[keycloak-user] Cluster configuration does not work

Marek Posolda mposolda at redhat.com
Tue Oct 20 10:24:21 EDT 2015


On 14/10/15 20:27, Rafael Coutinho wrote:
> Hi,
>
> I have an environment with an AngularJS app client, which 
> authenticates the user and keeps its data, and a server app that receives 
> some requests for Webservices resources.
> For some webservices I need, on the server side, to translate the 
> token into the user information. For that I use the url:
>
> auth/realms/MYREAL/protocol/openid-connect/userinfo
>
> with the Authorization token.
>
> The problem is that the server is behind a load balancer and accesses 
> keycloak through port 8080, while AngularJS accesses the same server 
> through port 80.
>
> Keycloak complains that the Token was issued from a different url than 
> I'm querying on the server side, forcing me to use the same hostname 
> and port on the server and on the client.
>
> Is that correct? How will I deploy in a distributed environment?
We don't handle this scenario ideally. Feel free to create a JIRA for it.

Currently the "iss" (issuer) field on the accessToken is filled from the URL 
of the request to the auth-server, which in your case is something like 
yourHost:80. Then the UserInfo endpoint always compares this value with the 
uriInfo from the current request, so it doesn't work when requests to the 
auth-server are sent via yourHost:8080.

IMO it would be nice if the accessToken could have more values for the "iss" 
field. Then we could have a protocolMapper, which would be able to add any 
configured values to the "iss" field in the accessToken in addition to the "iss" 
from the current request. The adapter/endpoint would reject only if uriInfo 
doesn't match any of the "iss" values.

As of now, I suggest invoking the UserInfo endpoint directly from your 
AngularJS app instead of from your webservice. The user info then needs to 
be sent to the webservices.

Marek

>
> ps. I'm using my own HTTP client to make that request to userinfo.
> ps2. I have added "auth-server-url-for-backend-requests", however I 
> don't see any difference.
>
> Rafael Coutinho
> Software Engineer
> Professional profile: www.linkedin.com/in/rafaelcoutinho
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
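To make the issuer mismatch in this thread concrete, here is an added Python model of the check Marek describes (the token's "iss" compared against the URL the backend used) next to an allowlisted variant in the spirit of his proposal. This is illustrative code written for this page, not Keycloak's implementation; the issuer path shape `/auth/realms/<realm>`, the host names, the unsigned demo token and the `allowed_bases` configuration are assumptions.

```python
import base64
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed values mirroring the thread: the browser reaches the auth server
# on port 80, the backend on 8080. Realm name is the one from the mail.
REALM = "MYREAL"
CLIENT_BASE = "http://yourhost:80"
BACKEND_BASE = "http://yourhost:8080"
DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize_base(url: str) -> str:
    """Lower-case scheme/host and drop a default port, so http://h:80 == http://h."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    netloc = host if p.port in (None, DEFAULT_PORTS.get(p.scheme.lower())) else f"{host}:{p.port}"
    return urlunsplit((p.scheme.lower(), netloc, p.path.rstrip("/"), "", ""))

def issuer_for(base_url: str, realm: str = REALM) -> str:
    """Issuer derived from the request URL, as the mail describes (path shape assumed)."""
    return f"{normalize_base(base_url)}/auth/realms/{realm}"

def make_token(claims: dict) -> str:
    """Constructed unsigned compact JWS for the demo; nothing here verifies signatures."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."

def claims_of(token: str) -> dict:
    """Decode only the payload segment (padding restored for urlsafe_b64decode)."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def strict_issuer_check(token: str, request_base: str) -> bool:
    """Behaviour reported in the thread: iss must equal the issuer built from the request URL."""
    return claims_of(token)["iss"] == issuer_for(request_base)

def allowlisted_issuer_check(token: str, request_base: str, allowed_bases) -> bool:
    """In the spirit of Marek's proposal: accept the current request URL plus a configured
    list of additional issuer values (assumed config, not a Keycloak setting)."""
    accepted = {issuer_for(b) for b in allowed_bases} | {issuer_for(request_base)}
    return claims_of(token)["iss"] in accepted

if __name__ == "__main__":
    tok = make_token({"iss": issuer_for(CLIENT_BASE), "sub": "demo-user"})
    print(strict_issuer_check(tok, BACKEND_BASE))                      # False
    print(allowlisted_issuer_check(tok, BACKEND_BASE, [CLIENT_BASE]))  # True
```

The normalization step also shows why comparing raw strings is fragile: a token issued via `http://yourhost` and a request arriving at `http://yourhost:80` name the same server but differ textually.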
