APISIX OIDC + Keycloak + whoami

Table of Contents

• Prerequisites
• How to use
• Explanation
  • Architecture
  • Keycloak
  • Keycloak config init
  • APISIX
  • APISIX init
  • Whoami

This example repo describe how to access whoami/any service securely via APISIX OIDC with keycloak.

Prerequisites

• Docker 24.0.6 or latest

• Docker compose v2.22.0 or latest

How to use

• Map foo.example.com and bar.example.com against 127.0.0.1 in /etc/hosts file

• Then docker-compose up -d

• Then visit http://foo.example.com/

• Login using username: foo@example.com password: welcome123

• Now the whoami page will load

• Goto http://bar.example.com/ . It will redirect to keycloak login page

• To logout from foo http://foo.example.com/logout

Explanation

TBD

Architecture

• Keycloak 22.0.3

• APISIX 3.6.0

• keycloak-config-cli 5.8.0-22.0.0

• Postgres 15.4

Keycloak

Keycloak is an OpenID Connect Identity Provider (OIDC IDP).

Keycloak config init

Load the keycloak config into the keycloak using their API. We used this only to create realm, clients and users.

APISIX

APISIX is an advance reverse proxy.

APISIX init

This is just a shell script with curl command against APISIX admin API.

This will create

• Service

• Routes

• Plugins

Whoami

This is mock app. We used this as protected endpoints.

Author

@arulrajnet