@thomasdarimont
Last active June 26, 2024 19:57
Keycloak KrakenD cookie_key PoC
docker compose up --remove-orphans

Open the admin console at http://localhost:9090/auth/admin/ (Username: admin, Password: admin).

Create a realm "acme" and a user "tester" with password "test".

Token endpoint of the realm: http://localhost:9090/auth/realms/acme/protocol/openid-connect/token

KC_ISSUER="http://localhost:9090/auth/realms/acme"
echo "Request new Access Token for user"
# Resource Owner Password Credentials grant via the public admin-cli client
KC_RESPONSE=$( \
    curl \
     -s \
     -d "grant_type=password" \
     -d "username=tester" \
     -d "password=test" \
     -d "client_id=admin-cli" \
     -d "scope=profile" \
     "$KC_ISSUER/protocol/openid-connect/token"
)

echo "Extract Access Token"
KC_ACCESS_TOKEN=$(printf '%s' "$KC_RESPONSE" | jq -r .access_token)
echo "using KC_ACCESS_TOKEN=$KC_ACCESS_TOKEN"

Curl with Authorization header

curl -v -k -H "Authorization: Bearer $KC_ACCESS_TOKEN" http://localhost:8080/test

Example 1

tom@neumann ~/dev/playground/iam/krakend 
$ curl -v -k -H "Authorization: Bearer $KC_ACCESS_TOKEN" http://localhost:8080/test 
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /test HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/8.0.1
> Accept: */*
> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICItYU95MTNiMnRhMmdsaklFQVNrNndtSnlwbDRoWm8wbkVIakZnRm1SVHhzIn0.[...].yJV1HelHReZklBJNgCxrNWq0PxCDvaXp14fhcIDCDazlfjDnPWOETgA4XAdNlTOPZmYR_LJO5-zultB2nEGTSdkgRSCMNMdU1Y9Us-MVlXVx38sgfsG7GfQrJNSD8R86hH8vbsybio7QnfvG8f8sxruo5mcDEPonr56jVTXYBi8X8owm3Qn-lqbIZZvOWzzUECRxCRa7y_8spPqm8Z3i2LXtRCZOXQyOXxZQQEwjiT_QJUbLibutwOqbW2QgbNVAxoOYLYVK0YeYUJhL_nWkt4c9T7TiF5lY1-JNt3FsY1dyBIhPhcUQPSSfomuIuF_tra4TxB3VDGfTTLT2HUg_fQ
> 
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=utf-8
< X-Krakend: Version 2.6.3
< X-Krakend-Completed: true
< Date: Wed, 26 Jun 2024 19:50:47 GMT
< Content-Length: 297
< 
* Connection #0 to host localhost left intact
{"args":{},"data":"","files":{},"form":{},"headers":{"Accept-Encoding":["gzip"],"Host":["httpbin.io"],"User-Agent":["KrakenD Version 2.6.3"],"X-Forwarded-For":["172.28.0.1"],"X-Forwarded-Host":["localhost:8080"]},"json":null,"method":"GET","origin":"172.28.0.1","url":"http://httpbin.io/anything"}%

Curl with cookie key

curl -v -k --cookie "cookie_jwt=$KC_ACCESS_TOKEN" http://localhost:8080/test

Example 2

tom@neumann ~/dev/playground/iam/krakend 
$ curl -v -k --cookie "cookie_jwt=$KC_ACCESS_TOKEN" http://localhost:8080/test
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /test HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/8.0.1
> Accept: */*
> Cookie: cookie_jwt=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICItYU95MTNiMnRhMmdsaklFQVNrNndtSnlwbDRoWm8wbkVIakZnRm1SVHhzIn0.[...].EWPxr9LyqdNIDGquUJKjxNMv240QLKU43qHeTDgiLYvhCWqLczJuE0t4M28qXwDdlyTZaODbt9TA7xKi92NptNzyUeZp21zG6wv4n1ybjcuvp7kizOQv4AjgZVrZK2Z5CPLyrFXbSJF-Kt1Zc5qJ5sjMflThDTyqf6EsG24hKjU2VLELt7_o_RPr5H9996PCtRiyxIZn61-kZDev8-i-MrSLqeObcUJJNn3RmidLz3GmFx6RLu512LHMgIQGrR50jv2OueJd69QzJeIKR7mzX587EIOvDsKVxRuAJFb2SoNNFhY8qlRIzNmmH5rJ_0fO13J7xyN_9wM_2OaSShHduA
> 
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=utf-8
< X-Krakend: Version 2.6.3
< X-Krakend-Completed: true
< Date: Wed, 26 Jun 2024 19:55:11 GMT
< Content-Length: 297
< 
* Connection #0 to host localhost left intact
{"args":{},"data":"","files":{},"form":{},"headers":{"Accept-Encoding":["gzip"],"Host":["httpbin.io"],"User-Agent":["KrakenD Version 2.6.3"],"X-Forwarded-For":["172.28.0.1"],"X-Forwarded-Host":["localhost:8080"]},"json":null,"method":"GET","origin":"172.28.0.1","url":"http://httpbin.io/anything"}%  
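A small helper script to go with the two curl calls above, added here and not part of the gist: it decodes the access token's header and claims locally (so a 401 from the validator can be matched against the configured alg, the iss and the exp of the token) and probes /test the three ways the validator can see a request: Authorization header, the cookie_jwt cookie selected by cookie_key, and no token at all, which should be rejected. It assumes the stack from this gist is running on localhost:8080 and that KC_ACCESS_TOKEN was exported by the token script above; the GATEWAY variable and the function names are my own.

```shell
#!/usr/bin/env sh
# Added helper (not part of the gist): inspect the Keycloak access token and
# probe the KrakenD /test endpoint via header, cookie_key cookie and no token.

# Base64url-decode one JWT segment (re-adds the '=' padding, no jq needed).
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# JOSE header (alg, kid) and claims (iss, exp, ...) of a JWT; these are what
# auth/validator matches against "alg": "RS256" and the keys behind jwk_url.
jwt_header() { b64url_decode "$(printf '%s' "$1" | cut -d. -f1)"; }
jwt_claims() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Print only the HTTP status the gateway answers with.
# $1 = header | cookie | none, $2 = token; GATEWAY defaults to localhost:8080.
gateway_status() {
  url="${GATEWAY:-http://localhost:8080}/test"
  case "$1" in
    header) curl -s -o /dev/null -w '%{http_code}' -H "Authorization: Bearer $2" "$url" ;;
    cookie) curl -s -o /dev/null -w '%{http_code}' --cookie "cookie_jwt=$2" "$url" ;;
    none)   curl -s -o /dev/null -w '%{http_code}' "$url" ;;
  esac
}

# Only talk to the gateway when a token is present in the environment
# (i.e. after the token request from the gist has been run in this shell).
if [ -n "${KC_ACCESS_TOKEN:-}" ]; then
  echo "token header: $(jwt_header "$KC_ACCESS_TOKEN")"
  echo "token claims: $(jwt_claims "$KC_ACCESS_TOKEN")"
  for mode in header cookie none; do
    printf '%-6s -> HTTP %s\n' "$mode" "$(gateway_status "$mode" "$KC_ACCESS_TOKEN")"
  done
fi
```

With the validator configured as in the krakend.json below, header and cookie are expected to return 200 and none 401; an expired token or a token from another realm returns 401 on both paths.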

services:
  krakend:
    image: devopsfaith/krakend:2.6
    ports:
      - "8080:8080"
    volumes:
      - ./krankend/krakend.json:/etc/krakend/krakend.json
  keycloak:
    image: quay.io/keycloak/keycloak:25.0.1
    environment:
      # Keycloak Admin User
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
      # Feature config, see: https://www.keycloak.org/server/features
      KC_FEATURES: preview
      # Disable specific features
      # KC_FEATURES_DISABLED: "device-flow"
      # Logging, see: https://www.keycloak.org/server/logging
      KC_LOG_LEVEL: INFO
      # External frontend hostname, see: https://www.keycloak.org/server/hostname
      KC_HOSTNAME: localhost
      KC_HTTP_PORT: "9090"
      KC_HTTP_ENABLED: "true"
      KC_HTTP_RELATIVE_PATH: "/auth"
      KC_METRICS_ENABLED: "true"
      KC_HEALTH_ENABLED: "true"
      # Log Keycloak success events to the console
      KC_SPI_EVENTS_LISTENER_JBOSS_LOGGING_SUCCESS_LEVEL: "info"
      KC_SPI_EVENTS_LISTENER_JBOSS_LOGGING_ERROR_LEVEL: "warn"
      # Additional JVM options
      JAVA_OPTS_APPEND: "--show-version"
    volumes:
      # Keep keycloak data persistent
      - ./keycloak/data:/opt/keycloak/data:z
    ports:
      - 9090:9090 # HTTP
    command:
      - "--verbose"
      - "start-dev"

{
  "version": 3,
  "endpoints": [
    {
      "endpoint": "/test",
      "method": "GET",
      "output_encoding": "json",
      "extra_config": {
        "auth/validator": {
          "alg": "RS256",
          "jwk_url": "http://keycloak:9090/auth/realms/acme/protocol/openid-connect/certs",
          "disable_jwk_security": true,
          "cookie_key": "cookie_jwt"
        }
      },
      "backend": [
        {
          "url_pattern": "/anything",
          "encoding": "json",
          "method": "GET",
          "host": ["https://httpbin.io"]
        }
      ]
    }
  ]
}