How to connect Zuul and Keycloak for single sign-on - spring-cloud

I need to connect Zuul and Keycloak. But my issue is that I am not getting any idea or code. I need the API gateway to call Keycloak and get the access token, and then from the API gateway again validate the access token and call the requested API.

Related

Keycloak with API gateway: Invalid bearer token

I am trying to use Keycloak behind an API gateway (Apache APISIX).
I use minikube to run Keycloak and my API gateway.
The gateway is working right, and Keycloak too:
With Keycloak, I can use the different endpoints (use the discovery endpoint (http://127.0.0.1:7070/auth/realms/myrealm/.well-known/uma2-configuration), ask for an access token and verify it).
With APISIX, and a simple route, I can reach a backend microservice on my minikube.
(Typically: http://127.0.0.1:80/greeting is served by the gateway, which routes the request to the right backend microservice.)
The problem occurs when I try to use the two tools together. I have used the Keycloak integration in order to force the user to use a valid token when he is using a route served by the gateway.
In this case, when I use a valid bearer token (I get it and verify it with the Keycloak endpoint), and I try to request the backend via the API gateway with the verified bearer token, I systematically get an "Invalid bearer token" exception.
{"error":"invalid_grant","error_description":"Invalid bearer token"}
I think the integration settings are correct because I am sure that the gateway calls Keycloak to verify the token.
Here are the Keycloak endpoints I have used to get and verify the token:
Get token: http://127.0.0.1:7070/auth/realms/myrealm/protocol/openid-connect/token
Verify: http://127.0.0.1:7070/auth/realms/myrealm/protocol/openid-connect/token/introspect
I have seen some posts about problems when Keycloak is behind a reverse proxy, but I don't find a clear solution to my case.
Thanks for any help you can bring to me.
Regards
CG
I think there are these ways you can do it.
First, I think you can check the log of Apache APISIX.
Second, you can check the log of Keycloak.
Third, you can use tcpdump or Wireshark to capture the request that Apache APISIX sends to Keycloak, and diff the request sent by APISIX against the one sent by curl.
Looking forward to your reply.

How to use JWT Auth0 token for Cloud Run Service to Service communication if the Metaserver Token is overriding the Auth0 Token

Prerequisites
I have two Cloud Run services, a frontend and a backend. The frontend is written in Vue.js/Nuxt.js and therefore uses a Node backend. The backend is written in Kotlin with Spring Boot.
Problem
To have authenticated internal communication between the frontend and the backend I need to use a token that is fetched from the Google metaserver. This is documented here: https://cloud.google.com/run/docs/authenticating/service-to-service#java
I did set it all up and it works.
For my second layer of security I integrated the Auth0 authentication provider both in my frontend and my backend. In my frontend a user can log in. The frontend is calling the backend API. Since only authorized users should be able to call the backend, I integrated Spring Security to secure the backend API endpoints.
Now the backend verifies that the token of the caller's request is valid before allowing it to pass on to the API logic.
However, this theory does not work. And that is simply because I delegate the API calls through the Node backend proxy. The proxy logic, however, is already applying a token to the request to the backend: it is the Google metaserver token. So let me illustrate that:
Client (Browser) -> API Request with Auth0 Token -> Frontend Backend Proxy -> Overriding Auth0 Token with Google Metaserver Token -> Calling Backend API
Since the backend is receiving the metaserver token instead of the Auth0 Token it can never successfully authorize the API call.
Question
Due to the fact that I was not able to find any articles about this problem, I wonder if it's simply because I am doing it basically wrong.
What do I need to do to have valid Cloud Run service-to-service communication (guaranteed by the metaserver token) but at the same time have a secured backend API with Auth0 authorization?
I see two workarounds to make this happen:
Authorize the API call in the Node backend proxy logic
Make the backend service publicly available so that the metaserver token is unnecessary
I don't like either of the above, especially the latter one. I would really like to have it working with my current setup, but I have no idea how. There is no such thing as multiple authorization tokens, right?
OK, I figured out a third way to have de-facto internal service-to-service communication.
To omit the metaserver token authentication but still restrict access from the internet, I did the following for my backend Cloud Run service:
This makes the service available from the internet however the ingress is preventing any outsider from accessing the service. The service is available without IAM but only for internal traffic.
So my frontend is calling the backend API now via the Node backend proxy. Even though the frontend Node backend and the backend service are both somewhat "in the cloud", they do not share the same "internal network". In fact, the frontend Node backend requests would be redirected via egress to the internet and call the backend service just like any other internet user would do.
To make it work "like it is coming from internal" you have to do something similar to a VPN, but it's called VPC (Virtual Private Cloud). And luckily that is very simple. Just create a VPC Connector in GCP.
BUT be sure to create a so-called Serverless VPC Access (Connector). Explained here: https://cloud.google.com/vpc/docs/serverless-vpc-access
After the Serverless VPC Access has been created you can select it in your Cloud Run service "Connection" settings. For the backend service it can simply be selected. For the frontend service, however, it is important to select the second option:
At least that is important in my case, since I am calling the backend service by its assigned service URL instead of a private IP.
After all that is done, my JWT token from the frontend is successfully delivered to the backend API without being overwritten by a metaserver token.

Kubernetes Service account authentication in Postman

I have a Kubernetes cluster and I have my application deployed in the pods. There is an endpoint URL of my application which I use to send POST requests from Postman. I need to provide some level of authentication to my URL. I read about service account authentication using the JWT token.
How can I achieve the same feature in Postman?
I tried creating a new service account and took the secret and the associated JWT token as the Bearer token in Postman. But it is not giving any kind of authentication.
https://medium.com/better-programming/k8s-tips-using-a-serviceaccount-801c433d0023
I can't directly answer your question, but what comes to my mind is that Istio supports token-based end-user authentication with JSON Web Tokens.
You should understand I haven't tried to do that, but this looks very promising to me: Istio End-User Authentication for Kubernetes using JSON Web Tokens (JWT) and Auth0
And to test the JWT-based authentication and authorization workflow they use exactly Postman, as you prefer.

Access AWS API Gateway using an access token from IdentityServer

We have our identity server implemented using IdentityServer
https://github.com/IdentityServer/IdentityServer3
or
https://github.com/IdentityServer/IdentityServer4
And the user will authenticate and get the access token from the identity server. We have some APIs developed in AWS API Gateway. Just wondering what the common practice is to implement authentication/authorization in AWS API Gateway. We would prefer to use the existing access token from the identity server in the API gateway.
You will need to configure a custom authorizer on your API Gateway. The custom authorizer will use a Lambda function to validate the access token. You will need to configure the Lambda function to validate according to your token. Here are some resources to help you configure the API Gateway custom authorizer with a Lambda function:
Use API Gateway Lambda Authorizers
Custom Authorizers in API Gateway and Lambda

Keycloak authorization service for a REST application without the Keycloak adapter

I was checking the Keycloak authorization service to implement an authorization service for a few of the REST endpoints which do not have the Keycloak adapter implemented.
From the Keycloak quickstart examples it looks like the authorization service is only supported for endpoints which have the Keycloak adapter implemented.
Has anyone tried to perform Keycloak authentication on a REST request before the request actually goes to that server?
The REST endpoints are written in Node.js and I can't implement the adapter in Node.js because it is not maintained by us. :)