Filtering access using Keycloak roles

Hello,

Following this guide: API Authentication with OIDC, KeyCloak & Tyk API Gateway - YouTube, I’ve set up an API that only allows users access if they provide a Keycloak token.
I want to take this a step further and also filter access to users with a certain role attached to them in Keycloak.
After searching I found the option “Use Scope Claim” under the Authentication > OpenID Connect tab in the API, but I couldn’t find how to configure it. Seeing this post Keycloak integration - Support / Setting up Tyk - Tyk API Management Community Forum, there seems to be some mismatch in the data type Tyk expects and the data parsed in the Keycloak JWT (also, unlike the guide, he’s using the id-token and not the access-token), though this post is 3 years old.

So, is it possible to filter access using a Keycloak role from Tyk? And if it’s possible, how do you configure it in the dashboard?

Hello! Thank you for reaching out. The link below should help set up the “Use Scope Claim.”

https://tyk.io/docs/advanced-configuration/integrate/api-auth-mode/open-id-connect/#jwt-scope-to-policy-mapping-support

As an example, your API definition will have the following fields:

{
  "jwt_scope_to_policy_mapping": {
    "admin": "59672779fa4387000129507d",
    "developer": "53222349fa4387004324324e"
  },
  "jwt_scope_claim_name": "our_scope"
}

Let us know if this helps.

Hi @YakirYacov,

In addition to what Marvin posted above, please check out this video to see it in action. Dynamic Authorization Using JWT Scope Policies in Tyk - YouTube

For your scenario, you’ll need to configure a few things on the KeyCloak side to make user roles available in the id_token. This is necessary because the id_token is used to access the API, not the access_token, as you observed.

  • Create a Mapper for the KeyCloak client: There’s a built-in mapper for user roles. In the attached photos, I’ve used the built-in mapper “Client Roles” which works for the use case.

  • Configure the mapper to add the claim to the id_token. You can also specify the claim name if you wish. The setting here would determine how it would be accessed in Tyk for filtering. In my setup, I’ve left it as default, except I’ve turned off “multivalued” so the value is a single role rather than an array of roles.

With that, you should be good to go.

Here’s the setup in my dashboard. I’ve defined different policies and applied different rate limits depending on the role, just like in the video linked above. Also, set a default policy.

Here’s the user roles on my KeyCloak for reference.

If you wish to filter access by path in the API, you can do so within the policy. See documentation here: Secure your APIs by Method and Path

Sorry for the delay in response, I’ve had some issues with the policy setting and had to work on other stuff as well.
@Ubong, your response was great and covered most of what I needed step by step with pictures and examples, thank you very much.
Also, a question about @marvin’s response: I keep seeing those JSON-style API definitions and have no clue where I’m meant to input them. I only know how to define those things through the dashboard or at the start in the docker compose environment variables. Where are those definitions located?

Edit: found the “VIEW RAW DEFINITION” button, which seems to show the JSON format of the definitions.


Did this get resolved? I am having a similar issue trying to manage access to APIs by Keycloak Client roles. I have followed all these same steps as above. If you got it working, can you post your api and policy definition?

I am using community edition 4.3 docker

Here,

{
    "use_openid": true,
    "openid_options": {
        "providers": [
            {
                "issuer": "<issuer-url>",
                "client_ids": {
                    "<base64 encoded>": "<policy-id>"
                }
            }
        ],
        "segregate_by_client": false
    },
    "enable_jwt": false,
    "jwt_signing_method": "",
    "jwt_source": "",
    "jwt_identity_base_field": "",
    "jwt_client_base_field": "",
    "jwt_policy_field_name": "",
    "jwt_default_policies": [],
    "jwt_skip_kid": false,
    "scopes": {
        "jwt": {},
        "oidc": {
            "scope_claim_name": "resource_access.tyk-client.roles",
            "scope_to_policy": {
                "[admin]": "62e92f5f679275000162348c",
                "[developer]": "62e96999679275000162348d",
                "[sre]": "62e96a7c679275000162348e",
                "[tester]": "62e970fb6792750001623490"
            }
        }
    },
    "jwt_scope_to_policy_mapping": {
        "[admin]": "62e92f5f679275000162348c",
        "[developer]": "62e96999679275000162348d",
        "[sre]": "62e96a7c679275000162348e",
        "[tester]": "62e970fb6792750001623490"
    },
    "jwt_scope_claim_name": "resource_access.tyk-client.roles",
    "base_identity_provided_by": ""
}
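To make the scope-to-policy behaviour discussed in this thread concrete (Marvin’s jwt_scope_to_policy_mapping fields, Ubong’s note about the role claim being either a single value or an array depending on the mapper’s “multivalued” setting, and the nested claim name resource_access.tyk-client.roles from the definition above), here is an added Python example. It is not Tyk’s code and not code from any poster; it is a simplified stand-in for what the gateway does after it has validated the token. Assumptions: the token is HS256-signed with a constructed shared secret (Keycloak actually signs with RS256 and Tyk verifies against the provider’s keys), the mapping keys are bare role names, and DEFAULT_POLICY is a placeholder ID. The policy IDs are the ones posted in the thread.

```python
import base64
import hashlib
import hmac
import json

# Claim name and policy IDs taken from the API definition posted above;
# the mapping keys here are bare role names (an assumption of this example).
SCOPE_CLAIM_NAME = "resource_access.tyk-client.roles"
SCOPE_TO_POLICY = {
    "admin": "62e92f5f679275000162348c",
    "developer": "62e96999679275000162348d",
    "sre": "62e96a7c679275000162348e",
    "tester": "62e970fb6792750001623490",
}
DEFAULT_POLICY = "<default-policy-id>"  # placeholder, not from the thread

SECRET = b"demo-shared-secret"  # constructed; a real id_token is RS256-signed


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Build an HS256 JWT as a constructed stand-in for a Keycloak id_token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_and_decode(token: str) -> dict:
    """Check the signature before trusting any claim; raise on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def claim_by_path(claims: dict, dotted_path: str):
    """Walk a dotted claim name such as resource_access.tyk-client.roles."""
    node = claims
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def policies_for_token(token: str) -> list:
    """Map the roles found in the token to policy IDs, falling back to the default."""
    claims = verify_and_decode(token)
    value = claim_by_path(claims, SCOPE_CLAIM_NAME)
    # Accept both shapes discussed in the thread: a single role string
    # (mapper with "multivalued" off) and an array of roles (the default).
    if isinstance(value, str):
        roles = [value]
    elif isinstance(value, list):
        roles = [r for r in value if isinstance(r, str)]
    else:
        roles = []
    matched = [SCOPE_TO_POLICY[r] for r in roles if r in SCOPE_TO_POLICY]
    return matched or [DEFAULT_POLICY]


if __name__ == "__main__":
    # Constructed sample token carrying an array-valued client-role claim.
    sample = make_token({
        "sub": "user-1",
        "resource_access": {"tyk-client": {"roles": ["admin", "offline_access"]}},
    })
    print(policies_for_token(sample))
```

Roles that have no mapping entry (such as Keycloak’s built-in offline_access) are ignored rather than treated as errors, and a token with no matching role lands on the default policy, which mirrors the “set a default policy” advice earlier in the thread. A token whose signature does not verify is rejected before any claim is read.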