Hi Jack,
What I’m trying to achieve is authorization through my keycloak access_token.
On my keycloak I have a client called tyk-client. This client has a role called admin.
I also have a user on keycloak that has this role associated. So when I finish the auth, I get 2 tokens, id-token and access-token. My roles are only present on my access-token under the path resource_access.tyk-client.roles, as you can check on this image.
The authentication process works just fine: Tyk goes to Keycloak, fetches the public key and validates that my access_token is good.
What I want to achieve is: authorize some endpoints only when I have certain keycloak roles associated.
For example: I have 1 api called httpbin which points to https://httpbin.org. Also, I have 1 endpoint called /get. I want to secure this endpoint only to people that have the role admin associated, like the one on my token.
If this is not possible, maybe associate some policies with the api dynamically, using the access token, for example.
@edit: checking on the mw_openid.go here, it looks like this implementation looks for a claim called scope, if it wasn’t changed, and extracts the policies to be applied from it.
On this line from mw_jwt.go, https://github.com/TykTechnologies/tyk/blob/0b6424018db34e5a24ea4a965feb34df7191ed80/gateway/mw_jwt.go#L263, it looks like it looks for a list of IDs that are probably the policy IDs.
On keycloak I think I can’t generate this claim the way it is expected, since I would have to convert an array into a space-separated string.
Here’s a real example of a payload generated from a keycloak login (it’s not the id-token, it’s the access token):

{
  "jti": "728de825-0a98-4ad2-ad3e-82f73cd3e15c",
  "exp": 1567011557,
  "nbf": 0,
  "iat": 1567011257,
  "iss": "https://doesntmatter.io/auth/realms/Tyk",
  "aud": "secret_login",
  "sub": "1cb58e09-1f79-4861-a840-3d360f8bdf53",
  "typ": "Bearer",
  "azp": "secret_login",
  "auth_time": 0,
  "session_state": "3727e5f3-2795-4ab2-83eb-6a13f8564f09",
  "acr": "1",
  "allowed-origins": [],
  "realm_access": {
    "roles": [
      "uma_authorization"
    ]
  },
  "resource_access": {
    "tyk-client": {
      "roles": [
        "admin"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "preferred_username": "william.okano",
  "email": ""
}
I know it’s a vendor-specific implementation, but I think that the solution for my problem would be “only” change the “scope” path and parse the array instead of the space-separated string.
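To illustrate the mapping the post is asking for (a nested, array-valued Keycloak role claim versus the space-separated scope string the middleware expects), here is an added Go sketch that is not Tyk's own code: it reads a claim at a dotted path from a decoded access-token payload, accepts either form, and maps roles to policy IDs only through an explicit allow-list. The payload, path and policy IDs are constructed for the example.

```go
package main

import (
	"encoding/json"
	"strings"
)

// SamplePayload is a constructed, trimmed payload in Keycloak's shape (not a real token).
const SamplePayload = `{"sub":"user-1","scope":"openid profile",
 "resource_access":{"tyk-client":{"roles":["admin"]}}}`

// RolesAtPath decodes a JWT payload and returns the claim at a dotted path as a
// string list, accepting a JSON array (Keycloak roles) or a space-separated string.
func RolesAtPath(payload []byte, path string) ([]string, error) {
	var cur interface{}
	if err := json.Unmarshal(payload, &cur); err != nil {
		return nil, err
	}
	for _, key := range strings.Split(path, ".") {
		m, ok := cur.(map[string]interface{})
		if !ok {
			return nil, nil // path does not exist: no roles
		}
		cur = m[key]
	}
	switch t := cur.(type) {
	case string:
		return strings.Fields(t), nil
	case []interface{}:
		var out []string
		for _, e := range t {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
		return out, nil
	}
	return nil, nil // missing or wrong type: grant nothing
}

// PoliciesFor maps roles to policy IDs through an explicit allow-list; unmapped roles grant nothing.
func PoliciesFor(roles []string, roleToPolicy map[string]string) []string {
	var ids []string
	for _, r := range roles {
		if id, ok := roleToPolicy[r]; ok {
			ids = append(ids, id)
		}
	}
	return ids
}
```

Signature verification is assumed to have already happened upstream (as the post describes Tyk doing); this only covers the claim-to-policy step.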