Use OIDC Plugin to Read Info From Keycloak for Rate Limiting and ACL
In my previous post, I talked about using the OIDC plugin to protect API services and further control access with consumer mapping. However, consumer mapping requires Kong consumer objects, which may not be practical if you have hundreds of users on the IdP (Keycloak) and you need to limit their access with rate limiting or ACL.
Fortunately Kong's OIDC plugin supports mapping users from the IdP to virtual credentials in Kong, so rate limiting and ACL can key on the user without a consumer object per user.
In today's post, I will show you how to read users and their groups from the IdP and use the Rate Limiting and ACL plugins to limit access.
Prerequisites:
- Kong Gateway (Enterprise)
- An OIDC server is running (Keycloak in my example). If you are not sure how to set up Keycloak, check my previous post.
Prepare Kong
I am running the latest Kong Gateway (Enterprise), version 2.3.3.2.
Create service
Define a service object in Kong and use your API server as the upstream. In this example I will use httpbin.
```
curl -X POST \
```
Create Route
Next we will create a route with the path /demo to access our service.
```
curl -X POST \
```
Enable OIDC plugin
```
curl --request POST \
```
Let me explain these settings in detail. issuer, client_id and client_secret are self-explanatory, so I will skip them.
config.auth_methods=bearer
This means I am using bearer as the auth method: in my API calls I will pass a JWT id_token in the Authorization header (Authorization: Bearer <id_token>). The OIDC plugin validates the token against the issuer before any of the settings below are applied.
config.credential_claim=preferred_username
This setting is similar to consumer_claim, except that it reads the claim value as a virtual credential instead of looking up a Kong consumer. In this example, the value of preferred_username becomes the virtual credential.
config.authenticated_groups_claim=groups
This setting reads group names from the groups claim in the token, and you can then use the ACL plugin's config.allow or config.deny to control access by group. Note that Keycloak does not add a groups claim to tokens by default; the client needs a Group Membership mapper, and if that mapper's Full group path option is on, the claim values are paths such as /admin rather than admin, so the ACL lists must match that form.
Enable Rate Limiting plugin
```
curl --request POST \
```
For the Rate Limiting Advanced plugin:
```
curl --request POST \
```
The rate limiting plugins get the credential from the OIDC plugin and keep a separate counter for each credential. Make sure the limit is keyed by credential (config.limit_by=credential for Rate Limiting, config.identifier=credential for Rate Limiting Advanced); otherwise the counter is keyed by consumer or client IP, and there is no consumer object in this setup.
For example, if the OIDC plugin reads the preferred_username values test and admin, these two users each get their own limit.
Enable ACL plugin
```
curl --request POST \
```
Let's say my token contains a groups claim:
```
...
```
The ACL plugin takes the authenticated groups from the OIDC plugin and allows or denies access based on the groups we set in config.allow or config.deny (the two options are mutually exclusive; configure one or the other). In the above example, only users in the admin group can access the API service.
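To see what the gateway will actually key on before you wire up Keycloak, here is an added example (not Kong's code, and not from the original post) that models the chain described above: it parses a bearer token from the Authorization header, takes preferred_username as the virtual credential and groups as the authenticated groups, applies an ACL allow/deny list, and keeps a fixed-window counter per credential. The tokens are constructed locally with an empty signature; signature verification is deliberately left out, since in Kong the OIDC plugin verifies the JWT against the issuer's JWKS before ACL and rate limiting run. Function names, the two-request limit and the window size are this example's own choices.

```python
"""Model of Kong's OIDC -> ACL -> rate limiting chain for a bearer token.

Added example, not Kong's implementation. It mirrors the page's settings
(credential_claim=preferred_username, authenticated_groups_claim=groups) and
the behaviour the page describes for ACL and per-credential rate limiting.
Signature verification is intentionally omitted here.
"""
import base64
import json
import time

CREDENTIAL_CLAIM = "preferred_username"  # config.credential_claim
GROUPS_CLAIM = "groups"                  # config.authenticated_groups_claim


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims):
    """Build a constructed demo token (alg 'none', empty signature).

    Only for feeding the model below: Kong would reject an unsigned token.
    """
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def claims_from_authorization(header_value):
    """Parse 'Bearer <jwt>' (the Authorization header value) into its claims."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("expected 'Authorization: Bearer <token>'")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def virtual_credential(claims):
    """What credential_claim=preferred_username yields for this token."""
    value = claims.get(CREDENTIAL_CLAIM)
    if not isinstance(value, str) or not value:
        raise ValueError(f"token has no usable {CREDENTIAL_CLAIM!r} claim")
    return value


def acl_decision(claims, allow=(), deny=()):
    """ACL as the page uses it: an allow-list or a deny-list of group names."""
    if allow and deny:
        raise ValueError("configure either allow or deny, not both")
    groups = set(claims.get(GROUPS_CLAIM) or [])
    if deny:
        return groups.isdisjoint(deny)
    return bool(groups & set(allow))


class PerCredentialLimiter:
    """Fixed-window counter keyed by credential (cf. limit_by=credential)."""

    def __init__(self, limit, window_seconds=60):
        self.limit = limit
        self.window = window_seconds
        self._counts = {}

    def allow(self, credential, now=None):
        now = time.time() if now is None else now
        key = (credential, int(now // self.window))
        self._counts[key] = self._counts.get(key, 0) + 1
        return self._counts[key] <= self.limit


def handle_request(header_value, allow=("admin",), limiter=None, now=None):
    """Return 'ok', 'forbidden' or 'rate-limited' for one request.

    ACL is evaluated before the limiter, matching Kong's plugin ordering
    (ACL has a higher priority than the rate limiting plugins).
    """
    claims = claims_from_authorization(header_value)
    credential = virtual_credential(claims)
    if not acl_decision(claims, allow=allow):
        return "forbidden"
    if limiter is not None and not limiter.allow(credential, now):
        return "rate-limited"
    return "ok"


if __name__ == "__main__":
    # Constructed tokens mirroring the page's two users.
    admin = make_unsigned_jwt({"preferred_username": "admin", "groups": ["admin"]})
    test = make_unsigned_jwt({"preferred_username": "test", "groups": ["users"]})
    limiter = PerCredentialLimiter(limit=2)
    for token in (admin, admin, admin, test):
        print(handle_request(f"Bearer {token}", limiter=limiter, now=0))
```

Point claims_from_authorization at a real id_token from Keycloak to confirm the token carries a non-empty preferred_username and a groups list in the exact form your ACL lists expect; a missing mapper shows up here as an empty group set, which the allow-list then rejects.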
That’s all I want to cover today.