0

I am trying to secure my application using keycloak.
I use angular for my frontend and spring boot for my backend.

Using only http, everything works fine, the problem is, if I want to use HTTPS along side HTTP, I am having a problem with the backend throwing an error like:

o.k.a.BearerTokenRequestAuthenticator : Failed to verify token
org.keycloak.common.VerificationException: Invalid token issuer. Expected 'http://myDomain/auth/realms/realmName', but was 'https://myDomain/auth/realms/realmName'

in my properties file I do have the: keycloak.auth-server-url and it is pointing to the http://my-keycloak/auth

Is there a way to support http and https with keycloak ?

Mihai
  • 1,212
  • 16
  • 25
  • 1
    How do you configure HTTPS? In case you're using a reverse proxy (I do it with NGINX) I guess it's only a matter of configuring the proxy not to require HTTPS and configure keycloak with SSL required in `none`. In my case, the communication between NGINX and keycloak is not encrypted. – Aritz Mar 01 '18 at 10:34

2 Answers2

2

I don't think this is feasible if you are using keycloak libs. When I was using keycloak I came across the same flow. Some one argued that why even use http on your security modules. I mean when you passing along tokens you just need to have https. Agreed, but then often the service need to initiate a call themselves and make a call to keycloak from within(secure Zone) and they could do it without https (can make it just a bit faster.).

But then I was not able find my way through. We ended up using https only.

Why is it failing?

As your token gets signed with the protocol information if you decode the token you will find the iss field. Keycloak Token validator puts a check on this field. So you can have a server running on both HTTP and HTTPS but application can be configured for one of the two.

What can we do to possible fix this

You can however make changes in the token validator module to ignore the check on the protocol. This should help you validate the token. All you will need is JWT library and the public key.

Anunay
  • 1,823
  • 2
  • 18
  • 25
  • This is my use case also, I am calling the keycloak server trough my local secured network and using https here is an overhead. I do not want to touch the token validator. The hole point of using keycloak is for me to not implement my token signing process. After some reasearch, I think it will be possible to apply my use case(aka call keycloak from another URL, local in my case, to verify the token) starting from version 4 ( https://issues.jboss.org/browse/KEYCLOAK-6073 ) – Mihai Mar 06 '18 at 18:42
2

For now, token validations must be checked using the same URL as the URL that the token was issued for.

Support for different URLs, front and back channel requests in adapters, will be available starting from version 4.

Source

Mihai
  • 1,212
  • 16
  • 25