Is keycloak behind api gateway a good practice?

Front-end | Unresolved | 4 answers | 976
春和景丽 2020-12-17 22:22

What are good arguments in favor of using or not using Keycloak behind an API gateway (Kong)?

4 answers
  •  误落风尘
    2020-12-17 23:00

    It is not good practice; in fact, I would suggest putting it outside, in the DMZ. In this way the IDP can be leveraged by all APIs that you want to publish and authenticate using the API gateway. This is an example of applying such an authentication flow with Keycloak: https://www.slideshare.net/YuichiNakamura10/implementing-security-requirements-for-banking-api-system-using-open-source-software-oss

    Your concern might then be: how do I protect such a critical resource as an IDP authenticating all my services? A reasonable concern, which you can address by:

    • ensuring autoscaling of the IDP based on authentication requests
    • configuring all the needed threat mitigation options on Keycloak (https://www.keycloak.org/docs/latest/server_admin/#password-guess-brute-force-attacks)
    • adding a WAF in front of the IDP with features such as DDoS prevention and Intelligent Threat Mitigation based on traffic patterns
    • IP or domain whitelisting, if you know where all your customers are connecting from
    • restricting port exposure for the IDP
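Worked example, added here and not part of the answer above: the gateway-side token check that makes the "IDP outside, APIs behind the gateway" layout work. The gateway needs only the realm's public keys (Keycloak publishes them as a JWKS at the realm's openid-connect certs endpoint); the IDP's login and admin endpoints stay off the API request path, which is what lets you restrict its port exposure and put a WAF in front of it. The code is Go using only the standard library; the issuer URL, audience, kid and key map are constructed stand-ins, and a locally generated key plays the IdP so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims the gateway checks (Keycloak's "aud" may also be an array; string here).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// dec returns nil on malformed base64url; every consumer below then fails closed.
func dec(s string) []byte {
	b, err := b64.DecodeString(s)
	if err != nil {
		return nil
	}
	return b
}

// mintRS256 stands in for the IdP: only the private-key holder can mint a token.
func mintRS256(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64.EncodeToString(sig)
}

// VerifyAtGateway is the per-request check the gateway performs using nothing but
// the realm's public keys (in production fetched and cached from the realm's JWKS
// endpoint, indexed by kid). The IdP's login and admin endpoints are never on this path.
func VerifyAtGateway(token string, keys map[string]*rsa.PublicKey, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(dec(parts[0]), &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header rejected: alg must be RS256") // never honour "none" or HS*
	}
	pub := keys[hdr.Kid]
	if pub == nil {
		return nil, errors.New("unknown kid")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], dec(parts[2])); err != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(dec(parts[1]), &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss || c.Aud != wantAud {
		return nil, errors.New("issuer or audience mismatch")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Demo generates a realm key, mints tokens as the IdP would and runs the gateway check
// on one valid and three bad tokens. Issuer URL, audience and kid are constructed values.
func Demo() (*Claims, map[string]error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	const iss, aud, kid = "https://idp.example.test/realms/demo", "orders-api", "demo-key-1"
	keys := map[string]*rsa.PublicKey{kid: &priv.PublicKey}
	now := time.Now()
	good := Claims{Iss: iss, Aud: aud, Sub: "user-123", Exp: now.Add(5 * time.Minute).Unix()}
	valid, errValid := VerifyAtGateway(mintRS256(priv, kid, good), keys, iss, aud, now)
	rejected := map[string]error{"valid": errValid}
	// Tampered: swap the payload for one claiming "admin" but keep the old signature.
	p := strings.Split(mintRS256(priv, kid, good), ".")
	forged, _ := json.Marshal(Claims{Iss: iss, Aud: aud, Sub: "admin", Exp: good.Exp})
	_, rejected["tampered"] = VerifyAtGateway(p[0]+"."+b64.EncodeToString(forged)+"."+p[2], keys, iss, aud, now)
	_, rejected["expired"] = VerifyAtGateway(mintRS256(priv, kid, Claims{Iss: iss, Aud: aud, Sub: "user-123", Exp: now.Add(-time.Minute).Unix()}), keys, iss, aud, now)
	_, rejected["wrongAud"] = VerifyAtGateway(mintRS256(priv, kid, good), keys, iss, "billing-api", now)
	return valid, rejected
}
```

Demo() returns the accepted claims for the good token and a map of the errors each bad token produced. The point for the architecture question is what the gateway does not need: no proxying of the IDP, no call to it per request, just its published public keys and a pinned algorithm. Whatever gateway plugin you use should perform the same set of checks; a key map refreshed from the JWKS endpoint also lets you rotate realm keys without touching the gateway config.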
