Step 13 - OAuth2 Introspection

JWT is the token format used with OAuth 2.0 and OIDC. Keycloak is the OAuth Authorization Server, and it is already configured to issue JWT tokens for developers.

What is OAuth2 Introspection?

In the previous lab, we configured a policy to authenticate API requests with JWT tokens. That policy checked that a JWT was present in the Authorization header, and the API Gateway verified that the JWT was signed by Keycloak (we pasted the JWKS keys into the JWT policy). In that setup, however, the API GW never asks Keycloak whether the token is still valid: only the signature and the timestamp are checked locally, so a token revoked in Keycloak before its expiry would still be accepted.

OAuth2 Introspection (RFC 7662) adds the capability for the API GW to ask the OAuth AS (Keycloak) whether the JWT is valid (https://docs.nginx.com/nginx-management-suite/acm/how-to/policies/introspection/).

../../../_images/oauth2-introspection.png

Add OAuth2 Introspection on API-Proxy

  1. Edit API-Proxy v2 as before (we are going to replace JWT Auth with OAuth2 Introspection)
  2. In Policies, remove the JSON Web Token Assertion policy
  3. Add a new OAuth2 Introspection policy
  4. In the Introspection Request section, configure as follows
    1. Introspection endpoint: http://10.1.1.4:8080/realms/devportal/protocol/openid-connect/token/introspect
  5. In Credentials section, configure as follows
    1. Client ID: apigw
    2. Client secret: iOVsaPIfoQ2gk8CSO9H40qPUOXFNvn48
  6. Click Add
  7. Click Save and Publish
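What the gateway does with the policy configured above, as an added Python example (not part of the lab or of NGINX ACM's own code): it takes the bearer token from the Authorization header, posts it to the Keycloak introspection endpoint with the apigw client credentials, and forwards the API call only when Keycloak answers active: true. The `extract_bearer`, `build_introspection_request`, `authorize` and `introspect` function names are this example's own.

```python
import json
import time
import urllib.parse
import urllib.request
from base64 import b64encode
from typing import Optional

# Values from the lab configuration above (lab-only client secret)
INTROSPECTION_URL = "http://10.1.1.4:8080/realms/devportal/protocol/openid-connect/token/introspect"
CLIENT_ID = "apigw"
CLIENT_SECRET = "iOVsaPIfoQ2gk8CSO9H40qPUOXFNvn48"

def extract_bearer(authorization_header: Optional[str]) -> Optional[str]:
    """Pull the token out of 'Authorization: Bearer <token>'; None if absent or malformed."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.strip().partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None

def build_introspection_request(token: str) -> urllib.request.Request:
    """Build the RFC 7662 call the gateway makes for a request: the client
    credentials go in HTTP Basic auth, the token goes in the form body."""
    creds = b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"}).encode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return urllib.request.Request(INTROSPECTION_URL, data=body, headers=headers, method="POST")

def authorize(introspection_response: dict, now: Optional[float] = None) -> bool:
    """Decide whether to forward the API call from Keycloak's answer. Only an
    explicit boolean active=true is accepted; a token revoked in Keycloak comes
    back active=false even though its signature and timestamp still verify locally."""
    now = time.time() if now is None else now
    if introspection_response.get("active") is not True:
        return False
    exp = introspection_response.get("exp")
    return exp is None or exp > now

def introspect(token: str, opener=urllib.request.urlopen) -> dict:
    """Send the introspection request to Keycloak and parse the JSON reply."""
    with opener(build_introspection_request(token), timeout=5) as resp:
        return json.load(resp)
```

`introspect` performs the live call against the lab's Keycloak; `authorize` is what the gateway applies to the reply.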

Test OAuth2 Introspection with Postman

  1. In Postman, select the GET Colors call and check that it targets the v2 URL: http://api.sentence.com/v2/api/colors

  2. In Authorization, select type OAuth 2.0

    Note

    As you can see, the Postman OAuth 2.0 client is already configured to request a JWT from Keycloak.

  3. Scroll down and click on Get New Access Token

    ../../../_images/get-access1.png
  4. Authenticate as dev1 and password dev1

    ../../../_images/login1.png
  5. Click Proceed, then Use Token

    ../../../_images/use-token1.png
  6. Send the request. It should pass.

    ../../../_images/send1.png

Note

Congratulations, you configured your API Gateway to use OAuth2 Introspection with Keycloak as the Authorization Server.

Note

Remember to clean up your Postman OAuth 2.0 token store by deleting all JWT tokens.