[Hawkular-dev] Token errors with WebSockets and other backend calls
Juraci Paixão Kröhling
jpkroehling at redhat.com
Thu Sep 17 11:37:05 EDT 2015
All,
I've seen some problems lately that are hard to debug and may cause you
to waste valuable time.
In short, if you face "strange" issues related to authentication,
specially when trying features that make use of WebSockets (ie: add
deployment), make sure you are accessing the web UI via 127.0.0.1 , and
not localhost .
In case you are interested in the details, keep reading.
Upon login, Keycloak issues a token for the client, taking the auth
server host into consideration (as the "issuer authority"). If you use
localhost, then that's the hostname that Keycloak will use inside the
token. This value is later used to validate the incoming token. Ideally,
all the hostnames would be a match, and that's usually the case if you
use the "-b" switch when starting Wildfly. But if you don't specify, we
fall back to 127.0.0.1 [1] , causing the "backend call" to be 127.0.0.1,
while the "frontend call" came via localhost.
I have a couple of ideas on how to solve this in our side, but until a
fix is done, tested and merged, please use 127.0.0.1 on the UI.
1 - http://git.io/vnJfx
- Juca.
More information about the hawkular-dev
mailing list