8

Let's say we have several micro-services. Each of them uses Keycloak authentication. We have also load balancer based on for ex. nginx which has external URLs and different routes to keycloak (for ex. in OpenShift it can be https://keycloak.rhel-cdk.10.1.2.2.xip.io). But internally this address can be inaccessible. Also having micro-service configuration dependent on the load balancer URL is a bit weird. What what be more appropriate is to use internal keycloak auth URL inside of the micro-services or even short URI. But in this case token will not be validated because of issuer validation problem. How to configure this in good and flexible manner? Can I simply override realmInfoUrl in order to change the validation? Can I define what issuer will be used for client based token.

Another problem is how to better handle multi-tenant scenario? First on the client side I guess we don't have any specific support for multi-tenancy. I should handle this manually by switching between different URLs/headers and use proper Config Resolver. On the server side I need to dynamically provide a proper KeycloakDeployment instance for each case. Any other recommendations?

Alexander Kalinovski
  • 1,409
  • 1
  • 13
  • 19

2 Answers2

6

Unfortunately Keycloak is too restrictive with its token validation according to the issuer ("iss") field in the token. It requires that the URL used to validate the token matches the URL in the "iss" field.

A while ago I have opened a JIRA ticket for that problem (vote for it!): https://issues.jboss.org/browse/KEYCLOAK-5045

Boomer
  • 3,360
  • 20
  • 28
  • @Boomar, is there any workaround for setting the custom issuer today? – aryan Mar 10 '20 at 12:21
  • @Boomar Hi 3 years has passed. So is there any updates? Thanks! – ch271828n Oct 28 '20 at 06:15
  • I'm looking for the solution too – Kostanos Aug 28 '21 at 17:53
  • 1
    Yes, there is a solution. You can set the __frontendUrl__ parameter to the Keycloak URL in your reverse proxy / load balancer. The will make Keycloak internally treating direct calls to the backend URL as if they were send against the frontend URL. See https://www.keycloak.org/docs/latest/server_installation/index.html#default-provider – Boomer Aug 30 '21 at 04:45
3

In case this helps anyone out during the early stages of development, you can set the Host header to the keycloak url that your backend service will use during the validation of the token. This way, the generated token will contain your Host header url in the issuer field. In my sandbox, I had keycloak running on docker at keycloack:8080 and a functional test calling keycloack via localhost:8095 to request a token (direct grant). Before setting the Host header to keycloack:8080, the issuer field was being set to localhost:8095 and the token was failing the validation with the "Invalid token issuer" error, since the backend service connects to keycloak on keycloak:8080 and TokenVerifier.java does the following check.

        public boolean test(JsonWebToken t) throws VerificationException {
            if (this.realmUrl == null) {
                throw new VerificationException("Realm URL not set");
            } else if (!this.realmUrl.equals(t.getIssuer())) {
                throw new VerificationException("Invalid token issuer. Expected '" + this.realmUrl + "', but was '" + t.getIssuer() + "'");
            } else {
                return true;
            }
        }

Reference: https://github.com/keycloak/keycloak-community/blob/master/design/hostname-default-provider.md

Ulises Ortiz
  • 41
  • 3