
I want to add authentication on my Orion APIs through my Keycloak IdM. I know it is possible to use Orion together with PEP Proxy Wilma and Keyrock to do this task, and a possible workaround can be to integrate Keyrock with Keycloak at this link (7 years ago).

Do you have any news or suggestions about this?

Thank you in advance.

pasquy73

3 Answers

There is a (relatively new) solution available. Instead of Wilma, you can use the Kong API Gateway as a PEP Proxy with the FIWARE PEP plugin. That way, authentication (and authorization) can be delegated to Keycloak. You can find more on that in these 2 presentations:

  • Thank you, Stefan. I'm interested in using the quay.io/fiware/kong:0.3.3 docker image; could you provide me with all the params I need to start it? – pasquy73 Oct 03 '22 at 08:42
  • Hi, our example deployments all use helm charts (e.g. this one: https://github.com/i4Trust/tutorials/tree/main/PacketDelivery-ReferenceExample/Data-Service-Provider), thus we don't have dedicated instructions for docker. But our image is built with the official kong chart, thus you can use the official documentation: https://docs.konghq.com/gateway/latest/install/docker/ The plugin-specific configuration can be found in their folders, e.g.: https://github.com/FIWARE/kong-plugins-fiware/tree/main/kong-plugin-ngsi-ishare-policies#configuration – Stefan Wiedemann Oct 04 '22 at 10:27

I found all the params you need to run the docker image (in PowerShell):

```powershell
docker run -d --name kong-dbless `
  -v "$(pwd):/kong/declarative/" `
  -e "KONG_DATABASE=off" `
  -e "KONG_DECLARATIVE_CONFIG=/kong/declarative/kong.yml" `
  -e "KONG_PROXY_ACCESS_LOG=/dev/stdout" `
  -e "KONG_ADMIN_ACCESS_LOG=/dev/stdout" `
  -e "KONG_PROXY_ERROR_LOG=/dev/stderr" `
  -e "KONG_ADMIN_ERROR_LOG=/dev/stderr" `
  -e "KONG_ADMIN_LISTEN=0.0.0.0:8001" `
  -e KONG_LICENSE_DATA `
  -e "KONG_LOG_LEVEL=info" `
  -e "KONG_PLUGINS=bundled,pep-plugin" `
  -e "KONG_PLUGINSERVER_NAMES=pep-plugin" `
  -e "KONG_PLUGINSERVER_PEP_PLUGIN_QUERY_CMD=/go-plugins/pep-plugin -dump" `
  -e "KONG_PLUGINSERVER_PEP_PLUGIN_START_CMD=/go-plugins/pep-plugin" `
  -p 8000:8000 `
  -p 8001:8001 `
  quay.io/fiware/kong:0.3.3
```
pasquy73

And the kong.yml file is:

```yaml
_format_version: "2.1"
_transform: true

services:
  - host: "orion_ip"
    name: "orion"
    path: "/v2"
    port: 1026
    protocol: http

    routes:
      - name: orion
        paths:
          - /orion
        strip_path: true

    plugins:
      - name: pep-plugin
        config:
          authorizationendpointtype: Keycloak
          authorizationendpointaddress: https://keycloak_ip
          keycloakrealm: myrealm
          keycloakclientid: clientid
          keycloakclientsecret: clientsecret
          keycloackadditionalclaims:
            "http.fiware-servicepath": "fiware-servicepath"
            "http.fiware-service": "fiware-service"
```
pasquy73
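An added audit covering the two answers above (the docker run environment and the kong.yml), example code that is not part of either answer or of the FIWARE plugin: it takes the declarative config already parsed into a dict (as yaml.safe_load would return it) and reports services with no pep-plugin, a non-https Keycloak endpoint, a placeholder client secret, and an Admin API listener bound to all interfaces. The second, unprotected service and the placeholder-secret set are constructed assumptions.

```python
# Constructed sample mirroring the kong.yml above, plus a second service that is
# deliberately left without a pep-plugin to show that finding.
SAMPLE_CONFIG = {
    "_format_version": "2.1",
    "services": [
        {"name": "orion", "host": "orion_ip", "port": 1026, "protocol": "http",
         "routes": [{"name": "orion", "paths": ["/orion"], "strip_path": True}],
         "plugins": [{"name": "pep-plugin", "config": {
             "authorizationendpointtype": "Keycloak",
             "authorizationendpointaddress": "https://keycloak_ip",
             "keycloakrealm": "myrealm", "keycloakclientid": "clientid",
             "keycloakclientsecret": "clientsecret"}}]},
        {"name": "orion-open", "host": "orion_ip", "port": 1026, "protocol": "http",
         "routes": [{"name": "orion-open", "paths": ["/open"]}]},
    ],
}
# Constructed: the Admin API setting from the docker run command above.
SAMPLE_ENV = {"KONG_DATABASE": "off", "KONG_ADMIN_LISTEN": "0.0.0.0:8001"}
# Assumed list of values that are obviously not a real client secret.
PLACEHOLDER_SECRETS = {"", "clientsecret", "secret", "changeme"}

def audit_services(cfg):
    """Return one finding per service whose PEP policy is missing or weak."""
    findings = []
    for svc in cfg.get("services", []):
        name = svc.get("name", "<unnamed>")
        pep = [p for p in svc.get("plugins", []) if p.get("name") == "pep-plugin"]
        if not pep:  # no policy enforcement: the upstream is reachable with no token
            findings.append(f"{name}: no pep-plugin, reachable without a token")
            continue
        conf = pep[0].get("config", {})
        addr = conf.get("authorizationendpointaddress", "")
        if not addr.startswith("https://"):  # token checks would go over plaintext
            findings.append(f"{name}: Keycloak endpoint {addr!r} is not https")
        if conf.get("keycloakclientsecret", "") in PLACEHOLDER_SECRETS:
            findings.append(f"{name}: keycloakclientsecret is empty or a placeholder")
    return findings

def audit_env(env):
    """Flag an Admin API listener on all interfaces (it is unauthenticated by default)."""
    findings = []
    for entry in env.get("KONG_ADMIN_LISTEN", "off").split(","):
        host = entry.strip().split(" ")[0].rsplit(":", 1)[0]  # drop port and flags
        if host in ("0.0.0.0", "[::]", "*"):
            findings.append(f"KONG_ADMIN_LISTEN={entry.strip()}: bind the Admin API to "
                            "127.0.0.1 (and drop -p 8001:8001) unless it is firewalled")
    return findings
```

Run `audit_services(SAMPLE_CONFIG) + audit_env(SAMPLE_ENV)` to see the three findings; with the real kong.yml, load it with yaml.safe_load and pass the result instead of SAMPLE_CONFIG.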