I have a problem using Keycloak Gatekeeper for authorizing requests in a Kubernetes cluster. A resource request is forwarded to login via Keycloak; after login, it is shown that access is forbidden using the Gatekeeper's forbidden page. The Gatekeeper log looks like this:
{"level":"info","ts":1608128659.3984604,"msg":"keycloak proxy service starting","interface":":3000"}
{"level":"error","ts":1608128667.3914142,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1608128667.3915262,"msg":"client request","latency":0.002089839,"status":307,"bytes":95,"client_ip":"192.168.42.129:48724","method":"GET","path":"/auth/"}
{"level":"info","ts":1608128667.4082289,"msg":"client request","latency":0.000065187,"status":307,"bytes":317,"client_ip":"192.168.42.129:48724","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1608128671.970435,"msg":"unable to exchange code for access token","error":"unknown_error"}
{"level":"info","ts":1608128671.9705727,"msg":"client request","latency":0.203322612,"status":403,"bytes":2174,"client_ip":"192.168.42.129:48724","method":"GET","path":"/oauth/callback"}
I used a configuration similar to https://gist.github.com/carlosedp/80ea54104cc6303f04b3755033f9c4fe.
Is my redirect address maybe wrong, or is it about the resource part in the configuration file? The config file looks like this:
discovery-url: http://keycloak.192.168.42.129.nip.io/auth/realms/local/.well-known/openid-configuration
skip-openid-provider-tls-verify: true
client-id: gatekeeper
client-secret: XXX
listen: :3000
enable-refresh-tokens: true
tls-cert:
tls-private-key:
redirection-url: http://sb.192.168.42.129.nip.io
secure-cookie: false
encryption-key: XXX
upstream-url: http://127.0.0.1:5000/
forbidden-page: /html/access-forbidden.html
upstream-keepalives: true
skip-upstream-tls-verify: true
enable-logging: true
enable-json-logging: true
enable-encrypted-token: false
resources:
- uri: /*
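The log in the question already shows where the flow breaks: the error "unable to exchange code for access token" is written immediately before the 403 on /oauth/callback, i.e. at the step where Gatekeeper redeems the authorization code at the token endpoint it learned from the discovery URL. The following script is an added example, not part of the question or of the Gatekeeper project; it parses Gatekeeper's JSON log lines, pairs each "client request" record with the error record logged just before it, and reports the first failing step. The log lines embedded below are constructed from the ones in the post, and the mapping of paths to flow stages (STAGES) is an assumption about Gatekeeper's handling of the authorization-code flow.

```python
import json

# Constructed sample: the JSON log lines from the post, one record per line.
SAMPLE_LOG = """
{"level":"info","ts":1608128659.3984604,"msg":"keycloak proxy service starting","interface":":3000"}
{"level":"error","ts":1608128667.3914142,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1608128667.3915262,"msg":"client request","latency":0.002089839,"status":307,"bytes":95,"client_ip":"192.168.42.129:48724","method":"GET","path":"/auth/"}
{"level":"info","ts":1608128667.4082289,"msg":"client request","latency":0.000065187,"status":307,"bytes":317,"client_ip":"192.168.42.129:48724","method":"GET","path":"/oauth/authorize"}
{"level":"error","ts":1608128671.970435,"msg":"unable to exchange code for access token","error":"unknown_error"}
{"level":"info","ts":1608128671.9705727,"msg":"client request","latency":0.203322612,"status":403,"bytes":2174,"client_ip":"192.168.42.129:48724","method":"GET","path":"/oauth/callback"}
"""

# Assumed mapping of Gatekeeper-owned paths to stages of the OIDC authorization-code flow.
# Any other path is treated as a request for a protected upstream resource.
STAGES = {
    "/oauth/authorize": "redirect the browser to the identity provider",
    "/oauth/callback": "redeem the authorization code at the token endpoint",
}


def parse_log(text):
    """Parse newline-delimited JSON log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize_flow(records):
    """Pair each 'client request' record with the error record (if any) logged just before it.

    Gatekeeper logs the reason for a decision as a separate 'error' record and then
    logs the HTTP response; correlating the two in order gives one row per request.
    """
    steps = []
    pending_error = None
    for rec in records:
        if rec.get("level") == "error":
            pending_error = rec
            continue
        if rec.get("msg") != "client request":
            continue  # startup banner and other informational records
        steps.append({
            "path": rec["path"],
            "status": rec["status"],
            "stage": STAGES.get(rec["path"], "request for a protected upstream resource"),
            "reason": pending_error["msg"] if pending_error else None,
            "detail": pending_error.get("error") if pending_error else None,
        })
        pending_error = None
    return steps


def first_failure(steps):
    """Return the first step that produced an HTTP error status, or None if the flow succeeded."""
    for step in steps:
        if step["status"] >= 400:
            return step
    return None


if __name__ == "__main__":
    flow = summarize_flow(parse_log(SAMPLE_LOG))
    for step in flow:
        print(f'{step["status"]} {step["path"]:<18} {step["stage"]}'
              + (f'  <- {step["reason"]} ({step["detail"]})' if step["reason"] else ""))
    failed = first_failure(flow)
    if failed:
        print(f'\nflow broke at: {failed["stage"]} ({failed["reason"]})')
```

Run against the log from the question, the script reports that the first two 307s are the expected redirects (the "no session found" error before /auth/ is normal for an unauthenticated first request) and that the flow breaks at the code redemption step. That step is the one where the proxy presents client-id, client-secret and the redirect URI to the token endpoint taken from discovery-url, so those are the settings to compare against the client registered in the Keycloak realm; the log itself does not say which of them Keycloak rejected.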