I am working on a project that uses Kong as an API gateway and wants to introduce Keycloak as an IdP (Identity Provider), so the desired flow would be something like this:
- The client obtains an access token from Keycloak
- The client, with the token in hand, invokes some API, putting the token in the request header
- The request reaches Kong before the service
- Kong acts as a PEP (Policy Enforcement Point), requesting an answer from Keycloak's authorization services
- Keycloak acts as a PDP (Policy Decision Point) and checks whether the client can access the desired service based on policies and permissions
- Kong receives Keycloak's answer (yes or no) and checks whether the access can be made.
In order to achieve this objective I have developed a custom Kong plugin and adopted another called jwt-keycloak.
I have found few materials about scenarios where Keycloak works together with an API gateway, so could you guys validate whether the solution I made is correct?
The custom plugin and details about the architecture are here.
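As an added example (not the asker's plugin, and not code from the Kong or Keycloak projects), here is a minimal Kong `access`-phase handler implementing the PEP step of the flow above: it takes the bearer token the client got from Keycloak and asks Keycloak Authorization Services for a decision using the UMA ticket grant with `response_mode=decision`, which returns HTTP 200 with `{"result": true}` when the policies permit and HTTP 403 when they do not. The configuration fields (`keycloak_url`, `realm`, `resource_server_client_id`, `resource_name`, `timeout_ms`, `ssl_verify`) and the convention of using the HTTP method as the Keycloak scope are assumptions for illustration; a matching `schema.lua` declaring those fields is not shown. The plugin is given a lower PRIORITY than Kong's authentication plugins so it runs after token validation (for example by jwt-keycloak) has already rejected forged or expired tokens.

```lua
-- handler.lua: added example of a Kong plugin acting as a PEP that asks
-- Keycloak Authorization Services (the PDP) for a yes/no decision.
-- Not the asker's plugin; conf field names and the resource/scope
-- convention are assumptions.
local http = require "resty.http"

local KeycloakPepHandler = {
  -- Higher PRIORITY runs first in Kong; keep this below the auth
  -- plugins so the token has already been validated when we run.
  PRIORITY = 900,
  VERSION  = "0.1.0",
}

-- Pull the bearer token out of the Authorization header, or nil.
local function bearer_token()
  local auth = kong.request.get_header("Authorization")
  if not auth then return nil end
  return auth:match("^[Bb]earer%s+(%S+)%s*$")
end

-- Ask Keycloak for a decision. The client's own access token is sent
-- as the bearer credential of the UMA ticket grant request.
-- Returns: true (permit), false + status (deny), or nil + error
-- (PDP unreachable or unexpected reply; caller must fail closed).
local function ask_pdp(conf, token, resource, scope)
  local httpc = http.new()
  httpc:set_timeout(conf.timeout_ms or 2000)
  local url = conf.keycloak_url .. "/realms/" .. conf.realm ..
              "/protocol/openid-connect/token"
  local body = ngx.encode_args({
    grant_type    = "urn:ietf:params:oauth:grant-type:uma-ticket",
    audience      = conf.resource_server_client_id,
    response_mode = "decision",
    permission    = resource .. "#" .. scope,
  })
  local res, err = httpc:request_uri(url, {
    method  = "POST",
    body    = body,
    headers = {
      ["Authorization"] = "Bearer " .. token,
      ["Content-Type"]  = "application/x-www-form-urlencoded",
    },
    ssl_verify = conf.ssl_verify ~= false,
  })
  if not res then
    return nil, err
  end
  if res.status == 200 then
    return true
  elseif res.status == 401 or res.status == 403 then
    return false, res.status
  end
  return nil, "unexpected status " .. tostring(res.status) .. " from Keycloak"
end

function KeycloakPepHandler:access(conf)
  local token = bearer_token()
  if not token then
    return kong.response.exit(401, { message = "missing bearer token" })
  end

  -- Assumed convention: one Keycloak resource per protected route
  -- (conf.resource_name), and the HTTP method as the scope, so that
  -- "GET /orders" becomes the permission "orders#get".
  local resource = conf.resource_name
  local scope = kong.request.get_method():lower()

  local allowed, detail = ask_pdp(conf, token, resource, scope)
  if allowed == nil then
    -- Fail closed: if the PDP cannot answer, do not forward the request.
    kong.log.err("keycloak-pep: ", detail)
    return kong.response.exit(503, { message = "authorization service unavailable" })
  end
  if not allowed then
    return kong.response.exit(detail, { message = "forbidden" })
  end
  -- Permitted: fall through and let Kong proxy to the upstream service.
end

return KeycloakPepHandler
```

Two things worth checking against the asker's design: every call to the decision endpoint is a network round trip to Keycloak on the request path, so the PDP's latency and availability become the API's, and the plugin must fail closed (503 here) rather than letting traffic through when Keycloak is unreachable; and the decision call does not replace signature and expiry validation of the token, which is why it runs after jwt-keycloak rather than instead of it.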