<div dir="ltr">Assuming you are using our adapters there are two separate urls to configure: "auth-server-url" is the external one, auth-server-url-for-backend-requests is the internal one. See <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config">http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config</a> for more details.</div><div class="gmail_extra"><br><div class="gmail_quote">On 19 January 2016 at 22:20, Joe Strathern <span dir="ltr"><<a href="mailto:jstrathern@gmail.com" target="_blank">jstrathern@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span style="font-size:12.8px">Hello Keycloak Community</span><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">I am looking for some assistance on how to pass a Keycloak bearer token in the multi-hop scenario, where the keycloak instance is inside a proxy environment, the next hop is within the proxy, and the original request came from outside of that environment.</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">For instance, the original request goes to <a href="http://external-hostname/auth" target="_blank">http://external-hostname/auth</a>, where external-hostname is a proxy system. Login is successful, and I receive a Bearer Token with Token issuer - <a href="http://external-hostname/auth/realms/My_Realm" target="_blank">http://external-hostname/auth/realms/My_Realm</a>.</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Now i need to take that token from the HTTP request, and attach it to a new request from inside the proxy. I do so, redirecting to <a href="http://interior-hostname/API" target="_blank">http://interior-hostname/API</a>, secured by the same Keycloak. Using "external-hostname" as host once more is not an option, as we are within the proxied environment. However, submitting the hop HTTP request, i am met with the error:</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><b>Failed to verify token: org.keycloak.common.VerificationException: Token audience doesn't match domain. Token issuer is <a href="http://external-hostname/auth/realms/My_Realm" target="_blank">http://external-hostname/auth/realms/My_Realm</a>, but URL from configuration is <a href="http://internal-hostname/auth/realms/My_Realm" target="_blank">http://internal-hostname/auth/realms/My_Realm</a></b><br></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">The token is rejected (Since the hostnames are not the exact same), however external-hostname and internal-hostname are the same machine.</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Is there a way that Keycloak can identify these hostnames as equivalent to accept the token, or another policy that should be followed in this situation?</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Thanks,</div><div style="font-size:12.8px">Joe</div></div>
<br>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>