This repository has been archived by the owner on Oct 8, 2020. It is now read-only.

bcgov/moh-iam-kong-keycloak

⚠ This project was archived to use a different approach. The plugin this project demonstrates uses the OIDC Authorization Code flow to retrieve a token. We don't need the Gateway to retrieve a token though: the token will be added to the request by the downstream services. Work continues at the moh-iam-kong-plugin repo.

moh-iam-kong-keycloak

A proof of concept securing HNI services behind Kong integrated with Keycloak.

Getting started

This is a draft Getting Started guide. I think it's complete, but we'll see. The only prerequisite is Docker.

It uses old versions of Kong and Docker because this guide is based on old tutorials.

Run the containers

  1. git clone the project
  2. cd to the project directory
  3. Run docker build -t kong:0.14-alpine-oidc docker/kong/
  4. Run docker-compose run --rm kong kong migrations bootstrap
  5. Run docker-compose up -d

Add a service to Kong

curl -s -X POST http://localhost:8001/services \
    -d name=httpbin-service \
    -d url=http://httpbin.org

Add a route for the service:

curl -s -X POST http://localhost:8001/services/httpbin-service/routes \
    -d "paths[]=/mock"

Navigate to http://localhost:8000/mock and Kong should proxy the request through to httpbin.org.

Configure Keycloak

First add a client:

  1. Navigate to the Keycloak admin console at http://localhost:8180. Credentials are admin/admin.
  2. Add Client with "Client ID" Kong.
  3. Set the "Access Type" to Confidential.
  4. Set "Valid Redirect URIs" to *.
  5. Click Save.
  6. Go to the "Credentials" tab. Copy the "Secret" and save it for later.

Now add a user:

  1. Create a user with "Username" user.
  2. Set "Email Verified" to On.
  3. Set password to password, and "Temporary" to Off.

Configure OIDC on Kong

curl -s -X POST http://localhost:8001/plugins \
  -d name=oidc \
  -d config.client_id=kong \
  -d config.client_secret=CLIENT_SECRET \
  -d config.discovery=http://HOST_IP:8180/auth/realms/master/.well-known/openid-configuration

Replace HOST_IP with your host machine's IP address (not localhost, since Kong resolves the discovery URL from inside its container) and CLIENT_SECRET with the Keycloak client secret you copied earlier.

Now when you navigate to http://localhost:8000/mock, you should be redirected to Keycloak for authentication.
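The three Admin API calls above (service, route, OIDC plugin) wrapped in a re-runnable shell script, as an added example that is not part of the bcgov/moh-iam-kong-keycloak project: it refuses a loopback HOST_IP or a missing client secret before creating anything, checks for an existing service, route and plugin so a second run does not create duplicates, and uses curl -f so a 4xx/5xx reply from Kong stops the script. KONG_ADMIN, RUN_SETUP and all function names are assumptions of this example; the paths, names and plugin settings are the ones from the steps above.

```shell
#!/bin/sh
# Added example (not the project's own code): the page's Kong Admin API calls
# as checked shell functions. KONG_ADMIN, RUN_SETUP, HOST_IP, CLIENT_SECRET
# and the function names below are assumptions of this example.
set -eu

KONG_ADMIN="${KONG_ADMIN:-http://localhost:8001}"

# Keycloak must be reachable from inside the Kong container, so an empty
# value or a loopback address (which would be the Kong container itself)
# is rejected up front.
validate_host_ip() {
  case "$1" in
    ""|localhost|127.*|::1) return 1 ;;
  esac
  return 0
}

# Client secrets are opaque; the only offline check is that a real value
# was supplied rather than the README's CLIENT_SECRET placeholder.
validate_client_secret() {
  case "$1" in
    ""|CLIENT_SECRET) return 1 ;;
  esac
  return 0
}

# OIDC discovery document of the master realm on the page's Keycloak port.
discovery_url() {
  printf 'http://%s:8180/auth/realms/master/.well-known/openid-configuration' "$1"
}

# True when the Admin API answers 200 for the given path.
kong_exists() {
  curl -s -f -o /dev/null "$KONG_ADMIN$1"
}

# POST to the Admin API; -f makes an error reply a non-zero exit, which
# set -e turns into an abort instead of a silent continue.
kong_post() {
  path="$1"; shift
  curl -s -f -X POST "$KONG_ADMIN$path" "$@"
}

setup_kong() {
  host_ip="$1" client_secret="$2"
  validate_host_ip "$host_ip" || { echo "bad HOST_IP: '$host_ip'" >&2; return 1; }
  validate_client_secret "$client_secret" || { echo "CLIENT_SECRET not set" >&2; return 1; }

  # The service is referenced by name (as the Tips section notes), so an
  # existing one is left alone.
  kong_exists /services/httpbin-service ||
    kong_post /services -d name=httpbin-service -d url=http://httpbin.org

  # Routes in this Kong version have no name, so look for the /mock path
  # in the service's route list instead.
  curl -s -f "$KONG_ADMIN/services/httpbin-service/routes" | grep -q '"/mock"' ||
    kong_post /services/httpbin-service/routes -d "paths[]=/mock"

  # One global oidc plugin; PATCH it (see Tips) rather than adding a second.
  curl -s -f "$KONG_ADMIN/plugins" | grep -q '"name":"oidc"' ||
    kong_post /plugins -d name=oidc -d config.client_id=kong \
      -d "config.client_secret=$client_secret" \
      -d "config.discovery=$(discovery_url "$host_ip")"
}

# Only talk to Kong when explicitly asked, e.g.
#   RUN_SETUP=1 HOST_IP=192.168.1.10 CLIENT_SECRET=... sh setup.sh
if [ "${RUN_SETUP:-0}" = 1 ]; then
  setup_kong "${HOST_IP:-}" "${CLIENT_SECRET:-}"
fi
```

The script leaves Keycloak untouched, so the "Valid Redirect URIs" wildcard from the client setup stays as the steps above set it; for anything beyond a local proof of concept, restrict that field to the gateway's own callback URL, since a wildcard lets any redirect target receive the authorization code.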

Tips

I ran all of the above commands in Git Bash on Windows. It has curl pre-installed and a handy utility for formatting JSON called json_pp.

curl -s http://localhost:8001 | json_pp
curl -s http://localhost:8001/services | json_pp
curl -s http://localhost:8001/routes | json_pp
curl -s http://localhost:8001/plugins | json_pp

If you muck up you'll probably need to delete or modify some things:

# Resource can be deleted by ID:
curl -s -X DELETE http://localhost:8001/services/edef33da-96fe-4c3d-8236-f3e35b3a0aaa
# Note that resources may also be referenced by "name" if you gave them one:
curl -s -X DELETE http://localhost:8001/services/httpbin-service
# You can modify configuration, you don't have to delete it:
curl -s -X PATCH http://localhost:8001/plugins/1e1637df-4718-4c7c-a412-4114ca29a41e --data "config.client_secret=c934568f-3fd3-4a21-bbfc-d8c7f97a3408"

If you need to read log files, you can use the Docker Dashboard available in the Windows task tray in the bottom right.
