[keycloak-dev] disable url check on introspection

Stian Thorgersen sthorger at redhat.com
Thu Mar 8 02:59:21 EST 2018


This is just one out of several issues you'll encounter if you have clients
reaching Keycloak through an internal IP address.

I believe you can probably use Undertow filters to map the internal IP to a
fqdn so Keycloak will use the proper domain name regardless. That would
probably be the way we'd support this if/when we get around to doing it as
we need the ability to map an internal IP address to a domain name.
Keycloak always needs to know its domain name.

On 6 March 2018 at 19:59, Aron Bustya <aron.bustya.js at gmail.com> wrote:

> Hello!
>
> We are operating keycloak and an API gateway which protects our resource
> servers, the gateway uses the token introspection feature of keycloak to
> validate requests.
>
> Our problem is that keycloak only accepts introspection request when called
> with the same fqdn as the token was issued for, so the gateway cannot call
> keycloak using its internal address.
> I know this is a 'solvable' problem, but solutions raise further questions,
> and it would be simpler to just allow the introspection call without the
> url check.
> I see others have encountered the problem also:
> https://issues.jboss.org/browse/KEYCLOAK-5045
>
> The RSATokenVerifier used for introspection actually has a checkRealmUrl
> setting, but it can't be influenced from any server configuration.
> So my question is: if I made the checkRealmUrl setting configurable using a
> realm attribute or client attribute, would that be an acceptable feature
> for a pull request?


> Best regards,
> Áron Bustya
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev


More information about the keycloak-dev mailing list