Kong and Keycloak JWT


#1

We have been evaluating Kong for fronting our APIs and so far it's been great.

Need some pointers on making Kong work with Keycloak. The authentication with a JWT is working fine.

Keycloak sends a resource_access attribute which is based on a LDAP group membership. For example:

    "resource_access": {
      "account": {
        "roles": [
          "team-1",
          "team-2",
          "team-3"
        ]
      }
    }

Is there a way for Kong to read these attributes from the JWT token and allow/deny access to an API?

Thanks.


#2

We had a related use case, where we needed to get the user login id from the JWT and pass it to the API.
We made a small change to the JWT plugin to do this.
Your use case should be kind of similar and if not maybe the code will help you anyway.

There is a downside to doing this. Because the plugin is not in a separate project, you have to fork and modify the main Kong project.

You can find the code here:

Pull Request:

Hope this helps.


#3

Thank you. Will take a look at this.


#4

Fairly certain it would be possible to modify the Kong OIDC plugin to do this. That will get you away from having to fork Kong.
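An added example of the approach discussed in #1 (allow/deny on `resource_access` roles) and #2 (forwarding the login id upstream), written here as a stand-alone custom Kong plugin rather than a fork of the bundled `jwt` plugin. This is illustrative code, not from this thread, Kong or Keycloak; the plugin name `jwt-role-check`, the config fields `client_id` and `required_roles`, the priority value and the `X-User-Id` header name are all assumptions. It relies on the bundled `jwt` plugin (priority 1005) having already verified the signature on the same route, so it only decodes claims and makes the authorization decision; without the `jwt` plugin in front of it, the roles it reads are unverified.

```lua
-- schema.lua for the hypothetical "jwt-role-check" plugin (example, not Kong's code)
local typedefs = require "kong.db.schema.typedefs"

local schema = {
  name = "jwt-role-check",
  fields = {
    { protocols = typedefs.protocols_http },
    { config = {
        type = "record",
        fields = {
          -- Keycloak nests roles per client under resource_access, so the
          -- client id selects which role list is checked ("account" in post #1).
          { client_id = { type = "string", required = true, default = "account" } },
          -- Any one of these roles grants access (assumed semantics).
          { required_roles = { type = "array", elements = { type = "string" }, required = true } },
        },
    } },
  },
}

-- handler.lua for the same plugin
-- Reuses Kong's own JWT parser for decoding only; signature verification is
-- done by the bundled jwt plugin, which must run first on the route.
local jwt_decoder = require "kong.plugins.jwt.jwt_parser"

local JwtRoleCheck = {
  PRIORITY = 900,     -- assumed: below jwt (1005) so it runs after authentication
  VERSION = "0.1.0",
}

-- Extract the bearer token from the Authorization header, or nil.
local function get_bearer_token()
  local auth = kong.request.get_header("Authorization")
  if not auth then
    return nil
  end
  return auth:match("^[Bb]earer%s+(.+)$")
end

-- Build a set of the roles granted to `client_id` in the resource_access claim.
-- Missing or malformed claims yield an empty set, i.e. deny by default.
local function roles_for(claims, client_id)
  local granted = {}
  local entry = type(claims) == "table"
    and type(claims.resource_access) == "table"
    and claims.resource_access[client_id]
  if type(entry) == "table" and type(entry.roles) == "table" then
    for _, role in ipairs(entry.roles) do
      granted[role] = true
    end
  end
  return granted
end

function JwtRoleCheck:access(conf)
  local token = get_bearer_token()
  if not token then
    return kong.response.exit(401, { message = "missing bearer token" })
  end

  local jwt, err = jwt_decoder:new(token)
  if err then
    return kong.response.exit(401, { message = "invalid token" })
  end

  local granted = roles_for(jwt.claims, conf.client_id)
  for _, required in ipairs(conf.required_roles) do
    if granted[required] then
      -- Post #2's use case: hand the login id to the upstream service.
      -- preferred_username is the standard Keycloak claim for the login name.
      if type(jwt.claims.preferred_username) == "string" then
        kong.service.request.set_header("X-User-Id", jwt.claims.preferred_username)
      end
      return
    end
  end

  return kong.response.exit(403, { message = "insufficient role" })
end

return JwtRoleCheck
```

Deploy it like any custom plugin (`plugins = bundled,jwt-role-check` in `kong.conf`, files under `kong/plugins/jwt-role-check/`), enable `jwt` and then `jwt-role-check` on the route with, for example, `config.client_id=account` and `config.required_roles=team-1`. The decision is deny-by-default: an absent `resource_access`, a different client id, or a non-array `roles` value all produce a 403, and the upstream only sees `X-User-Id` on requests that passed the role check.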