⚠ This project was archived to use a different approach. The plugin this project demonstrates uses the OIDC Authorization Code flow to retrieve a token. We don't need the Gateway to retrieve a token though: the token will be added to the request by the downstream services. Work continues at the moh-iam-kong-plugin repo.
A proof of concept securing HNI services behind Kong integrated with Keycloak.
This is a draft Getting Started guide. I think it's complete, but we'll see. The only prerequisite is Docker.
It uses old versions of Kong and Docker because this guide is based on old tutorials.
- git clone the project
- cd to the project directory
- Run `docker build -t kong:0.14-alpine-oidc docker/kong/`
- Run `docker-compose run --rm kong kong migrations bootstrap`
- Run `docker-compose up -d`
Add a service pointing at httpbin.org:

```sh
curl -s -X POST http://localhost:8001/services \
  -d name=httpbin-service \
  -d url=http://httpbin.org
```
Add a route for the service:

```sh
curl -s -X POST http://localhost:8001/services/httpbin-service/routes \
  -d "paths[]=/mock"
```

Navigate to http://localhost:8000/mock and it should take you to httpbin.org.
First add a client:

- Navigate to the Keycloak admin console at http://localhost:8180. Credentials are admin/admin.
- Add Client with "Client ID" `Kong`.
- Set the "Access Type" to `Confidential`.
- Set "Valid Redirect URIs" to `*` (a wildcard is only acceptable for a local proof of concept; for anything else restrict it to the exact callback URLs Kong uses, so an authorization code cannot be sent to an arbitrary redirect target).
- Click Save.
- Go to the "Credentials" tab. Copy the "Secret" and save it for later.
Now add a user:

- Create a user with "Username" `user`.
- Set "Email Verified" to `On`.
- Set password to `password`, and "Temporary" to `Off`.
Now register the OIDC plugin with Kong:

```sh
curl -s -X POST http://localhost:8001/plugins \
  -d name=oidc \
  -d config.client_id=kong \
  -d config.client_secret=CLIENT_SECRET \
  -d config.discovery=http://HOST_IP:8180/auth/realms/master/.well-known/openid-configuration
```

Put in your host IP address and the Keycloak client secret. The discovery URL is fetched from inside the Kong container, so use an address that is reachable from there rather than localhost.
Now when you navigate to http://localhost:8000/mock, you should be redirected to Keycloak for authentication.
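A quick way to confirm the plugin is doing its job without a browser is to look at the raw redirect. The script below is an added example, not part of the project: it checks that a response is a 302 to Keycloak's authorization endpoint for the `master` realm (`/auth/realms/master/protocol/openid-connect/auth`) carrying the parameters the Authorization Code flow needs. HOST_IP and the `kong` client ID are the guide's placeholders; the sample responses are constructed.

```bash
#!/usr/bin/env bash
# Added example (not the project's code): verify that a Kong route guarded by
# the oidc plugin answers an unauthenticated request with a redirect into the
# OIDC Authorization Code flow at Keycloak. HOST_IP and client ID "kong" are
# the placeholders used in the guide.

# Print the Location header value from raw HTTP response headers on stdin.
location_of() {
  tr -d '\r' | awk 'tolower($1) == "location:" { print $2; exit }'
}

# check_oidc_redirect RAW_RESPONSE AUTH_ENDPOINT
# Succeeds (exit 0) only if the response is a 302 whose Location is the given
# authorization endpoint and carries the query parameters the Authorization
# Code flow needs; "state" is the CSRF binding the plugin must not leave out.
check_oidc_redirect() {
  local raw="$1" auth_ep="$2" status loc p
  status=$(printf '%s' "$raw" | tr -d '\r' | awk 'NR == 1 { print $2 }')
  [ "$status" = "302" ] || { echo "expected 302, got ${status:-nothing}"; return 1; }
  loc=$(printf '%s' "$raw" | location_of)
  case "$loc" in
    "$auth_ep"\?*) ;;
    *) echo "Location is not the Keycloak auth endpoint: ${loc:-missing}"; return 1 ;;
  esac
  for p in response_type=code client_id=kong redirect_uri= state=; do
    case "$loc" in
      *"$p"*) ;;
      *) echo "missing $p in Location"; return 1 ;;
    esac
  done
  echo "ok: redirect to $auth_ep"
}

KEYCLOAK_AUTH='http://HOST_IP:8180/auth/realms/master/protocol/openid-connect/auth'

# Constructed sample responses standing in for "curl -s -i http://localhost:8000/mock":
# the redirect the plugin should produce, and a plain 200 as seen before the plugin existed.
SAMPLE_302=$(printf 'HTTP/1.1 302 Found\r\nLocation: %s\r\nContent-Length: 0\r\n\r\n' \
  "${KEYCLOAK_AUTH}?response_type=code&client_id=kong&state=abc123&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fmock&scope=openid")
SAMPLE_200=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n')

# Against the running stack from this guide:
#   check_oidc_redirect "$(curl -s -i http://localhost:8000/mock)" "$KEYCLOAK_AUTH"
```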
I ran all of the above commands in Git Bash on Windows. It has curl pre-installed and a handy utility for formatting JSON called `json_pp`.

```sh
curl -s http://localhost:8001 | json_pp
curl -s http://localhost:8001/services | json_pp
curl -s http://localhost:8001/routes | json_pp
curl -s http://localhost:8001/plugins | json_pp
```
If you muck up you'll probably need to delete or modify some things:

```sh
# Resources can be deleted by ID:
curl -s -X DELETE http://localhost:8001/services/edef33da-96fe-4c3d-8236-f3e35b3a0aaa
# Note that resources may also be referenced by "name" if you gave them one:
curl -s -X DELETE http://localhost:8001/services/httpbin-service
# You can modify configuration; you don't have to delete it:
curl -s -X PATCH http://localhost:8001/plugins/1e1637df-4718-4c7c-a412-4114ca29a41e --data "config.client_secret=c934568f-3fd3-4a21-bbfc-d8c7f97a3408"
```
If you need to read log files, you can use the Docker Dashboard available in the Windows task tray in the bottom right.
- https://docs.konghq.com/2.1.x/admin-api
- https://www.jerney.io/secure-apis-kong-keycloak-1 (original guide, a little outdated)
- https://github.com/d4rkstar/kong-konga-keycloak (newer guide, a little more involved)