Keycloak Gatekeeper

Keycloak Gatekeeper was an OpenID Connect (OIDC)–based reverse proxy for securing web applications with Keycloak. It intercepted unauthenticated requests, redirected users to Keycloak for login, and injected ID/access tokens into backend sessions. Gatekeeper was deprecated in 2020 and replaced by the Keycloak OIDC Proxy and Authorization Services within Keycloak.

Key Capabilities

  • Reverse proxy authentication: Intercepts HTTP requests and enforces authentication via OIDC against a Keycloak realm.

  • Token management: Obtains and refreshes ID/access tokens; stores tokens in encrypted cookies.

  • Policy enforcement: Enforces fine-grained access control using claims and roles from Keycloak tokens.

  • Flexible deployment: Deployed as a standalone binary, sidecar, or Docker container in front of web services.

Limitations

  • Lifecycle: Keycloak Gatekeeper has been officially deprecated since Keycloak 12 (2020) and is no longer maintained. Users are strongly encouraged to migrate to Keycloak OIDC Proxy or Keycloak Authorization Services for continued support and security updates.

  • Limited modern OAuth features: Gatekeeper was developed before the introduction of advanced OAuth 2.0 profiles such as PAR, DPoP, and mTLS. There is no public confirmation of compliance with these modern standards.

  • No SCIM or provisioning capabilities: The project functioned solely as an authentication and access proxy—it did not provide identity management, user provisioning, or lifecycle automation.

  • Operational overhead: Deployment required running Gatekeeper as a sidecar or standalone proxy with manual setup for client credentials, cookie encryption keys, and token refresh configurations.

  • Replacement guidance: New implementations should adopt Keycloak Authorization Services for in-app enforcement or use mod_auth_openidc for Apache/Nginx environments, as these are the officially recommended successors.
