Hi! Just a quick note that Keycloak Gatekeeper sadly has reached its end-of-life and is no longer supported and no longer receiving security updates. That's really a shame because I used to have the exact same pattern as you to secure some of my applications. I'll have a look into Authelia to see if that can be a replacement. Let me know your findings as well.
Hi Alexandre,
I hope you are fine!
I'm currently trying to protect a Django application using Keycloak and I recently discovered gatekeeper, so I was just starting to understand how it works, and then I found the EOL announcement, and that is why your comment was sooo welcome!
Do you think this could be the right tool to do it? (Keycloak/Gatekeeper/Django App)
From the few things I've read, I understand gatekeeper is language agnostic, but I'm not sure if it will require some sort of configuration on the Django side.
Does it?
Thank you again!!
Warm regards
Ricardo
Hi Ricardo, Gatekeeper is a great tool to secure access to an application. However, it acts like a proxy. It sits in "front" of your app and forwards traffic to it. For any unauthenticated users, it prompts them to authenticate before forwarding their traffic to the app.
That is to say, it's easy to use Gatekeeper to secure access to a Django website or part of it (e.g. the admin), but Django won't be aware that Gatekeeper is sitting in front of it.
There are a few PyPI packages if you want to log in to Django using Keycloak as your identity provider.
Hi Alexandre,
Thank you very much for your answer!
Ok understood (I think).
Let me summarize to see if I really did understand:
So Gatekeeper would be, let's say, your "root URL", the one users will point to when they try to log in to your app.
Then Gatekeeper will communicate with Keycloak to authenticate/authorize the user.
Keycloak will send Gatekeeper the corresponding tokens and Gatekeeper will redirect the user to your app URL.
Gatekeeper will also send the tokens to your app, so you can use them in your code to protect your resources using the roles/permissions you have defined for that user in Keycloak. (if this last part really happens, how do you handle those roles once in Django?)
Is this how it works, or am I not even close?
If you want to handle "tokens" in Django, I recommend using a Django app designed to do this. Search for "Django auth" and you should have quite a few options.
I don't know if Gatekeeper sends the token to the backend (Django) when it forwards an authenticated request. Perhaps it adds a header or a cookie. I don't know.
Ok. I'll do my research on that and let you know if I find anything interesting.
What I want to do in the end is to delegate as much as possible of the security handling to Keycloak, and get the Django code to the minimum, that is, just check if the user has the permission to access the given resource (view, model, etc.).
Thank you!!
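An added example (not from the thread, and not Gatekeeper's or Django's own code) of the "minimal Django code" Ricardo describes: a view decorator that checks a Keycloak role forwarded by the proxy, and refuses to trust those headers unless the request actually arrived from the proxy. It assumes the proxy forwards the identity in `X-Auth-Subject` / `X-Auth-Roles` headers (check your proxy's documentation for the real names) and uses a constructed proxy address of 10.0.0.5; `fake_request` stands in for Django's `HttpRequest` so it runs without Django.

```python
import ipaddress
from types import SimpleNamespace

# Constructed sample: only the Gatekeeper host may talk to Django directly.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


class Forbidden(Exception):
    """Map to HTTP 403 in a real view (django.core.exceptions.PermissionDenied)."""


def identity_from_proxy(request):
    """Return (subject, roles) taken from the proxy's X-Auth-* headers (assumed names).

    The headers are trusted only when the TCP peer (REMOTE_ADDR, not
    X-Forwarded-For) is a trusted proxy; otherwise anyone who can reach Django
    directly could forge X-Auth-* and bypass Keycloak entirely.
    """
    peer = ipaddress.ip_address(request.META.get("REMOTE_ADDR", "0.0.0.0"))
    if not any(peer in net for net in TRUSTED_PROXIES):
        raise Forbidden("request did not arrive via the authenticating proxy")
    subject = request.headers.get("X-Auth-Subject")
    if not subject:
        raise Forbidden("proxy forwarded no authenticated identity")
    raw_roles = request.headers.get("X-Auth-Roles", "")  # assumed comma-separated
    roles = {r.strip() for r in raw_roles.split(",") if r.strip()}
    return subject, roles


def require_role(role):
    """View decorator: allow only users whose Keycloak roles include `role`."""
    def decorator(view):
        def wrapper(request, *args, **kwargs):
            subject, roles = identity_from_proxy(request)
            if role not in roles:
                raise Forbidden(f"{subject} lacks role {role!r}")
            request.keycloak_subject = subject  # available to the view / audit log
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def admin_dashboard(request):
    return f"welcome {request.keycloak_subject}"


def fake_request(remote_addr, headers):
    """Stand-in for django.http.HttpRequest (META + headers) for offline use."""
    return SimpleNamespace(META={"REMOTE_ADDR": remote_addr}, headers=dict(headers))


def try_view(view, request):
    """Return the view's response, or None when access is denied."""
    try:
        return view(request)
    except Forbidden:
        return None
```

In production the same effect is usually achieved by network policy (Django listens only on an interface the proxy can reach) plus this check as a second line of defence.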
Ref:
For anyone reading my above comment, I found an actively maintained fork here: github.com/gogatekeeper/gatekeeper
@nana Very nice article!