Tags: docker, apache2, keycloak, krakend

How to configure keycloak with krakend to access an apache2 webserver?


I'm struggling with krakend and keycloak. I have the following:

  • Apache2 webserver with a my-ip/keycloak-protected file (directly on the host)
  • Krakend with my-ip:8402 (as a docker container)
  • Keycloak with my-ip:8080 (as a docker container)

I want to protect the keycloak-protected file, so that only logged-in users can access it. For krakend I use this config: https://www.krakend.io/docs/authorization/keycloak/. I changed it to match my IP:

    {
      "version": 3,
      "timeout": "3s",
      "endpoints": [
        {
          "endpoint": "/keycloak-protected",
          "extra_config": {
            "auth/validator": {
              "alg": "RS256",
              "jwk_url": "http://<my-ip>:8080/auth/realms/master/protocol/openid-connect/certs",
              "disable_jwk_security": true
            }
          },
          "backend": [
            {
              "host": ["http://<my-ip>:80"],
              "url_pattern": "/__health"
            }
          ]
        }
      ]
    }

I then set up keycloak, create a client with valid redirect URLs = http://my-ip:8402/* and access type Public. I also create a new user. Using postman, I try to access http://my-ip:8402/keycloak-protected with a GET. I fill out the parameters in the Authorization tab and click "Get new access token", where I successfully log in and get a (valid?) token. But when I then try to access http://my-ip:8402/keycloak-protected, it says 401 Unauthorized.

What am I missing here? Am I using postman wrong? Is the krakend config faulty? Or is the keycloak client not configured properly?

Thank you very much!

I followed the tutorials https://www.krakend.io/docs/authorization/keycloak/ and some parts of https://github.com/xyder/example-krakend-keycloak.

I would like to have different realms/clients/users to only access specific files on my apache2 webserver.


Solution

  • I found the solution: The example on the krakend website (on https://www.krakend.io/docs/authorization/keycloak/) is faulty. The URL in the jwk_url should be:

    http://:8080/realms/master/protocol/openid-connect/certs

    and NOT:

    http://:8080/auth/realms/master/protocol/openid-connect/certs

    (see the missing /auth in the URL).
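The 401 in the question and the missing-/auth finding in the answer come from the same place: the gateway fetches the JWKS from jwk_url and verifies the token's RS256 signature with the key whose kid matches the token header, and a wrong jwk_url means there is no key to verify with. The token itself says where the realm lives, because Keycloak puts the realm URL in the iss claim and serves its JWKS at {iss}/protocol/openid-connect/certs. The following diagnostic is an added example written for this page, not code from the question, the answer, KrakenD or Keycloak. It decodes a token without verifying it (signature verification stays the gateway's job), derives the JWKS URL the issuer implies, and compares it with the configured jwk_url, the JWKS key ids and the expiry. The token, the JWKS and the <my-ip> host are all constructed sample values.

```python
import base64
import json
import time
from typing import Optional

# Constructed sample JWKS, standing in for what Keycloak would serve at
# http://<my-ip>:8080/realms/master/protocol/openid-connect/certs.
# Only "kid" and "alg" matter for the checks below; "n" and "e" are placeholders.
SAMPLE_JWKS = {
    "keys": [
        {"kid": "realm-key-1", "kty": "RSA", "alg": "RS256", "use": "sig",
         "n": "placeholder-modulus", "e": "AQAB"}
    ]
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_unverified(token: str) -> tuple:
    """Return (header, claims) WITHOUT checking the signature.

    For diagnosis only: the signature check against the JWKS is the gateway's
    job, and it is exactly the step that ends in 401 when jwk_url is wrong.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims


def expected_jwk_url(claims: dict) -> str:
    """Keycloak serves the realm's JWKS under the realm URL it puts in `iss`."""
    return claims["iss"].rstrip("/") + "/protocol/openid-connect/certs"


def diagnose(token: str, configured_jwk_url: str, jwks: dict,
             now: Optional[float] = None) -> list:
    """List the reasons an RS256 validator would reject this token (empty = none found)."""
    problems = []
    header, claims = decode_unverified(token)
    if header.get("alg") != "RS256":
        problems.append(f"token alg is {header.get('alg')!r}, validator expects RS256")
    if "iss" in claims and expected_jwk_url(claims) != configured_jwk_url:
        problems.append(
            f"jwk_url {configured_jwk_url!r} does not match the token issuer; "
            f"expected {expected_jwk_url(claims)!r}")
    kids = [k.get("kid") for k in jwks.get("keys", [])]
    if header.get("kid") not in kids:
        problems.append(f"kid {header.get('kid')!r} is not in the JWKS {kids}")
    exp = claims.get("exp")
    if exp is not None and exp <= (now if now is not None else time.time()):
        problems.append("token is expired")
    return problems


def make_sample_token(kid: str, iss: str, exp: int) -> str:
    """Build a constructed token with a dummy signature segment (never accept such a token)."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    claims = {"iss": iss, "exp": exp, "aud": "account", "preferred_username": "alice"}
    return ".".join([
        enc(json.dumps(header, separators=(",", ":")).encode()),
        enc(json.dumps(claims, separators=(",", ":")).encode()),
        enc(b"dummy-signature"),
    ])


if __name__ == "__main__":
    token = make_sample_token("realm-key-1", "http://<my-ip>:8080/realms/master", 4102444800)
    wrong = "http://<my-ip>:8080/auth/realms/master/protocol/openid-connect/certs"
    right = "http://<my-ip>:8080/realms/master/protocol/openid-connect/certs"
    for url in (wrong, right):
        print(url, "->", diagnose(token, url, SAMPLE_JWKS) or "no problems found")
```

With a real token pasted in place of the constructed one, the iss check is the quickest way to tell whether a Keycloak deployment still uses the /auth context path: the configured jwk_url must equal the issuer plus /protocol/openid-connect/certs, and a kid missing from the JWKS points at the wrong realm or a rotated key.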