12 April 2023
Keycloak is an open-source identity and access management server, and Kong Gateway is a popular open-source API gateway. OAuth 2.0 is an authorization framework, and OpenID Connect (OIDC), which adds authentication on top of it, is what Keycloak and Kong's OIDC plugin actually speak when the two are used together.
When using Keycloak and Kong Gateway together with OIDC, the following steps add load balancing across several backend instances behind one Kong upstream.
Configure Keycloak as the identity provider: create a realm, a confidential client and users, so that Keycloak issues the tokens and can validate them for the gateway.
Configure Kong Gateway: point Kong's OIDC plugin at that Keycloak realm, so that Kong validates the token on every request before it reaches your APIs.
Enable load balancing: create an Upstream in Kong with one Target per backend instance, and point a Service at the upstream name instead of a real host. Kong then distributes incoming requests across the targets.
Configure the backend instances: run as many copies of the backend as you registered targets, each listening on its registered port; scaling, health checks and other tuning happen here.
Test and monitor: once everything is up, send requests through Kong and confirm that they are authenticated and spread across the targets. Keep watching the Kong and backend logs, so that a failing target or a broken token check shows up early.
Overall, using Keycloak and Kong Gateway together with OAuth can provide a powerful and flexible authentication and authorization solution for your APIs. By enabling load balancing upstream, you can ensure that your system can handle large volumes of traffic and that it is highly available and performant.
Here are the steps for using Docker Compose to set up Keycloak and Kong Gateway with OIDC and load balancing upstream:
After bringing all services up, check the docker logs. In this setup the frontend runs on port 3000, and the backend service is scaled to three instances on ports 3311, 3312 and 3313.
Run your Keycloak service in the local environment.
That service is available on port 8180.
Open http://localhost:8180 in a browser.
Log in as admin.
Default admin login details (development defaults only; change them before Keycloak is reachable from anything but your own machine):
1) username = admin
2) password = admin
a) ADD REALM
1. Log in to Keycloak with administrative privileges.
2. Click the "Add realm" button in the realm drop-down on the left-hand side of the screen.
3. Enter the name "experimental". Realm names are case-sensitive and appear in every Keycloak URL, so spell it exactly as it will appear in the Kong OIDC plugin configuration (the curl further down uses lowercase experimental).
b) ADD CLIENT
4. Open Clients and click "Create".
5. Enter a Client ID such as "myapp", keep Client Protocol = openid-connect, and set Access Type to "confidential" (a confidential client gets a client secret, which the gateway needs for token introspection).
6. Under the access settings, set "Valid Redirect URIs" to the callback URL of your application. For the local frontend that is "http://localhost:3000/*". A wildcard this narrow is fine for localhost; outside development list the exact URIs, because an over-broad pattern (a bare "*") lets an attacker have the authorization code delivered to a page they control.
7. Under the "Credentials" tab, generate a new client secret and make a note of it.
8. Add another client with Client ID = grafana and Client Protocol = openid-connect.
9. In the next window, change Access Type to confidential.
10. Click Save at the bottom. On the Credentials tab, copy the secret.
11. Still on the grafana client, open the Mappers tab and click Create.
12. Name: roles, Mapper Type: User Realm Role, Token Claim Name: roles. This copies the user's realm roles into the token as a "roles" claim, which a consumer such as Grafana or the gateway can then check.
c) ADD USER
1. Open Users, click Add user, enter the username, email, first name and last name, and set Email verified to ON.
2. Click the Save button.
3. On the Role Mapping tab, assign the basic role(s) the user needs; these are the roles the mapper above puts into the token.
4. Go to the Credentials tab and set the password.
5. Click Reset password (set Temporary to OFF unless the user should be forced to change the password at first login).
Kong with plugins for CORS, OIDC and upstream load balancing. Here are the steps you can follow:
Run your Kong service in the local environment.
The admin UI used in this setup is available on port 1337.
Open http://localhost:1337 in a browser.
Log in as admin: the first time, you create the admin username and password yourself.
Note that the Kong Admin API itself listens on port 8001 (the curl commands below talk to it). It has no authentication of its own, so keep it bound to localhost or the Docker network and never expose it publicly.
a) ADD UPSTREAM
1. Create an Upstream named "demo" with Hash on = cookie and Hash fallback = none.
b) Set the user-defined value for the hash cookie to "user_type" (hash_on_cookie; the cookie path, hash_on_cookie_path, defaults to /). When a request carries no user_type cookie, Kong generates a random value, hashes on it and sets the cookie in the response, so each client sticks to one target from then on. Caveat: if your application sets user_type itself to a handful of values (admin, user, ...), every request sharing a value lands on the same target and the other targets sit idle; hash on a per-session value or on something with high cardinality instead.
c) Now open the "Targets" page of the upstream and add one target per backend instance, as host:port, for ports 3311, 3312 and 3313 on the host where the backends run. From inside the Kong container, localhost is Kong itself, so use the Docker service name or the host's LAN IP (the curl below uses 192.168.29.92 for Keycloak for the same reason).
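To see what the cookie hash does to traffic, here is an added illustration that is not Kong's code and not part of the original post: a small consistent-hash model of the demo upstream with hash on cookie, cookie name user_type and hash fallback none. The target names (backend:3311 and so on), the 128 virtual nodes per target and the sample cookie values are assumptions made for the illustration; Kong's real balancer lives in lua-resty-balancer and uses a different hash function and ring layout, but it shows the same observable behaviour: a given cookie value always reaches the same target, a request without the cookie gets a generated value set on the response, removing a target only moves the clients that were on it, and a low-cardinality cookie leaves targets idle.

```python
"""Toy consistent-hash model of a Kong upstream with hash_on=cookie.

Constructed illustration, not Kong's balancer code (that is lua-resty-balancer).
Target addresses, virtual node count and cookie values are assumptions.
"""
import bisect
import hashlib
import secrets

COOKIE_NAME = "user_type"                                   # hash_on_cookie from the tutorial
TARGETS = ["backend:3311", "backend:3312", "backend:3313"]  # assumed target host:port values
VIRTUAL_NODES = 128                                         # ring points per target (assumption)


def _h(s: str) -> int:
    """64-bit hash used both for ring points and for request keys."""
    return int.from_bytes(hashlib.sha256(s.encode()).digest()[:8], "big")


def build_ring(targets):
    """Consistent-hash ring: every target owns VIRTUAL_NODES points on the ring.
    Returns (sorted points, owner of each point)."""
    ring = sorted((_h(f"{t}#{i}"), t) for t in targets for i in range(VIRTUAL_NODES))
    return [p for p, _ in ring], [t for _, t in ring]


def pick_target(ring, key: str) -> str:
    """The owner of the first ring point at or after hash(key), wrapping around."""
    points, owners = ring
    i = bisect.bisect_left(points, _h(key))
    return owners[i % len(owners)]


def route(ring, cookies: dict):
    """Returns (target, cookie_value_to_set).

    With hash_fallback=none, a request that has no hash cookie gets a freshly
    generated value, which Kong sets on the response; the client is sticky from
    its second request on. Requests that already carry the cookie set nothing."""
    value = cookies.get(COOKIE_NAME)
    cookie_to_set = None
    if value is None:
        value = secrets.token_hex(16)
        cookie_to_set = value
    return pick_target(ring, value), cookie_to_set


def distribution(ring, cookie_values):
    """How many of the given cookie values land on each target."""
    counts = {}
    for v in cookie_values:
        t = pick_target(ring, v)
        counts[t] = counts.get(t, 0) + 1
    return counts


if __name__ == "__main__":
    ring = build_ring(TARGETS)
    # Kong-generated per-client values: traffic spreads over all three targets.
    print("generated per-client cookies:",
          distribution(ring, [f"session-{i}" for i in range(3000)]))
    # Application-set low-cardinality values: at most two targets ever see traffic.
    print("user_type in {admin, user}:",
          distribution(ring, ["admin", "user"] * 1500))
```

Run it as a script to compare the two distributions; the second print is the pitfall from the caveat above, three targets registered but at most two carrying traffic. The consistent-hashing property matters operationally too: when a target is removed (or fails a health check), only the clients that were pinned to it are re-hashed, so a deploy of one backend instance does not log everyone out of sticky state on the others.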
d) ADD SERVICE
1. Click on Services, then add a new Service.
2. Name it "upstream".
3. Set host to "demo" (the upstream name, so Kong balances across its targets instead of resolving a hostname).
4. Attach a Route to the service (for example a path prefix); without a route, no request ever reaches the service.
e) ADD PLUGINS
Two plugins are added in this process: OIDC (the community oidc plugin, name=oidc) and CORS.
1. For OIDC, run the curl below.
2. Replace client_secret with <your client secret>. The original command carried a real secret; it is shown as a placeholder here, and a client secret should never be pasted into a shared page or committed to a repository.
3. Replace client_id with <your client id>. The curl uses "kong"; this must be the ID of a confidential Keycloak client in the experimental realm (create a "kong" client the same way as myapp, or reuse one of the clients above), and the secret must be that client's secret.
4. The introspection_endpoint and discovery URLs must use the same base path. Keycloak 17 and later serves a realm at /realms/<realm>/... with no /auth prefix (unless KC_HTTP_RELATIVE_PATH=/auth is set); the older WildFly-based distribution uses /auth/realms/<realm>/.... The original command mixed the two; the curl below uses the newer form for both, so add /auth to both if your Keycloak still needs it. 192.168.29.92 is the Docker host's LAN IP, which Kong can reach from inside its container where localhost cannot be used; replace it with your own.
5. POST /plugins registers the plugin globally, for every service on this Kong. To protect only this service, POST to /services/upstream/plugins instead.
6. bearer_only=yes means the plugin never redirects a browser to the Keycloak login page: it expects an Authorization: Bearer token on each request, validates it through the introspection endpoint using the client_id and client_secret above, and otherwise answers 401 with WWW-Authenticate: Bearer realm="experimental" (that is what config.realm is used for). The frontend therefore obtains the token from Keycloak itself and sends it with every API call.
curl --location 'http://localhost:8001/plugins' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'name=oidc' \
  --data-urlencode 'config.client_id=kong' \
  --data-urlencode 'config.client_secret=<your client secret>' \
  --data-urlencode 'config.bearer_only=yes' \
  --data-urlencode 'config.realm=experimental' \
  --data-urlencode 'config.introspection_endpoint=http://192.168.29.92:8180/realms/experimental/protocol/openid-connect/token/introspect' \
  --data-urlencode 'config.discovery=http://192.168.29.92:8180/realms/experimental/.well-known/openid-configuration'
7. For CORS, add the cors plugin the same way (name=cors), restricting config.origins to the frontend's origin (http://localhost:3000) rather than *.
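The following added example, which is neither the OIDC plugin's code nor part of the original post, models the request flow behind config.bearer_only=yes with both sides simulated in-process, so it runs offline. The client ID kong and the realm experimental come from the curl above; the client secret is a placeholder, and the tokens, user names and roles are constructed sample data. The X-Userinfo header name is taken from the nokia/kong-oidc plugin and treated as an assumption here, and the gateway-side role check is an addition showing how the roles claim produced by the mapper can be consumed, not something the plugin does by itself.

```python
"""Model of Kong's OIDC plugin with bearer_only=yes talking to Keycloak's
introspection endpoint (RFC 7662). Both sides are simulated in one process.

Constructed example: CLIENT_SECRET is a placeholder and _TOKENS is made-up data.
"""
import base64
import hmac
import json
import time

CLIENT_ID = "kong"             # config.client_id from the curl
CLIENT_SECRET = "replace-me"   # config.client_secret (placeholder, not a real secret)
REALM = "experimental"         # config.realm, echoed in WWW-Authenticate on 401

# ---- Keycloak side (simulated introspection endpoint) ----
# Constructed token store: opaque token -> claims that introspection would return.
# "roles" is the claim the User Realm Role mapper from the Keycloak steps adds.
_TOKENS = {
    "tok-alice":   {"username": "alice", "exp": int(time.time()) + 300, "roles": ["basic"]},
    "tok-expired": {"username": "bob",   "exp": int(time.time()) - 1,   "roles": ["basic"]},
}


def basic_auth(client_id: str, secret: str) -> str:
    """HTTP Basic credential a confidential client sends to the introspection endpoint."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def introspect(headers: dict, form: dict):
    """POST .../protocol/openid-connect/token/introspect.

    The caller must authenticate as a confidential client. Unknown or expired
    tokens yield {"active": false} with HTTP 200, as RFC 7662 specifies; only a
    bad client credential is an error status."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    if cid != CLIENT_ID or not hmac.compare_digest(secret, CLIENT_SECRET):
        return 401, {"error": "invalid_client"}
    tok = _TOKENS.get(form.get("token", ""))
    if tok is None or tok["exp"] <= time.time():
        return 200, {"active": False}
    return 200, {"active": True, "client_id": "myapp", **tok}


# ---- Kong side (simulated plugin behaviour with bearer_only=yes) ----
def gate(request_headers: dict, required_role=None):
    """Returns (status, headers). 200 means the request may be forwarded upstream."""
    auth = request_headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        # No redirect to Keycloak with bearer_only=yes: the client must bring a token.
        return 401, {"WWW-Authenticate": f'Bearer realm="{REALM}"'}
    status, body = introspect({"Authorization": basic_auth(CLIENT_ID, CLIENT_SECRET)},
                              {"token": auth[len("Bearer "):]})
    if status != 200 or not body.get("active"):
        return 401, {"WWW-Authenticate": f'Bearer realm="{REALM}", error="invalid_token"'}
    # Added gateway-side check (assumption, not plugin behaviour): enforce the
    # "roles" claim the Keycloak mapper put into the token before forwarding.
    if required_role is not None and required_role not in body.get("roles", []):
        return 403, {}
    # The plugin forwards the introspection result to the upstream as base64 JSON;
    # the header name X-Userinfo follows nokia/kong-oidc and is assumed here.
    return 200, {"X-Userinfo": base64.b64encode(json.dumps(body).encode()).decode()}


def decode_userinfo(upstream_headers: dict) -> dict:
    """What the backend does with the forwarded identity: decode X-Userinfo."""
    return json.loads(base64.b64decode(upstream_headers["X-Userinfo"]))


if __name__ == "__main__":
    print(gate({}))                                        # 401, realm in WWW-Authenticate
    print(gate({"Authorization": "Bearer tok-expired"}))   # 401, invalid_token
    ok = gate({"Authorization": "Bearer tok-alice"})       # 200 with X-Userinfo
    print(ok[0], decode_userinfo(ok[1])["username"])
```

Two things the model makes visible that the curl alone does not: the gateway authenticates itself to Keycloak with the client secret on every introspection call, which is why the secret must be correct and why it must stay out of the page; and an expired or unknown token is not an error from Keycloak's point of view (HTTP 200, active false), so the gateway has to look at the active field rather than the status code.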
1. Clone the frontend code from git - frontend.
2. Open the root directory and run "docker build -t frontend ."
3. Then run the image with "docker run -p 3000:3000 frontend". This brings the frontend up on local port 3000.
4. Note: start the Keycloak service first, otherwise the frontend shows "This site cannot be reached" as soon as it redirects to the Keycloak login page.
d) Config Details
Go to - cg_account_summary_frontend\.env
5. Clone the backend code from git - backend.
6. Open the root directory and run "docker build -t backend ."
7. Then run the image with "docker run -p 8088:8088 backend". This brings the backend up on local port 8088 (the Compose setup is what runs it as three instances on 3311, 3312 and 3313).
Download the docker-compose file from this link: https://drive.google.com/file/d/10DaoU3nx-_z5Bz5g22J6MZz074E5C2ZB
d) Config Details