About

Hello, have you heard about OAuth2? And do you know what a proxy is?

In this simple but instructive project, we cover the main concepts of both.

How?

By using an open source project as the auth module (Keycloak) to issue a valid JSON Web Token, and forwarding that token to a proxy (Ory Oathkeeper) that validates it before letting requests through.

Keycloak

An excellent free auth module, written in Java, as described on its web page: keycloak-page.

It is under the Apache 2.0 license, so if you want to try it, read the license doc.

Ory Oathkeeper

"Ory is the largest open source community in the world for cloud software application security". ory-page.

We are going to use one of its products, the incredible proxy written in Go (:heart:).

Also under the Apache 2.0 license.

What you need

Having Docker and docker-compose installed on your system is all you need to run the project. docker-main-page

Just follow their install steps and you will be able to run any containers you wish on top of your system's kernel.

Start keycloak

cd keycloak

docker-compose up --build

Save jwks file in oath-image folder

Open __http://localhost:8080/realms/master/protocol/openid-connect/certs__ and save the response as jwks.json in the oath-image folder. This is the realm's public key set (JWKS) and the proxy uses it to check token signatures, so if you later recreate the Keycloak container with a fresh database the realm keys are regenerated and you must save this file again; otherwise every token will be rejected as signed by an unknown key.

Creating a keycloak client

  1. Let's get hands-on. Open your browser at localhost:8080 as shown below:

  2. On the admin console, log in with admin as the user and admin123 as the password (set in docker-compose; demo credentials only).

  3. Let's create a client named my-client:

  4. Let's switch the client access type to confidential, so the Client ID and the Client Secret must both be sent as part of the authentication:

  • You need to enter a valid redirect URI. For this demo, just type localhost to get past this option.
  5. Get the client ID and secret values on the Credentials tab (treat the secret like a password and do not commit it):

Start the other services and APIs

docker-compose up

Done for now. Let's test the OAuth2 flow using the admin user and the my-client client.

Testing Authorization

  1. Install an HTTP client with a UI. Postman and Insomnia are great options.
  2. Let's get a valid JWT by sending a POST request to:

    localhost:8080/realms/master/protocol/openid-connect/token

and, with the body encoded as application/x-www-form-urlencoded (not JSON), we send these fields:

    {
        username: admin,
        password: admin123,
        client_id: my-client,
        client_secret: {paste_secret_here},
        grant_type: password
    }
  3. Check that you got a 200 status response with a valid JWT in the access_token field:
  • We are using OpenID Connect, which is what lets us make this kind of request. grant_type=password is the Resource Owner Password Credentials grant: Keycloak only accepts it when Direct Access Grants is enabled on the client, and while it is fine for a local demo it should not be used in production, where the Authorization Code flow belongs.
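The steps above as a script, added here as an example (it is not part of the original project). It assumes the page's defaults (admin/admin123, client my-client in realm master, Keycloak on :8080, the proxy on :4455) and reads the client secret from a MY_CLIENT_SECRET environment variable, which is this example's own convention; the function names are mine. The request builder and the claim decoder run offline; the `__main__` part needs the containers running.

```python
"""Added example, not part of the original project: the "Testing Authorization" steps
as a script, plus a look at the claims inside the returned JWT. Assumes the page's
defaults (admin/admin123, client my-client in realm master, Keycloak on :8080, the
proxy on :4455); the client secret comes from the MY_CLIENT_SECRET env var (my choice)."""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

KEYCLOAK = "http://localhost:8080"
PROXY = "http://localhost:4455"

def token_request(realm, client_id, client_secret, username, password, base=KEYCLOAK):
    """Build the Resource Owner Password grant request: URL, headers and body.
    The page lists the fields as JSON, but the token endpoint expects an
    application/x-www-form-urlencoded body, which is what urlencode produces."""
    url = f"{base}/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }).encode()
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body

def decode_claims(jwt):
    """Decode the payload of a compact JWS *without* verifying it, to inspect
    iss/azp/exp/preferred_username. Never use unverified claims for access
    decisions; signature checking is the proxy's job."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def bearer(token):
    """Authorization header the proxy looks for."""
    return {"Authorization": f"Bearer {token}"}

def http(url, headers=None, body=None):
    """Minimal urllib wrapper returning (status, body_text), also for 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def fetch_access_token(client_secret):
    """Step 2: POST the password grant and return the access_token on a 200."""
    url, headers, body = token_request("master", "my-client", client_secret, "admin", "admin123")
    status, text = http(url, headers, body)
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {text}")
    return json.loads(text)["access_token"]

if __name__ == "__main__":   # needs the containers from docker-compose up
    token = fetch_access_token(os.environ["MY_CLIENT_SECRET"])
    claims = decode_claims(token)
    print("issuer:", claims.get("iss"), "client:", claims.get("azp"), "user:", claims.get("preferred_username"))
    print("GET /cities without token ->", http(f"{PROXY}/cities")[0])                # expect a 4xx from the proxy
    print("GET /cities with token    ->", http(f"{PROXY}/cities", bearer(token))[0])  # expect the API's answer
```

decode_claims is only for looking: the payload is base64url, not encrypted, so anyone holding the token can read it, and only the signature check (done by the proxy) makes the claims trustworthy.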

Testing Ory Proxy

Up to this point, all we have is a functional auth module. With Ory Oathkeeper pointed at our APIs and configured by the jwks and rules files, we are ready to test the APIs sitting behind it.

  1. Let's make a GET request to http://localhost:4455/cities with no valid token:

  2. We are going through the Ory proxy (:4455) to get any response from the API. If you want to call the API directly, its ports are exposed by Docker, so we can do:

  3. With a valid token filling the Authorization header (Bearer scheme), we can get the successful response from
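What the proxy does with jwks.json before it forwards a request, modelled as an added example (this is my code, not Oathkeeper's or Keycloak's): find the key whose kid matches the token header in the JWKS, verify the RS256 signature over header.payload, then check issuer and expiry. The RSA key is a toy key generated inside the script (not a realm key), and the kid values and the rejection strings are assumptions of the example; the issuer URL and client name follow the page. The demo mints one valid token and four a proxy must reject: expired, payload edited while keeping the original signature, signed by a key that is not in the JWKS (what a stale jwks.json looks like), and alg none. Python 3.8 or newer, standard library only.

```python
"""Added example, not project code: a model of the checks the proxy's jwt authenticator runs
with jwks.json. The RSA key is a toy key generated here, not a Keycloak realm key; the issuer
and client names follow the page. Python >= 3.8, standard library only."""
import base64, hashlib, json, random, time

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# --- toy RSA key generation (demo only; real keys come from Keycloak) ------
def _is_probable_prime(n, rounds=24):
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                      # Miller-Rabin: a^d, then r-1 squarings
        x = pow(random.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and not any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            return False
    return True
def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand
def generate_key(kid, bits=1024):
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return {"kid": kid, "n": p * q, "e": 65537, "d": pow(65537, -1, phi)}
def public_jwks(key):  # same shape as Keycloak's .../openid-connect/certs response (jwks.json)
    enc = lambda v: b64url_encode(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kid": key["kid"], "kty": "RSA", "alg": "RS256", "use": "sig",
                      "n": enc(key["n"]), "e": enc(key["e"])}]}

# --- RSASSA-PKCS1-v1_5 with SHA-256, i.e. RS256 ----------------------------
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo
def _encoded_message(msg, k):
    t = _SHA256_PREFIX + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")
def rs256_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(_encoded_message(msg, k), key["d"], key["n"]).to_bytes(k, "big")
def rs256_verify(jwk, msg, sig):
    n, e = (int.from_bytes(b64url_decode(jwk[name]), "big") for name in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _encoded_message(msg, k)

def mint_token(key, claims, alg="RS256"):
    """Issue a compact JWS (header.payload.signature) the way Keycloak does."""
    header = {"alg": alg, "typ": "JWT", "kid": key["kid"]}
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = rs256_sign(key, signing_input.encode()) if alg == "RS256" else b""
    return signing_input + "." + b64url_encode(sig)

def verify_token(token, jwks, issuer, now=None):
    """The checks a proxy applies, in order; raises ValueError (a 401) on any failure."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, claims = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
    except ValueError:
        raise ValueError("malformed token") from None
    if header.get("alg") != "RS256":              # pin the algorithm, never trust "none"
        raise ValueError("unsupported alg")
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:                               # stale jwks.json or another realm's key
        raise ValueError("kid not in jwks")
    if not rs256_verify(jwk, f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64)):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
        raise ValueError("token expired")
    return claims

def verdict(token, jwks, issuer, now=None):  # what the proxy answers: forwarded subject or 401 reason
    try:
        return "accepted as " + str(verify_token(token, jwks, issuer, now).get("sub"))
    except ValueError as err:
        return str(err)

def demo():
    """One good token and four bad ones; returns the verdict for each."""
    iss, now = "http://localhost:8080/realms/master", int(time.time())
    key = generate_key("realm-key-1")
    good = mint_token(key, {"iss": iss, "sub": "admin", "azp": "my-client", "exp": now + 300})
    h, _, s = good.split(".")                     # forgery: keep header+signature, swap payload
    root = b64url_encode(json.dumps({"iss": iss, "sub": "root", "exp": now + 300}).encode())
    cases = {"valid": good,
             "expired": mint_token(key, {"iss": iss, "sub": "admin", "exp": now - 1}),
             "forged_payload": f"{h}.{root}.{s}",
             "rotated_key": mint_token(generate_key("realm-key-2"), {"iss": iss, "exp": now + 300}),
             "alg_none": mint_token(key, {"iss": iss, "exp": now + 300}, alg="none")}
    return {label: verdict(tok, public_jwks(key), iss, now) for label, tok in cases.items()}
```

The rotated_key case is exactly what happens when jwks.json is out of date after Keycloak regenerates its realm keys: the signature may be perfectly good, but the proxy cannot find the key and rejects the request. Oathkeeper's jwt authenticator is configured with the issuers, audiences and algorithms it accepts; this model hard-codes one issuer and RS256 and skips the audience check.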