Reputation: 21
I have the keycloak bitnami chart and krakend deployed in k8s. I also have a test api, and I want to be authenticated before accessing it. I'm able to get a valid jwt token from keycloak, but when I try to access my api through krakend, it returns a 401 error. Any help is really appreciated.
Software versions: keycloak: 16.1.1 krakend: 2.0.4
{
  "$schema": "https://www.krakend.io/schema/v3.json",
  "version": 3,
  "timeout": "3000ms",
  "cache_ttl": "300s",
  "output_encoding": "json",
  "port": 8080,
  "endpoints": [
    {
      "endpoint": "/mock/parents/{id}",
      "method": "GET",
      "input_headers": [
        "Authorization"
      ],
      "extra_config": {
        "auth/validator": {
          "alg": "RS256",
          "jwk-url": "http://keycloak-headless:8080/auth/realms/master/protocol/openid-connect/certs",
          "disable_jwk_security": true,
          "roles_key_is_nested": true,
          "roles_key": "realm_access.roles",
          "roles": ["test-app-parent"],
          "operation_debug": true
        }
      },
      "output_encoding": "json",
      "concurrent_calls": 1,
      "backend": [
        {
          "url_pattern": "/parents/{id}",
          "encoding": "json",
          "sd": "static",
          "extra_config": {},
          "host": [
            "http://testapp-service:8400"
          ],
          "disable_host_sanitize": false,
          "blacklist": [
            "super_secret_field"
          ]
        },
        {
          "url_pattern": "/siblings/{id}",
          "encoding": "json",
          "sd": "static",
          "extra_config": {},
          "host": [
            "http://testapp-service:8400"
          ],
          "blacklist": [
            "sibling_id"
          ],
          "group": "extra_info",
          "disable_host_sanitize": false
        },
        {
          "url_pattern": "/parents/{id}/children",
          "encoding": "json",
          "sd": "static",
          "extra_config": {},
          "host": [
            "http://testapp-service:8400"
          ],
          "disable_host_sanitize": false,
          "mapping": {
            "content": "cars"
          },
          "whitelist": [
            "content"
          ]
        }
      ]
    },
    {
      "endpoint": "/mock/bogus-new-api/{path}",
      "method": "GET",
      "extra_config": {
        "auth/validator": {
          "alg": "RS256",
          "jwk-url": "http://keycloak-headless:8080/auth/realms/master/protocol/openid-connect/certs",
          "disable_jwk_security": true
        },
        "github.com/devopsfaith/krakend/proxy": {
          "static": {
            "data": {
              "new_field_a": 123,
              "new_field_b": [
                "arr1",
                "arr2"
              ],
              "new_field_c": {
                "obj": "obj1"
              }
            },
            "strategy": "always"
          }
        }
      },
      "output_encoding": "json",
      "concurrent_calls": 1,
      "backend": [
        {
          "url_pattern": "/not-finished-yet",
          "encoding": "json",
          "sd": "static",
          "extra_config": {},
          "host": [
            "nothing-here"
          ],
          "disable_host_sanitize": false
        }
      ]
    }
  ]
}
Upvotes: 2
Views: 3324
Reputation: 9
Create a new realm role "test-app-parent", then go to the Users section and assign that role to the user. You can check at https://jwt.io/ whether your token contains the "test-app-parent" role in "realm_access.roles", as in the sample below:
"realm_access": { "roles": [ "default-roles-krakend", "offline_access", "test-app-parent", "uma_authorization" ] }
Upvotes: 0
Reputation: 1
It worked for me after I changed
"jwk_url": "http://KEYCLOAK-SERVICE-NAME:8080/auth/realms/master/protocol/openid-connect/certs"
to "jwk_url": "http://host.docker.internal:8080/auth/realms/master/protocol/openid-connect/certs"
Upvotes: 0
Reputation: 151
Oh my God this made me go insane.
In one of the last version updates they changed jwk-url to jwk_url.
https://github.com/krakendio/krakend-ce/issues/495#issuecomment-1138397005
After I fixed that it worked for me.
Upvotes: 0
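The two checks described in the answers above (the `jwk_url` key name and the realm role inside `realm_access.roles`) can be run offline before redeploying. This is an added Python example, not code from the thread or from KrakenD; `check_validator`, `roles_in` and `sample_token` are hypothetical names, the token is a constructed unsigned one, and the code assumes a single matching role is enough to pass the roles check.

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def roles_in(claims, roles_key, nested):
    """Resolve roles_key; a dotted key is only walked when nested is true."""
    node = claims
    for part in (roles_key.split(".") if nested else [roles_key]):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    return node if isinstance(node, list) else []

def check_validator(endpoint, claims):
    """Return findings for one endpoint's auth/validator block and one token."""
    v = endpoint.get("extra_config", {}).get("auth/validator")
    if v is None:
        return ["endpoint has no auth/validator block"]
    findings = []
    if "jwk_url" not in v:
        hint = " (found jwk-url instead)" if "jwk-url" in v else ""
        findings.append("jwk_url is not set" + hint)
    required = v.get("roles", [])
    have = roles_in(claims, v.get("roles_key", ""), v.get("roles_key_is_nested", False))
    # Assumption: one matching role is enough to pass the roles check.
    if required and not set(required) & set(have):
        findings.append("token carries none of " + ", ".join(required))
    return findings

# Constructed sample data: the validator block from the question and an
# unsigned token whose claims lack the required realm role.
ASKER_ENDPOINT = {"extra_config": {"auth/validator": {
    "alg": "RS256",
    "jwk-url": "http://keycloak-headless:8080/auth/realms/master/protocol/openid-connect/certs",
    "roles_key_is_nested": True, "roles_key": "realm_access.roles",
    "roles": ["test-app-parent"]}}}

def sample_token(roles):
    body = json.dumps({"realm_access": {"roles": roles}}).encode()
    return "e30." + base64.urlsafe_b64encode(body).decode().rstrip("=") + "."

if __name__ == "__main__":
    claims = jwt_claims(sample_token(["offline_access", "uma_authorization"]))
    for finding in check_validator(ASKER_ENDPOINT, claims):
        print(finding)
```

`jwt_claims` only decodes the payload for inspection; it does not validate the signature, so it is not a substitute for the gateway's own validation.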