Configure Keycloak as an OpenID Connect provider under Azure APIM

Akshay Shinde
3 min read · Dec 15, 2022

Business requirement:

Configure Keycloak (an open-source identity and access management solution) as an OpenID Connect provider under an Azure APIM instance and validate the Keycloak-issued tokens in Azure APIM.

About Keycloak:

Keycloak is an open source Identity and Access Management tool with features such as Single-Sign-On (SSO), Identity Brokering and Social Login, User Federation, Client Adapters, an Admin Console, and an Account Management Console.

Solution:

For this requirement we are going to set up an OpenID Connect provider in APIM and link it to our API. For token validation we will use the built-in APIM policy ‘validate-jwt’.

Let’s start with the related configuration! 🙂

Assume we already have the Keycloak details: the OpenID metadata URL, the client ID and the client secret.

So the next step is to create a new OpenID Connect provider under our APIM instance.

The Keycloak OpenID details are as below:

Metadata endpoint URL: https://keycloakhost:keycloakport/auth/realms/{realm}/.well-known/openid-configuration

Use https here: APIM fetches the token signing keys (JWKS) from this document, so a plaintext URL would let anyone on the network path substitute keys. Also note that Keycloak 17 and later (the Quarkus distribution) drop the ‘/auth’ path prefix by default, so on those versions the path is /realms/{realm}/.well-known/openid-configuration.

For example, if the realm name is ‘demo’ then the metadata endpoint URL will be:

https://akshay-kc-demo.com/auth/realms/demo/.well-known/openid-configuration

Client_Id: your Keycloak client ID

Client_secret: your Keycloak client secret 🤫

Please follow the steps below to create a new OpenID Connect provider using the above metadata endpoint URL, Client_Id and Client_secret.

Step by step process to create a new OpenID Connect provider (steps 1–7)

For example, we have created an OpenID Connect provider named ‘real-kc-opid’. The next step is to configure this newly created OpenID Connect provider ‘real-kc-opid’ under the API.

Below are the steps to set up the OpenID Connect provider ‘real-kc-opid’ under the API.

Step by step process to link your API with the newly created OpenID Connect provider (steps 8–13)

So far we have linked the OpenID Connect provider to our API. Note that this linking only tells the developer portal and test console how to obtain a token from Keycloak; it does not check anything on incoming requests. So we still need to validate the access/identity token coming from Keycloak in our APIM instance.

Hence, we will use the APIM policy ‘validate-jwt’ and provide the related values under it. You can add this policy in the inbound section (at the API or operation level) as below, referencing your OpenID configuration URL and the claim you want to check.
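Here is a complete inbound policy for this setup, written as an added example (it is not the policy from the original post). It assumes the example realm URL https://akshay-kc-demo.com/auth/realms/demo from above, and ‘your-client-id’ is a placeholder for the Keycloak client ID.

```xml
<policies>
    <inbound>
        <base />
        <!-- Reject the request with 401 unless the Authorization header carries a
             valid, signed, unexpired JWT issued by the Keycloak realm below. -->
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid."
                      require-scheme="Bearer"
                      require-expiration-time="true"
                      require-signed-tokens="true"
                      clock-skew="0">
            <!-- APIM reads jwks_uri from this document and caches the realm's signing keys. -->
            <openid-config url="https://akshay-kc-demo.com/auth/realms/demo/.well-known/openid-configuration" />
            <!-- Pin the issuer: this is the realm URL Keycloak puts in the 'iss' claim. -->
            <issuers>
                <issuer>https://akshay-kc-demo.com/auth/realms/demo</issuer>
            </issuers>
            <!-- 'azp' is the client that requested the token; 'your-client-id' is a placeholder.
                 Replace it with the Client_Id configured in Keycloak. -->
            <required-claims>
                <claim name="azp" match="any">
                    <value>your-client-id</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Two things to watch when adapting this. First, pinning ‘issuers’ matters because the policy otherwise accepts any token whose key it can fetch from the metadata document, and a misconfigured or shared Keycloak instance may serve more than one realm. Second, if you add an ‘audiences’ element with your client ID, remember that Keycloak access tokens do not carry the client ID in ‘aud’ by default (the default value is ‘account’); you need an audience mapper on the client scope, otherwise every request will fail with 401 even though the token is valid.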

We are done with the related setup and can test it in the Azure portal by providing a valid access/identity token.

Test-1:

Request with a valid Bearer token

Response: 200 OK

As shown above, our OpenID Connect setup is working as expected and the APIM policy is validating the configured claim. Cool! 😎 Now let’s try an invalid token test case.

Test-2:

Request with an invalid Bearer token (we added ‘demo_’ as a prefix to the existing token)

Response: 401 Unauthorized

Because we manipulated a working token, it is no longer a valid signed JWT (the header segment does not decode correctly and the signature no longer matches), so the APIM policy rejects it and returns 401 Unauthorized.

Hence, we have tested both the valid and the invalid token case and get the expected responses. 🙂

Thanks for reading my article till the end. Stay tuned and follow me for more updates. Don’t forget to give your 👏 if you really enjoyed reading this article, just to support your author, and please share it with your friends..! 🙂

Thanks — Akshay Shinde
