stackoom
  简体   繁体   中英

Secure Apigee Edge proxy with keycloak?

 原文  2019-02-23 09:00:50       rest/ keycloak/ apigee

Question

We are using two-way TLS communication between Apigee Edge and Backend server (which is exposed using NginxIngress in Kubernetes). However, we want to integrate Apigee Edge with keycloak to secure the Apigee Endpoint endpoint (eg https://org-name-env.apigee.net/path ).

I am new to Apigee and Keycloack and after searching a lot, I am posting this question to get proper documentation on using Keycloak with Apigee Edge. Any article, community answers, suggestions, direction, documentation or POC will be helpful.

2 answers

solution1
 1  2019-02-26 17:33:35

Apigee Community is a great place to ask these type questions https://community.apigee.com/

I'm not 100% sure about the entirety of this position, but I believe that Apigee Edge's approach to 2-way TLS on the south-bound leg is not directly extensible to support an external key-management service like KeyCloak. The Apigee trustStore and 'target endpoint' configs are largely fixed. That said, in your Apigee policies you don't have to use Apigee's concept of a target endpoint as your traffic's ultimate destination. With some additional complexity in the Edge policy definition, additional JS, etc, you could call out to KeyCloak's admin API and then use the response objects to construct your own south-bound 2-way TLS secure calls to your back-end services.

solution2
 1 ACCPTED  2019-03-05 11:23:29

Below is the document I created to do the setup and created a markdown document for the same which looks something like below:

1 Generating JWT token using KeyCloak
  • Assuming the basic setup of KeyCloak like Realm, Roles, Users etc being done, create JWT token for a user. (You can validate this JWT token from jwt.io using the public key of KeyCloak realm to make sure the JWT token is valid and signed). The public key can be found in Realm Settings . Refer to this image to get the public key.
    Add -----BEGIN PUBLIC KEY----- and append -----END PUBLIC KEY----- to this copied public key to use it in Apigee configuration and on jwt.io. Here is how a valid and usable public key will look like : 
 -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhAj9OCZd0XjzOIad2VbUPSMoVK1X8hdD2Ad+jUXCzhZJf0RaN6B+79AW5jSgceAgyAtLXiBayLlaqSjZM6oyti9gc2M2BXzoDKLye+Tgpftd72Zreb4HpwKGpVrJ3H3Ip5DNLSD4a1ovAJ6Sahjb8z34T8c1OCnf5j70Y7i9t3y/j076XIUU4vWpAhI9LRAOkSLqDUE5L/ZdPmwTgK91Dy1fxUQ4d02Ly4MTwV2+4OaEHhIfDSvakLBeg4jLGOSxLY0y38DocYzMXe0exJXkLxqHKMznpgGrbps0TPfSK0c3q2PxQLczCD3n63HxbN8U9FPyGeMrz59PPpkwIDAQAB -----END PUBLIC KEY-----

Refer this post from medium.com for more details on JWT generation with KeyCloak.

2 Using VerifyJWT policy in Apigee
  • Assuming basic Apigee policy created for the server endpoint, add a AssignMessage policy to give the public key in the PreFlow section of the Proxy, so that all the requests will go via this policy and a public key of KeyCloak will be assigned to a variable.
    Click here to know more about configuring flows in Apigee.
    AssignMessage policy XML will look something like this: 
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <AssignMessage async="false" continueOnError="false" enabled="true" name="Assign-Message-1"> <DisplayName>Assign Message-1</DisplayName> <Properties/> <AssignVariable> <Name>public.key</Name> <Value>-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhAj9OCZd0XjzOIad2VbUPSMoVK1X8hdD2Ad+jUXCzhZJf0RaN6B+79AW5jSgceAgyAtLXiBayLlaqSjZM6oyti9gc2M2BXzoDKLye+Tgpftd72Zreb4HpwKGpVrJ3H3Ip5DNLSD4a1ovAJ6Sahjb8z34T8c1OCnf5j70Y7i9t3y/j076XIUU4vWpAhI9LRAOkSLqDUubRX/ZdPmwTgK91Dy1fxUQ4d02Ly4MTwV2+4OaEHhIfDSvakLBeg4jLGOSxLY0y38DocYzMXe0exJXkLxqHKMznpgGrbps0TPfSK0c3q2PxQLczCD3n63HxbN8U9FPyGeMrz59PPpkwIDAQAB -----END PUBLIC KEY-----</Value> <Ref/> </AssignVariable> <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables> <AssignTo createNew="false" transport="http" type="request"/> </AssignMessage>

Note: It is always recommended to use KeyValueMap instead of directly using the values like private key or secret etc.

  • Next step is to use JWTPolicy to verify the JWT token using the public key assigned in the previous step. Mention the variable name which has the public key as its value in PublicKey tag. The final XML file will look something like below. 
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <VerifyJWT async="false" continueOnError="false" enabled="true" name="Verify-JWT-1"> <DisplayName>Verify JWT-1</DisplayName> <Algorithm>RS256</Algorithm> <PublicKey> <Value ref="public.key"/> </PublicKey> <Subject>Subject from the JWT token</Subject> <Issuer>http://issue-of-the-token.com</Issuer> <Audience>aud1,aud2</Audience> </VerifyJWT>

Note : Additional inputs can be verified using AdditionalClaims tag.
Click on AssignMessage , JWTPolicy or KeyValueMap to know more.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Apigee - Issue while configuring an API Proxy One Apigee Api Proxy with a different target endpoint for each environment How to secure REST API of my JEE project with Keycloak? Can't access REST service with valid keycloak token after secure with keycloak How to access apigee endpoint? extract a queryparam with $ symbol in apigee consume REST service using apigee How to pass dynamic values to Apigee with key? Keycloak admin user creation Apigee; Rest > Soap (using POST), json payload parameters are not propagated
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM