<div dir="ltr">Stian<div>Thank you for your response.</div><div>I am using your Wildfly adapter to secure my WAR. As it is contained in a cluster enviroment with a load balancing proxy, I updated my adapter to have the following settings, much like the example provided at <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization">http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization</a> :</div><div>{</div><div> ...</div><div> <auth-server-url>/auth</auth-server-url></div><div> <auth-server-url-for-backend-requests>http:/internal-hostname/auth</auth-server-url-for-backend-requests></div><div> ...</div><div>}</div><div><br></div><div>The auth-server-url is still working as expected for the external request, however i am still getting the same 401 error, caused by the mismatching Token audience and Domain when I try to make the hop with my new HTTP request.</div><div>As i'm using Keycloak 1.7.0.Final currently, i downloaded the source and debugged, looking for a bit more insight as to what may be occurring.</div><div><br></div><div>I noticed that the URL Keycloak is retrieving to compare against the token, is retrieving it from the realmInfoUrl variable of the KeyCloakDeployment object. This variable is unaffected by the auth-server-url-for-backend-requests option. (Instead it affects numerous other URL variabled stored). Therefore, the realmInfoURL remains <a href="http://external-hostname/auth">http://external-hostname/auth</a>.</div><div><br></div><div>Then the error occurs as (in this case), the RSATokenVerifier directly compares this Realm URL against the Token Issuer, which differ due hostname (external vs internal, as before).</div><div><br></div><div>Is there an additional configuration, or concept I am missing to correct this workflow?</div><div><br></div><div>Thanks,<br>Joe</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jan 20, 2016 at 1:22 AM, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Assuming you are using our adapters there are two separate urls to configure: "auth-server-url" is the external one, auth-server-url-for-backend-requests is the internal one. See <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config</a> for more details.</div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On 19 January 2016 at 22:20, Joe Strathern <span dir="ltr"><<a href="mailto:jstrathern@gmail.com" target="_blank">jstrathern@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><span style="font-size:12.8px">Hello Keycloak Community</span><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">I am looking for some assistance on how to pass a Keycloak bearer token in the multi-hop scenario, where the keycloak instance is inside a proxy environment, the next hop is within the proxy, and the original request came from outside of that environment.</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">For instance, the original request goes to <a href="http://external-hostname/auth" target="_blank">http://external-hostname/auth</a>, where external-hostname is a proxy system. Login is successful, and I receive a Bearer Token with Token issuer - <a href="http://external-hostname/auth/realms/My_Realm" target="_blank">http://external-hostname/auth/realms/My_Realm</a>.</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Now i need to take that token from the HTTP request, and attach it to a new request from inside the proxy. I do so, redirecting to <a href="http://interior-hostname/API" target="_blank">http://interior-hostname/API</a>, secured by the same Keycloak. Using "external-hostname" as host once more is not an option, as we are within the proxied environment. However, submitting the hop HTTP request, i am met with the error:</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><b>Failed to verify token: org.keycloak.common.VerificationException: Token audience doesn't match domain. Token issuer is <a href="http://external-hostname/auth/realms/My_Realm" target="_blank">http://external-hostname/auth/realms/My_Realm</a>, but URL from configuration is <a href="http://internal-hostname/auth/realms/My_Realm" target="_blank">http://internal-hostname/auth/realms/My_Realm</a></b><br></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">The token is rejected (Since the hostnames are not the exact same), however external-hostname and internal-hostname are the same machine.</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Is there a way that Keycloak can identify these hostnames as equivalent to accept the token, or another policy that should be followed in this situation?</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Thanks,</div><div style="font-size:12.8px">Joe</div></div>
<br></div></div>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>
</blockquote></div><br></div>