Problem of integration krakend with keycloak

Question

I have keycloak bitnami chart and krakend deployed in in k8s. Also I have a test api, and I want being authenticated before access it. I'm able to get valid jwt token from keycloak, but when I'm trying to access my api through krakend, it returns 401 error Any help is really appreciated.

Software versions: keycloak: 16.1.1 crakend: 2.0.4

{
  "$schema": "https://www.krakend.io/schema/v3.json",
  "version": 3,
  "timeout": "3000ms",
  "cache_ttl": "300s",
  "output_encoding": "json",
  "port": 8080,
  "endpoints": [
      {
          "endpoint": "/mock/parents/{id}",
          "method": "GET",
          "input_headers": [
             "Authorization"
           ],
          "extra_config": {
              "auth/validator": {
                  "alg": "RS256",
                  "jwk-url": "http://keycloak-headless:8080/auth/realms/master/protocol/openid-connect/certs",
                  "disable_jwk_security": true,
                  "roles_key_is_nested": true,
                  "roles_key": "realm_access.roles",
                  "roles": ["test-app-parent"],
                  "operation_debug": true
              }
          },
          "output_encoding": "json",
          "concurrent_calls": 1,
          "backend": [
              {
                  "url_pattern": "/parents/{id}",
                  "encoding": "json",
                  "sd": "static",
                  "extra_config": {},
                  "host": [
                    "http://testapp-service:8400"
                  ],
                  "disable_host_sanitize": false,
                  "blacklist": [
                      "super_secret_field"
                  ]
              },
              {
                  "url_pattern": "/siblings/{id}",
                  "encoding": "json",
                  "sd": "static",
                  "extra_config": {},
                  "host": [
                      "http://testapp-service:8400"
                  ],
                  "blacklist": [
                      "sibling_id"
                  ],
                  "group": "extra_info",
                  "disable_host_sanitize": false
              },
              {
                  "url_pattern": "/parents/{id}/children",
                  "encoding": "json",
                  "sd": "static",
                  "extra_config": {},
                  "host": [
                      "http://testapp-service:8400"
                  ],
                  "disable_host_sanitize": false,
                  "mapping": {
                      "content": "cars"
                  },
                  "whitelist": [
                      "content"
                  ]
              }
          ]
      },
      {
          "endpoint": "/mock/bogus-new-api/{path}",
          "method": "GET",
          "extra_config": {
              "auth/validator": {
                  "alg": "RS256",
                  "jwk-url": "http://keycloak-headless:8080/auth/realms/master/protocol/openid-connect/certs",
                  "disable_jwk_security": true
              },
              "github.com/devopsfaith/krakend/proxy": {
                  "static": {
                      "data": {
                          "new_field_a": 123,
                          "new_field_b": [
                              "arr1",
                              "arr2"
                          ],
                          "new_field_c": {
                              "obj": "obj1"
                          }
                      },
                      "strategy": "always"
                  }
              }
          },
          "output_encoding": "json",
          "concurrent_calls": 1,
          "backend": [
              {
                  "url_pattern": "/not-finished-yet",
                  "encoding": "json",
                  "sd": "static",
                  "extra_config": {},
                  "host": [
                      "nothing-here"
                  ],
                  "disable_host_sanitize": false
              }
          ]
      }
  ]
 }

Can your KrakenD container access your 'keycloak-headless' container? If the jwk-url is not accessible from Kraken, then you'll get a 401. — gna, May 13 '22 at 06:48
have you got the fix for this issue. i am also getting the same 401 when try to access backend using api-gateway karkend — Waqas Ahmed, May 21 '22 at 14:47
Did you try with following "jwk_url" (removing "auth/")? http://keycloak-headless:8080/realms/master/protocol/openid-connect/certs To verify visit the address http:///realms//protocol/openid-connect/certs — tommynicoletti, Jun 07 '22 at 16:13

score 0 · Answer 1 · answered Jul 11 '22 at 15:44

0

Oh my God this made me go insane.

In one of the last version updates they changed jwk-url to jwk_url.

https://github.com/krakendio/krakend-ce/issues/495#issuecomment-1138397005

After I fixed that it worked for me.

answered Jul 11 '22 at 15:44

tpaul1611

151
6

score 0 · Answer 2 · answered Dec 16 '22 at 20:29

0

It worked for me after I changed "jwk_url": "http://KEYCLOAK-SERVICE-NAME:8080/auth/realms/master/protocol/openid-connect/certs" to "jwk_url": "http://host.docker.internal:8080/auth/realms/master/protocol/openid-connect/certs"

answered Dec 16 '22 at 20:29

V1P3RRR

1
2

Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Dec 25 '22 at 12:00

Problem of integration krakend with keycloak

2 Answers2