Auth with Nginx and Keycloak - Do I need OAuth2 Proxy?

Sorry if this is a dumb question.

I want to have a quick look at using KeyCloak as IDP, and I have Nginx set up. Basically, I want to have role-based access control for different routes. Some users should have access to certain routes, while others should have access to different routes.

My main question is: Can Keycloak alone handle this scenario, or do I need an OAuth2 proxy as well? I've seen a lot of tutorials that integrate OAuth2 proxy with Nginx and Keycloak, and I'm trying to understand the reasons behind this setup.

Why can't Nginx and Keycloak together solve this authentication and authorization issue? Is there a specific reason for introducing OAuth2 proxy into the mix?

Ideally, I would like to keep things simple and avoid adding unnecessary components. If Nginx and Keycloak can handle role-based access control for different routes without the need for OAuth2 proxy, that would be great.

Thank you in advance for your help!


You need oauth2-proxy if the app does not already support OAuth/OIDC. You can use a native library with bespoke code to enable OAuth, in which case you won't need a proxy.

By native library you mean something like this? https://github.com/authts/oidc-client-ts


You don't strictly need it. You can use whatever library for your framework and jump through the auth flow. Or handle it yourself server side and hand a session off to the user.

You'll also have trouble with it if you plan on supporting multiple tenants via realms because the issuer will differ between them.

So what are the benefits of having a library integrated like (https://github.com/authts/oidc-client-ts) versus having this Oauth2Proxy in front?


When authenticating, there needs to be something on the server (backend) which authenticates and authorizes the request for the given route. You said you are using NGINX, but didn't explain what else (if anything) is part of your backend tech stack.

If you are solely using NGINX in your tech stack and have no custom code, then using OAuth2 Proxy or a similar project is your ONLY option. Make sure you put this in front of NGINX.

If you are using NGINX to forward some requests which are unauthenticated and some which are authenticated, and ALL authenticated requests go to a backend server where you wrote the code, then you could use a native library for OAuth2 for your code. For example, if your code is in C# then google "C# OAuth2 server library" and you'll find several options.

If you want every route to be authenticated, and some requests go to static files and others to another place, then you need OAuth2 Proxy because if you authenticate in server code then you'll not have authentication for those static files.

When authenticating, there needs to be something on the server (backend) which authenticates and authorizes the request for the given route

Thanks for your reply. Regarding the above sentence, why does there always need to be a backend server? I think this is not always the case, for example, with native mobile (Android, iOS) apps, there is no server, but one can still authenticate. Am I correct?


Make sure you put this in front of NGINX.

Again, this is wrong. You can perfectly still have nginx as the public-facing gateway and use its auth_request directive to forward authentication to oauth2-proxy from within. And this is by far the most popular setup on kubernetes installations, basically the standard.
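The auth_request setup this reply describes, written out as an added example (not from the thread or from the oauth2-proxy project's own docs). It assumes oauth2-proxy 7.x on 127.0.0.1:4180 started with the keycloak-oidc provider and --set-xauthrequest, backends on 127.0.0.1:8080 and :8081, the allowed_groups query parameter on /oauth2/auth, and Keycloak roles surfaced as groups named role:<name>:

```nginx
# Added example (not from the thread): nginx stays the public gateway and
# delegates the auth decision to oauth2-proxy through auth_request.
# Assumed: oauth2-proxy on 127.0.0.1:4180 with the keycloak-oidc provider and
# --set-xauthrequest, apps on 127.0.0.1:8080 and :8081, roles as groups "role:<name>".
server {
    listen 443 ssl;
    server_name app.example.com;
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # oauth2-proxy's own endpoints: sign-in page, OIDC callback, sign-out
    location /oauth2/ {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    # subrequest target: 202 for a valid session, 401 if not logged in,
    # 403 if logged in but not in the groups the subrequest asks for
    location = /oauth2/auth {
        internal;
        proxy_pass              http://127.0.0.1:4180;
        proxy_set_header        Host           $host;
        proxy_set_header        X-Real-IP      $remote_addr;
        proxy_set_header        Content-Length "";
        proxy_pass_request_body off;
    }

    # public route: no auth_request, so Keycloak is never consulted
    location /public/ {
        proxy_pass http://127.0.0.1:8080;
    }

    # any authenticated user; a 401 from the subrequest becomes a login redirect
    location /app/ {
        auth_request     /oauth2/auth;
        error_page 401 = /oauth2/sign_in?rd=$scheme://$host$request_uri;
        auth_request_set $auth_user $upstream_http_x_auth_request_user;
        proxy_set_header X-User     $auth_user;
        proxy_pass http://127.0.0.1:8080;
    }

    # role-restricted route: the role check happens inside oauth2-proxy, not in
    # an nginx "if", because "if" runs before auth_request has set any variables
    location /admin/ {
        auth_request     /oauth2/auth?allowed_groups=role:admin;
        error_page 401 = /oauth2/sign_in?rd=$scheme://$host$request_uri;
        proxy_pass http://127.0.0.1:8081;
    }
}
```

A logged-in user without the admin role gets the 403 from the subrequest passed straight through, while an anonymous user is sent to the Keycloak login via oauth2-proxy.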

[deleted]

Yep - that's perfectly possible, you don't need oauth2 proxy at all. You have two options:

  1. Nginx+LuaJIT+lua-resty-oidc and Keycloak.

This means a little coding in Lua, but not a big deal.

  2. Paid Nginx+ has a native auth_jwt module. It's fast, and together with other Nginx+ features like the integrated keyval it is the ultimate combo for designing an OIDC RP proxy, for example. On the other hand, the Nginx Plus subscription is expensive.

If you need more information, just ask me or PM.

Is there a solution for using Apache instead of Nginx+LuaJIT+lua-resty-oidc?
