<div dir="ltr">It can't be done. What you are asking for is that the adapter when receiving the request on the internal IP is somehow going to be able to resolve the relative auth-server-url which is using the external domain. Unless you tell it what the external domain is it won't know.</div><div class="gmail_extra"><br><div class="gmail_quote">On 27 January 2016 at 02:51, Doug Szeto <span dir="ltr"><<a href="mailto:DSzeto@investlab.com" target="_blank">DSzeto@investlab.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
<div>+1 Joe’s request.</div>
<div>In larger deployments with reverse proxies, we control the request url and hostname and ip visible to the keycloak server, so internal IP address concerns are less of an issue.</div>
<div><br>
</div>
<span>
<div style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt">
<span style="font-weight:bold">From: </span><<a href="mailto:keycloak-user-bounces@lists.jboss.org" target="_blank">keycloak-user-bounces@lists.jboss.org</a>> on behalf of Stian Thorgersen <<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>><br>
<span style="font-weight:bold">Reply-To: </span>"<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>" <<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>><br>
<span style="font-weight:bold">Date: </span>Tuesday, January 26, 2016 at 6:43 PM<br>
<span style="font-weight:bold">To: </span>Joe Strathern <<a href="mailto:jstrathern@gmail.com" target="_blank">jstrathern@gmail.com</a>><br>
<span style="font-weight:bold">Cc: </span>keycloak-user <<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [keycloak-user] Passing External URL Bearer Token to Interior Proxy URL in Multi-Hop scenario<br>
</div><div><div class="h5">
<div><br>
</div>
<div>
<div>
<div dir="ltr">You can't. A relative URL uses the request URL, and when it's using an internal IP address/domain that'll end up being the request URL, which will be wrong in your case.</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 25 January 2016 at 23:27, Joe Strathern <span dir="ltr">
<<a href="mailto:jstrathern@gmail.com" target="_blank">jstrathern@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>Stian,
<div><br>
</div>
<div>Thank you for the reply.</div>
<div>While changing the auth-server-url to an absolute URL (<a href="http://external-hostname/auth" style="font-size:12.8px" target="_blank">http://external-hostname/auth</a>) for all adapters allowed the token to be passed successfully, the relative URI optimization
(<a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization</a>)
for the auth-server-url is very important functionality I need access to.</div>
<div>By leaving <b>/auth</b> as the auth-server-url, I can access the secured resources by case-insensitive host name, host ip address, http vs https and more, all of which are lost by having to switch to an absolute URL.</div>
<div><br>
</div>
</div>
<div>How can I retain the relative URL for auth-server-url, allowing my required external requests to pass through keycloak, while allowing the internal requests and hops to use the auth-server-url-for-backend-requests absolute URL to authenticate?</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Joe</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Jan 25, 2016 at 1:08 AM, Stian Thorgersen <span dir="ltr">
<<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">You'd need to make sure all adapters are configured with the same. <a href="http://external-hostname/auth" style="font-size:12.8px" target="_blank">http://external-hostname/auth</a><span style="font-size:12.8px"> needs to be the auth-server-url
on all adapters.</span></div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 21 January 2016 at 23:00, Joe Strathern <span dir="ltr">
<<a href="mailto:jstrathern@gmail.com" target="_blank">jstrathern@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Stian,
<div>Thank you for your response.</div>
<div>I am using your Wildfly adapter to secure my WAR. As it is contained in a cluster environment with a load balancing proxy, I updated my adapter to have the following settings, much like the example provided at
<a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization" target="_blank">
http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization</a> :</div>
<div>{</div>
<div> ...</div>
<div> <auth-server-url>/auth</auth-server-url></div>
<div> <auth-server-url-for-backend-requests>http://internal-hostname/auth</auth-server-url-for-backend-requests></div>
<div> ...</div>
<div>}</div>
<div><br>
</div>
<div>The auth-server-url is still working as expected for the external request, however I am still getting the same 401 error, caused by the mismatching Token audience and Domain when I try to make the hop with my new HTTP request.</div>
<div>As I'm using Keycloak 1.7.0.Final currently, I downloaded the source and debugged, looking for a bit more insight as to what may be occurring.</div>
<div><br>
</div>
<div>I noticed that the URL Keycloak is retrieving to compare against the token is retrieved from the realmInfoUrl variable of the KeycloakDeployment object. This variable is unaffected by the auth-server-url-for-backend-requests option. (Instead it affects
numerous other URL variables stored). Therefore, the realmInfoUrl remains <a href="http://external-hostname/auth" target="_blank">
http://external-hostname/auth</a>.</div>
<div><br>
</div>
<div>Then the error occurs as (in this case), the RSATokenVerifier directly compares this Realm URL against the Token Issuer, which differ due to hostname (external vs internal, as before).</div>
<div><br>
</div>
<div>Is there an additional configuration, or concept I am missing to correct this workflow?</div>
<div><br>
</div>
<div>Thanks,<br>
Joe</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Jan 20, 2016 at 1:22 AM, Stian Thorgersen <span dir="ltr">
<<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Assuming you are using our adapters there are two separate URLs to configure: "auth-server-url" is the external one, "auth-server-url-for-backend-requests" is the internal one. See <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config</a>
for more details.</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">
<div>
<div>On 19 January 2016 at 22:20, Joe Strathern <span dir="ltr"><<a href="mailto:jstrathern@gmail.com" target="_blank">jstrathern@gmail.com</a>></span> wrote:<br>
</div>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>
<div dir="ltr"><span style="font-size:12.8px">Hello Keycloak Community</span>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">I am looking for some assistance on how to pass a Keycloak bearer token in the multi-hop scenario, where the keycloak instance is inside a proxy environment, the next hop is within the proxy, and the original request came from
outside of that environment.</div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">For instance, the original request goes to <a href="http://external-hostname/auth" target="_blank">http://external-hostname/auth</a>, where external-hostname is a proxy system. Login is successful, and I receive a Bearer Token
with Token issuer - <a href="http://external-hostname/auth/realms/My_Realm" target="_blank">http://external-hostname/auth/realms/My_Realm</a>.</div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">Now I need to take that token from the HTTP request, and attach it to a new request from inside the proxy. I do so, redirecting to <a href="http://interior-hostname/API" target="_blank">http://interior-hostname/API</a>, secured
by the same Keycloak. Using "external-hostname" as host once more is not an option, as we are within the proxied environment. However, submitting the hop HTTP request, I am met with the error:</div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px"><b>Failed to verify token: org.keycloak.common.VerificationException: Token audience doesn't match domain. Token issuer is <a href="http://external-hostname/auth/realms/My_Realm" target="_blank">http://external-hostname/auth/realms/My_Realm</a>,
but URL from configuration is <a href="http://internal-hostname/auth/realms/My_Realm" target="_blank">http://internal-hostname/auth/realms/My_Realm</a></b><br>
</div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">The token is rejected (Since the hostnames are not the exact same), however external-hostname and internal-hostname are the same machine.</div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">Is there a way that Keycloak can identify these hostnames as equivalent to accept the token, or another policy that should be followed in this situation?</div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">Thanks,</div>
<div style="font-size:12.8px">Joe</div>
</div>
<br>
</div>
</div>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div></div></span>
</div>
</blockquote></div><br></div>
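<div>Added illustration, not code from this thread or from Keycloak itself: a small Python model of the issuer check Joe traced (realm URL derived from the adapter's auth-server-url and the incoming request, then compared with the token's <code>iss</code>). The hostnames, realm, sample token and the <code>check_hop</code> helper are constructed assumptions; signature verification is deliberately left out so only the hostname mismatch is shown.</div>

```python
import base64
import json
from urllib.parse import urljoin

# Constructed adapter settings mirroring the thread (hypothetical hostnames/realm).
ADAPTER_CONFIG = {
    "auth-server-url": "/auth",  # relative: resolved against the request URL
    "auth-server-url-for-backend-requests": "http://internal-hostname/auth",
    "realm": "My_Realm",
}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(issuer: str) -> str:
    # Constructed, unsigned JWT (header.payload.) for modelling the issuer check only.
    header = b64url_encode(json.dumps({"alg": "none"}).encode())
    payload = b64url_encode(json.dumps({"iss": issuer, "aud": "my-app"}).encode())
    return f"{header}.{payload}."

def realm_info_url(config: dict, request_url: str) -> str:
    """Realm URL the adapter compares the token issuer against. A relative
    auth-server-url is resolved from the incoming request's scheme and host;
    auth-server-url-for-backend-requests is not consulted, as Joe traced."""
    base = urljoin(request_url, config["auth-server-url"])
    return f"{base.rstrip('/')}/realms/{config['realm']}"

def check_hop(config: dict, request_url: str, token: str) -> dict:
    """Outcome of the issuer check for one request, with the thread's error wording."""
    issuer = json.loads(b64url_decode(token.split(".")[1]))["iss"]
    expected = realm_info_url(config, request_url)
    if issuer == expected:
        return {"ok": True, "expected": expected}
    return {"ok": False, "expected": expected,
            "error": "Token audience doesn't match domain. Token issuer is "
                     f"{issuer}, but URL from configuration is {expected}"}

if __name__ == "__main__":
    token = make_sample_token("http://external-hostname/auth/realms/My_Realm")
    # External request: /auth resolves to the external host, so the check passes.
    print(check_hop(ADAPTER_CONFIG, "http://external-hostname/API", token))
    # Internal hop: /auth resolves to internal-hostname, so the token is rejected.
    print(check_hop(ADAPTER_CONFIG, "http://internal-hostname/API", token))
    # Absolute auth-server-url on every adapter (Stian's workaround) passes again.
    absolute = dict(ADAPTER_CONFIG, **{"auth-server-url": "http://external-hostname/auth"})
    print(check_hop(absolute, "http://internal-hostname/API", token))
```

Running it shows the external request accepted, the internal hop rejected with the same message Joe quoted, and the absolute-URL configuration accepted on both hops, at the cost of the relative-URI flexibility Joe wanted to keep.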