How to provide authorization in Spring Cloud Gateway, which is done by Keycloak


Tonyukuk

Mar 6, 2021, 5:19:35 AM
to Keycloak User
I am using Spring Cloud Gateway, and to provide authentication and authorization in my application I am using Keycloak. I have an endpoint which needs to be secured by Keycloak so that only the users who have a specific role are able to use that endpoint. I created a role called "A" and assigned that A role to user B. It works perfectly, but I do not know how to say that only the REST requests directed to that link that have the A role can access this endpoint. Do you know a way to do it?


Maybe this question is not fully related to Keycloak, but I want to find out if there is a way to do it, or if you have solved this kind of issue before.

Thank you 

My sample code:

  - id: create user
    predicates:
      - Path=/customer/api/v2/customers/**
      - Method=POST
    filters:
      - StripPrefix=1



Thomas Darimont

Mar 6, 2021, 8:10:00 AM
to Tonyukuk, Keycloak User
Hello Tonyukuk,

You need to inspect the JWT in the gateway with a proper filter, or in the downstream application. Your gateway should check whether the JWT is valid (signature, not expired, allowed issuer, scopes, etc.).

For Keycloak tokens you need to extract the roles from the nested realm_access or resource_access claims.

Take a look at these articles for examples:




Cheers,
Thomas
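
The check described in the reply above, as an added example that is not part of the thread and not the poster's or Keycloak's own code: a Spring Security reactive configuration for the gateway that validates the JWT and maps Keycloak realm roles to authorities. It assumes `spring-boot-starter-oauth2-resource-server` is on the gateway's classpath and `spring.security.oauth2.resourceserver.jwt.issuer-uri` points at the Keycloak realm; the class and method names are hypothetical.

```java
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.server.SecurityWebFilterChain;
import reactor.core.publisher.Mono;

// Hypothetical class name; signature, expiry and issuer are checked by the decoder built from issuer-uri.
@Configuration
@EnableWebFluxSecurity
public class GatewaySecurityConfig {

    @Bean
    SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http) {
        // Security runs before routing, so match the incoming path (before StripPrefix is applied).
        return http
            .authorizeExchange(ex -> ex
                .pathMatchers(HttpMethod.POST, "/customer/api/v2/customers/**").hasRole("A")
                .anyExchange().authenticated())
            .oauth2ResourceServer(rs -> rs
                .jwt(jwt -> jwt.jwtAuthenticationConverter(keycloakRealmRoles())))
            .build();
    }

    // Maps realm_access.roles to ROLE_* authorities; a missing or malformed claim yields no roles.
    // Client roles live under resource_access.<client-id>.roles and would be read the same way.
    Converter<Jwt, Mono<AbstractAuthenticationToken>> keycloakRealmRoles() {
        return jwt -> {
            Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
            List<?> roles = realmAccess != null && realmAccess.get("roles") instanceof List
                ? (List<?>) realmAccess.get("roles") : List.of();
            List<SimpleGrantedAuthority> authorities = roles.stream()
                .map(r -> new SimpleGrantedAuthority("ROLE_" + r))
                .collect(Collectors.toList());
            return Mono.just(new JwtAuthenticationToken(jwt, authorities));
        };
    }
}
```

With this in place a POST to the route without a valid token gets 401, and a valid token lacking realm role A gets 403.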
