Flow for Introspection #220

Open
RobWagMLP opened this issue Apr 18, 2024 · 0 comments
RobWagMLP commented Apr 18, 2024

Hi,
I know this is not really maintained anymore, but out of desperation I'd have a question that maybe someone could answer quite quickly.

I have a setup with Kong and Keycloak and I use that plugin since it seems to be the only available one that is free and works atm.
I configured multiple services with it, and here is what I want to achieve:
I have a frontend path web/app that is protected by oidc, so when accessing this path unauthenticated, the login UI is fired and the user can log in. Great, that's what I want.
Then I have a backend running under /api/private... That one should of course also be secured. So when sending requests there with the session cookie activated, all works well; in the backend the auth headers are received and all that.
But when the session expires, and the FE is sending a request to the backend because it doesn't know yet, it gets redirected to the Keycloak login UI. That's actually not the behaviour I want for a REST API request. I would like it to respond with a 401, and only do the redirect to the login UI when I actually visit web/app in the browser.
So I tried to configure that backend service with bearer_only, to avoid that redirect, and only introspect the tokens and then pass or deny my request.
But it seems this is expecting an Authorization header with the access token, which makes it quite useless for me, since I have all this to avoid the frontend having to manage the token flow.
Is this really the intended behaviour, or is there a setup I could configure that does what I want, so only when an unauthenticated request goes to web/app I want to see the login UI, and in any other case I want a 401? Authenticated requests with a proper session cookie should be passed in both cases.

It would be great if I could get some hint, since I would expect that to be a pretty standard use case, and I can't imagine there is no option for that :)
Thanks

here's the config

  # Backend route: bearer_only so that unauthenticated requests are not redirected
  - name: api-private
    paths:
      - /api/private
    service: api-private-service
    plugins:
      - name: oidc
        config:
          client_id: ${client_id}
          client_secret: ${client_secret}
          discovery: ${baseurl}/realms/${realm}/.well-known/openid-configuration
          introspection_endpoint: ${baseurl}/realms/${realm}/protocol/openid-connect/token/introspect
          logout_path: ${baseurl}/realms/${realm}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri
          bearer_only: "yes"

  # Frontend route: interactive login via the OIDC authorization code flow
  - name: web-private
    paths:
      - /web/app
    service: web-service-private
    plugins:
      - name: oidc
        config:
          client_id: ${client_id}
          client_secret: ${client_secret}
          discovery: ${baseurl}/realms/${realm}/.well-known/openid-configuration
          logout_path: ${baseurl}/realms/${realm}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri
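The behaviour asked for above, written out as an added illustration that is not part of the issue and not the kong-oidc plugin's own code: a small gateway policy that resolves the token from either the session cookie or an Authorization header, checks it through a stand-in for the RFC 7662 introspection call, passes authenticated requests on both routes, and for unauthenticated requests answers 401 with a WWW-Authenticate header on the API route but redirects to the login UI on the browser route. The route names and paths come from the config above; the authorization endpoint, client id, redirect URI and the token table are constructed sample values.

```python
"""Added example (not kong-oidc's code): per-route handling of unauthenticated
requests, 401 for the API route and a login redirect for the browser route,
while a valid session or bearer token passes on both."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlencode

# Constructed sample values; a real gateway reads these from the discovery document.
AUTHORIZATION_ENDPOINT = "https://idp.example/realms/demo/protocol/openid-connect/auth"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://gw.example/web/app/callback"


@dataclass
class Session:
    access_token: str  # token bound to the session cookie


@dataclass
class Route:
    name: str
    path_prefix: str
    interactive: bool  # True: unauthenticated browser users are sent to the login UI


@dataclass
class Request:
    path: str
    session: Optional[Session] = None  # present when a valid-looking session cookie was sent
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


# Mirrors the two routes from the issue's config
ROUTES = [
    Route("api-private", "/api/private", interactive=False),
    Route("web-private", "/web/app", interactive=True),
]


def introspect(token: str, now: float, active_tokens: dict) -> bool:
    """Stand-in for an RFC 7662 introspection call. `active_tokens` (constructed)
    maps token -> expiry epoch seconds; the IdP would report `"active": true/false`."""
    exp = active_tokens.get(token)
    return exp is not None and exp > now


def match_route(path: str) -> Optional[Route]:
    return next((r for r in ROUTES if path.startswith(r.path_prefix)), None)


def authorize(req: Request, now: float, active_tokens: dict) -> Response:
    route = match_route(req.path)
    if route is None:
        return Response(404)

    # Take the token from the session cookie first, otherwise from a bearer header
    token = None
    if req.session is not None:
        token = req.session.access_token
    else:
        auth = req.headers.get("Authorization", "")
        if auth.startswith("Bearer "):
            token = auth[len("Bearer "):]

    if token and introspect(token, now, active_tokens):
        # Authenticated on either route: pass upstream with the token forwarded
        return Response(200, {"X-Access-Token": token})

    if route.interactive:
        # Browser route: start the authorization code flow
        params = {"client_id": CLIENT_ID, "response_type": "code",
                  "redirect_uri": REDIRECT_URI, "scope": "openid"}
        return Response(302, {"Location": f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"})

    # API route: never redirect; tell the client how to authenticate (RFC 6750)
    challenge = f'Bearer realm="{route.name}"'
    if token:
        challenge += ', error="invalid_token"'
    return Response(401, {"WWW-Authenticate": challenge})
```

The point the example makes is that the redirect-versus-401 decision is a property of the route, not of where the token came from: the same session-bound token is accepted on both routes, and only the failure branch differs. A frontend can then treat a 401 from /api/private as "re-enter the login flow" without ever handling tokens itself.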