[keycloak-user] Token issuer validation fails (internal vs external, NATed environments, etc.)

Juan José Díaz Montaña juanjo.diaz at intopalo.com
Sat May 27 08:41:42 EDT 2017


Hi everyone,

I'm currently using Keycloak to authenticate  a bunch of applications in a
private network. I'm using the Javascript, node.js, spring security and
spring boot adapters, Some using bearer token and some not.

Everything works nicely except that our support engineers need to connect
sometimes over a NAT gateway. The problem is that the IP/URL used by the
support engineers is different than the one seen by the internal network
users. So I get error validating the jwt issuer, specially when using
bearer token that are generated by external users and pass back to internal
services.

I've seen that there use to be the `*auth-server-url-for-backend-requests*`
property just for this use case but it was removed.
I've also seen many questions online about this matter but no solution
apart from using a DNS which is not an option for me because of certain
restrictions I have.
Finally, I've recently seen someone with the same problem proposing
setting checkRealmUrl
to false to skip the issuer validator (http://lists.jboss.
org/pipermail/keycloak-user/2017-May/010640.html). Is that possible??? I
haven't found how without modifying the adapter's code.

Is there any other workaround?
Solutions I could think are:

   - Include a config option to make issuer validation optional
(setting checkRealmUrl
   to false)
   - Modify the `*auth-server-url*` to allow partial URLs that are resolved
   based on the calling host.
   - Modify the `*auth-server-url*`, to be a list so several URLs are
   accepted or to allow regexs so all the URLs that match are accepted. This
   probably requires separating the valid URLs from the URL use for
   redirections.

This is a deciding factor of whether we can use Keycloak or not, and I'm
sure that other people is having the same problem. So if there is no
existing workaround, I 'm happy to discuss and contribute any changes to
the adapters that could help me with this.

-- 
*Juanjo Díaz*
Software Architect  @Intopalo Oy <https://intopalo.com>


More information about the keycloak-user mailing list