Kong and Keycloak JWT

pmb · November 7, 2018, 3:17am

We have been evaluating Kong for fronting our APIs and so far its been great.

Need some pointers on making Kong work with Keycloak. The authentication with a JWT is working fine.

Keycloak sends a ream_access attribute which is based on a LDAP group membership. For example;

“resource_access”: {
“account”: {
“roles”: [
“team-1”,
“team-2”,
“team-3”
]
}
}

Is there a way for Kong to read these attributes from the JWT token and allow/deny access to an API?

Thanks.

Stefan_Badenhorst · November 12, 2018, 4:09pm

We had a related use case, were we needed to get the user login id from the JWT and pass it to the API.
We made a small change to the JWT plugin to do this.
Your use case should be kind of similar and if not maybe the code will help you anyway.

There is a down side to doing this. Because the plugin is not in a separate project, you have to fork and modify the main king project.

You can find the code here:

Pull Request:

Hope this helps.

pmb · November 12, 2018, 10:30pm

Thank you. Will take a look at this.

jerney · November 20, 2018, 2:35pm

Fairly certain it would be possible to modify the Kong OIDC plugin to do this. That will get you away from having to fork Kong.

Topic		Replies	Views
Kong - Keycloak - Authorization	1	502	February 25, 2021
Keycloak integration Questions	1	2287	February 1, 2018
Kong keycloak integration not working Installation/Setup	1	289	November 17, 2023
Kong plugin to integrate with custom authentication service and issue oauth access token Questions	0	759	April 29, 2019
Kong OIDC - Handling routing for Authenticated and Non-Authenticated REST Services Questions	0	474	July 22, 2019

Kong and Keycloak JWT

Related Topics