Authorisation code flow

Token acquisition

Token Verification Flow (API Gateway's Role)

Token Refresh Flow

Key Takeaways:

✅ API Gateway IS Involved In:

Validating access tokens on every API request
Verifying JWT signatures using Keycloak's public keys
Checking token expiration and claims
Extracting user information from token claims
Enforcing rate limits based on user identity
Routing requests to appropriate backend services
Adding user context headers for backend services

❌ API Gateway IS NOT Involved In:

Initial login (authorization code flow)
Token generation (Keycloak handles this)
Token refresh (direct client-to-Keycloak)
Token revocation (direct client-to-Keycloak)
User registration (direct to Keycloak or via dedicated service)
Password reset (Keycloak handles this)
Social login callbacks (Keycloak handles OAuth with providers)

Why This Separation?

Security: Keycloak is specialized for identity management - don't duplicate sensitive logic
Scalability: Gateway validates stateless JWTs without hitting Keycloak every time
Performance: Local JWT validation is much faster than network calls
Separation of Concerns: Gateway focuses on API traffic, Keycloak on identity
Reduced Coupling: Clients can get tokens even if gateway is down
Standards Compliance: Follows OAuth 2.0/OIDC specifications correctly

The API Gateway acts as a stateless validator rather than an authentication provider. It trusts tokens signed by Keycloak and focuses on fast, scalable validation of those tokens.

PreviousOAuth 2.0 NextService-to-Service Authentication Patterns

Last updated 19 days ago

hashtagToken acquisition

hashtagOption A: WITH Consent Screen (Third-Party Apps)

hashtagOption B: WITHOUT Consent Screen (First-Party/Trusted Apps)

hashtagConsent Revocation Flow

hashtagToken Verification Flow (API Gateway's Role)

hashtagToken Refresh Flow

hashtagKey Takeaways:

hashtag✅ API Gateway IS Involved In:

hashtag❌ API Gateway IS NOT Involved In:

hashtagWhy This Separation?