Part 3 - Keycloak - API Gateway APIs with Keycloak JWT authentication

-

In the previous article I showed you how to setup API Gateway in front of your Lambda function.  This article will show you how to setup Keycloak to be used for API Gateway.


Note: once again I am showing you the "ClickOps" method of setting up your environment by doing everything, in this example, though the Keycloak console.  This is not a best practice by any means.  Keycloak has multiple ways to create a script or program to configure it and you should be using tools that allow for repeatability.  But this is meant as a demo and so this version of the document will continue to use this method.

So let's set up a new Keycloak client to handle our API Gateway authorization.  This document will assume that you have a Keycloak instance available on this internet.  It's not too hard to do but look for future articles on the setup for AWS ECS.

To get started, login to your Keycloak instance, change to the correct realm and create a user with a password.  This is a "local" user that isn't tied to a social login like Google.  The user name and password are stored on the Keycloak server.

Next let's create a new client.  Go to "Clients" and then "Create client":


In the next screen, the "Client type" should remain OpenID Connect.  The other choice is SAML which, while Keycloak supports, API Gateway does not.  SAML is similar in concept to Oauth and is a framework for authorization.

Enter a "Client ID" of your choosing.  I'll create "awsapigateway":

Select "Next":


and "Next".  On the third screen there is nothing to enter.  Select "Save" to get to the general configuration screen for the client.

At this point you can use the user you created in the next steps of the process.

Optional - add a client secret to the client.

In some instances it is good to have a Keycloak client have a secret.  This is a shared password that is needed to access the client.  Ultimately it adds an additional layer of security so that only user that know the secret can use the client.

To configure this, go to the client settings tab:


scroll down and turn on "Client authentication":


Save this configuration.  Now, the client configuration includes a "Credentials" tab:

Select the "Credentials" tab and save the "Client Secret" off to your favorite password manager or a file.  We'll use the client secret when we get a token in the last part of this series.

 

Photo by Andy Keyser on Unsplash

Comments

Post a Comment

Popular posts from this blog

Starting SSO with Keycloak

-
Image
  I've been using  Keycloak  for years now and have been experimenting with the newer versions that are based on top of  Quarkus .  One of the struggles I've had is spinning up a test server for development.  The new Quarkus model though is pretty simple.  A small  Docker Compose  script let's you spin up an environment in almost no time. My script looks like: version: '3.8' services: postgres: image: postgres:latest environment: POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} restart: unless-stopped healthcheck: test: [ "CMD-SHELL", "pg_isready -U postgres" ] networks: - pg_network volumes: - ./pgdata:/var/lib/postgresql/data - ./create_db.sql:/docker-entrypoint-initdb.d/create_db.sql keycloak: image: quay.io/keycloak/keycloak:latest depends_on: postgres: condition: service_healthy environment: KC_DB: ${KC_DB} KC_DB_URL: ${KC_DB_URL} KC_DB_USE...
Read more

Generating JWT's using the Auth0 library

-
Image
I've created a small example set of code to generate and learn about JWTs .  This code allows you to create and sign your own JWT.  You can create your own public/private keys to sign and verify the tokens. In and of itself this code would not likely be used for a production environment but knowing how a JWT works and the part of it are an important part of understanding Oauth2 in general.  I've got some future code to show you how to use a JWT in more of a production environment but this is useful to learn from.   Photo by Maick Maciel on Unsplash
Read more