Assistance Needed for Keycloak and Kong Authorization Integration


Lipakshi Kashyap

Jul 25, 2024, 3:38:24 AM
to Keycloak User
Hello Team,

I’m seeking assistance with integrating Keycloak for role-based access control (RBAC) with Kong. I have configured Keycloak for authentication and am using Kong’s JWT plugin, but I am now facing issues with the authorization process:

Problem:

Authorization Challenge: Kong does not seem to enforce permissions based on roles defined in Keycloak. Although Keycloak manages the roles and issues JWT tokens with claims, Kong does not effectively use these claims to enforce role-based access control.
Could you provide guidance on configuring Kong to integrate with Keycloak for role-based authorization or suggest any relevant resources?

Thank you for your help.

Best regards

Maestria Cine

Aug 15, 2024, 2:07:12 AM
to Lipakshi Kashyap, Keycloak User

What You Can Do:

Here’s how you can set things up:

1. Keycloak Setup:

  • Create Roles: First, make sure you’ve created the necessary roles in Keycloak under the client you set up for Kong.
  • Map Roles to JWT Claims: You’ll need to map these roles to the JWT claims so that they’re included in the token. Head to the client settings, go to "Mappers," and add a mapper to include roles in the JWT.

2. Kong Configuration:

  • Check the JWT Plugin: Ensure that Kong’s JWT plugin is set up to pull the claims from the JWT and use them for access control.
  • Custom Kong Solution: By default, Kong doesn’t enforce RBAC based on JWT claims, so you might need to use a custom plugin or create a solution that checks the JWT and applies RBAC rules.
  • Use the ACL Plugin: Another approach is to use Kong’s ACL plugin to create groups that match the roles from Keycloak. Then, map users or services to these groups so that only users with the right roles can access certain endpoints.
  • Role-Based Policies: You can also look into using the Keycloak Authorization plugin for Kong, which lets you set up authorization policies directly in Kong using the JWT tokens from Keycloak.

3. Sample Configuration:

Mapping Roles in Keycloak:

  • Go to the client you’ve set up for Kong.
  • Navigate to "Mappers" > "Create."
  • Name it roles.
  • Set the Mapper Type to User Client Role.
  • Token Claim Name: roles.
  • Set Claim JSON Type to String.
  • Make sure to add it to the ID token, access token, and userinfo.

Kong ACL Plugin Setup:

  • Create groups in Kong using the ACL plugin:
    bash
    curl -X POST http://<Kong Admin URL>/consumers/{consumer}/acls \
      --data "group=<role>"
  • Set up the JWT plugin to validate the token:
    bash
    # key_claim_name=iss: the consumer must hold a JWT credential whose key equals the token's iss
    # (POST /consumers/{consumer}/jwt), otherwise the plugin rejects the token with 401
    curl -X POST http://<Kong Admin URL>/routes/{route_id}/plugins \
      --data "name=jwt" \
      --data "config.claims_to_verify=exp" \
      --data "config.key_claim_name=iss" \
      --data "config.secret_is_base64=false"
  • Add the ACL plugin to the relevant route:
    bash
    # config.whitelist was renamed config.allow in Kong 3.x
    curl -X POST http://<Kong Admin URL>/routes/{route_id}/plugins \
      --data "name=acl" \
      --data "config.whitelist=<role>"

4. Test It Out:

  • Check Your JWT Tokens: Use a tool to generate and decode JWT tokens from Keycloak and make sure the roles are showing up in the claims.
  • Verify Access: Try accessing the configured routes in Kong and see if the access control is working as expected based on the roles defined in Keycloak.

Resources:

If you need more help with the specifics, feel free to ask!

Cheers,
ELTON




--

MAESTRIA CINE
Elton Carlos Pasternak -
General Director

Skype: zecktron

www.maestriacine.com.br
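Editor's note on the reply above. Kong's stock JWT plugin only validates the token and maps its iss claim to a Kong consumer; the ACL plugin then checks that consumer's groups. Neither plugin ever reads the roles inside the token, which is why the "Custom Kong Solution" bullet is the one that actually does role enforcement (custom Kong plugins are written in Lua, but the logic is the same). The block below is an added example, not code from the thread, from Kong or from Keycloak. It shows the checks such a plugin needs: algorithm pinned (never taken from the token header), constant-time signature comparison, iss and exp verified, roles collected from the custom `roles` claim the thread's mapper emits plus Keycloak's default `realm_access.roles` and `resource_access.<client>.roles`, and a route policy that fails closed. It uses HS256 with a shared secret to match the thread's `secret_is_base64=false` configuration (Keycloak normally signs with RS256 against the realm's JWKS, so a production plugin would verify RSA signatures instead). The secret, the issuer URL, the client id `kong-gateway`, the route policy and the sample tokens are all constructed for this example.

```python
# Added example (not from the thread, Kong or Keycloak): the claim checks a custom
# Kong plugin needs to enforce Keycloak roles. HS256 with a shared secret matches the
# thread's JWT plugin config; secret, issuer, client id, policy and tokens are constructed.
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"constructed-example-secret-not-for-production"
EXPECTED_ISS = "https://keycloak.example.test/realms/demo"  # assumed realm URL
CLIENT_ID = "kong-gateway"                                   # assumed client id
# Route prefix -> roles, any one of which grants access; empty set means public.
# Paths that match no prefix are rejected (fail closed).
ROUTE_POLICY = {"/admin": {"admin"}, "/reports": {"admin", "analyst"}, "/public": set()}

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_hs256(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a compact JWS (HS256 variant of what Keycloak issues)."""
    segs = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
            for p in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(segs)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def decode_hs256(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Verify pinned alg, signature, iss and exp; raise ValueError on any failure."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("unexpected issuer")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired or missing exp")
    return claims

def roles_from_claims(claims: dict, client_id: str = CLIENT_ID) -> set:
    """Roles from the thread's custom 'roles' claim plus Keycloak's default
    realm_access.roles and resource_access.<client>.roles claims."""
    roles = set(claims.get("roles", []))
    roles |= set(claims.get("realm_access", {}).get("roles", []))
    roles |= set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return roles

def required_roles(path: str) -> Optional[set]:
    for prefix in sorted(ROUTE_POLICY, key=len, reverse=True):  # longest prefix wins
        if path == prefix or path.startswith(prefix + "/"):
            return ROUTE_POLICY[prefix]
    return None

def authorize(token: str, path: str, secret: bytes = SECRET, now: Optional[float] = None):
    """Return (allowed, reason), the decision a Kong access-phase handler would make."""
    try:
        claims = decode_hs256(token, secret, now)
    except ValueError as exc:
        return False, f"401 {exc}"
    required = required_roles(path)
    if required is None:
        return False, "403 no policy for path"
    if not required:
        return True, "200 public route"
    granted = roles_from_claims(claims) & required
    if granted:
        return True, f"200 role {sorted(granted)[0]}"
    return False, f"403 need one of {sorted(required)}"

def sample_token(roles, *, exp, client_roles=(), iss=EXPECTED_ISS, secret=SECRET):
    """Constructed token shaped like a Keycloak access token."""
    claims = {"iss": iss, "sub": "constructed-user", "exp": exp,
              "roles": list(roles),  # the claim the thread's 'roles' mapper adds
              "realm_access": {"roles": list(roles)},
              "resource_access": {CLIENT_ID: {"roles": list(client_roles)}}}
    return encode_hs256(claims, secret)

if __name__ == "__main__":
    now = 1_700_000_000
    analyst = sample_token(["analyst"], exp=now + 300)
    for path in ("/reports/q3", "/admin/users", "/public/health", "/internal"):
        print(path, authorize(analyst, path, now=now))
```

The order of checks matters: the signature is verified before any claim is read, the algorithm is compared against a fixed value rather than trusted from the header (so an `alg: none` token is rejected), and a request for a path with no policy entry is denied rather than allowed through. The `required_roles` lookup takes the longest matching prefix, so `/admin` can be stricter than a broader `/` rule if one is added.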

