
Secure Apigee Edge proxy with keycloak?

I am using two-way TLS communication between Apigee Edge and Backend server (which is exposed using NginxIngress in Kubernetes). However, we want to integrate Apigee Edge with Keycloak to secure the endpoint (e.g. https://org-name-env.apigee.net/path).

We have users, roles, and realms created on Keycloak and all of the users are managed through that. Credentials and tokens are also provided using Keycloak to all the developers (or Users with different roles).

How can I ask Keycloak or Apigee to verify the JWT token sent by the client without any code changes in the backend?

We want to implement Bearer only authentication. Keycloak issues the token, and then the client includes that (bearer) token in the request that is sent to Apigee Edge. We want Apigee Edge to validate that token.

I am new to Apigee and Keycloak and after searching a lot, I am posting this question to get proper documentation on using Keycloak with Apigee Edge. Any article, community answers, documentation or POC will be helpful. Thanks.

1 ACCEPTED SOLUTION

Keycloak, I believe, can act as an OpenID Connect provider.

This means that

  • Keycloak issues client credentials (client IDs and maybe secrets, or private keys)
  • Keycloak can generate an ID Token (JWT) when a user signs in

Maybe you want Apigee Edge to validate the ID Token generated by Keycloak. If so, then, in your Apigee Edge API Proxy,

  1. use the VerifyJWT policy, and specify the public key of Keycloak, or specify the JWKS that Keycloak exposes. This will verify that the token being sent in was generated by Keycloak.
  2. Once you have verified the JWT, you can examine and validate the claims. If you would like to validate the client id, you can do that. (But strictly speaking this is not necessary as Keycloak has issued the JWT, and the VerifyJWT has verified the signature. Therefore Apigee Edge can be assured that the client id is valid in the Keycloak system). You can also validate any of the other claims in the JWT - subject, audience, or whatever. All of this is up to you. Validation in this case might mean "checking the value against a range of valid values" or it could be "checking that the value exists" or ... something else. It's up to your application needs.
  3. If everything succeeds, you can proxy the call to a backend system.

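The three steps in the accepted answer, written out as an Apigee Edge VerifyJWT policy plus the flow step that attaches it. This is an added illustration, not the answerer's or Apigee's own sample; KEYCLOAK_HOST, REALM_NAME and CLIENT_ID are placeholders, and whether the realm path carries the /auth prefix depends on the Keycloak version.

```xml
<!-- apiproxy/policies/VerifyJWT-Keycloak.xml (constructed example; host, realm and client id are placeholders) -->
<VerifyJWT name="VerifyJWT-Keycloak">
  <DisplayName>VerifyJWT-Keycloak</DisplayName>
  <!-- Keycloak signs tokens with RS256 by default. Pinning the algorithm makes
       the policy reject a token whose "alg" header says anything else. -->
  <Algorithm>RS256</Algorithm>
  <!-- Source is omitted: the default is request.header.authorization and the
       policy strips the "Bearer " prefix, which matches the bearer-only flow
       described in the question. -->
  <!-- Step 1: verify the signature against the realm's JWKS. Edge picks the key
       by the token's "kid" header. Older Keycloak versions serve this under
       /auth/realms/..., newer ones under /realms/... -->
  <PublicKey>
    <JWKS uri="https://KEYCLOAK_HOST/auth/realms/REALM_NAME/protocol/openid-connect/certs"/>
  </PublicKey>
  <!-- Step 2: validate claims. Pinning the issuer to the realm rejects tokens
       minted by a different realm or a different Keycloak. -->
  <Issuer>https://KEYCLOAK_HOST/auth/realms/REALM_NAME</Issuer>
  <!-- Keycloak carries the audience in "aud" and the requesting client in "azp";
       checking "azp" is the optional client-id check the answer mentions. -->
  <Audience>account</Audience>
  <AdditionalClaims>
    <Claim name="azp" type="string">CLIENT_ID</Claim>
  </AdditionalClaims>
  <!-- exp and nbf are always enforced; tolerate a little clock skew between
       Keycloak and Edge. -->
  <TimeAllowance>30s</TimeAllowance>
</VerifyJWT>

<!-- apiproxy/proxies/default.xml (excerpt): Step 3 happens implicitly. The policy
     runs first in the request PreFlow; if it raises a fault the request never
     reaches the target, otherwise the call is proxied to the backend and the
     verified claims are available as flow variables such as
     jwt.VerifyJWT-Keycloak.decoded.claim.sub for later policies. -->
<PreFlow name="PreFlow">
  <Request>
    <Step>
      <Name>VerifyJWT-Keycloak</Name>
    </Step>
  </Request>
</PreFlow>
```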
