kong with keycloak Authorization based on scope
i am looking forward to restricting user access based on scope. i am using Kong API gateway here is my docker file used for adding nokia-oidc plugin. https://github.com/nokia/kong-oidc
docker file :
FROM kong:latest
USER root
RUN apk update && apk add git unzip luarocks
RUN luarocks install kong-oidc
USER kong
in token, i am getting scope like "openid profile email"
"session_state": "8d408ace-4692-458c-a7d0-69b19c1ded11",
"acr": "0",
"allowed-origins": [
"*"
],
"scope": "openid profile email",
i am looking how restrict used based on scope exist or not as openid is default one.
it's not working as expected. if myscope not exist in token still i am able to login.
please help thanks in advance...!
With OIDC plugin you won't be able to perform authentication however you can do authorization
You have to use plugin : https://github.com/gbbirkisson/kong-plugin-jwt-keycloak
Which will parse JWT token from internal header x-access-token and based on you can authenticate user via scope, realm role and client roles.
Use this docker to add plugin inside Kong
FROM kong:2.0.3-alpine
LABEL description="Alpine + Kong 2.0.3 + kong-oidc plugin"
ENV OIDC_PLUGIN_VERSION=1.1.0-0
ENV JWT_PLUGIN_VERSION=1.1.0-1
USER root
RUN apk update && apk add git unzip luarocks
RUN luarocks install kong-oidc
RUN git clone https://github.com/PSheshenya/kong-oidc.git \
&& cd kong-oidc \
&& luarocks make
RUN luarocks pack kong-oidc ${OIDC_PLUGIN_VERSION} \
&& luarocks install kong-oidc-${OIDC_PLUGIN_VERSION}.all.rock
RUN git clone --branch 20200505-access-token-processing https://github.com/BGaunitz/kong-plugin-jwt-keycloak.git \
&& cd kong-plugin-jwt-keycloak \
&& luarocks make
RUN luarocks pack kong-plugin-jwt-keycloak ${JWT_PLUGIN_VERSION} \
&& luarocks install kong-plugin-jwt-keycloak-${JWT_PLUGIN_VERSION}.all.rock
USER kong
you might also have to change JWT-Keyclaok plugin priority to 900 or less to start execution after OIDC plugin.
- Keycloak: REST url for custom endpoint
- Keycloak move from 23.0 to 24.0: Account is not fully set up [invalid_grant]
- Keycloak Add user's name in email theme template
- Refresh access_token via refresh_token in Keycloak
- What is the uma_authorization role in Keycloak?
- Do Keycloak Clients have a Client Secret?
- Keycloak empty h2 database
- Keycloak, not returning access token if update password action selected
- JWKS URI missing in JWT based on Keycloak Client
- Generate JWT Token in Keycloak and get public key to verify the JWT token on a third party platform
- Keycloak: Access token validation end point
- keycloak-angular with standalone components this._instance undefined causing TypeError on login()
- Keycloak-gatekeeper: 'aud' claim and 'client_id' do not match
- Iss claim not valid Keycloak
- React app navigation after authentication via keycloak
- How to load initial realm in keycloak server with docker?
- Keycloak lost admin password
- Second login with remote IdP through Keycloak fails, "Invalid username or password"
- Spring boot application won't start after adding keycloak integration
- Error "Session doesn't have required client" when using refresh token to renew an access token in Keycloak with React public client having useEffect
- React nextjs app with next-auth in docker: connection refused 127.0.0.1
- Use variable in Keycloak email subject
- Keycloak Account API returns Unauthorized 401 with token from user logged in via my spring client
- Best Practices for Associating userId (from JWT) with Google OAuth Tokens
- How to keep the realms, users and roles in Keycloak to be persisted when using docker and docker compose to run it
- Keycloak not accepting a/any custom LoginFormsProviders
- keycloak token introspection always fails with {"active":false}
- Enable "Extend to children" doesn't work - Keycloak UI
- Role-based authentication not working with Keycloak and Java Spring
- Keycloak error on console " violating Content Security Policy directive: "frame-ancestors 'self'"