
Is keycloak behind api gateway a good practice?

Tags: keycloak, kong

What are good arguments in favor of using or not using Keycloak behind an API gateway (Kong)?

Bro asked Mar 01 '18 18:03


1 Answer

There is a tradeoff to putting it behind the proxy: you will not be able to easily protect all of your services by applying the OIDC plugin on the global level. Instead, you will need to individually configure every service with its own OIDC plugin. This is because you will need at least one service that is not protected by the OIDC plugin so that user-agents can authenticate through that service. Unless you're planning to implement some other form of security on that service or need some other services that Kong can easily implement as requests pass through it, I don't see the point of putting Keycloak behind the proxy. That's not to say there aren't good reasons to do it, I'm just not aware of them.

I've set Keycloak up outside of the proxy, and have had good results. Here's what it looks like:

[Image: architecture with Kong, Keycloak, mobile app, and API]

I'm writing a blog post about this setup now which I will release next week. I will try to remember to update my answer here when it is complete.

Edit

Links to blog: Part 1, Part 2

jerney answered Sep 20 '22 18:09
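The trade-off described in the answer can be checked mechanically. The following is an added example, not code from the answer, Kong or Keycloak: it audits a Kong declarative configuration, held as a Python dict, for services left without an OIDC plugin and for an identity provider that ended up behind one. The plugin names `oidc` and `openid-connect` are assumptions, and the service names and URLs are constructed.

```python
# Constructed example: names, URLs and plugin identifiers are assumptions.
OIDC_PLUGINS = {"oidc", "openid-connect"}

def _is_oidc(plugin):
    return plugin.get("name") in OIDC_PLUGINS and plugin.get("enabled", True)

def _has_oidc(plugins):
    return any(_is_oidc(p) for p in plugins or [])

def audit(config, idp_service):
    """Return sorted (service, finding) pairs for a Kong declarative config dict."""
    top = [p for p in config.get("plugins", []) if _is_oidc(p)]
    # A top-level plugin with no service/route/consumer scope is global.
    global_oidc = any(
        not (p.get("service") or p.get("route") or p.get("consumer")) for p in top)
    scoped = {p["service"] for p in top if isinstance(p.get("service"), str)}
    findings = []
    for svc in config.get("services", []):
        name, routes = svc["name"], svc.get("routes", [])
        direct = name in scoped or _has_oidc(svc.get("plugins"))
        by_route = bool(routes) and all(_has_oidc(r.get("plugins")) for r in routes)
        protected = global_oidc or direct or by_route
        if name == idp_service and protected:
            findings.append(
                (name, "login endpoint is behind OIDC; user-agents cannot authenticate"))
        elif name != idp_service and not protected:
            findings.append(
                (name, "no OIDC plugin; requests reach the upstream unauthenticated"))
    return sorted(findings)

SAMPLE = {
    "services": [
        {"name": "keycloak", "url": "http://keycloak.internal:8080",
         "routes": [{"name": "auth", "paths": ["/auth"]}]},
        {"name": "orders-api", "url": "http://orders.internal:3000",
         "routes": [{"name": "orders", "paths": ["/orders"]}],
         "plugins": [{"name": "oidc"}]},
        {"name": "billing-api", "url": "http://billing.internal:3000",
         "routes": [{"name": "billing", "paths": ["/billing"]}]},  # plugin forgotten
    ],
    "plugins": [],
}

if __name__ == "__main__":
    for service, finding in audit(SAMPLE, idp_service="keycloak"):
        print(f"{service}: {finding}")
```

With Keycloak outside the proxy, the same audit can be run with an `idp_service` name that matches no service, so every proxied service is expected to carry the plugin or be covered by a global one.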