1

I have a few microservices that validate and identify the user using Keycloak as below

enter image description here

I now want to place the Apache APISIX API Gateway before the microservices.

Apache APISIX has a plugin for Keycloak. Can the plugin do the following such that the validation is removed from all the microservices?

  • Validate the access_token from the user
  • If valid, forward the request to the microservice

enter image description here

Note

This article gives details on how to integrate the Keycloak plugin such that the user will have to authenticate using Keycloak (using a single Keycloak client_id and client_secret). In my case, however, each user will have a different client_id and client_secret.

Sahil Khanna
  • 4,262
  • 8
  • 47
  • 72

1 Answers1

2

Can the plugin do the following such that the validation is removed from all the microservices?

Yes, it can. The Apache APISIX can validate the access_token, also can add the user_info, id_token to the upstream. For more details, you can refer to the plugin docs of Apache APISIX. https://apisix.apache.org/docs/apisix/plugins/openid-connect.

In my case, however, each user will have a different client_id and client_secret.

Now, Apache APISIX doesn't support setting more than one client id of openid-connect in a route.Maybe you can create more routes, each route for each client? And use Host to distinguish them.

Peter Zhu
  • 36
  • 1
  • Thanks for the response. This works as expected. Moreover, the openid-connect plugin authenticates `access_token` generated using different `client_id` and `client_secret` – Sahil Khanna Mar 24 '22 at 10:55