February 18, 2025

Implementing OAuth2 Authorization with Keycloak and Gatekeeper


By Rakshit Menpara
Improwised Technologies Pvt. Ltd.


Keycloak Overview

Keycloak is an open-source IAM platform provided by Red Hat’s JBoss. It supports various authentication and authorization protocols, including OpenID Connect (OIDC) and SAML 2.0.

Setting Up Keycloak

  • Install Keycloak: Download and install Keycloak or use a Docker image.

  • Create a Realm: Set up a realm in the Keycloak administration console.

  • Create a Client: Define a client application, set Client ID, and configure redirect URLs.

Configuring Keycloak Gatekeeper

Keycloak Gatekeeper is an authentication proxy that sits in front of your application and delegates login to Keycloak. A minimal configuration looks like this:

  discovery-url: https://your-keycloak-instance.com/auth/realms/your-realm/.well-known/openid-configuration
  client-id: gatekeeper-client
  client-secret: your-client-secret
  encryption-key: your-encryption-key
  redirect-url: https://your-application-url.com
  resources:
    - uri: /protected-path
      methods:
        - GET
        - POST

Integrating with Kubernetes

To integrate Gatekeeper with Kubernetes, use ingress annotations:


  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    name: protected-ingress
    annotations:
      nginx.ingress.kubernetes.io/auth-type: "oauth2"
  spec:
    rules:
    - host: your-application-url.com
      http:
        paths:
        - path: /protected-path
          pathType: Prefix
          backend:
            service:
              name: your-service-name
              port:
                number: 80

Accessing and Decoding JSON Web Tokens (JWTs)

To read the claims carried by a token in your application (this example only inspects the claims; it does not verify the signature, so it must not be used to make authorization decisions):

  import jwt  # PyJWT

  def decode_jwt(token):
      try:
          # verify_signature=False skips the signature check, and with it
          # PyJWT also skips claim checks unless they are re-enabled, so
          # verify_exp is switched back on explicitly.
          payload = jwt.decode(
              token,
              options={"verify_signature": False, "verify_exp": True},
          )
          return payload
      except jwt.ExpiredSignatureError:
          return "Token has expired"
      except jwt.InvalidTokenError:
          return "Invalid token"
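The snippet above stops at reading claims. Before an application trusts a token it should check the signature, pin the algorithm, and confirm that the issuer is the expected realm, that the client is in the audience, and that the token has not expired. The following is an added example, not code from the original post or from the Keycloak project, written with the Python standard library only. It uses a constructed HS256 shared secret so that it runs offline; Keycloak signs tokens with RS256 by default, so in production the key comes from the realm's JWKS (the jwks_uri in the discovery document referenced in the Gatekeeper configuration) and a library such as PyJWT does the verification. The issuer and audience values are assumptions that mirror the placeholders used earlier on the page.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (not from the original post). In production the
# signing key is the realm's public key and the issuer is the realm URL.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
EXPECTED_ISSUER = "https://your-keycloak-instance.com/auth/realms/your-realm"
EXPECTED_AUDIENCE = "gatekeeper-client"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build an HS256 JWT for the demo (stand-in for a Keycloak-issued RS256 token)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes = SHARED_SECRET,
                 now: Optional[float] = None) -> dict:
    """Return the claims only if signature, alg, exp, iss and aud all check out."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected three segments")

    # Pin the algorithm instead of trusting whatever the header announces.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))

    expected_sig = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    # Only now is the payload trustworthy enough to parse and check.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # Keycloak may emit a list
    if EXPECTED_AUDIENCE not in aud:
        raise ValueError("token not intended for this client")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token has expired")
    return claims


if __name__ == "__main__":
    issued = make_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                         "sub": "user-1", "exp": int(time.time()) + 300})
    print(verify_token(issued)["sub"])
```

The order of the checks matters: the signature is compared in constant time before any claim is read, and the algorithm is pinned so that a header claiming "none" or a different algorithm is rejected outright rather than being used to select the verification path.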

Conclusion

Using Keycloak and Gatekeeper for OAuth2 authorization enhances security and centralizes authentication management, making it ideal for Kubernetes deployments.


Written by

Rakshit Menpara

Rakshit Menpara is the CTO and Co-Founder at Improwised Technologies. With deep expertise in cloud-native systems, DevOps, and Kubernetes, he leads the technology vision and architecture across all engineering initiatives. Rakshit drives innovation at the intersection of infrastructure, automation, and scalability.
