refarch: keycloak integration with Amazon API Gateway
pahud opened this issue
Let's create a reference architecture for the keycloak integration with Amazon API Gateway.
Any public document, links or references are appreciated.
References
- https://stackoverflow.com/questions/54016659/how-to-configure-keycloak-in-aws-api-gateway
- https://amazonaws-china.com/blogs/security/use-aws-lambda-authorizers-with-a-third-party-identity-provider-to-secure-amazon-api-gateway-rest-apis/
- 👍 https://www.npmjs.com/package/keycloak-lambda-authorizer
- https://argoproj.github.io/argo-cd/operator-manual/user-management/keycloak/
- 👍 https://aws.amazon.com/cn/blogs/china/combining-authing-to-realize-identity-authentication-and-authorization-on-aws/
- https://github.com/aws-samples/aws-serverless-workshops
- 👍 https://www.keycloak.org/docs/latest/securing_apps/#validating-access-tokens
- https://www.scottbrady91.com/OpenID-Connect/OpenID-Connect-Flows
- Keycloak Authorization Services Guide (Part 1)
- Keycloak Authorization Services Guide (Part 2)
This is useful:
API login and JWT token generation using Keycloak
https://developers.redhat.com/blog/2020/01/29/api-login-and-jwt-token-generation-using-keycloak/
We should be able to generate the JWT token like above, and the client sends the JWT token as the Bearer
token to API Gateway, followed by the token validation by the custom authorizer Lambda, which returns the IAM policy.
For the JWT token validation, I believe there should be existing libraries but technically it's possible to validate with the public key like this:
https://stackoverflow.com/questions/54884938/generate-jwt-token-in-keycloak-and-get-public-key-to-verify-the-jwt-token-on-a-t