This repository was archived by the owner on Dec 7, 2020. It is now read-only.

Disable reading access token from Authorization header #549

@abstractj

What:

Hi,

We are trying to run the Strapi CMS behind a Keycloak Gatekeeper. Login works, but then the Strapi Admin UI fails every request. After some debugging I found out that Strapi uses its own JWT token for authentication. This token is sent with every request in the Authorization header. The Keycloak Gatekeeper intercepts the request, reads the token from the Authorization header and tries to validate it. This fails, as the creator of this JWT is Strapi, not Keycloak. The gatekeeper then returns a 401 to the Strapi Admin UI.

I suggest a new config option to disable reading the token from the Authorization header, only using the kc-access cookie for that.

I would contribute a PR to implement this.

Reference:
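To make the failure mode and the proposed fix concrete, here is an added Go example (not Gatekeeper's code, and not the reporter's PR) that models a reverse proxy's token extraction with the suggested switch. The config field `SkipAuthorizationHeader`, the `Validator` stand-in for JWT verification, and the two sample tokens are all hypothetical and constructed for the example; only the `kc-access` cookie name comes from the issue. `Simulate` replays the scenario: the browser carries a Keycloak-issued cookie from login, but the Strapi admin UI also puts its own JWT in the `Authorization` header.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Config models the option proposed in the issue. SkipAuthorizationHeader is a
// hypothetical field name for this example, not Gatekeeper's real configuration.
type Config struct {
	SkipAuthorizationHeader bool   // when true, only the cookie is consulted
	CookieName              string // the session cookie holding the access token
}

var ErrNoToken = errors.New("no access token in request")

// ExtractToken picks the token the proxy will validate: the Authorization
// header first (unless disabled), then the cookie, in the order the issue describes.
func ExtractToken(cfg Config, r *http.Request) (string, error) {
	if !cfg.SkipAuthorizationHeader {
		if h := r.Header.Get("Authorization"); h != "" {
			parts := strings.SplitN(h, " ", 2)
			if len(parts) == 2 && strings.EqualFold(parts[0], "bearer") {
				return strings.TrimSpace(parts[1]), nil
			}
		}
	}
	if c, err := r.Cookie(cfg.CookieName); err == nil && c.Value != "" {
		return c.Value, nil
	}
	return "", ErrNoToken
}

// Validator stands in for the proxy's JWT verification: it reports whether a
// token was issued by Keycloak. In this example it is a plain string comparison.
type Validator func(token string) bool

// Middleware returns 401 when no acceptable token is found, otherwise calls next.
func Middleware(cfg Config, valid Validator, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, err := ExtractToken(cfg, r)
		if err != nil || !valid(tok) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Constructed sample tokens for the example (not real JWTs).
const (
	keycloakToken = "constructed.keycloak.token"
	strapiToken   = "constructed.strapi.token"
)

// Simulate replays the issue's scenario and returns the status the proxy produces:
// the Strapi admin UI sends its own JWT in the Authorization header while the
// browser also carries the kc-access cookie that was set at login.
func Simulate(skipHeader bool) int {
	cfg := Config{SkipAuthorizationHeader: skipHeader, CookieName: "kc-access"}
	isKeycloak := func(t string) bool { return t == keycloakToken }
	upstream := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})

	req := httptest.NewRequest(http.MethodGet, "/admin/users", nil)
	req.Header.Set("Authorization", "Bearer "+strapiToken)
	req.AddCookie(&http.Cookie{Name: "kc-access", Value: keycloakToken})

	rec := httptest.NewRecorder()
	Middleware(cfg, isKeycloak, upstream).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("header read (current behaviour):", Simulate(false)) // 401
	fmt.Println("header ignored (proposed option):", Simulate(true)) // 200
}
```

With the header consulted first, the Strapi token wins and fails Keycloak validation, which is the 401 the reporter sees; with the switch on, only the cookie is read and the request passes through to the upstream. The trade-off for operators is that API clients relying on bearer headers would then need to be routed differently, so such an option is best scoped per route rather than global.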
