

Enable json-logging, encrypted-token, pkce by default
p53 committed Oct 30, 2024
1 parent ecfaf91 commit 5ebfa40
Showing 6 changed files with 37 additions and 3 deletions.
6 changes: 3 additions & 3 deletions docs/content/configuration/_index.md
Expand Up @@ -44,10 +44,10 @@ weight: 2
| --enable-logout-redirect | indicates we should redirect to the identity provider for logging out | false | PROXY_ENABLE_LOGOUT_REDIRECT
| --enable-default-deny | enables a default denial on all requests, requests with valid token are permitted, you have to explicitly say what is permitted | true | PROXY_ENABLE_DEFAULT_DENY
| --enable-default-deny-strict | enables a default denial on all requests, requests with valid token are denied, you have to explicitly say what is permitted (recommended) | false | PROXY_ENABLE_DEFAULT_DENY_STRICT
| --enable-encrypted-token | enable encryption for the access tokens | false | PROXY_ENABLE_ENCRYPTED_TOKEN
| --enable-encrypted-token | enable encryption for the access tokens | true | PROXY_ENABLE_ENCRYPTED_TOKEN
| --force-encrypted-cookie | force encryption for the access tokens in cookies | false | PROXY_FORCE_ENCRYPTED_COOKIE
| --enable-logging | enable http logging of the requests | false | PROXY_ENABLE_LOGGING
| --enable-json-logging | switch on json logging rather than text | false | PROXY_ENABLE_JSON_LOGGING
| --enable-json-logging | switch on json logging rather than text | true | PROXY_ENABLE_JSON_LOGGING
| --enable-forwarding | enables the forwarding proxy mode, signing outbound request | false | PROXY_ENABLE_FORWARDING
| --enable-security-filter | enables the security filter handler | false | PROXY_ENABLE_SECURITY_FILTER
| --enable-refresh-tokens | enables the handling of the refresh tokens | false | PROXY_ENABLE_REFRESH_TOKEN
Expand All @@ -65,7 +65,7 @@ weight: 2
| --content-security-policy value | specify the content security policy | | PROXY_CONTENT_SECURITY_POLICY
| --localhost-metrics | enforces the metrics page can only been requested from 127.0.0.1 | false | PROXY_LOCALHOST_METRICS
| --enable-compression | enable gzip compression for response | false | PROXY_ENABLE_COMPRESSION
| --enable-pkce | enable pkce for auth code flow, only S256 code challenge supported | false | PROXY_ENABLE_PKCE
| --enable-pkce | enable pkce for auth code flow, only S256 code challenge supported | true | PROXY_ENABLE_PKCE
| --enable-idp-session-check | during token validation it also checks if user session is still present, useful for multi app logout | true | PROXY_ENABLE_IDP_SESSION_CHECK
| --enable-uma | enable UMA authorization, please don't use in production as it is new feature, we would like to receive feedback first | false | PROXY_ENABLE_UMA
| --enable-opa | enable authorization with external Open policy agent | false | PROXY_ENABLE_OPA
4 changes: 4 additions & 0 deletions docs/content/userguide/_index.md
Expand Up @@ -43,6 +43,10 @@ client-secret: <CLIENT_SECRET>
listen: :3000
# port on which metrics and health endpoints will be available, if not specified it will be on above specified port
listen-admin: :4000
# this encrypts access token, set by default to true, you need to setup encryption key
enable-encrypted-token: true
# enables use of PKCE, enabled by default in gatekeeper, you need to enable it in keycloak for client
enable-pkce: true
# whether to enable refresh tokens
enable-refresh-tokens: true
# you can set up custom templates for forbidden/error/sign-in pages, gatekeeper
10 changes: 10 additions & 0 deletions e2e/e2e_test.go
Expand Up @@ -146,6 +146,8 @@ var _ = Describe("NoRedirects Simple login/logout", func() {
"--skip-access-token-clientid-check=true",
"--skip-access-token-issuer-check=true",
"--openid-provider-retry-count=30",
"--enable-encrypted-token=false",
"--enable-pkce=false",
}

osArgs = append(osArgs, proxyArgs...)
Expand Down Expand Up @@ -210,6 +212,8 @@ var _ = Describe("Code Flow login/logout", func() {
"--encryption-key=sdkljfalisujeoir",
"--secure-cookie=false",
"--post-login-redirect-path=" + postLoginRedirectPath,
"--enable-encrypted-token=false",
"--enable-pkce=false",
}

osArgs = append(osArgs, proxyArgs...)
Expand Down Expand Up @@ -347,6 +351,7 @@ var _ = Describe("Code Flow PKCE login/logout", func() {
"--secure-cookie=false",
"--enable-pkce=true",
"--cookie-pkce-name=" + pkceCookieName,
"--enable-encrypted-token=false",
}

osArgs = append(osArgs, proxyArgs...)
Expand Down Expand Up @@ -405,6 +410,8 @@ var _ = Describe("Code Flow login/logout with session check", func() {
"--enable-logout-redirect=true",
"--enable-id-token-cookie=true",
"--post-logout-redirect-uri=http://google.com",
"--enable-encrypted-token=false",
"--enable-pkce=false",
}

osArgs = append(osArgs, proxyArgs...)
Expand All @@ -431,6 +438,7 @@ var _ = Describe("Code Flow login/logout with session check", func() {
"--enable-logout-redirect=true",
"--enable-id-token-cookie=true",
"--post-logout-redirect-uri=http://google.com",
"--enable-encrypted-token=false",
}

osArgs = append(osArgs, proxyArgs...)
Expand Down Expand Up @@ -506,6 +514,8 @@ var _ = Describe("Level Of Authentication Code Flow login/logout", func() {
"--encryption-key=sdkljfalisujeoir",
"--secure-cookie=false",
"--post-login-redirect-path=" + postLoginRedirectPath,
"--enable-encrypted-token=false",
"--enable-pkce=false",
}

osArgs = append(osArgs, proxyArgs...)
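Review bot: Every suite in this file (the hunks at -146, -210, -405, -431 and -506) and every suite in e2e/e2e_uma_test.go now passes `--enable-encrypted-token=false` and, except the PKCE suite, `--enable-pkce=false`, so after this commit no end-to-end run starts the proxy with the defaults it now ships. The PKCE suite at -347 is the closest, but it too turns token encryption off. Consider leaving one code-flow suite on the defaults — the one at -210 already sets `--encryption-key=...`, so it could simply drop the two new lines — so that the default combination of token encryption plus PKCE is exercised at least once; as written, a regression in that path would presumably surface only in a real deployment. The Describe bodies these argument lists belong to start and end outside the hunks.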
14 changes: 14 additions & 0 deletions e2e/e2e_uma_test.go
Expand Up @@ -40,6 +40,8 @@ var _ = Describe("UMA Code Flow authorization", func() {
"--skip-access-token-issuer-check=true",
"--openid-provider-retry-count=30",
"--secure-cookie=false",
"--enable-encrypted-token=false",
"--enable-pkce=false",
}

osArgs = append(osArgs, proxyArgs...)
Expand Down Expand Up @@ -136,6 +138,8 @@ var _ = Describe("UMA Code Flow authorization with method scope", func() {
"--secure-cookie=false",
"--verbose=true",
"--enable-logging=true",
"--enable-encrypted-token=false",
"--enable-pkce=false",
}

osArgs = append(osArgs, proxyArgs...)
Expand Down Expand Up @@ -198,6 +202,8 @@ var _ = Describe("UMA no-redirects authorization with forwarding client credenti
"--skip-access-token-issuer-check=true",
"--openid-provider-retry-count=30",
"--enable-idp-session-check=false",
"--enable-encrypted-token=false",
"--enable-pkce=false",
}

fwdProxyArgs := []string{
Expand All @@ -214,6 +220,8 @@ var _ = Describe("UMA no-redirects authorization with forwarding client credenti
"--skip-access-token-clientid-check=true",
"--skip-access-token-issuer-check=true",
"--openid-provider-retry-count=30",
"--enable-encrypted-token=false",
"--enable-pkce=false",
}

osArgs = append(osArgs, proxyArgs...)
Expand Down Expand Up @@ -279,6 +287,8 @@ var _ = Describe("UMA no-redirects authorization with forwarding direct access g
"--openid-provider-retry-count=30",
"--verbose=true",
"--enable-idp-session-check=false",
"--enable-encrypted-token=false",
"--enable-pkce=false",
}

fwdProxyArgs := []string{
Expand All @@ -296,6 +306,8 @@ var _ = Describe("UMA no-redirects authorization with forwarding direct access g
"--skip-access-token-clientid-check=true",
"--skip-access-token-issuer-check=true",
"--openid-provider-retry-count=30",
"--enable-encrypted-token=false",
"--enable-pkce=false",
}

osArgs = append(osArgs, proxyArgs...)
Expand Down Expand Up @@ -375,6 +387,8 @@ var _ = Describe("UMA Code Flow, NOPROXY authorization with method scope", func(
"--secure-cookie=false",
"--verbose=true",
"--enable-logging=true",
"--enable-encrypted-token=false",
"--enable-pkce=false",
}

osArgs = append(osArgs, proxyArgs...)
3 changes: 3 additions & 0 deletions pkg/keycloak/config/config.go
Expand Up @@ -204,6 +204,9 @@ func NewDefaultConfig() *Config {
EnableDefaultDeny: true,
EnableSessionCookies: true,
EnableTokenHeader: true,
EnableJSONLogging: true,
EnableEncryptedToken: true,
EnablePKCE: true,
HTTPOnlyCookie: true,
Headers: make(map[string]string),
AllowedQueryParams: make(map[string]string),
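Review bot: EnableEncryptedToken defaults to true from this hunk on, but nothing here couples that default to EncryptionKey being set; unless validation elsewhere in the package already rejects an empty key when encryption is enabled, an operator who upgrades without configuring one would presumably find out only when the first token is issued rather than at startup, which is worth confirming. The three new fields would also benefit from a why-comment so the next reader does not assume they are arbitrary, e.g. `// secure-by-default: PKCE and token encryption are on; encryption requires EncryptionKey to be set` above the EnableJSONLogging line. NewDefaultConfig's body starts and ends outside the hunk.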
3 changes: 3 additions & 0 deletions pkg/testsuite/fake_proxy.go
Expand Up @@ -677,6 +677,9 @@ func newFakeKeycloakConfig() *config.Config {
CookieRefreshName: constant.RefreshCookie,
CookieIDTokenName: constant.IDTokenCookie,
DisableAllLogging: true,
EnablePKCE: false,
EnableJSONLogging: false,
EnableEncryptedToken: false,
DiscoveryURL: randomLocalHost,
EnableAuthorizationCookies: true,
EnableAuthorizationHeader: true,
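Review bot: The three `false` entries added to newFakeKeycloakConfig pin the test fixture to the pre-commit behaviour, which now diverges from what NewDefaultConfig ships, and a reader of the fixture cannot tell whether that divergence is deliberate. A one-line comment above EnablePKCE would make the intent explicit, e.g. `// opt out of the production defaults (PKCE, JSON logging, token encryption) so existing unit tests keep their plain-token fixtures`. If the tests could tolerate the defaults, building the fixture from NewDefaultConfig() and overriding only the test-specific fields would keep the two from drifting apart again. newFakeKeycloakConfig's body starts and ends outside the hunk.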

0 comments on commit 5ebfa40
