I'm struggling with krakend and keycloak. I have the following:
- Apache2 web server with a `my-ip/keycloak-protected` file (directly on the host)
- KrakenD at `my-ip:8402` (as a Docker container)
- Keycloak at `my-ip:8080` (as a Docker container)
I want to protect the keycloak-protected file, so only logged in users can access it. For krakend I use this config: https://www.krakend.io/docs/authorization/keycloak/. I changed it to match my IP:
```json
{
  "version": 3,
  "timeout": "3s",
  "endpoints": [
    {
      "endpoint": "/keycloak-protected",
      "extra_config": {
        "auth/validator": {
          "alg": "RS256",
          "jwk_url": "http://<my-ip>:8080/auth/realms/master/protocol/openid-connect/certs",
          "disable_jwk_security": true
        }
      },
      "backend": [
        {
          "host": ["http://<my-ip>:80"],
          "url_pattern": "/__health"
        }
      ]
    }
  ]
}
```
I then set up keycloak, create a client with valid redirect URLs = http://my-ip:8402/* and access type Public. I also create a new user. Using postman, I try to access http://my-ip:8402/keycloak-protected with a GET. I fill out the parameters in the tab Authorization and click "Get new access token", where I successfully log in and get a (valid?) token. But when I then try to access http://my-ip:8402/keycloak-protected, it says 401 Unauthorized.
What am I missing here? Am I using postman wrong? Is the krakend config faulty? Or is the keycloak client not configured properly?
Thank you very much!
I followed the tutorials https://www.krakend.io/docs/authorization/keycloak/ and some parts of https://github.com/xyder/example-krakend-keycloak.
I would like to have different realms/clients/users to only access specific files on my apache2 webserver.
I found the solution: The example on the KrakenD website (on https://www.krakend.io/docs/authorization/keycloak/) is faulty. The URL in the `jwk_url` should be:

```
http://<my-ip>:8080/realms/master/protocol/openid-connect/certs
```

and NOT:

```
http://<my-ip>:8080/auth/realms/master/protocol/openid-connect/certs
```

(see the extra `/auth` in the URL).
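A small diagnostic for the 401 described above, added here as an example and not part of the original question or answer. It builds the realm's JWKS URL with or without the legacy `/auth` prefix (Keycloak 17+ serves realms at `/realms/...` by default), checks that a JWKS document actually contains an RS256 signing key with a `kid`, and reads the `kid` out of an unverified JWT header so you can see whether the token was issued by the realm the validator is pointed at. The function names, the `<my-ip>` placeholder, and the sample JWKS and token are constructed for this example; `fetch_jwks` uses the network and is only called from `main`.

```python
import base64
import json
import urllib.request
from urllib.parse import urlparse


def jwks_url(base_url: str, realm: str, legacy_auth_prefix: bool = False) -> str:
    """Build the realm JWKS URL for base_url such as http://<my-ip>:8080.

    Keycloak 17+ (Quarkus distribution) serves realms under /realms by default;
    older distributions used the /auth prefix.
    """
    base = base_url.rstrip("/")
    prefix = "/auth" if legacy_auth_prefix else ""
    return f"{base}{prefix}/realms/{realm}/protocol/openid-connect/certs"


def url_notes(url: str) -> list:
    """Configuration hints derived from the jwk_url itself."""
    notes = []
    parsed = urlparse(url)
    if parsed.scheme == "http":
        # KrakenD refuses plaintext JWK URLs unless disable_jwk_security is true.
        notes.append("plaintext http jwk_url: requires disable_jwk_security=true")
    if parsed.path.startswith("/auth/realms/"):
        notes.append("path uses legacy /auth prefix (pre-Keycloak-17 layout)")
    return notes


def fetch_jwks(url: str, timeout: float = 3.0) -> dict:
    """GET the JWKS document (network call; not used by the offline checks)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def check_jwks(doc: dict, alg: str = "RS256") -> dict:
    """Report which keys a JWT validator could use for the given algorithm."""
    keys = doc.get("keys")
    if not isinstance(keys, list) or not keys:
        return {"ok": False, "kids": [], "problems": ["no 'keys' array in document"]}
    usable, problems = [], []
    for i, k in enumerate(keys):
        if k.get("kty") != "RSA" or k.get("use", "sig") != "sig":
            continue  # encryption keys or non-RSA keys cannot verify RS256
        if k.get("alg", alg) != alg:
            continue
        if not k.get("kid"):
            problems.append(f"key {i} has no 'kid'; validators match on kid")
            continue
        if not (k.get("n") and k.get("e")):
            problems.append(f"key {k['kid']} lacks RSA modulus/exponent")
            continue
        usable.append(k["kid"])
    if not usable:
        problems.append(f"no usable {alg} signing key")
    return {"ok": bool(usable), "kids": usable, "problems": problems}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_kid(jwt: str) -> str:
    """Return the kid from a JWT header. No signature verification is done."""
    header = json.loads(_b64url_decode(jwt.split(".")[0]))
    return header.get("kid", "")


# Constructed sample data: one signing key, one encryption key, and a token
# header referencing the signing key. The RSA values are placeholders.
SAMPLE_JWKS = {
    "keys": [
        {"kid": "sig-key-1", "kty": "RSA", "alg": "RS256", "use": "sig",
         "n": "sample-modulus", "e": "AQAB"},
        {"kid": "enc-key-1", "kty": "RSA", "alg": "RSA-OAEP", "use": "enc",
         "n": "sample-modulus", "e": "AQAB"},
    ]
}


def _b64url(data: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(data).encode()).decode().rstrip("=")


SAMPLE_TOKEN = (_b64url({"alg": "RS256", "typ": "JWT", "kid": "sig-key-1"})
                + "." + _b64url({"sub": "user1"}) + ".placeholder-signature")


if __name__ == "__main__":
    url = jwks_url("http://<my-ip>:8080", "master")
    print(url, url_notes(url))
    report = check_jwks(SAMPLE_JWKS)
    kid = token_kid(SAMPLE_TOKEN)
    print(report, "token kid:", kid, "known:", kid in report["kids"])
```

Run it against the live URL by replacing `SAMPLE_JWKS` with `fetch_jwks(url)`; if the token's `kid` is not in `report["kids"]`, the token came from a different realm or Keycloak instance than the one `jwk_url` points at, which yields the same 401 as a wrong path.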