Kong and Keycloak JWT

We have been evaluating Kong for fronting our APIs and so far its been great.

Need some pointers on making Kong work with Keycloak. The authentication with a JWT is working fine.

Keycloak sends a ream_access attribute which is based on a LDAP group membership. For example;

“resource_access”: {
“account”: {
“roles”: [

Is there a way for Kong to read these attributes from the JWT token and allow/deny access to an API?


We had a related use case, were we needed to get the user login id from the JWT and pass it to the API.
We made a small change to the JWT plugin to do this.
Your use case should be kind of similar and if not maybe the code will help you anyway.

There is a down side to doing this. Because the plugin is not in a separate project, you have to fork and modify the main king project.

You can find the code here:

Pull Request:

Hope this helps.

Thank you. Will take a look at this.

Fairly certain it would be possible to modify the Kong OIDC plugin to do this. That will get you away from having to fork Kong.