<div dir="ltr">In light of this, i have found an acceptable solution on my end that will hopefully help other users who encounter this issue.<div>When the request comes in from <a href="http://external-hostname">http://external-hostname</a>, i grab the token from it as before, however i also look at the HTTP session and take the external hostname, port, and scheme (http vs https). </div><div>I then use those values instead of <a href="http://internal-hostname/.">http://internal-hostname/.</a>.. for my next hop.</div><div>In this way, I essentially reach "outside" the proxy for the next jump, retrieve the external values from inside the proxy, and redirect the token with the same host to pass through keycloak.</div><div>While it requires that external-hostname is able to be resolved from inside the proxy, it prevents the need to store the host name value(s) in order to make the next hop, and allows some flexibility in host name granted by a relative auth-server-url.</div><div><br></div><div>Thanks,</div><div>Joe</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jan 27, 2016 at 3:08 AM, Stian Thorgersen <span dir="ltr"><<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">It can't be done. What you are asking for is that the adapter when receiving the request on the internal IP is somehow going to be able to resolve the relative auth-server-url which is using the external domain. Unless you tell it what the external domain is it won't know.</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 27 January 2016 at 02:51, Doug Szeto <span dir="ltr"><<a href="mailto:DSzeto@investlab.com" target="_blank">DSzeto@investlab.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
<div>+1 Joe’s request.</div>
<div>In larger deployments with reverse proxies, we control the request url and hostname and ip visible to the keycloak server, so internal IP address concerns are less of an issue.</div>
<div><br>
</div>
<span>
<div style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt">
<span style="font-weight:bold">From: </span><<a href="mailto:keycloak-user-bounces@lists.jboss.org" target="_blank">keycloak-user-bounces@lists.jboss.org</a>> on behalf of Stian Thorgersen <<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>><br>
<span style="font-weight:bold">Reply-To: </span>"<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>" <<a href="mailto:stian@redhat.com" target="_blank">stian@redhat.com</a>><br>
<span style="font-weight:bold">Date: </span>Tuesday, January 26, 2016 at 6:43 PM<br>
<span style="font-weight:bold">To: </span>Joe Strathern <<a href="mailto:jstrathern@gmail.com" target="_blank">jstrathern@gmail.com</a>><br>
<span style="font-weight:bold">Cc: </span>keycloak-user <<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [keycloak-user] Passing External URL Bearer Token to Interior Proxy URL in Multi-Hop scenario<br>
</div><div><div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">You can't. Relative url uses the request url, and when it's using an internal IP address/domain that'll end up being the request url, which will be wrong in your case.</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 25 January 2016 at 23:27, Joe Strathern <span dir="ltr">
<<a href="mailto:jstrathern@gmail.com" target="_blank">jstrathern@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>Stian,
<div><br>
</div>
<div>Thank you for the reply.</div>
<div>While changing the auth-server-url to an absolute URL (<a href="http://external-hostname/auth" style="font-size:12.8px" target="_blank">http://external-hostname/auth</a>) for all adapters allowed the token to be passed successfully, the relative URI optimization
(<a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization</a>)
for the auth-server-url is very important functionality I need access to.</div>
<div>By leaving <b>/auth</b> as the auth-server-url, I can access the secured resources by case-insensitive host name, host ip address, http vs https and more, all of which are lost by having to switch to an absolute URL.</div>
<div><br>
</div>
</div>
<div>How can I retain the relative URL for auth-server-url, allowing my required external requests to pass through keycloak, while allowing the internal requests and hops to use the auth-server-url-for-backend-requests absolute URL to authenticate?</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Joe</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Jan 25, 2016 at 1:08 AM, Stian Thorgersen <span dir="ltr">
<<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">You'd need to make sure all adapters are configured with the same. <a href="http://external-hostname/auth" style="font-size:12.8px" target="_blank">http://external-hostname/auth</a><span style="font-size:12.8px"> needs to be the auth-server-url
on all adapters.</span></div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 21 January 2016 at 23:00, Joe Strathern <span dir="ltr">
<<a href="mailto:jstrathern@gmail.com" target="_blank">jstrathern@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Stian
<div>Thank you for your response.</div>
<div>I am using your Wildfly adapter to secure my WAR. As it is contained in a cluster enviroment with a load balancing proxy, I updated my adapter to have the following settings, much like the example provided at
<a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization" target="_blank">
http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization</a> :</div>
<div>{</div>
<div> ...</div>
<div> <auth-server-url>/auth</auth-server-url></div>
<div> <auth-server-url-for-backend-requests>http:/internal-hostname/auth</auth-server-url-for-backend-requests></div>
<div> ...</div>
<div>}</div>
<div><br>
</div>
<div>The auth-server-url is still working as expected for the external request, however i am still getting the same 401 error, caused by the mismatching Token audience and Domain when I try to make the hop with my new HTTP request.</div>
<div>As i'm using Keycloak 1.7.0.Final currently, i downloaded the source and debugged, looking for a bit more insight as to what may be occurring.</div>
<div><br>
</div>
<div>I noticed that the URL Keycloak is retrieving to compare against the token, is retrieving it from the realmInfoUrl variable of the KeyCloakDeployment object. This variable is unaffected by the auth-server-url-for-backend-requests option. (Instead it affects
numerous other URL variabled stored). Therefore, the realmInfoURL remains <a href="http://external-hostname/auth" target="_blank">
http://external-hostname/auth</a>.</div>
<div><br>
</div>
<div>Then the error occurs as (in this case), the RSATokenVerifier directly compares this Realm URL against the Token Issuer, which differ due hostname (external vs internal, as before).</div>
<div><br>
</div>
<div>Is there an additional configuration, or concept I am missing to correct this workflow?</div>
<div><br>
</div>
<div>Thanks,<br>
Joe</div>
</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Jan 20, 2016 at 1:22 AM, Stian Thorgersen <span dir="ltr">
<<a href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Assuming you are using our adapters there are two separate urls to configure: "auth-server-url" is the external one, auth-server-url-for-backend-requests is the internal one. See <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config</a>
for more details.</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">
<div>
<div>On 19 January 2016 at 22:20, Joe Strathern <span dir="ltr"><<a href="mailto:jstrathern@gmail.com" target="_blank">jstrathern@gmail.com</a>></span> wrote:<br>
</div>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>
<div dir="ltr"><span style="font-size:12.8px">Hello Keycloak Community</span>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">I am looking for some assistance on how to pass a Keycloak bearer token in the multi-hop scenario, where the keycloak instance is inside a proxy environment, the next hop is within the proxy, and the original request came from
outside of that environment.</div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">For instance, the original request goes to <a href="http://external-hostname/auth" target="_blank">http://external-hostname/auth</a>, where external-hostname is a proxy system. Login is successful, and I receive a Bearer Token
with Token issuer - <a href="http://external-hostname/auth/realms/My_Realm" target="_blank">http://external-hostname/auth/realms/My_Realm</a>.</div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">Now i need to take that token from the HTTP request, and attach it to a new request from inside the proxy. I do so, redirecting to <a href="http://interior-hostname/API" target="_blank">http://interior-hostname/API</a>, secured
by the same Keycloak. Using "external-hostname" as host once more is not an option, as we are within the proxied environment. However, submitting the hop HTTP request, i am met with the error:</div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px"><b>Failed to verify token: org.keycloak.common.VerificationException: Token audience doesn't match domain. Token issuer is <a href="http://external-hostname/auth/realms/My_Realm" target="_blank">http://external-hostname/auth/realms/My_Realm</a>,
but URL from configuration is <a href="http://internal-hostname/auth/realms/My_Realm" target="_blank">http://internal-hostname/auth/realms/My_Realm</a></b><br>
</div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">The token is rejected (Since the hostnames are not the exact same), however external-hostname and internal-hostname are the same machine.</div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">Is there a way that Keycloak can identify these hostnames as equivalent to accept the token, or another policy that should be followed in this situation?</div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">Thanks,</div>
<div style="font-size:12.8px">Joe</div>
</div>
<br>
</div>
</div>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div></div></span>
</div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>