How to Authorize with nested JWT claims generated from Keycloak? #1952

berkslv · 2024-01-30T08:27:18Z

berkslv
Jan 30, 2024

I use Keycloak as identity and JWT token provider. I am successfully using JWT tokens generated from Keycloak for Authentication but when it comes to Authorization, Keycloak's JWT token structure cannot be used in Ocelot's RouteClaimsRequirement field in ocelot.json because Keycloak's JWT structure is similar to the following and contains many nested attributes. How can I use these nested claims? Is there a feature for this or do I need to develop a custom middleware?

{
  "exp": 1706600524,
  "iat": 1706600224,
  "auth_time": 1706597784,
  "jti": "4057d8a1-457c-4c48-a877-4d6311cb7437",
  "iss": "http://localhost:5050/identity/realms/microcommerce",
  "aud": "account",
  "sub": "18957315-668b-4bfb-8d57-e67265553029",
  "typ": "Bearer",
  "azp": "postman",
  "session_state": "736a2ddc-7092-4c18-9d36-be2b38d02f94",
  "acr": "0",
  "allowed-origins": [
    "https://oauth.pstmn.io"
  ],
  "realm_access": {
    "roles": [
      "offline_access",
      "default-roles-microcommerce",
      "uma_authorization",
      "customer"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid email profile",
  "sid": "736a2ddc-7092-4c18-9d36-be2b38d02f94",
  "email_verified": false,
  "name": "Berk Selvi",
  "preferred_username": "berkslv",
  "given_name": "Berk",
  "family_name": "Selvi",
  "email": "[email protected]"
}

Answered by berkslv

Jan 30, 2024

I solve this problem by removing nested structure in keycloak admin panel. I prepared a short blog post on how to do it. I am adding the post for future reference. Thanks for your help @raman-m!

https://medium.com/@berkslv/how-to-use-ocelot-and-keycloak-together-to-secure-microservices-from-api-gateway-1d42483f0e61

View full answer

raman-m · 2024-01-30T08:33:55Z

raman-m
Jan 30, 2024
Maintainer

Hello, @berkslv !
Try to use Claims Transformation feature.
Good luck!

1 reply

raman-m Jan 30, 2024
Maintainer

Or, forward your Keycloak token to downstream service in anonymous route not having all this Auth pain in the neck. 😉

berkslv · 2024-01-30T15:16:22Z

berkslv
Jan 30, 2024
Author

I solve this problem by removing nested structure in keycloak admin panel. I prepared a short blog post on how to do it. I am adding the post for future reference. Thanks for your help @raman-m!

https://medium.com/@berkslv/how-to-use-ocelot-and-keycloak-together-to-secure-microservices-from-api-gateway-1d42483f0e61

1 reply

raman-m Jan 31, 2024
Maintainer

Very good article! Thank you!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to Authorize with nested JWT claims generated from Keycloak? #1952

{{title}}

Replies: 2 comments 2 replies

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

How to Authorize with nested JWT claims generated from Keycloak? #1952

berkslv Jan 30, 2024

Replies: 2 comments · 2 replies

raman-m Jan 30, 2024 Maintainer

raman-m Jan 30, 2024 Maintainer

berkslv Jan 30, 2024 Author

raman-m Jan 31, 2024 Maintainer

berkslv
Jan 30, 2024

Replies: 2 comments 2 replies

raman-m
Jan 30, 2024
Maintainer

raman-m Jan 30, 2024
Maintainer

berkslv
Jan 30, 2024
Author

raman-m Jan 31, 2024
Maintainer