Tags: keycloak, api-gateway, kong, kong-plugin

Kong with Keycloak: authorization based on scope


I am looking to restrict user access based on scope. I am using the Kong API gateway; here is my Dockerfile used for adding the nokia kong-oidc plugin: https://github.com/nokia/kong-oidc

Dockerfile:

FROM kong:latest  
USER root
RUN apk update && apk add git unzip luarocks
RUN luarocks install kong-oidc  
USER kong

In the token, I am getting a scope like "openid profile email":

  "session_state": "8d408ace-4692-458c-a7d0-69b19c1ded11",
  "acr": "0",
  "allowed-origins": [
    "*"
  ],
  "scope": "openid profile email",

I am looking at how to restrict users based on whether a scope exists or not, as openid is the default one.


It's not working as expected. If myscope does not exist in the token, I am still able to log in.

Please help, thanks in advance!


Solution

  • With the OIDC plugin you won't be able to perform authentication; however, you can do authorization.

    You have to use the plugin: https://github.com/gbbirkisson/kong-plugin-jwt-keycloak

    It will parse the JWT token from the internal header x-access-token and, based on it, you can authenticate the user via scope, realm roles and client roles.

    Use this Dockerfile to add the plugin inside Kong:

    FROM kong:2.0.3-alpine
    
    LABEL description="Alpine + Kong 2.0.3 + kong-oidc plugin"
    
    ENV OIDC_PLUGIN_VERSION=1.1.0-0
    ENV JWT_PLUGIN_VERSION=1.1.0-1
    
    USER root
    RUN apk update && apk add git unzip luarocks
    RUN luarocks install kong-oidc
    
    RUN git clone https://github.com/PSheshenya/kong-oidc.git \
        && cd kong-oidc \
        && luarocks make
    
    RUN luarocks pack kong-oidc ${OIDC_PLUGIN_VERSION} \
         && luarocks install kong-oidc-${OIDC_PLUGIN_VERSION}.all.rock
    
    RUN git clone --branch 20200505-access-token-processing https://github.com/BGaunitz/kong-plugin-jwt-keycloak.git \
        && cd kong-plugin-jwt-keycloak \
        && luarocks make
    
    RUN luarocks pack kong-plugin-jwt-keycloak ${JWT_PLUGIN_VERSION} \
         && luarocks install kong-plugin-jwt-keycloak-${JWT_PLUGIN_VERSION}.all.rock
    
    USER kong
    

    You might also have to change the JWT-Keycloak plugin priority to 900 or less so that it starts execution after the OIDC plugin.
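The decision the answer describes (issuer allow-list plus required scopes checked against the token the OIDC plugin forwards) written out as an added example; this is not the plugin's own Lua code, and the issuer URL, the `allowed_iss`/`scope` option names and the unsigned test token are assumptions made here for illustration. Signature verification is deliberately left out: in Kong the jwt-keycloak plugin verifies the RS256 signature against Keycloak's JWKS before any claim check, and an unsigned token like the one built below must never be accepted by a real gateway.

```python
import base64
import json

# Constructed fixture: the access-token payload from the question, with an
# assumed issuer added. Unsigned, for demonstration only.
ASSUMED_ISSUER = "https://keycloak.example.com/auth/realms/demo"
SAMPLE_CLAIMS = {
    "iss": ASSUMED_ISSUER,
    "session_state": "8d408ace-4692-458c-a7d0-69b19c1ded11",
    "acr": "0",
    "allowed-origins": ["*"],
    "scope": "openid profile email",
}


def b64url(data: bytes) -> str:
    """base64url without padding, as used in compact JWT serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build header.payload.signature with an empty signature (test fixture only)."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Extract the payload of a compact JWT without verifying it
    (what a gateway does only AFTER the signature has been verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def authorize(claims: dict, allowed_iss: list, required_scopes: list) -> tuple:
    """Return (allowed, reason). Mirrors the check a scope-aware plugin makes
    from an issuer allow-list and a list of required scopes (assumed to
    correspond to the plugin's allowed_iss and scope options)."""
    if claims.get("iss") not in allowed_iss:
        return False, "issuer not allowed"
    # RFC 6749 section 3.3: the scope claim is one space-separated string.
    # Split it and compare whole tokens; a substring test such as
    # 'myscope' in claims['scope'] would wrongly accept "myscope-admin".
    granted = set(claims.get("scope", "").split())
    missing = [s for s in required_scopes if s not in granted]
    if missing:
        return False, "missing scope(s): " + " ".join(missing)
    return True, "ok"


def demo() -> dict:
    """Run the three cases from the question against the sample token."""
    claims = decode_claims(make_unsigned_jwt(SAMPLE_CLAIMS))
    results = {
        # Requiring only 'openid' is what lets every Keycloak user through.
        "openid only": authorize(claims, [ASSUMED_ISSUER], ["openid"]),
        # Requiring 'myscope' denies the token from the question.
        "myscope required": authorize(claims, [ASSUMED_ISSUER], ["myscope"]),
        # A token from another realm is rejected before scopes are looked at.
        "wrong issuer": authorize(claims, ["https://other.example/realms/x"], ["openid"]),
    }
    for name, (ok, why) in results.items():
        print(f"{name:18s} -> {'allow' if ok else 'deny'} ({why})")
    return results


if __name__ == "__main__":
    demo()
```

The point this makes concrete is the one in the question: a token that carries only the default "openid profile email" scopes passes any check that requires just "openid", so the plugin must be configured to require the custom scope (here "myscope"), and that scope must also be assigned to the client in Keycloak so it actually appears in the token.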