
I'm having some issues with configuring Keycloak to run on our server. Locally it works great, but in our test environment, after login, on any call using the received access token we get "Invalid token issuer. Expected "http://keycloak:8080/auth/realms/{realmName}" but was "http://{our-test-server-IP}/auth/realms/{realmName}"". So basically, our backend connects to the internal Keycloak Docker image, but when the request comes in it expects that the issuer is the configured external IP, so even though the issuers are basically the same service, Keycloak sees them as being different and responds with a 401.

docker-compose.yml:

keycloak:
    image: jboss/keycloak:12.0.4
    restart: on-failure
    environment:
        # honour X-Forwarded-* headers when Keycloak sits behind a reverse proxy
        PROXY_ADDRESS_FORWARDING: "true"
        KEYCLOAK_USER: admin
        KEYCLOAK_PASSWORD: password   # bootstrap admin credentials; change before exposing the instance
        KEYCLOAK_LOGLEVEL: DEBUG
        # KEYCLOAK_IMPORT takes only a file path; the -D JVM flag that was appended
        # to it is passed to the JVM through JAVA_OPTS_APPEND instead
        KEYCLOAK_IMPORT: /etc/settings/realm.json
        JAVA_OPTS_APPEND: -Dkeycloak.profile.feature.upload_scripts=enabled
        TZ: Europe/Bucharest
        DB_VENDOR: POSTGRES
        DB_ADDR: db
        DB_DATABASE: user
        DB_SCHEMA: keycloak
        DB_USER: user
        DB_PASSWORD: user
    ports:
        - 8090:8080   # host port 8090 -> container port 8080
    volumes:
        - ./settings:/etc/settings
    depends_on:
        - db

Spring application.yml:

keycloak:
  cors: true
  realm: Realm-Name
  resource: back-office
  # the adapter builds the issuer it expects as <auth-server-url>/realms/<realm>,
  # so this value is what the token's iss claim is compared against
  auth-server-url: http://keycloak:8080/auth/
  public-client: false
  credentials:
    secret: 8401b642-0ae9-4dc8-87a6-2f494b388a49   # confidential client secret; rotate once posted publicly

keycloak-client:
  id: bcc94ed5-0099-40e0-b460-572eba3f0214

If we change the backend property auth-server-url to connect to the exposed endpoint and not to the internal Docker container, we get a timeout; it seems like it doesn't want to connect to it. I understand that the main issue is that we are running both the Keycloak instance and our backend application on the same server, but I don't see why it shouldn't work and why they cannot connect to each other.

We tried setting up FRONTEND_URL in the environment when running the container and in the Keycloak admin console, but nothing changed. We've also tried setting forceBackendUrlToFrontendUrl to true in the standalone.xml/standalone-ha.xml files (./jboss-cli.sh --connect "/subsystem=keycloak-server/spi=hostname/provider=default:write-attribute(name=properties.forceBackendUrlToFrontendUrl, value=true)") and reloading the Keycloak instance inside the Docker container using ./jboss-cli.sh --connect command=:reload, but nothing changed.

I understand that basically by setting up FRONTEND_URL all tokens should be signed by the Keycloak instance and we would not have this issue, but I've tried everything I've found so far on this issue regarding the Keycloak configuration and nothing seems to change things. How can I make sure that the issuer that signs the access token and the one that the backend service expects are the same (hopefully the frontend)? And how can I configure this? Is there some property I'm missing, or was there something I did wrong while configuring it?

Olaru Vlad
  • Have you masked your real domain name with "keycloak", or where is this coming from? – Niklas Mar 19 '21 at 14:11
  • The keycloak:8080 refers to the Docker image. The backend runs in the same network so it can refer to it by the Docker image name – Olaru Vlad Mar 19 '21 at 14:21
  • Did you find the solution for this issue? – William Apr 17 '21 at 00:26
  • @William not really, nothing of what was suggested worked for me. At one point we just restarted the backend server and all of a sudden it worked again - so probably it was something a lot easier than I first thought. We made plans to deploy on different servers in the future in order to avoid this problem – Olaru Vlad Apr 18 '21 at 07:52

2 Answers


Might be related to this answer on here: https://stackoverflow.com/a/64095482/13494285

You could set Host header value to be the expected url.

To override this behavior, you might try to set KEYCLOAK_HOSTNAME environment variable to be the expected url.

Seems like documentation might not be up-to-date (it suggests KEYCLOAK_FRONTEND_URL variable on here), but instead KEYCLOAK_HOSTNAME is used to set fixed provider, as seen on here.

In this context, KEYCLOAK_HTTP_PORT is also required to set the port to 8080.

Niklas
  • I already tried changing the properties that are in the Jira ticket hoping both the issuer and the realmUrl sent will be the frontendUrl but I either didn't do it properly or it doesn't work. You mean to override the Host http header on every request with keycloak:8080 one? – Olaru Vlad Mar 19 '21 at 14:45
  • Seems like that variable is named `KEYCLOAK_FRONTEND_URL` these days, have you tried that? https://github.com/keycloak/keycloak-containers/blob/12.0.4/server/README.md#misc – Niklas Mar 19 '21 at 14:52
  • Yes, to your question about overriding. – Niklas Mar 19 '21 at 14:55
  • yes, already tried setting KEYCLOAK_FRONTEND_URL and it did nothing at all :( – Olaru Vlad Mar 19 '21 at 14:57
  • Hmm. `KEYCLOAK_HOSTNAME` variable is still used based on the code, if you haven't tried that. https://github.com/keycloak/keycloak-containers/blob/f2bd49492771a792a27b5e608364e31d531b2306/server/tools/docker-entrypoint.sh#L51 – Niklas Mar 19 '21 at 15:00
  • That would be the correct variable to override header usage. – Niklas Mar 19 '21 at 15:02
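The mechanism behind both the question's 401 and this answer's suggestion can be shown without a running Keycloak. The following is an added example (not code from the question, the answer, or Keycloak itself): it models, in simplified form, a server that derives the token's `iss` claim either from the incoming request (scheme and host, honouring X-Forwarded-* when proxy address forwarding is on) or from one pinned frontend URL (what KEYCLOAK_HOSTNAME / KEYCLOAK_FRONTEND_URL aim at), and an adapter that, like the Keycloak Spring adapter, expects exactly `auth-server-url` + `/realms/<realm>`. The tokens are unsigned (alg=none) and the request headers and the IP 203.0.113.10 are constructed for the demo; a real adapter also verifies the signature, and the assumed public URL is an example value, not one taken from the thread.

```python
import base64
import json

REALM = "Realm-Name"  # realm name from the question's application.yml


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def derive_issuer(headers, fixed_frontend_url=None, proxy_address_forwarding=True, realm=REALM):
    """Simplified model of how the server picks the `iss` value.

    fixed_frontend_url set -> always that URL, whatever hostname the request used
    otherwise              -> scheme and host of the incoming request, taking
                              X-Forwarded-* into account when proxy address
                              forwarding is on (PROXY_ADDRESS_FORWARDING=true)
    """
    if fixed_frontend_url:
        base = fixed_frontend_url.rstrip("/")
    else:
        host = headers["Host"]
        scheme = "http"
        if proxy_address_forwarding:
            host = headers.get("X-Forwarded-Host", host)
            scheme = headers.get("X-Forwarded-Proto", scheme)
        base = f"{scheme}://{host}/auth"
    return f"{base}/realms/{realm}"


def mint_token(issuer, subject="alice"):
    """Unsigned demo JWT (alg=none) carrying the given issuer. Constructed for the
    example only; a real access token is signed and the adapter checks that too."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"iss": issuer, "sub": subject, "azp": "back-office"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])


def expected_issuer(auth_server_url, realm=REALM):
    """The issuer a Keycloak adapter expects: auth-server-url + /realms/<realm>."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}"


def check_issuer(token, auth_server_url, realm=REALM):
    """Adapter-side comparison. Returns (ok, message); the message has the same
    shape as the 401 reason quoted in the question."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    exp = expected_issuer(auth_server_url, realm)
    if claims.get("iss") != exp:
        return False, f'Invalid token issuer. Expected "{exp}" but was "{claims.get("iss")}"'
    return True, "ok"


# Constructed requests. 203.0.113.10 stands in for the test server's IP; the
# external login is assumed to arrive through a reverse proxy that sets
# X-Forwarded-*, while the backend reaches the container by its compose name.
EXTERNAL_LOGIN = {"Host": "203.0.113.10", "X-Forwarded-Host": "203.0.113.10",
                  "X-Forwarded-Proto": "http"}
INTERNAL_BACKEND = {"Host": "keycloak:8080"}
INTERNAL_AUTH_SERVER_URL = "http://keycloak:8080/auth/"  # from application.yml
PUBLIC_FRONTEND_URL = "http://203.0.113.10/auth"          # assumed public URL


def demo_request_provider():
    """Issuer taken from the request: the login came in on the public IP, the
    adapter is pointed at the container name, so the two strings differ."""
    token = mint_token(derive_issuer(EXTERNAL_LOGIN))
    return check_issuer(token, INTERNAL_AUTH_SERVER_URL)


def demo_fixed_provider():
    """Issuer pinned to one frontend URL: tokens minted on either route carry the
    same `iss`, and the adapter passes once its auth-server-url is that URL."""
    via_external = mint_token(derive_issuer(EXTERNAL_LOGIN, PUBLIC_FRONTEND_URL))
    via_internal = mint_token(derive_issuer(INTERNAL_BACKEND, PUBLIC_FRONTEND_URL))
    ok, _ = check_issuer(via_external, PUBLIC_FRONTEND_URL)
    return via_external == via_internal and ok


if __name__ == "__main__":
    print(demo_request_provider())
    print(demo_fixed_provider())
```

The first demo reproduces the error string from the question; the second shows why pinning the hostname only solves half of it: the adapter still compares against its own `auth-server-url`, so that setting has to be the same pinned URL, and the backend has to be able to reach it (the timeout the asker hit when switching to the exposed endpoint is a separate, network-level problem that this model does not cover).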

Setting KEYCLOAK_HOSTNAME to the external hostname (as defined in KEYCLOAK_FRONTEND_URL) definitely worked for my case (Eclipse Che installation on a vanilla Kubernetes cluster).