlice. Therefore if you pass --cookie-domain foo.com
on startup, dropping a cookie fails with:
net/http: invalid Cookie.Domain "[foo.com]"; dropping domain attribute
Using a config file works correctly.
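The mechanism behind this report, as an added Go example (this is not code from the keycloak-proxy repository): a StringSlice flag rendered with %s comes out as "[foo.com]", net/http refuses that as a cookie Domain and, instead of failing, emits the cookie without the attribute, and a browser-style cookie jar then treats the cookie as host-only, so sibling hosts under foo.com never receive the session. The cookie name kc-access, the host names and the cookie value are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// RenderCookieDomain reproduces the bug: formatting a StringSlice flag with %s
// yields "[foo.com]" instead of the bare domain the operator typed.
func RenderCookieDomain(flag []string) string {
	return fmt.Sprintf("%s", flag)
}

// SetCookieHeader renders the session cookie as the proxy would emit it.
// net/http validates Domain; when it is invalid it logs "invalid Cookie.Domain
// ...; dropping domain attribute" and writes the cookie WITHOUT a Domain, so
// the browser receives a host-only cookie rather than an error.
func SetCookieHeader(domain string) string {
	c := &http.Cookie{
		Name:     "kc-access", // assumed cookie name, for illustration only
		Value:    "opaque-session-token",
		Path:     "/",
		Domain:   domain,
		HttpOnly: true,
		Secure:   true,
	}
	return c.String()
}

// VisibleTo parses the rendered Set-Cookie header the way a client does, stores
// it in a browser-like jar as if set by setBy, and reports whether the jar
// would send it along with a request to target.
func VisibleTo(header, setBy, target string) (bool, error) {
	jar, err := cookiejar.New(nil)
	if err != nil {
		return false, err
	}
	setURL, err := url.Parse(setBy)
	if err != nil {
		return false, err
	}
	targetURL, err := url.Parse(target)
	if err != nil {
		return false, err
	}
	resp := &http.Response{Header: http.Header{"Set-Cookie": {header}}}
	jar.SetCookies(setURL, resp.Cookies())
	return len(jar.Cookies(targetURL)) > 0, nil
}

func main() {
	for _, domain := range []string{RenderCookieDomain([]string{"foo.com"}), "foo.com"} {
		h := SetCookieHeader(domain)
		ok, _ := VisibleTo(h, "https://proxy.foo.com/", "https://app.foo.com/")
		fmt.Printf("domain %q\n  header: %s\n  seen by app.foo.com: %v\n", domain, h, ok)
	}
}
```

The dropped attribute is a warning in the proxy's log, not a startup failure, so the only symptom is that the session does not carry across hosts; the jar replay above is the check to run. Keep the domain no wider than the hosts that actually need the session, since every host under it will receive the cookie.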
--forwarding-domains=foo.bar.com
signs requests to foo.bar.com
according to the documentation
--forwarding-domains=bar.com
should also sign requests to foo.bar.com
but it doesn't
sadface.
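An added Go example, not the project's code, serving both the forwarding-agent idea above and this report: a forwarding-domain matcher anchored on a label boundary (a configured domain covers itself and its subdomains, as the documentation quoted above expects, but "evilbar.com" must not match "bar.com"), and a forward proxy Director that signs outbound requests only when the destination matches. The token value, the listen port 3128 and the function names are assumptions for the example.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"strings"
)

// MatchesForwardingDomain reports whether host falls under one of the
// --forwarding-domains entries: the domain itself or any subdomain of it.
// The comparison is anchored on a dot, so "bar.com" covers "foo.bar.com" but
// not "evilbar.com"; a bare HasSuffix test would get that wrong.
func MatchesForwardingDomain(host string, domains []string) bool {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, d := range domains {
		d = strings.ToLower(strings.Trim(d, "."))
		if d != "" && (host == d || strings.HasSuffix(host, "."+d)) {
			return true
		}
	}
	return false
}

// SignOutbound attaches the proxy's access token to a request leaving the
// forwarding proxy, but only for hosts in the forwarding domains, so the token
// is never handed to an arbitrary destination. It reports whether it signed.
func SignOutbound(r *http.Request, token string, domains []string) bool {
	if !MatchesForwardingDomain(r.URL.Host, domains) {
		return false
	}
	r.Header.Set("Authorization", "Bearer "+token)
	return true
}

// NewForwardSigner builds the forward proxy: clients point their HTTP proxy
// setting at it, requests arrive with an absolute URL, and the Director signs
// them before ReverseProxy sends them on to r.URL.Host.
func NewForwardSigner(token string, domains []string) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{
		Director: func(r *http.Request) {
			if !SignOutbound(r, token, domains) {
				log.Printf("not signing request to %s", r.URL.Host)
			}
		},
	}
}

func main() {
	// Assumed: in the real agent the token would come from the proxy's own
	// login to Keycloak and be refreshed before it expires.
	proxy := NewForwardSigner("access-token-from-login", []string{"bar.com"})
	log.Fatal(http.ListenAndServe(":3128", proxy))
}
```

This handles plain HTTP proxying only; an HTTPS destination reaches a forward proxy as a CONNECT tunnel whose headers the proxy cannot touch, which is why such an agent usually sits on the same host as the caller and speaks plain HTTP to it.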
The command line options use IsSet to check if the option is set; the implementation doesn't check for environment variable setters, so the environment variable options aren't being set
Need to increase the coverage of units tests
That can cause an infinite redirect loop back to itself.
Maybe there is a reason why it defaults back to itself?
/cc @chrisns
how about doing something like described here: http://www.atatus.com/blog/golang-auto-build-versioning/ to ease reporting ?
as of now, resource syntax reads as
--resource='uri:/logs|roles=test1
how about unifying the format to something like
--resource='uri=/logs|roles=test1|name=rvion|after=2015-03-21T00:18:56Z'
documentation would be much easier, and you open gates to feature expansion in an easy way.
I can imagine the `resource` flag becoming `resources` (with an s) along some documentation saying:
resources are defined like this:

expr | def
---|---
resources | ruleset [ ; ruleset ]
ruleset | match [ \| match ]
match | check = values

checks can be:

roles

roles= | explanation
---|---
rolename | any role name you want to grant access
expr1 + expr2 | match when either expr1 OR expr2 match
expr1 * expr2 | match when both expr1 AND expr2 match
! expr | negate expression
(expr) | allow defining sub expressions

%roles% to be used in following rulesets
example:
...

uri

uri= | explanation
---|---
segment [ / segment ] |
* | match one segment
** | match any number of segments

provides %url% and %last-segment% to following rulesets

- each ruleset would provide templates for the next ruleset, so implementation would be very easy, with no dependency resolution to do. if you want to use %role% in uri, or in whatever else, you just have to write your resource with rulesets in the correct order for keycloak-proxy to resolve them.
- it becomes very easy to write things like
--resources="roles=user"
when you only want to take roles into account.
no more
--resources="uri:/|roles=user"
when uri doesn't matter.
- yaml implementation should be very straightforward too as there is a direct encoding.
Hey,
First of all great work on the keycloak proxy. Looks pretty good!
A current use case we have is supporting JWE as we do not want to send plain JWTs to the clients in every case. Keycloak currently does not support this. What are your thoughts on configurable JWE support within the proxy. The scenario is basically to encrypt the tokens before being sent to the clients.
It would be great, if it would be possible to authenticate a upstream server with basic auth.
--upstream-username=foobar
--upstream-password=supersecret
I've tried --headers but it's failing:
--headers "authorization=Basic <redacted>"
[error] invalid tag 'authorization=Basic <redacted>=' should be key=pair
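Why the entry is rejected, and a parser that copes, as an added Go example (not the project's code): a Basic credential is base64 and may end in "=" padding, so splitting on every "=" yields three parts and the "should be key=pair" error, while splitting on the first "=" only keeps the value intact. ParseHeaderFlags, NaiveParse, BasicAuthValue and ApplyUpstreamHeaders are names introduced here, and the credential foo:bar is constructed.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// ParseHeaderFlags turns repeated --headers key=value entries into headers for
// the upstream request. The entry is split on the FIRST '=' only, so a value
// that itself contains '=' survives; base64 padding at the end of a Basic
// credential is the usual case.
func ParseHeaderFlags(entries []string) (http.Header, error) {
	h := http.Header{}
	for _, e := range entries {
		k, v, ok := strings.Cut(e, "=")
		k = strings.TrimSpace(k)
		if !ok || k == "" {
			return nil, fmt.Errorf("invalid tag %q, should be key=value", e)
		}
		h.Add(k, strings.TrimSpace(v))
	}
	return h, nil
}

// NaiveParse is the failing behaviour, kept for comparison: every '=' is
// treated as a separator, so "authorization=Basic Zm9vOmJhcg==" has 4 parts.
func NaiveParse(entry string) error {
	if parts := strings.Split(entry, "="); len(parts) != 2 {
		return fmt.Errorf("invalid tag %q should be key=pair", entry)
	}
	return nil
}

// BasicAuthValue builds the Authorization value that the proposed
// --upstream-username/--upstream-password pair would produce.
func BasicAuthValue(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

// ApplyUpstreamHeaders copies the configured headers onto an outbound request,
// replacing anything the client sent under the same name so a caller cannot
// substitute its own upstream credential for the proxy's.
func ApplyUpstreamHeaders(r *http.Request, h http.Header) {
	for k, vs := range h {
		r.Header.Del(k)
		for _, v := range vs {
			r.Header.Add(k, v)
		}
	}
}
```

Whichever flag shape is adopted, an upstream password given on the command line is visible to every local user through the process list; a config file with restricted permissions or an environment variable is the better place for it.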
Newest version of keycloak proxy doesn't allow the cookie to be sent over insecure connections. This is good as default behaviour but it would be good to be able to override this setting as when setting up things in dev it is annoying to need to set up TLS before setting up keycloak proxy
(How about mentioning if it is production ready in the readme ?)
Hi, is there an opportunity to pass the keycloak-proxy programmatically by specifying an Authorization Bearer header in the HTTP request?
Should take a look at the Oxy project as a replacement for the standard net.http.httputil reverse proxy. The project also comes with a few extra middleware worth perhaps looking at
Would be nice to permit tokenizing the url for role extraction .. i.e. instead of using
--resource='uri:/logs/project1|roles=project1'
--resource='uri:/logs/project2|roles=project2'
Its preferable to use
--resource='uri:/logs/%role%'
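An added Go example (not code from the project) covering the unified key=value|key=value resource syntax proposed earlier on this page, the uri= grammar from its table (*, ** and plain segments), and the %role% tokenised-URL idea in this issue. Roles keep the current comma-separated OR meaning. The path.Clean step, the rejection of unknown checks and the function names are this example's choices.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule is one resource in the unified "check=value|check=value" form,
// e.g. "uri=/logs/%role%|roles=user,admin". Only uri and roles are understood
// here; an unknown check is an error so a typo cannot silently drop a constraint.
type Rule struct {
	URI   string
	Roles []string // comma separated, any one of them suffices
}

func ParseRule(spec string) (Rule, error) {
	var r Rule
	for _, kv := range strings.Split(spec, "|") {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return Rule{}, fmt.Errorf("check %q is not key=value", kv)
		}
		switch k {
		case "uri":
			r.URI = v
		case "roles":
			r.Roles = strings.Split(v, ",")
		default:
			return Rule{}, fmt.Errorf("unknown check %q", k)
		}
	}
	return r, nil
}

// MatchURI matches a request path against the uri= grammar: a literal segment
// matches itself, "*" matches exactly one segment, "**" matches the remainder,
// and "%role%" matches a segment only when the caller holds a role of that
// exact name. The path is cleaned first so "/logs/../admin" cannot slip past a
// rule written for /logs.
func MatchURI(pattern, reqPath string, granted map[string]bool) bool {
	want := strings.Split(strings.Trim(pattern, "/"), "/")
	got := strings.Split(strings.Trim(path.Clean("/"+reqPath), "/"), "/")
	for i, w := range want {
		switch {
		case w == "**":
			return true
		case i >= len(got):
			return false
		case w == "*":
		case w == "%role%":
			if !granted[got[i]] {
				return false
			}
		case w != got[i]:
			return false
		}
	}
	return len(want) == len(got)
}

// Authorize reports whether spec matches reqPath and the caller's roles
// satisfy it. A rule without uri= applies to every path; a rule without
// roles= only requires a valid session.
func Authorize(spec, reqPath string, roles []string) (bool, error) {
	rule, err := ParseRule(spec)
	if err != nil {
		return false, err
	}
	granted := make(map[string]bool, len(roles))
	for _, r := range roles {
		granted[r] = true
	}
	if rule.URI != "" && !MatchURI(rule.URI, reqPath, granted) {
		return false, nil
	}
	if len(rule.Roles) == 0 {
		return true, nil
	}
	for _, want := range rule.Roles {
		if granted[strings.TrimSpace(want)] {
			return true, nil
		}
	}
	return false, nil
}
```

With %role% the role names become part of the URL namespace, so a user holding a role named "admin" would also satisfy "/logs/admin"; keep the roles used for tokenised URLs in a namespace of their own (for instance a "project-" prefix) if other roles share the realm.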
while reading #80, I had an idea about extending resource access declarations
As of now, access policy is declared with a comma separated list of role names (`,` meaning OR)
--resource='uri:/logs/project1|roles=project1,project2'
what about replacing `,` with [ `+`, `*`, `(`, `)` ]
--resource='uri:/logs/project1|roles=r1+r2*r3+r4' # r1 OR (r2 and r3) OR r4
--resource='uri:/logs/project1|roles=r1+r2*(r3+r4+(r5*r6))'
where `+` and `*` come from logic notation: `+` being OR, `*` being AND, `(` and `)` allowing nested expressions. The behaviour is simple and fully described, and it seems powerful enough to support lots of usage cases.
note: I thought about `+` and `*` to avoid conflicts with the current usage of `|` and the meaning of `&` in URIs.
(as shown in the example given in #80, avoiding conflict with `|` and `&` is important so that
--resource='uri:/logs/%roles%|roles=test1+test2*(test3+test4)
correctly matches
uri:/logs/test1
uri:/logs/test2*test3
uri:/logs/test2*test4
)
if you like the idea, how about also adding a NOT (`!`) operator so one can use roles to temporarily ban people, etc.
--resource='uri:/logs/project1|roles=!banned
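An added Go example, not the project's code, of the operators proposed here: a recursive-descent evaluator in which `+` is OR, `*` is AND and binds tighter (so r1+r2*r3+r4 reads as r1 OR (r2 AND r3) OR r4, as in the comment above), `!` negates and parentheses group. A malformed expression denies rather than grants; that fail-closed choice and the type and function names are this example's.

```go
package main

import (
	"fmt"
	"strings"
)

// evaluator walks the expression once, looking role names up in has.
type evaluator struct {
	src string
	pos int
	has map[string]bool
}

// peek skips blanks and returns the next byte, or 0 at end of input.
func (e *evaluator) peek() byte {
	for e.pos < len(e.src) && e.src[e.pos] == ' ' {
		e.pos++
	}
	if e.pos >= len(e.src) {
		return 0
	}
	return e.src[e.pos]
}

// binary parses "next (op next)*" and folds the operands with join.
func (e *evaluator) binary(op byte, next func() (bool, error), join func(a, b bool) bool) (bool, error) {
	v, err := next()
	for err == nil && e.peek() == op {
		e.pos++
		var r bool
		r, err = next()
		v = join(v, r)
	}
	return v, err
}

// sum := product ('+' product)*        '+' is OR, lowest precedence
func (e *evaluator) sum() (bool, error) {
	return e.binary('+', e.product, func(a, b bool) bool { return a || b })
}

// product := factor ('*' factor)*      '*' is AND, binds tighter than '+'
func (e *evaluator) product() (bool, error) {
	return e.binary('*', e.factor, func(a, b bool) bool { return a && b })
}

// factor := '!' factor | '(' sum ')' | rolename
func (e *evaluator) factor() (bool, error) {
	switch c := e.peek(); c {
	case '!':
		e.pos++
		v, err := e.factor()
		return !v, err
	case '(':
		e.pos++
		v, err := e.sum()
		if err == nil && e.peek() != ')' {
			err = fmt.Errorf("missing ')' at offset %d", e.pos)
		}
		e.pos++
		return v, err
	case 0, ')', '+', '*':
		return false, fmt.Errorf("unexpected %q at offset %d", c, e.pos)
	}
	start := e.pos
	for e.pos < len(e.src) && !strings.ContainsRune("+*!() ", rune(e.src[e.pos])) {
		e.pos++
	}
	return e.has[e.src[start:e.pos]], nil
}

// EvalRoles evaluates expr against the roles a token carries. Any syntax
// error denies access instead of granting it, so a broken rule cannot open a
// resource that was meant to be restricted.
func EvalRoles(expr string, granted []string) (bool, error) {
	e := &evaluator{src: expr, has: make(map[string]bool, len(granted))}
	for _, g := range granted {
		e.has[g] = true
	}
	v, err := e.sum()
	if err == nil && e.peek() != 0 {
		err = fmt.Errorf("trailing input at offset %d", e.pos)
	}
	if err != nil {
		return false, err
	}
	return v, nil
}
```

Validate every roles= expression at startup with a dummy role set and refuse to start on a parse error; evaluating it first at request time turns a typo in the policy into a denial of service for that resource.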
Would just make things more consistent if they matched
We can currently proxy forward to a unix socket, it's a minor change to permit listening on it
the authorization url appears to truncate the state= so urls with query string aren't getting fully redirected i.e.
state=/api?dksdj&jdksjds => state=/api?
when session expired without --enable-refresh-tokens, restarting the proxy with --enable-refresh-tokens doesn't refresh tokens and user has to delete cookies (or logout?).
indeed, after the restart with --enable-refresh-tokens, logs shows:
ERRO[0024] unable to find a refresh token for the client: [email protected] [email protected] error=authentication session not found
INFO[0024] incoming authorization request from client address: 37.161.206.246:63591 access_type= client_ip=37.161.206.246:63591
until I manually remove cookies
Could this support listening and proxying to file based sockets?
Please could there be a configuration setting that would prevent the proxy redirecting on no-auth and just return a valid HTTP status code (401 Unauthorized and 403 Forbidden)?
Perhaps optionally combined with when the request Content-Type: application/json (or maybe even wildcarded to application/*?)
This is particularly useful for APIs that javascript accesses, since the browser won't permit the cross origin request to the keycloak service (without whitelisting all potential clients there), so it allows a javascript front end to better handle the status and direct the user to authenticate.
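An added Go example (not the project's code) of the behaviour requested: a 401 with a WWW-Authenticate challenge for API clients, a 403 when the session is valid but lacks the role, and a 302 to the login endpoint for browsers. The noRedirects switch, the JSON media-type test, the login path /oauth/authorize and the authorize callback stub are assumptions.

```go
package main

import (
	"net/http"
	"strings"
)

// Verdict is what the session/role check decided for a request.
type Verdict int

const (
	Allowed         Verdict = iota
	Unauthenticated         // no usable session or token
	Forbidden               // authenticated, but the resource's roles are not held
)

// WantsStatusNotRedirect decides whether the caller should receive a bare
// status code instead of a 302 to the login page. Assumed policy: a global
// switch, or a request that accepts or sends JSON, which marks an XHR/API client.
func WantsStatusNotRedirect(r *http.Request, noRedirects bool) bool {
	if noRedirects {
		return true
	}
	return strings.Contains(r.Header.Get("Accept"), "application/json") ||
		strings.HasPrefix(r.Header.Get("Content-Type"), "application/json")
}

// RespondDenied writes the response for a request that was not allowed and
// returns the status it chose. A 403 is returned for every client type: the
// user is already logged in, so sending them to login again only produces
// another round trip to the same denial.
func RespondDenied(w http.ResponseWriter, r *http.Request, v Verdict, loginURL string, noRedirects bool) int {
	switch {
	case v == Forbidden:
		http.Error(w, "forbidden", http.StatusForbidden)
		return http.StatusForbidden
	case WantsStatusNotRedirect(r, noRedirects):
		// A 401 carries a challenge so API clients know how to authenticate;
		// there is no Location header, so nothing follows a redirect.
		w.Header().Set("WWW-Authenticate", `Bearer realm="keycloak-proxy"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return http.StatusUnauthorized
	default:
		http.Redirect(w, r, loginURL, http.StatusFound)
		return http.StatusFound
	}
}

// Protect wraps next with the decision above; authorize stands in for the
// proxy's own session and role check.
func Protect(next http.Handler, authorize func(*http.Request) Verdict, loginURL string, noRedirects bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if v := authorize(r); v != Allowed {
			RespondDenied(w, r, v, loginURL, noRedirects)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

The application/* wildcard floated above is wider than it looks: a plain browser form post arrives as application/x-www-form-urlencoded and would then get a 401 instead of the login redirect, so the example matches JSON only and leaves the blanket behaviour to the explicit switch.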
@gambol99 First of all thanks for your great work on this project :)
In our test environment we have a keycloak installation which has a self signed certificate. The proxy fails to start when retrieving the discovery URL:
time="2016-11-07T10:10:51Z" level=warning msg="failed to get provider configuration from discovery url: https://<keycloak-url>/auth/realms/<realm>, Get https://<keycloak-url>/auth/realms/<realm>/.well-known/openid-configuration: x509: certificate signed by unknown authority"
I would suggest to add a config option --skip-openid-provider-tls-verify to allow self-signed certs for test environments!
If you want I can try and contribute
I want to allow tokens from different clients. How can I do that? I tried the following:
match-claims:
aud: (.*?)
I am getting the log:
INFO[0000] the token must container the claim: aud, required: (.*?)
After calling the endpoint with an token created by another client-id, I am getting:
ERRO[0040] access token failed verification client_ip=w.x.y.z. error=oidc: JWT claims invalid: invalid claims, 'aud' claim and 'client_id' do not match, aud=<otherClientId>, client_id=<configuredClientId>
He still claims, that the aud must be <configuredClientId>
Main issue with this is that nginx logs will include the full url including the query string, and don't want username and password to be logged.
Instead suggest having these as part of the body of the post request in the same way that the keycloak server does typically (x-www-form-urlencoded).
Hi,
Is there a docker image somewhere ?
I can see the Dockerfile in the repo, but couldn't find the image on the hub.
Thanks !
If there is a proxy/load balancer above the keycloak proxy, the keycloak proxy does not pass the original ip address on to the app.
see https://github.com/gambol99/keycloak-proxy/blob/master/handlers.go#L388
Should respect a potential x-forwarded-for coming from an upstream.
Enable the proxy to support UMA
Hi,
I was just looking at the latest changes. The localhost origin requirement for the login handler caught my eye. What is the motivation behind it? Do you expect something else to terminate the client connection and proxy locally to the keycloak-proxy. Maybe it makes sense to be explained in more details in the docs?
"resource_access": {},
"name": "Rohith Jayawardene",
"preferred_username": "rohith.jayawardene",
"given_name": "Rohith",
"family_name": "Jayawardene",
"email": "[email protected]"
These are passed in the JWT token as above
I am wanting to use keycloak-proxy with grafana proxy auth module.
I have run into an issue where grafana detects the Authorization header and attempts to verify it as a grafana api key, and therefore throws an error.
One option could be to get grafana to disable api key checking, but I thought it may be simple to do it in here ?
Updated to v1.1.0 and now get following error in the logs:
[error] the cookie is set to secure but your redirection url is non-tls
However this is deployed in front of an API so there is no redirection URL set
Hey,
We've got a user who can't use docker, and is on windows
Could you therefore also have some cross compiles to different archs and have travis put them in the release artifacts?
I need something like:
GOOS=windows GOARCH=amd64 ./bin/godep go build -a -o bin/keycloak-proxy-amd64.exe
GOOS=windows GOARCH=386 ./bin/godep go build -a -o bin/keycloak-proxy-i386.exe
Few changes would be good:
It's regarded as good practice to validate the issued token via the openid userinfo endpoint before accepting it
I've been meaning to do this for a while but adding proxy protocol is desirable
At present maps and arrays when specified on the command line do not merge into any possible options from a config file. i.e. you wanna add a quick --add-claims=, at present this would overwrite the ones in the config file ... Just need to append and merge maps
Could do with a section on building locally and contributing. Sure I am doing something wrong but after running:
go get
go install
go build
docker build .
docker run xxxxx
I get:
docker: Error response from daemon: Container command '/opt/keycloak-proxy' not found or does not exist..