Keycloak integration

Can anyone guide me towards the integration of Keycloak as an OAuth server with Tyk? Thanks

Hi Abdul,

You may find this page on Tyk docs useful, it explains how you can use Tyk Identity Broker to integrate with 3rd party identity providers, such as Keycloak.

Hi Jack, how are you doing?

I integrated my API with an OIDC provider and it’s correctly validating that my token is valid.

Now I’m trying to make Tyk apply policies that are in my token, but I couldn’t get it done.

Do you know if it is possible?

Hi William,

All good thanks! Hope you are too. Are you able to share any more details about the flow you are looking to achieve? Or the steps which you have tried up until this point?

It would also be useful to know, is your ID token in JWT format?

If you prefer to contact me directly to share any details, you’d be welcome to do so ([email protected])

Cheers,

Jack

Hi Jack,

What I’m trying to achieve is authorization through my Keycloak access_token.

On my Keycloak I have a client called tyk-client. This client has a role called admin.

I also have a user on Keycloak that has this role associated. So when I finish the auth, I get 2 tokens, id-token and access-token. My roles are only present in my access-token under the path resource_access.tyk-client.roles, as you can check in this image.

The authentication process works just fine: Tyk goes to Keycloak, fetches the public key and validates that my access_token is good.

What I want to achieve is: authorize some endpoints only when I have certain Keycloak roles associated.

For example: I have 1 API called httpbin which points to https://httpbin.org. Also, I have 1 endpoint called /get. I want to secure this endpoint only for people that have the role admin associated, like the one in my token.

If this is not possible, maybe associate some policies with the api dynamically, using the access token, for example.

@edit: checking mw_openid.go here, it looks like this implementation looks for a claim called scope, if it wasn’t changed, and extracts the policies to be applied from it.

On this line from mw_jwt.go https://github.com/TykTechnologies/tyk/blob/0b6424018db34e5a24ea4a965feb34df7191ed80/gateway/mw_jwt.go#L263, it looks like it looks for a list of IDs that are probably the policy IDs.

On Keycloak I think I can’t generate this claim the way it is expected, since I would have to convert an array into a space-separated string.

Here’s a real example of a payload generated from a Keycloak login (it’s not the id-token, it’s the access token):

{
  "jti": "728de825-0a98-4ad2-ad3e-82f73cd3e15c",
  "exp": 1567011557,
  "nbf": 0,
  "iat": 1567011257,
  "iss": "https://doesntmatter.io/auth/realms/Tyk",
  "aud": "secret_login",
  "sub": "1cb58e09-1f79-4861-a840-3d360f8bdf53",
  "typ": "Bearer",
  "azp": "secret_login",
  "auth_time": 0,
  "session_state": "3727e5f3-2795-4ab2-83eb-6a13f8564f09",
  "acr": "1",
  "allowed-origins": [],
  "realm_access": {
    "roles": [
      "uma_authorization"
    ]
  },
  "resource_access": {
    "tyk-client": {
      "roles": [
        "admin"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "preferred_username": "william.okano",
  "email": ""
}

I know it’s a vendor-specific implementation, but I think that the solution for my problem would be “only” change the “scope” path and parse the array instead of the space-separated string.

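As an added example (not code from this thread and not Tyk’s own middleware), the snippet below shows the claim-to-policy step William describes: walk a dotted claim path such as resource_access.tyk-client.roles, accept either a JSON array of role names (Keycloak’s format) or a space-separated string (the OAuth-style scope claim), and map the role names to policy IDs. The policy IDs, the role-to-policy map and the trimmed payload are constructed for the example; the claims must come from a token whose signature, issuer and audience have already been verified, which Tyk does before this step in the flow above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sampleAccessToken is a constructed, trimmed copy of the Keycloak access-token
// payload posted above. Only the decoded claims are shown; signature, iss and
// aud/azp checks are assumed to have passed before these claims are trusted.
var sampleAccessToken = []byte(`{
  "iss": "https://doesntmatter.io/auth/realms/Tyk",
  "aud": "secret_login",
  "azp": "secret_login",
  "sub": "1cb58e09-1f79-4861-a840-3d360f8bdf53",
  "realm_access": { "roles": ["uma_authorization"] },
  "resource_access": {
    "tyk-client": { "roles": ["admin"] },
    "account":    { "roles": ["manage-account", "view-profile"] }
  },
  "preferred_username": "william.okano"
}`)

// claimAtPath walks a dotted path (e.g. "resource_access.tyk-client.roles")
// through decoded claims and returns the value found, or nil if any segment
// is missing or an intermediate value is not a JSON object.
func claimAtPath(claims map[string]interface{}, path string) interface{} {
	var cur interface{} = claims
	for _, seg := range strings.Split(path, ".") {
		obj, ok := cur.(map[string]interface{})
		if !ok {
			return nil
		}
		if cur, ok = obj[seg]; !ok {
			return nil
		}
	}
	return cur
}

// claimValues normalises a claim into a list of strings. It accepts a JSON
// array of strings (Keycloak roles) or a space-separated string (an OAuth
// "scope" claim). Any other shape yields nil, i.e. no roles.
func claimValues(v interface{}) []string {
	switch t := v.(type) {
	case string:
		return strings.Fields(t)
	case []interface{}:
		out := make([]string, 0, len(t))
		for _, e := range t {
			if s, ok := e.(string); ok && s != "" {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

// policiesForToken maps the role names found at claimPath to policy IDs using
// roleToPolicy (a hypothetical mapping the operator would configure). Roles
// with no mapping are ignored, so a token with unknown roles gets no policy
// rather than a default one (deny by default). Duplicates are collapsed.
func policiesForToken(payload []byte, claimPath string, roleToPolicy map[string]string) ([]string, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("decode claims: %w", err)
	}
	seen := map[string]bool{}
	var ids []string
	for _, role := range claimValues(claimAtPath(claims, claimPath)) {
		id, ok := roleToPolicy[role]
		if !ok || seen[id] {
			continue
		}
		seen[id] = true
		ids = append(ids, id)
	}
	return ids, nil
}

func main() {
	// Hypothetical mapping: the Keycloak client role "admin" grants the
	// Tyk policy that allows /get on the httpbin API.
	mapping := map[string]string{"admin": "policy-httpbin-admin"}
	ids, err := policiesForToken(sampleAccessToken, "resource_access.tyk-client.roles", mapping)
	fmt.Println(ids, err)
}
```

Because the same function handles both claim shapes, the only configuration difference between a Keycloak roles array and a space-separated scope string is the claim path; the role-to-policy map is what keeps a token from naming policy IDs directly.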