kong with keycloak Authorization based on scope
i am looking forward to restricting user access based on scope. i am using Kong API gateway here is my docker file used for adding nokia-oidc plugin. https://github.com/nokia/kong-oidc
docker file :
FROM kong:latest
USER root
RUN apk update && apk add git unzip luarocks
RUN luarocks install kong-oidc
USER kong
in token, i am getting scope like "openid profile email"
"session_state": "8d408ace-4692-458c-a7d0-69b19c1ded11",
"acr": "0",
"allowed-origins": [
"*"
],
"scope": "openid profile email",
i am looking how restrict used based on scope exist or not as openid is default one.
it's not working as expected. if myscope not exist in token still i am able to login.
please help thanks in advance...!
With OIDC plugin you won't be able to perform authentication however you can do authorization
You have to use plugin : https://github.com/gbbirkisson/kong-plugin-jwt-keycloak
Which will parse JWT token from internal header x-access-token and based on you can authenticate user via scope, realm role and client roles.
Use this docker to add plugin inside Kong
FROM kong:2.0.3-alpine
LABEL description="Alpine + Kong 2.0.3 + kong-oidc plugin"
ENV OIDC_PLUGIN_VERSION=1.1.0-0
ENV JWT_PLUGIN_VERSION=1.1.0-1
USER root
RUN apk update && apk add git unzip luarocks
RUN luarocks install kong-oidc
RUN git clone https://github.com/PSheshenya/kong-oidc.git \
&& cd kong-oidc \
&& luarocks make
RUN luarocks pack kong-oidc ${OIDC_PLUGIN_VERSION} \
&& luarocks install kong-oidc-${OIDC_PLUGIN_VERSION}.all.rock
RUN git clone --branch 20200505-access-token-processing https://github.com/BGaunitz/kong-plugin-jwt-keycloak.git \
&& cd kong-plugin-jwt-keycloak \
&& luarocks make
RUN luarocks pack kong-plugin-jwt-keycloak ${JWT_PLUGIN_VERSION} \
&& luarocks install kong-plugin-jwt-keycloak-${JWT_PLUGIN_VERSION}.all.rock
USER kong
you might also have to change JWT-Keyclaok plugin priority to 900 or less to start execution after OIDC plugin.
- Keycloak + SPA as client (Vue) + Spring Cloud Gateway as resource server + Spring Boot Microservices
- Use Keycloak Spring Adapter with Spring Boot 3
- KeyCloak - How to add Role's attribute into a user JWT (Access Token)?
- Keycloak - Client Roles - Retrieve custom attributes
- Configure Keycloak OTP via Administration REST API
- Blazor Hosted WebAssembly with Keycloak and Basic Authentication Issue
- KeyCloak Integration with Azure B2C UserName Mapping Issue
- Keycloak: Not able to load admin GUI/console
- Keycloak retrieve custom attributes to KeycloakPrincipal
- Keycloak SSL setup using docker image
- How to change keycloak jvm arguments via CLI in standalone configuration
- Logout from next-auth with keycloak provider not works
- Cannot find module 'keycloak-js/authz' while import with TypeScript
- How to bypass keycloak login page and provide client suggested idp with spring security
- Keycloak Custom message on user temporary lock
- Angular - Spring Boot - Keycloak - 401 Error
- Spring Security + Keycloak (with self signed certs) - How do you disable hostname verification?
- Keycloak, not returning access token if update password action selected
- Keycloack Custom Identity provider
- Keycloak lost admin password
- How to make keycloak sessions survive server restarts or upgrades?
- How can I authenticate using the token exchange grant type for impersonation with spring boot and keycloak?
- Keycloak Realm VS Keycloak Client
- retrieve google refresh token in keycloak
- Request header field sentry-trace is not allowed by Access-Control-Allow-Headers in preflight response
- What's the relationship between Keycloak SSO Session Idle Time and Spring Session Timeout?
- Keycloak and Spring Boot web app in dockerized environment
- NuxtJS + keycloak-js: frontend doesn't render the correct value
- Keycloak admin console loading indefinitely
- Keycloak SPI to update password with condition