When using an Azure APIM with Keycloak OAuth provider and multiple realms how do we create a single config for OAuth on APIs rather than 1/realm

Question

We are using Azure API Management to host our API's and we use Keycloak as an Auth provider. We provide this service to customers and each customer has its own Keycloak Realm.

For each realm, we are having to add a configuration to Azure APIM in the OAuth blade.

Then we are having to clone our APIs just to link the auth provider to it.

Is there a way anyone knows of that we can have a single Auth provider config that we link to a single API and it routes to the correct realm or some other way of handling this auth a bit smoother?

Answer 1

Is there a way anyone knows of that we can have a single Auth provider config that we link to a single API and it routes to the correct realm or some other way of handling this auth a bit smoother?

AFAIK, there is no such build-in feature in APIM but you can make use of policies to map the Keycloak Realm to each customers.

You can use the below policy as per the customerId.

<inbound>
    <base />
    <choose>
        <when condition="@(context.Request.Headers.GetValueOrDefault("CustomerID") == "{First_CustomerID}")">
            <validate-jwt  header-name="Authorization"  failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
                <openid-config  url="{Keyclock url}"/>
            </validate-jwt>
        </when>
        <when condition="@(context.Request.Headers.GetValueOrDefault("CustomerID") == "{Second_CustomerID}")">
            <validate-jwt  header-name="Authorization"  failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
                <openid-config  url="{Keyclock url}"/>
            </validate-jwt>
        </when>
    </choose>
</inbound>

You can refer to Validate-JWT policy to know more about it.

You can also refer to my answer in this SO-Thread.