DEV Community

Securing your site via OIDC, powered by Kong and KeyCloak

Robin Cher on January 19, 2022

Quick sharing on how you can further secure your api or endpoints with OIDC, and powered by Kong and Keycloak. The examples shared are all open-sou...
 
rajeesh-cs • Edited

Hi Robin,

I have followed the docs and installed Kong with customised OIDC plugin.

However, when the kong-crds.yaml is getting deployed it shows the CRD error.

```
resource mapping not found for name: "oidc" namespace: "" from "kubernetes/kong-crds.yaml": no matches for kind "KongClusterPlugin" in version "configuration.konghq.com/v1"
ensure CRDs are installed first
resource mapping not found for name: "cors" namespace: "" from "kubernetes/kong-crds.yaml": no matches for kind "KongClusterPlugin" in version "configuration.konghq.com/v1"
ensure CRDs are installed first
resource mapping not found for name: "request-transformer" namespace: "" from "kubernetes/kong-crds.yaml": no matches for kind "KongClusterPlugin" in version "configuration.konghq.com/v1"
ensure CRDs are installed first
```

Does the custom Kong install Ingress Controller as well?

I have followed the instructions as in the document. Does the CRD require the Ingress component? Or does the Dockerfile provide only the core Gateway?

Robin Cher

Did you include the required custom plugins?

```
export KONG_PLUGINS=bundled,oidc
```

There are some updates to Kong KIC API, do have a look.

rajeesh-cs

Correct. I have included it in the Helm chart and it started working. Thanks!

Robin Cher

Happy to hear that, thanks for using Kong :)

BERMUDA 2448 • Edited

Where do I include the required custom plugins? When the kong-deployment.yaml file is applied to the cluster, no 'kong' ingress-class is created. Please help. I followed the steps mentioned above, but at the end the ingress object is created but does not respond to external requests.

rajeesh-cs

Hi Robin,

This is a different topic.

I need to validate the Kong route with the Keycloak authorisation configurations.
For example, there is an enforce set of methods available in the **keycloak-connect plugin** npmjs.com/package/keycloak-connect.... The above methods work according to the Authorisation configuration in the Keycloak Client, which consists of Resources, Policies, Permissions and Scopes.

Just wondering, are similar features available in either OIDC or any other plugins in Kong?

-Rajeesh

Zaryab Raza Malghani • Edited

Hi Robin, hope you are fine.
I've followed your article and set up the kong-ingress with both keycloak and sample-echo-app, also doing the configuration of the oidc plug-in in kong-crds.yml as provided in the article. When I run echo-app with kong plug-ins (specifically the oidc plugin), it throws a 404 Not Found error while accessing the sample-app url path.

I debugged the app and removed the oidc plugin from the annotations in the ingress config of sample-oidc.yml, and it starts working fine. So, I came to the conclusion that there might be an error in the kong-plugin (the one that we configure in kong-crds.yml). Can you please debug it for me? I'll send you all the config files that I am using so you can quickly run them on your side.

Hope you are having a good day and waiting for your reply, thanks.

Robin Cher

Hi, as this is the custom plugin provided by a third party, it is better to check with them about the update changes. github.com/revomatico/kong-oidc

Kevin

Does this plugin support route-level OIDC?

Ayushi choudhary

Hi Robin, I have done the same things, but when I open the site it's not redirecting to Keycloak. Can you help with what I am doing wrong?

Robin Cher

Can you share with me your ingress and Kong plugin set-up?