Consumer identification from OpenId/Keycloak access token

[singhjoga]

Hi Guys,
I have an existing API which uses Keycloak to authenticate requests using Bearer tokens (generated using Client Credentials flow). I want to use APISIX to implement Rate Limits for certain consumers. Is there a way to identify the consumer (client id used for token generation) from the access token generated by Keycloak?

Thanks in advance.
Best Regards,

Joga Singh

[spacewander]

The consumer needs to be configured in APISIX. Since the access token is generated by Keycloak, how can we match it with the consumer?

[singhjoga]

@spacewander thanks for your reply. I thought maybe there is some way using Keycloak plugin or something. From your answer now I know that it is not possible.

[juzhiyuan]

After searching through docs and codes, Apache APISIX cannot verify consumers by accesstoken from outside Keycloack for now IMO, why not have a try to ask in the mailing list? Here is the subscription guide: https://apisix.apache.org/docs/general/subscribe-guide

Maybe there have some community users who have the same requirements and find your answer 😄

[juzhiyuan]

I want to use APISIX to implement Rate Limits for certain consumers.

Hi @singhjoga, after reading the concepts here[1], here is my understanding:

1. Create Consumers with different usernames;
2. Create a Route with Traffic Limit plugin and also Consumer Restriction plugin[2]

I'm not sure if this meets your needs? and also cc @bzp2010 to have a confirmation 😄

[1] https://apisix.apache.org/docs/apisix/architecture-design/consumer
[2] https://apisix.apache.org/docs/apisix/plugins/consumer-restriction/

[singhjoga]

@juzhiyuan thanks for your answer. I knew this already. I was thinking to find something using the access tokens itself.

[starsz]

Hi @singhjoga

I want to use APISIX to implement Rate Limits for certain consumers

It's a little difficult now, but implement Rate Limits for each consumers is not difficult.
You can try to write some variables (like name, sub id) into ctx.var at here:

apisix/apisix/plugins/openid-connect.lua

Lines 301 to 320 in 8f0b066

	if response then
	-- If the openidc module has returned a response, it may contain,
	-- respectively, the access token, the ID token, and the userinfo.
	-- Add respective headers to the request, if so configured.
	-- Add configured access token header, maybe.
	add_access_token_header(ctx, conf, response.access_token)
	-- Add X-ID-Token header, maybe.
	if response.id_token and conf.set_id_token_header then
	local token = core.json.encode(response.id_token)
	core.request.set_header(ctx, "X-ID-Token", ngx.encode_base64(token))
	end
	-- Add X-Userinfo header, maybe.
	if response.user and conf.set_userinfo_header then
	core.request.set_header(ctx, "X-Userinfo",
	ngx_encode_base64(core.json.encode(response.user)))
	end
	end

And then we can add a limit-* plugin with the config of those variables.

As for implement Rate Limits for certain consumers

I create issue here: #5634
If we can support get the key from function in limit-* plugins, then we can add function to get the key of consumer and limit for certain consumers.