[keycloak-dev] feature request

Stian Thorgersen sthorger at redhat.com
Wed Oct 12 08:36:44 EDT 2016


Sure, you could use a certificate issued to an IP address. However, in
that case all nodes would have to use the same IP address. If you use a
hostname you can have different machines use different IP addresses based
on different DNS servers or settings in the hosts file.

On 12 October 2016 at 14:00, Mátyás Bachorecz <bachoreczm at gmail.com> wrote:

> You wrote, that:
> "You need to use the HTTPS domain name when you are contacting Keycloak."
> - I'm just asking why? Why can't I use e.g. https://10.xx.xx.xx:<keycloak_port>/auth/....?
> Why do I have to use DNS name?
>
> Br,
> M
>
> On 12 October 2016 at 13:45, Stian Thorgersen <sthorger at redhat.com> wrote:
>
>> I'm not sure what you are asking.
>>
>> On 12 October 2016 at 08:28, Mátyás Bachorecz <bachoreczm at gmail.com>
>> wrote:
>>
>>> Actually I got your solution, but don't really understand what is the
>>> purpose of this feature? Why should I use DNS? I know that HTTPS is so
>>> important, but I can configure my realm to require HTTPS, so in the above
>>> mentioned situation I wouldn't like to use DNS names.
>>> So my main question is: what is the purpose of this feature?
>>>
>>> Br,
>>> Matyi
>>>
>>> On 12 October 2016 at 07:48, Mátyás Bachorecz <bachoreczm at gmail.com>
>>> wrote:
>>>
>>>> I understand, thank you for your answer.
>>>>
>>>> On 12 October 2016 at 07:00, Stian Thorgersen <sthorger at redhat.com>
>>>> wrote:
>>>>
>>>>> You can obviously use DNS settings and the machines hosts file to
>>>>> change what IP address the name resolves to.
>>>>>
>>>>> https://machine.local could resolve to 10.0.0.12 or 192.168.1.12
>>>>> depending on where it's called from.
>>>>>
>>>>> On 12 October 2016 at 06:59, Stian Thorgersen <sthorger at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> [Adding list again]
>>>>>>
>>>>>> Token based security relies on HTTPS for security. You need to use
>>>>>> the HTTPS domain name when you are contacting Keycloak. The HTTPS domain
>>>>>> should match the issuer of the domain.
>>>>>>
>>>>>> On 11 October 2016 at 18:56, Mátyás Bachorecz <bachoreczm at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> My token audience does not match, because we request for a token via
>>>>>>> floating ip (openstack, like 10.xx.xx.xx), and would like to validate via
>>>>>>> private ip (like 192.168.xx.xx). So my question is how to solve this
>>>>>>> problem?
>>>>>>>
>>>>>>> There are two machines, one belongs to the user, and on the other we are
>>>>>>> running Keycloak, and a client, which can validate the token. But the client only
>>>>>>> knows the private IP, and the user can't access Keycloak on the private IP, because
>>>>>>> he/she is not in that network.
>>>>>>>
>>>>>>> Br,
>>>>>>> Matyi
>>>>>>>
>>>>>>> On 11 October 2016 at 18:45, Stian Thorgersen <sthorger at redhat.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Rather than hacking Keycloak you should figure out why your token
>>>>>>>> audience doesn't match. For a token to be valid it has to have been issued by
>>>>>>>> the same server URL and realm. It's an important check and we wouldn't
>>>>>>>> accept a feature that prevents it.
>>>>>>>>
>>>>>>>> On 11 October 2016 at 17:07, Mátyás Bachorecz <bachoreczm at gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> we have a multi-component project, and all components are running on
>>>>>>>>> one machine, also Keycloak.
>>>>>>>>> We would like to obtain a token via curl, and our components would
>>>>>>>>> like to validate it, but they can't, because we've got:
>>>>>>>>> "Token audience doesn't match domain. Token issuer is " + token.getIssuer()
>>>>>>>>> + ", but URL from configuration is " + realmUrl
>>>>>>>>> (RSATokenVerifier.java)
>>>>>>>>>
>>>>>>>>> I would like to implement a new feature: a new checkbox or something else
>>>>>>>>> on the realm settings page, which can switch off the above mentioned feature.
>>>>>>>>> I've read that I should write an email here if I would like to implement
>>>>>>>>> something. Is it ok, or how does it work?
>>>>>>>>>
>>>>>>>>> Br,
>>>>>>>>> Matyi
>>>>>>>>> _______________________________________________
>>>>>>>>> keycloak-dev mailing list
>>>>>>>>> keycloak-dev at lists.jboss.org
>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
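The issuer check the thread keeps coming back to (quoted above from RSATokenVerifier.java) is easy to see in isolation. The following is an added example, not code from the thread or from Keycloak: a client-side verifier that checks the token signature and then insists that the token's `iss` claim equals the realm URL the client was configured with. Keycloak signs with RS256; this stand-in uses HS256 with a constructed key so it runs offline, and the port 8443, the realm name `demo` and the hostname `machine.local` are assumptions. It reproduces the scenario in the thread: a token fetched at the floating IP is rejected by a client configured with the private IP, while a hostname that resolves differently on each side (via DNS or the hosts file) works on both.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, key: bytes, subject: str = "alice") -> str:
    """Constructed stand-in for a realm issuing a token: the issuer is the
    realm URL the token endpoint was reached at. HS256 replaces Keycloak's
    RS256 only to keep the example dependency-free."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "sub": subject}).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


class TokenVerificationError(Exception):
    pass


def verify_token(token: str, key: bytes, realm_url: str) -> dict:
    """Verify the signature first, then enforce that the issuer equals the
    configured realm URL (the check quoted from RSATokenVerifier.java)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenVerificationError("malformed token")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison; a tampered payload (e.g. a rewritten iss) fails here.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenVerificationError("invalid signature")
    payload = json.loads(_b64url_decode(payload_b64))
    issuer = payload.get("iss")
    if issuer != realm_url:
        raise TokenVerificationError(
            f"Token audience doesn't match domain. Token issuer is {issuer}, "
            f"but URL from configuration is {realm_url}")
    return payload


def issuer_matches(token_url: str, client_url: str, key: bytes) -> bool:
    """Would a token obtained at token_url be accepted by a client whose
    configuration says the realm lives at client_url?"""
    try:
        verify_token(mint_token(token_url, key), key, client_url)
        return True
    except TokenVerificationError:
        return False


# Constructed values; the URL shape (/auth/realms/<realm>) follows the thread.
KEY = b"constructed-demo-key"
FLOATING_IP_REALM = "https://10.0.0.12:8443/auth/realms/demo"
PRIVATE_IP_REALM = "https://192.168.1.12:8443/auth/realms/demo"
HOSTNAME_REALM = "https://machine.local:8443/auth/realms/demo"

if __name__ == "__main__":
    # User fetched the token at the floating IP; the client is configured with the private IP.
    print(issuer_matches(FLOATING_IP_REALM, PRIVATE_IP_REALM, KEY))  # False
    # Both sides use the hostname; each resolves it to whichever IP it can reach.
    print(issuer_matches(HOSTNAME_REALM, HOSTNAME_REALM, KEY))  # True
```

The point of keeping the issuer string exact rather than, say, comparing only the realm path is that the URL is what binds the token to one Keycloak deployment; letting the two machines disagree about the IP while agreeing on the hostname is what DNS and the hosts file are for.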
