[keycloak-user] Keycloak: Failed to verify token - Invalid token issuer [RESOLVED]

Henning Waack henning.waack at codecentric.de
Thu Jun 21 11:48:37 EDT 2018 

Ok, resolved this issue. The problem was that I still had a wrong "keycloak.auth-server-url“ in my Spring Boot application.properties file.

The old config was:

 keycloak.auth-server-url=http://nak/auth

The new (working) config is:

 keycloak.auth-server-url=https://nak.xxx.de.net/auth

Since requesting the token was done against "https://nak.xxx.de.net/auth“ I had this mismatch. So the value of auth-server-url must match the endpoint URL to which requests for tokens are sent.

Greetings

Henning

Am 21. Juni 2018, 15:31 +0200 schrieb Henning Waack <henning.waack at codecentric.de>:
> Hi all.
>
> Using KC 4.0.0.Final behind a Apache https proxy, we have the following issue with OIDC tokens as logged in the Keycloak server.log:
>
> 2018-06-21 13:59:47,626 DEBUG [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-41) Verifying access_token
> 2018-06-21 13:59:47,628 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-41) Failed to verify token: org.keycloak.common.VerificationException: Invalid token issuer. Expected 'http://nak/auth/realms/NAK', but was 'https://nak.xxx.de/auth/realms/NAK'
> at org.keycloak.TokenVerifier$RealmUrlCheck.test(TokenVerifier.java:108)
> ---
>
> The URL "https://nak.xxx.de/auth/realms/NAK/.well-known/openid-configuration" looks fine, all endpoints have the right format, e.g.
>
> > issuer: "https://nak.xxx.de/auth/realms/NAK"
> > authorization_endpoint: "https://nak.xxx.de/auth/realms/NAK/protocol/openid-connect/auth"
> > token_endpoint : "https://nak.xxx.de/auth/realms/NAK/protocol/openid-connect/token"
>
> The X-Forward Headers also look fine, I have enabled header logging in Wildfly, and we have the following headers for example:
>
> header=X-Forwarded-For=80.242.xx.xx, 10.10.51.5
> header=X_FORWARDED_PROTO=https
> header=Host=nak.xxx.de
> header=X-Forwarded-Host=nak.xxx.de, nak.xxx.de
> header=X-Forwarded-Server=nak.xxx.de, xxx.dip0.t-ipconnect.de
> header=X-Forwarded-Proto=https
>
> In my KC standlone.xml config I have set the "proxy-address-forwarding" parameter for the http-listener to "true".
>
> So why is KC still expecting the token issuer to be "http://nak/..." instead of "https://nak.xxx.de/..."?
>
> Thanks & greetings
>
> Henning

More information about the keycloak-user mailing list