I have an API running locally: http://localhost:8081/myapi. I have configured nginx and Keycloak running on the same host. I have created a user and client in Keycloak and want all calls coming to my API to be validated by calling Keycloak. I want to use Basic Auth.
Here are the relevant sections of my nginx.conf file:
my webservice (API)
    upstream myws {
        server localhost:8081;
        keepalive 50;
    }
my Keycloak
    upstream kc {
        server localhost:8080;
        keepalive 50;
    }
my authentication block
    location /myauth {
        internal;
        proxy_pass_request_headers off;
        proxy_set_header Authorization $http_authorization;
        proxy_set_header Accept "application/json";
        proxy_set_header Content-Type "application/x-www-form-urlencoded";
        proxy_method POST;
        proxy_set_body "grant_type=password&username=<username>&password=<password>&scope=openid";
        proxy_pass_request_body on;
        proxy_pass http://kc/auth/realms/master/protocol/openid-connect/token;
        #proxy_pass http://kc/auth/realms/master/protocol/openid-connect/token/introspect;
        #proxy_pass http://kc/auth/realms/master/protocol/openid-connect/auth;
    }
my API location
    location /myapi/ {
        auth_request /myauth;
        .
        .
        .
    }
Any call to myAPI results in a POST to Keycloak, but even after hardcoding the username and password, I get an authentication failure due to invalid client credential. I have verified that the username/password I am passing with the API matches the one created in Keycloak.
Here is my client setting for Keycloak (not sure if I even require this):
From PCAPs I can see the following data being sent to Keycloak.
Whenever I call my API I get this error message:
WARN [org.keycloak.events] (executor-thread-7) type=LOGIN_ERROR, realmId=master, clientId=<username>, userId=null, ipAddress=127.0.0.1, error=invalid_client_credentials, grant_type=password
I have tried everything, but due to lack of knowledge of how exactly Keycloak works in these situations, I am unable to make any progress.
What am I missing here? This seems to be a very simple use-case, but I have been stuck on this for a long time. Can anyone please help?
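
An added example, not part of the original post: RFC 6749 lets a token endpoint read client credentials from an HTTP Basic `Authorization` header (section 2.3.1), while the password grant carries the end user's credentials in the form body (section 4.3.2), which is consistent with the `clientId=<username>` in the log line above. The Python below models that parsing for the request the `/myauth` block forwards and for one rebuilt with the client in the header; `alice`, `s3cret`, `my-api-client` and `client-secret` are constructed placeholder values, and the function names are hypothetical.

```python
import base64
from urllib.parse import parse_qs, urlencode

def basic(ident, secret):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{ident}:{secret}".encode()).decode()

def split_basic(header):
    """Decode 'Basic <b64>' into (id, secret); reject anything else."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token.strip(), validate=True).decode()
    ident, sep, secret = decoded.partition(":")  # secret may itself contain ':'
    if not sep:
        raise ValueError("missing ':' separator")
    return ident, secret

def as_token_endpoint_reads(authorization, body):
    """Model of RFC 6749 parsing: client from the header, resource owner from the body."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    client_id = split_basic(authorization)[0] if authorization else form.get("client_id")
    return {"client_id": client_id, "username": form.get("username"),
            "grant_type": form.get("grant_type")}

def password_grant_request(caller_authorization, client_id, client_secret):
    """Move the caller's Basic credentials into the body; authenticate the client in the header."""
    username, password = split_basic(caller_authorization)
    body = urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": "openid"})
    return basic(client_id, client_secret), body

# Constructed sample values (not taken from the post).
CALLER = basic("alice", "s3cret")
FORWARDED_BODY = "grant_type=password&username=alice&password=s3cret&scope=openid"

if __name__ == "__main__":
    # Request as forwarded by /myauth: the end user lands in the client slot.
    print(as_token_endpoint_reads(CALLER, FORWARDED_BODY))
    # Rebuilt request: client in the header, end user in the body.
    hdr, body = password_grant_request(CALLER, "my-api-client", "client-secret")
    print(as_token_endpoint_reads(hdr, body))
```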