Following this guide: API Authentication with OIDC, KeyCloak & Tyk API Gateway - YouTube, I’ve set up an API that only allows users access if they are providing a Keycloak token.
I want to take this a step further and also filter the access to users with a certain role attached to them in Keycloak.
After searching I found the option “Use Scope Claim” under the Authentication > OpenID Connect tab in the API, but I couldn’t find how to configure it. Seeing this post Keycloak integration - Support / Setting up Tyk - Tyk API Management Community Forum there seems to be some mismatch in the data type Tyk expects and the data parsed in the Keycloak JWT (also, unlike the guide, he’s using the id-token and not the access-token), though this post is 3 years old.
So, is it possible to filter the access using a Keycloak role from Tyk? And if it’s possible, how do you configure it in the dashboard?
For your scenario, you’ll need to configure a few things on the KeyCloak side to make user roles available in the id_token. This is necessary because the id_token is used to access the API, not the access_token, as you observed.
Create a Mapper for the KeyCloak client: There’s a built-in mapper for user roles. In the attached photos, I’ve used the built-in mapper “Client Roles” which works for the use case.
Configure the mapper to add the claim to the id_token. You can also specify the claim name if you wish. The setting here would determine how it would be accessed in Tyk for filtering. In my setup, I’ve left it as default, except I’ve turned off “multivalued” so the value is a single role rather than an array of roles.
Here’s the setup in my dashboard. I’ve defined different policies and applied different rate limits depending on the role, just like in the video linked above. Also, set a default policy.
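To check what shape the mapper actually emitted before wiring it into a policy, here is an added example (not from this thread, Tyk or Keycloak) that decodes a token payload, reads the role claim in either the multivalued (array) or single-string form, and resolves it to a policy with a default fallback. Claim path, client name and policy IDs are placeholders, and the demo tokens are constructed and unsigned; the gateway, not this helper, verifies signatures.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_payload(token: str) -> dict:
    """Return a JWT's claims WITHOUT verifying it: inspection of mapper output
    only. Signature verification is the gateway's job, not this helper's."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))

def extract_roles(claims: dict, claim_path: str) -> list:
    """Read the role claim at a dotted path ("resource_access.my-client.roles").
    Handles a list ("multivalued" on) and a single string ("multivalued" off);
    a space-separated string is split, the way scope-style claims are read."""
    value = claims
    for key in claim_path.split("."):
        if not isinstance(value, dict) or key not in value:
            return []  # claim missing: mapper absent or added to the wrong token
        value = value[key]
    if isinstance(value, str):
        return value.split()
    if isinstance(value, list):
        return [r for r in value if isinstance(r, str)]
    return []  # unexpected type (object, number): treat as no roles

def select_policy(roles: list, role_to_policy: dict, default_policy: str) -> str:
    """Policy of the first mapped role (mapping order is precedence),
    falling back to the default policy as recommended above."""
    for role, policy in role_to_policy.items():
        if role in roles:
            return policy
    return default_policy

def make_token(claims: dict) -> str:
    """Constructed, unsigned demo token (alg=none, dummy signature); NOT a Keycloak token."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"

# Placeholder policy IDs and claim path; substitute the ones from your dashboard.
ROLE_TO_POLICY = {"admin": "POLICY_ID_ADMIN", "user": "POLICY_ID_USER"}
CLAIM_PATH = "resource_access.my-client.roles"

if __name__ == "__main__":
    for shape in (["user", "admin"], "user"):  # multivalued on / off
        claims = decode_jwt_payload(make_token({"resource_access": {"my-client": {"roles": shape}}}))
        roles = extract_roles(claims, CLAIM_PATH)
        print(shape, "->", roles, "->", select_policy(roles, ROLE_TO_POLICY, "POLICY_ID_DEFAULT"))
```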
Sorry for the delay in response, I’ve had some issues with the policy setting and had to work on other stuff as well. @Ubong, your response was great and covered most of what I needed step by step with pictures and examples, thank you very much.
Also a question about @marvin’s response: I keep seeing those JSON-style API definitions and have no clue where I’m meant to input them. I only know how to define those things through the dashboard or at the start in the docker compose environment variables. Where are those definitions located?
Edit: found the “VIEW RAW DEFINITION” button, which seems to show the JSON format of the definitions.
Did this get resolved? I am having a similar issue trying to manage access to APIs by Keycloak Client roles. I have followed all these same steps as above. If you got it working, can you post your api and policy definition?