Keycloak with api gateway Invalid bearer token

Question

I am trying to use Keycloak behind an API gateway (Apache APISIX).

I use minikube to run Keycloak and my API gateway.

The gateway is working right and Keycloak too :

With Keycloak, I can use the different end-point (use the discovery end-point (http://127.0.0.1:7070/auth/realms/myrealm/.well-known/uma2-configuration), ask an access token and verify it).

With APISIX, and a simple route, I can join a backend microservice on my minikube. (typically : http://127.0.0.1:80/greeting is served by the gateway which routes the request to the right backend microservice)

The problem occurs when I try to use the two tools together. I have used the Keycloak integration, in order to force the user to use a valid token when he is using a route served by the gateway.

In this case, when I use a valid bearer token (I get it and verify it with the end-point of keycloak), and I try to request the backend via the api gateway with the verified bearer token, I obtain systematically an "Invalid bearer token" exception.

{"error":"invalid_grant","error_description":"Invalid bearer token"}

I think the settings of the integration is well set because I am sure that te gateway call Keycloak to verify the token.

Here are the keycloak I have used to get and verify the token :

Get token : http://127.0.0.1:7070/auth/realms/myrealm/protocol/openid-connect/token

Verify : http://127.0.0.1:7070/auth/realms/myrealm/protocol/openid-connect/token/introspect

I have seen some posts about problem when Keycloak is behind a reverse proxy, but I don't find a clear solution to my case.

Thanks for any help you can bring to me. Regards CG

Answer 1

I think there are those ways you can do it.

First, I think you can check the log of Apache APISIX.

Second, you can check the log of Keycloak.

Third, you can use tcpdump or wireshark to capture the request that Apache APISIX sends to keycloak.And diff the request that sends by APISIX and curl.

Looking forward to your reply.