I have a few microservices that validate and identify the user using Keycloak as below
I now want to place the Apache APISIX API Gateway before the microservices.
Apache APISIX has a plugin for Keycloak. Can the plugin do the following such that the validation is removed from all the microservices?
access_token from the user
Note
This article gives details on how to integrate the Keycloak plugin such that the user will have to authenticate using Keycloak (using a single Keycloak client_id and client_secret). In my case, however, each user will have a different client_id and client_secret.
Can the plugin do the following such that the validation is removed from all the microservices?
Yes, it can. Apache APISIX can validate the access_token and can also add the user_info and id_token to the upstream.
For more details, you can refer to the plugin docs of Apache APISIX: https://apisix.apache.org/docs/apisix/plugins/openid-connect
In my case, however, each user will have a different client_id and client_secret.
Now, Apache APISIX doesn't support setting more than one client id of openid-connect in a route. Maybe you can create more routes, one route for each client, and use Host to distinguish them?
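The route-per-client layout suggested in the answer above, sketched as an added example (not code from the original answer or from the APISIX project): it builds one Admin API route object per Keycloak client, selected by Host, with the openid-connect plugin validating bearer tokens and forwarding user info upstream. The hosts, realm, client ids, secrets, upstream node and route ids are constructed placeholders, and the Keycloak URL paths assume a `/realms/<realm>/` layout.

```python
import json

# Constructed sample values: hosts, realm, client ids and secrets are placeholders.
OIDC_BASE = "https://keycloak.example.com/realms/demo"
CLIENTS = [
    {"host": "tenant-a.api.example.com", "client_id": "tenant-a", "client_secret": "<secret-a>"},
    {"host": "tenant-b.api.example.com", "client_id": "tenant-b", "client_secret": "<secret-b>"},
]


def build_route(client, oidc=OIDC_BASE):
    """Return (route_id, body) for one Keycloak client; body is the Admin API route object."""
    if not oidc.startswith("https://"):
        raise ValueError("Keycloak endpoints must use https")
    plugin = {
        "client_id": client["client_id"],
        "client_secret": client["client_secret"],
        "discovery": f"{oidc}/.well-known/openid-configuration",
        "introspection_endpoint": f"{oidc}/protocol/openid-connect/token/introspect",
        "bearer_only": True,           # API route: no login redirect, token required
        "ssl_verify": True,            # verify Keycloak's TLS certificate
        "set_userinfo_header": True,   # forward user info to the upstream
        "set_id_token_header": True,
        "set_access_token_header": True,
    }
    body = {
        "uri": "/*",
        "host": client["host"],        # the Host header selects this client's route
        "plugins": {"openid-connect": plugin},
        "upstream": {"type": "roundrobin", "nodes": {"127.0.0.1:8080": 1}},
    }
    return f"oidc-{client['client_id']}", body


def build_routes(clients):
    """One route per client; refuse two clients that claim the same Host."""
    routes, seen = {}, set()
    for client in clients:
        if client["host"] in seen:
            raise ValueError(f"duplicate host {client['host']}")
        seen.add(client["host"])
        route_id, body = build_route(client)
        routes[route_id] = body
    return routes


if __name__ == "__main__":
    for route_id, body in build_routes(CLIENTS).items():
        print(route_id, json.dumps(body, indent=2))
```

In a real deployment the client secrets would be read from a secret store rather than embedded in the script.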