nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

Flow for Introspection #220

Open RobWagMLP opened 2 months ago

RobWagMLP commented 2 months ago

Hi, I know this is not really maintained anymore, but out of desperation I'd have a question that maybe someone could answer me quite quickly.

I have a setup with Kong and Keycloak and I use that plugin since it seems to be the only available one that is free and works atm. I configured multiple services with it, and here is what I want to achieve: I have a frontend path web/app that is protected by OIDC, so when accessing this path unauthenticated, the login UI is fired and the user can log in, great, that's what I want. Then I have a backend running under /api/private... that one should of course also be secured. So when sending requests there with the session cookie activated all works well, in the backend auth headers are received and all that.

But when the session expires, and the FE is sending a request to the backend because it doesn't know yet, it gets redirected to the Keycloak login UI. That's actually not the behaviour I want for a REST API request. I would like it to respond with a 401, and only do the redirect to the login UI when I actually visit web/app in the browser.

So I tried to configure that backend service with bearer_only, to avoid that redirect, and only introspect the tokens and then pass or deny my request. But it seems this is expecting an Authorization header with the access token, which makes it quite useless for me, since I have all this to avoid the frontend from managing the token flow. Is this really the intended behaviour, or is there a setup I could configure that does what I want, so only when an unauthenticated request goes to web/app I want to see the login UI, and in any other case I want a 401? Authenticated requests with a proper session cookie should be passed in both cases.

Would be great if I could get some hint, since I would expect that to be a pretty standard use case, and I can't imagine there is no option for that :) Thanks

Here's the config:

  - name: api-private
    paths:
      - /api/private
    service: api-private-service
    plugins:
      - name: oidc
        config:
          client_id: ${client_id}
          client_secret: ${client_secret}
          discovery: ${baseurl}/realms/${realm}/.well-known/openid-configuration
          introspection_endpoint: ${baseurl}/realms/${realm}/protocol/openid-connect/token/introspect
          logout_path: ${baseurl}/realms/${realm}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri
          bearer_only: "yes"

  - name: web-private
    paths:
      - /web/app
    service: web-service-private
    plugins:
      - name: oidc
        config:
          client_id: ${client_id}
          client_secret: ${client_secret}
          discovery: ${baseurl}/realms/${realm}/.well-known/openid-configuration
          logout_path: ${baseurl}/realms/${realm}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri
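The behaviour asked for in the issue is easier to reason about as a small decision model. The Python below is an added illustration, not kong-oidc's or lua-resty-openidc's code: it models a gateway that accepts the same session cookie on both routes, redirects unauthenticated browser requests to a login page, answers 401 for unauthenticated API requests, and treats an expired session exactly like no session. It also shows why a bearer_only route ignores the cookie: in that mode only the Authorization header is consulted. The session store, the introspection lookup, the login URL, the cookie and token values, and the `X-Authenticated-Subject` upstream header are all constructed placeholders for this example.

```python
"""Added illustration of the routing policy described in the issue.
Not kong-oidc code: a model of the decision a gateway makes for a browser
route (redirect when unauthenticated) and a REST route (401 when
unauthenticated), both accepting the same session cookie. Every URL,
cookie value, token and header name below is a constructed placeholder."""
import time
from dataclasses import dataclass, field
from urllib.parse import urlencode

# Constructed placeholder for the login entry point (not a real realm URL).
LOGIN_URL = "https://idp.example.test/login"


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


# Constructed in-memory stores standing in for the gateway's session store
# and for the identity provider's token introspection endpoint.
SESSIONS = {}                                  # cookie value -> (subject, expiry epoch seconds)
ACTIVE_TOKENS = {"tok-constructed-1": "alice"}  # token -> subject, as introspection would report


def create_session(cookie_value, subject, ttl_seconds, now=None):
    now = time.time() if now is None else now
    SESSIONS[cookie_value] = (subject, now + ttl_seconds)


def session_subject(request, now=None):
    """Subject of a valid, unexpired session cookie, else None."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(request.cookies.get("session"))
    if entry is None:
        return None
    subject, expires_at = entry
    if now >= expires_at:          # expired session counts as unauthenticated
        return None
    return subject


def bearer_subject(request):
    """Subject of an active bearer token from the Authorization header, else None.
    Stands in for an introspection call; cookies are deliberately not looked at,
    which is what bearer_only mode implies."""
    scheme, _, token = request.headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return ACTIVE_TOKENS.get(token)


def authenticate(request, bearer_only=False, unauth_action="redirect", now=None):
    """Return the response the gateway should produce before (or instead of) proxying."""
    subject = bearer_subject(request) if bearer_only else session_subject(request, now)
    if subject is not None:
        # Authenticated: pass through, exposing the subject to the upstream
        # (header name is an assumption made for this example).
        return Response(200, {"X-Authenticated-Subject": subject})
    if unauth_action == "redirect":
        # Browser route: send the user to the login UI, remembering where to return.
        return Response(302, {"Location": LOGIN_URL + "?" + urlencode({"return_to": request.path})})
    # API route: no redirect, just a 401 with an RFC 6750 challenge.
    return Response(401, {"WWW-Authenticate": 'Bearer realm="api"'})


# Route table mirroring the two services in the issue: same cookie-based
# authentication on both, different action for unauthenticated requests.
ROUTES = {
    "/web/app":     {"bearer_only": False, "unauth_action": "redirect"},
    "/api/private": {"bearer_only": False, "unauth_action": "deny"},
}


def handle(request, now=None):
    for prefix, cfg in ROUTES.items():
        if request.path == prefix or request.path.startswith(prefix + "/"):
            return authenticate(request, cfg["bearer_only"], cfg["unauth_action"], now)
    return Response(404)


if __name__ == "__main__":
    t0 = 1_700_000_000
    create_session("sess-constructed", "alice", ttl_seconds=600, now=t0)
    ok = handle(Request("/api/private/items", cookies={"session": "sess-constructed"}), now=t0)
    expired = handle(Request("/api/private/items", cookies={"session": "sess-constructed"}), now=t0 + 601)
    browser = handle(Request("/web/app"), now=t0)
    print(ok.status, expired.status, browser.status)   # 200 401 302
```

The point the model makes concrete is that "redirect or 401" is a property of the route's unauthenticated action, independent of which credential (cookie or bearer token) the route validates; `bearer_only=True` changes the credential, so a request carrying only a session cookie is unauthenticated there even while the session is still valid.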