Tags: spring-boot, keycloak, openid-connect, kong, kong-plugin

Using Kong API Gateway key-auth plugin with Keycloak-protected REST APIs


My setup is as follows:

  1. REST APIs (Spring Boot)
  2. Front-end application (Angular 8)
  3. Auth Server (Keycloak)

Current scenario:

  1. User enters the username and password on the Angular login page.
  2. Angular makes a POST request and gets the access token, refresh token, etc. from the Keycloak server.
  3. In all subsequent requests to the REST API server (which is bearer-only), the access token is passed in the header as "Authorization: Bearer <ACCESS_TOKEN>".
  4. The REST API looks at the role of the user and, based on that, either returns the desired data or throws a 403 Forbidden exception.

What I want: To authenticate external users using an api-key and then add rate-limiting to it. For that, I am using Kong API Gateway. For internal or trusted users that log in through the Angular app, the existing access token flow should work.

Issue: When using an apikey in Kong, the request does pass Kong's authentication, but the REST API server still expects an access token and hence I get a 401 Unauthorized error.


Solution

  • I found the solution for this. Basically you need to configure an anonymous consumer and enable multiple authentication methods using Kong's key-auth plugin for api-key based security and the openid-connect plugin for Keycloak-based security.

    For those who don't have Kong Enterprise, since the openid-connect plugin is not open source, you can configure just the key-auth plugin with anonymous access enabled and then handle the Keycloak-based authentication in your REST application.
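What the anonymous-consumer setup described in the answer looks like as a Kong declarative (decK-style) configuration, added here as an illustration rather than the answerer's own config. The service URL, consumer names, the sample api-key, the Keycloak issuer URL and the client credentials are placeholders; the openid-connect block applies only to Kong Enterprise, and the field names there are taken from that plugin's reference and should be checked against your Kong version.

```yaml
_format_version: "2.1"

consumers:
  # Placeholder consumer that Kong assigns when no valid apikey is present.
  # Requests handled under it reach the upstream with "X-Anonymous-Consumer: true",
  # which is what the Spring Boot app can use to decide that a bearer token is required.
  - username: anonymous
  # External (api-key) consumer. The rate-limiting plugin is attached to this consumer
  # only, so trusted Keycloak users on the anonymous path are not counted in its bucket.
  - username: external-partner
    keyauth_credentials:
      - key: CONSTRUCTED-SAMPLE-KEY-replace-me
    plugins:
      - name: rate-limiting
        config:
          minute: 60
          policy: local

services:
  - name: orders-api
    url: http://spring-api:8080   # assumed upstream; it must be reachable only through Kong,
    routes:                       # otherwise the X-Consumer-* headers cannot be trusted
      - name: orders
        paths: ["/api"]
    plugins:
      - name: key-auth
        config:
          key_names: ["apikey"]
          hide_credentials: true      # strip the apikey before forwarding upstream
          anonymous: anonymous        # consumer username to fall back to on missing/invalid key
      # Kong Enterprise only: validates the Keycloak bearer token at the gateway.
      # Both plugins share the same anonymous consumer, so whichever one authenticates
      # the request wins and a request carrying neither credential ends up anonymous.
      - name: openid-connect
        config:
          issuer: https://keycloak.example/auth/realms/demo/.well-known/openid-configuration
          client_id: ["kong"]
          client_secret: ["CONSTRUCTED-SAMPLE-SECRET-replace-me"]
          auth_methods: ["bearer"]
          anonymous: anonymous
```

Without the openid-connect plugin, key-auth still lets the "Authorization: Bearer ..." header pass through untouched, so the REST application keeps validating Keycloak tokens and simply requires one whenever "X-Anonymous-Consumer: true" is present.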