Enable Basic authentication #381

Open
daniel-pimenta-DME opened this issue Nov 20, 2023 · 1 comment
daniel-pimenta-DME commented Nov 20, 2023

Summary

Enable Basic authentication.

Why?

I have a Gatekeeper working well with Authorization Code Flow (using access tokens) but would like to also accept Password Credentials Grant (basic auth with user and password).

How

Not sure if this is already supported, but maybe a configuration flag to enable it.

Additional Information

My configuration

client-id: ...
discovery-url: https://keycloak/realms/master
no-redirects: true
no-proxy: true
enable-uma: true
enable-metrics: true
enable-logging: true
enable-request-id: true
enable-login-handler: true
enable-refresh-tokens: true
enable-logout-redirect: true
listen: :3000
listen-admin: :4000

Gatekeeper is used with the nginx ingress, which then forwards to the upstream application if the auth_request response is 200:

nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request /auth;
  # Preflighted requests
  if ($request_method = OPTIONS) {
    return 200;
  }
  add_header Access-Control-Allow-Origin $http_origin always;
  add_header Access-Control-Allow-Methods "*";
  add_header Access-Control-Allow-Headers "Authorization, Origin, Content-Type";
nginx.ingress.kubernetes.io/server-snippet: |
  location ^~ /auth {
    internal;
    proxy_pass http://gatekeeper/$request_uri;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Method $request_method;
    proxy_set_header X-Forwarded-URI $request_uri;
    proxy_busy_buffers_size 64k;
    proxy_buffers 8 32k;
    proxy_buffer_size 32k;
  }
p53 commented Nov 20, 2023

Not sure if you know, but right now you can get a token with user/password with the login handler and then pass the token to gatekeeper: https://gogatekeeper.github.io/gatekeeper/userguide/#endpoints. One more thing: there is a forward signing mode for gatekeeper, which will automate the process of getting/refreshing the access token on the client side for you; you then just have to point your application to your client-side proxy with HTTP_PROXY variables or use curl -x your_client_side_proxy. Additionally, with this setup you can use --enable-hmac on the client-side gatekeeper proxy and on the server side, which will add an HMAC signature to the request, enhancing security. Here is the code for generating the HMAC: https://github.com/gogatekeeper/gatekeeper/blob/master/pkg/utils/utils.go#L440. Will update the docs with a description, but basically it creates an HMAC from the authz header, body of request, method, and host, so when HMAC is enabled and someone somehow stole somebody's tokens, he cannot use them alone to create a request, because he would need to sign the request.
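As an added illustration of the request-signing idea described in the comment above (this is not gatekeeper's own code; the canonical string layout, the shared secret and all sample values are assumptions constructed for the example), a client-side signer covers method, host, Authorization header and body with HMAC-SHA256, and the server-side verifier recomputes and compares the tag in constant time, so a token captured on its own does not yield a valid request:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Request holds the parts the comment above says go into the signature
// (authz header, body, method, host). The canonical form below is this
// example's own assumption, not gatekeeper's implementation.
type Request struct {
	Method, Host, Authz string
	Body                []byte
}

// canonical joins the parts with newlines and hashes the body, so that
// moving bytes between fields or altering the body changes the digest.
func canonical(r Request) []byte {
	body := sha256.Sum256(r.Body)
	parts := []string{r.Method, r.Host, r.Authz, hex.EncodeToString(body[:])}
	return []byte(strings.Join(parts, "\n"))
}

// Sign computes the HMAC-SHA256 tag a client-side proxy would attach.
func Sign(secret []byte, r Request) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(canonical(r))
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify recomputes the tag server side and compares in constant time.
func Verify(secret []byte, r Request, tag string) bool {
	return hmac.Equal([]byte(Sign(secret, r)), []byte(tag))
}

func main() {
	secret := []byte("constructed-shared-secret") // constructed sample value
	req := Request{Method: "POST", Host: "api.example.internal",
		Authz: "Bearer constructed.token", Body: []byte(`{"amount":10}`)}
	tag := Sign(secret, req)
	fmt.Println("genuine request verifies:", Verify(secret, req, tag))

	// A stolen token alone is not enough: changing the body (or host or
	// method) without knowing the secret invalidates the tag.
	replay := req
	replay.Body = []byte(`{"amount":9999}`)
	fmt.Println("tampered replay verifies:", Verify(secret, replay, tag))
}
```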
