Dynamic JWKS URL handling for multiple Keycloak realms in KrakenD


hrai

Aug 20, 2025, 8:19:39 AM
to KrakenD Community

Hi KrakenD community,

I’m using KrakenD with Keycloak for JWT validation. Currently, I have one endpoint defined via Helm for a single realm, pointing to its jwk_url.

Now, I need to support multiple realms (around 7–8), each with its own JWKS URL, for example:

I want a dynamic way for KrakenD to select the correct JWKS URL at runtime based on the request (e.g., using the Host header), without defining a separate endpoint for each realm.

Has anyone implemented a pattern or configuration for this? Are there plugins or best practices to handle multiple Keycloak realms efficiently in KrakenD?

Thanks for any guidance!


Albert Lombarte

Aug 20, 2025, 8:25:58 AM
to KrakenD Community, hrai
Hello Hrai,

There is no out-of-the-box support for this scenario in the community edition. This functionality is available in the Enterprise edition: https://www.krakend.io/docs/enterprise/authentication/multiple-identity-providers/

If you want to do something like this, you will need to implement your own plugin for validation.


hrai

Aug 21, 2025, 12:26:56 AM
to KrakenD Community, Albert Lombarte, hrai
Thanks for the clarification. I am exploring how to solve this using the Lua plugin.

My idea is to:

  • Inspect the Host header (e.g., realm1.example.com, realm2.example.com)

  • Dynamically select the correct JWKS URL for validation

  • Validate the token against that realm’s keys before passing the request to the backend

Is it feasible to implement JWT validation dynamically with Lua in CE?

Albert Lombarte

Aug 21, 2025, 12:12:25 PM
to hrai, KrakenD Community
Hello,

You can do all kinds of manipulations with Lua, but this won't change the fact that the JWT validator will statically use the public signature defined in the configuration, regardless of what you can do with Lua.

So Lua is not a feasible solution in this scenario. If you want a custom validation in CE (this is what this is), you must implement your plugin for JWT validation. The Enterprise version has specific logic to handle this as this is not something you can do with the validator alone.
Albert Lombarte
CEO
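
An added example, not part of the original posts and not KrakenD or Enterprise code: a sketch in Go (the language KrakenD plugins are written in) of the realm-selection step a custom validation plugin would need before verifying a signature. Because the Host header is client-controlled, it is only used as a key into a fixed allowlist, and the token's `iss` claim is bound to the selected realm. The host names, Keycloak URLs and function names are assumptions; the KrakenD plugin interface and the signature check against the selected JWKS are not shown.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

type Realm struct{ Issuer, JWKSURL string }

const kc = "https://keycloak.example.com/realms/" // constructed placeholder
var realms = map[string]Realm{ // constructed allowlist; request data never builds a URL
	"realm1.example.com": {kc + "realm1", kc + "realm1/protocol/openid-connect/certs"},
	"realm2.example.com": {kc + "realm2", kc + "realm2/protocol/openid-connect/certs"},
}

// SelectRealm normalises the client-controlled Host header, then looks it up.
func SelectRealm(host string) (Realm, error) {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // drop ":port"
	}
	if r, ok := realms[strings.ToLower(strings.TrimSuffix(host, "."))]; ok {
		return r, nil
	}
	return Realm{}, fmt.Errorf("no realm configured for host %q", host)
}

// CheckIssuer rejects a token whose (still unverified) iss claim is not the realm
// chosen from Host. Signature verification against r.JWKSURL must still follow.
func CheckIssuer(token string, r Realm) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed JWT")
	}
	var c struct{ Iss string `json:"iss"` }
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &c) != nil || c.Iss != r.Issuer {
		return fmt.Errorf("issuer does not match the realm selected for this host")
	}
	return nil
}

func SampleToken(iss string) string { // unsigned, constructed, demo only
	return "e30." + base64.RawURLEncoding.EncodeToString([]byte(`{"iss":"`+iss+`"}`)) + ".x"
}

func main() {
	r, err := SelectRealm("Realm1.Example.com:8443")
	fmt.Println(r.JWKSURL, err, CheckIssuer(SampleToken(kc+"realm2"), r))
}
```
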

