
We are using keycloak to handle authentication (client/secret) in our API Gateway.

The Kong api service uses konnect-managed-plugin to refer to keycloak to authenticate client credentials and return a bearer token.

Future calls to other endpoints use oauth2-introspection to verify the bearer token via keycloak introspection

I almost have this working however, when I authenticate via Kong api gateway, it returns a bearer token, but this token fails introspection.

If I auth straight to keycloak, the bearer token works for introspection.

e.g.

Token from: http://kongapigateway.domain/getOAuthToken

  • NOTE: We have not yet set up ssl on the kong api gateway

Returns:

{"access_token":"ey..ZiUQyw","expires_in":900,"refresh_expires_in":0,"token_type":"Bearer","not-before-policy":0,"scope":"email profile"}

Calling api endpoint in kong that uses introspection fails: http://kongapigateway.domain/bookings

{
    "error_description": "The access token is invalid or has expired",
    "error": "invalid_token"
}

Direct call to keycloak introspection also fails: https://keycloak.domain/auth/realms/{Realms}/protocol/openid-connect/token/introspect

{
    "active": false
}

However if I get token direct from keycloak server: https://keycloak.domain/auth/realms/{Realms}/protocol/openid-connect/token

{"access_token":"eyJhb...4lT8w","expires_in":900,"refresh_expires_in":0,"token_type":"Bearer","not-before-policy":0,"scope":"email profile"}

The token works for both endpoints: http://kongapigateway.domain/bookings and https://keycloak.domain/auth/realms/{Realms}/protocol/openid-connect/token/introspect

So why doesn't the introspection work for the token returned in the first scenario?

Johan Poot
  • Have you checked the content of the token using https://jwt.io/ for example ? – Ôrel Jan 27 '22 at 08:22
  • Thanks. I checked the token and the token that fails has an ip address for the issuer server. The one that works has keycloak.domain for host. I assume this is the issue? Is there a way to configure issuing server in keycloak? Or in KONG? – Johan Poot Jan 27 '22 at 21:36
  • Nevermind. Thank you Orel ! I was able to fix by setting Realm Frontend url to desired host name. – Johan Poot Jan 27 '22 at 21:44

1 Answer


You can fix this by setting Keycloak's frontend URL to your public URL. For details please refer to my answer to another but similar question.

sventorben
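As an added diagnostic example (not code from the question or the answer above): the comments found the root cause by reading the token's `iss` claim, so this script decodes a JWT payload without verifying it and compares `iss` against the issuer Keycloak derives from its frontend URL (`<frontend URL>/realms/<realm>`, matching the `/auth/realms/{Realms}` paths on this page). The realm name `demo` and the IP-based issuer are constructed placeholders, and the sample tokens are built unsigned purely for the demonstration.

```python
import base64
import json
from typing import Tuple


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    # Reads the payload only. The signature is NOT checked here: this is a
    # diagnostic for inspecting claims, not a replacement for introspection.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def expected_issuer(frontend_url: str, realm: str) -> str:
    # Keycloak's issuer is the frontend URL plus /realms/<realm>.
    return f"{frontend_url.rstrip('/')}/realms/{realm}"


def check_issuer(token: str, frontend_url: str, realm: str) -> Tuple[bool, str, str]:
    # Returns (matches, issuer_in_token, issuer_expected) so a mismatch can be reported.
    iss = jwt_claims(token).get("iss", "")
    want = expected_issuer(frontend_url, realm)
    return iss == want, iss, want


def make_demo_token(iss: str) -> str:
    # Constructed, unsigned sample token (signature segment is a dummy);
    # used only to exercise the check above.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iss": iss, "typ": "Bearer", "scope": "email profile"}
    return f"{enc(header)}.{enc(payload)}.dummysig"


if __name__ == "__main__":
    # Token minted through the gateway carried an IP-based issuer (placeholder IP).
    bad = make_demo_token("http://10.0.0.5:8080/auth/realms/demo")
    good = make_demo_token("https://keycloak.domain/auth/realms/demo")
    for tok in (bad, good):
        ok, got, want = check_issuer(tok, "https://keycloak.domain/auth", "demo")
        print("OK " if ok else "MISMATCH", "iss =", got, "expected", want)
```

Introspection returns `"active": false` whenever the token's `iss` differs from the realm's own issuer, which is exactly what the comments observed once the gateway-minted token was decoded.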