[keycloak-dev] disable url check on introspection

Aron Bustya aron.bustya.js at gmail.com
Tue Mar 6 13:59:23 EST 2018


Hello!

We are operating Keycloak and an API gateway which protects our resource
servers; the gateway uses the token introspection feature of Keycloak to
validate requests.

Our problem is that Keycloak only accepts introspection requests when called
with the same FQDN as the token was issued for, so the gateway cannot call
Keycloak using its internal address.
I know this is a 'solvable' problem, but solutions raise further questions,
and it would be simpler to just allow the introspection call without the
url check.
I see others have encountered the problem also:
https://issues.jboss.org/browse/KEYCLOAK-5045

The RSATokenVerifier used for introspection actually has a checkRealmUrl
setting, but it can't be influenced from any server configuration.
So my question is: if I made the checkRealmUrl setting configurable using a
realm attribute or client attribute, would that be an acceptable feature
for a pull request?

Best regards,
Áron Bustya
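
An added illustration, not part of the original message and not Keycloak's code: a simplified Python model of the issuer comparison described above, showing why a call over the internal address fails and what is no longer compared once the check is off. The hostnames, the realm name `demo`, the function names and the idea that the expected realm URL is built from the address the request arrived on are assumptions; signature and expiry verification are left out.

```python
import base64
import json


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(issuer: str) -> str:
    # Constructed JWT-shaped sample; the signature part is a placeholder.
    return ".".join([_b64url({"alg": "RS256"}), _b64url({"iss": issuer}), "sig"])


def issuer_of(token: str) -> str:
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))["iss"]


def realm_url(base: str, realm: str) -> str:
    # Assumption: the expected URL is derived from the address the caller used.
    return f"{base.rstrip('/')}/auth/realms/{realm}"


def introspect(token: str, request_base: str, realm: str,
               check_realm_url: bool = True) -> dict:
    iss = issuer_of(token)
    if check_realm_url and iss != realm_url(request_base, realm):
        return {"active": False}  # issuer does not match the called address
    return {"active": True, "iss": iss}


PUBLIC = "https://sso.example.com"          # constructed hostname
INTERNAL = "http://keycloak.internal:8080"  # constructed hostname
FOREIGN = "https://other.example.net/auth/realms/demo"  # constructed issuer


def demo() -> dict:
    token = make_token(realm_url(PUBLIC, "demo"))
    return {
        "via_public": introspect(token, PUBLIC, "demo"),
        "via_internal": introspect(token, INTERNAL, "demo"),
        "via_internal_unchecked": introspect(token, INTERNAL, "demo", False),
        "foreign_issuer_unchecked": introspect(make_token(FOREIGN), INTERNAL, "demo", False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In this model, turning the check off means the `iss` claim is not compared against anything, so the other token checks carry the whole decision.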

