We are using two-way TLS communication between Apigee Edge and the backend server (which is exposed using NginxIngress in Kubernetes). However, we want to integrate Apigee Edge with Keycloak to secure the Apigee endpoint (e.g. https://org-name-env.apigee.net/path).
I am new to Apigee and Keycloak, and after searching a lot I am posting this question to get proper documentation on using Keycloak with Apigee Edge. Any article, community answer, suggestion, direction, documentation or POC will be helpful.
Apigee Community is a great place to ask these types of questions: https://community.apigee.com/
I'm not 100% sure about the entirety of this position, but I believe that Apigee Edge's approach to 2-way TLS on the south-bound leg is not directly extensible to support an external key-management service like KeyCloak. The Apigee trustStore and 'target endpoint' configs are largely fixed. That said, in your Apigee policies you don't have to use Apigee's concept of a target endpoint as your traffic's ultimate destination. With some additional complexity in the Edge policy definition, additional JS, etc, you could call out to KeyCloak's admin API and then use the response objects to construct your own south-bound 2-way TLS secure calls to your back-end services.
Below is the markdown document I created for this setup:
1. Generating a JWT token using Keycloak Realm Settings

Refer to this image (not reproduced here) to get the public key. Prepend -----BEGIN PUBLIC KEY----- and append -----END PUBLIC KEY----- to the copied public key to use it in the Apigee configuration and on jwt.io. Here is how a valid and usable public key looks:

```text
-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhAj9OCZd0XjzOIad2VbUPSMoVK1X8hdD2Ad+jUXCzhZJf0RaN6B+79AW5jSgceAgyAtLXiBayLlaqSjZM6oyti9gc2M2BXzoDKLye+Tgpftd72Zreb4HpwKGpVrJ3H3Ip5DNLSD4a1ovAJ6Sahjb8z34T8c1OCnf5j70Y7i9t3y/j076XIUU4vWpAhI9LRAOkSLqDUE5L/ZdPmwTgK91Dy1fxUQ4d02Ly4MTwV2+4OaEHhIfDSvakLBeg4jLGOSxLY0y38DocYzMXe0exJXkLxqHKMznpgGrbps0TPfSK0c3q2PxQLczCD3n63HxbN8U9FPyGeMrz59PPpkwIDAQAB -----END PUBLIC KEY-----
```
Refer to this post on medium.com for more details on JWT generation with Keycloak.
2. Using the VerifyJWT policy in Apigee

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="Assign-Message-1">
  <DisplayName>Assign Message-1</DisplayName>
  <Properties/>
  <AssignVariable>
    <Name>public.key</Name>
    <Value>-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhAj9OCZd0XjzOIad2VbUPSMoVK1X8hdD2Ad+jUXCzhZJf0RaN6B+79AW5jSgceAgyAtLXiBayLlaqSjZM6oyti9gc2M2BXzoDKLye+Tgpftd72Zreb4HpwKGpVrJ3H3Ip5DNLSD4a1ovAJ6Sahjb8z34T8c1OCnf5j70Y7i9t3y/j076XIUU4vWpAhI9LRAOkSLqDUubRX/ZdPmwTgK91Dy1fxUQ4d02Ly4MTwV2+4OaEHhIfDSvakLBeg4jLGOSxLY0y38DocYzMXe0exJXkLxqHKMznpgGrbps0TPfSK0c3q2PxQLczCD3n63HxbN8U9FPyGeMrz59PPpkwIDAQAB -----END PUBLIC KEY-----</Value>
    <Ref/>
  </AssignVariable>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
```
Note: it is always recommended to use a KeyValueMap instead of embedding values such as a private key or secret directly in the policy.
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT async="false" continueOnError="false" enabled="true" name="Verify-JWT-1">
  <DisplayName>Verify JWT-1</DisplayName>
  <Algorithm>RS256</Algorithm>
  <PublicKey>
    <Value ref="public.key"/>
  </PublicKey>
  <Subject>Subject from the JWT token</Subject>
  <Issuer>http://issue-of-the-token.com</Issuer>
  <Audience>aud1,aud2</Audience>
</VerifyJWT>
```
Note: additional claims can be verified using the AdditionalClaims tag.
Refer to the Apigee documentation for AssignMessage, the JWT policies, or KeyValueMap to know more.