This repository has been archived by the owner on Dec 7, 2020. It is now read-only.

Disable reading access token from Authorization header #549

Open
abstractj opened this issue Apr 28, 2020 · 0 comments

Comments


abstractj commented Apr 28, 2020

What:

Hi,

We are trying to run the Strapi CMS behind a Keycloak Gatekeeper. Login works, but then the Strapi Admin UI fails every request. After some debugging I found out that Strapi uses its own JWT token for authentication. This token is sent with every request in the Authorization header. The Keycloak Gatekeeper intercepts the request, reads the token from the Authorization header and tries to validate it. This fails, as the creator of this JWT is Strapi, not Keycloak. The gatekeeper then returns a 401 to the Strapi Admin UI.

I suggest a new config option to disable reading the token from the Authorization header, only using the kc-access cookie for that.

I would contribute a PR to implement this.

Reference:
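Added example (not Gatekeeper's or Strapi's own code): a Go sketch of the token-source precedence described in the issue. With the Authorization header read first, Strapi's own JWT is picked up and rejected with 401 even though a valid kc-access cookie is present; with the hypothetical `skipHeader` option standing in for the proposed setting, only the cookie is consulted. The issuer URL and the tokens are constructed sample values.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"net/http"
	"strings"
)

// makeToken builds a constructed, unsigned JWT carrying only an "iss" claim (selection precedes verification).
func makeToken(iss string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"none"}`)) + "." + enc([]byte(`{"iss":"`+iss+`"}`)) + ".sig"
}

// extractToken mirrors the precedence the issue describes: the Authorization
// header wins over the kc-access cookie unless skipHeader (hypothetical) is set.
func extractToken(r *http.Request, skipHeader bool) (string, bool) {
	if h := r.Header.Get("Authorization"); !skipHeader && h != "" {
		return strings.TrimPrefix(h, "Bearer "), true
	}
	if c, err := r.Cookie("kc-access"); err == nil {
		return c.Value, true
	}
	return "", false
}

// issuerOf reads the unverified "iss" claim; anything that is not a JWT yields "".
func issuerOf(tok string) string {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return ""
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return ""
	}
	var claims struct{ Iss string `json:"iss"` }
	_ = json.Unmarshal(raw, &claims) // on malformed JSON Iss stays ""
	return claims.Iss
}

// authorize answers 401 when no token is found or its issuer is not the trusted Keycloak realm (Strapi's JWT), else 200.
func authorize(r *http.Request, trustedIssuer string, skipHeader bool) int {
	tok, ok := extractToken(r, skipHeader)
	if !ok || issuerOf(tok) != trustedIssuer {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}
```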
