In your Apache log I see "Token audience doesn't match domain. Token issuer is http://URL/auth/realms/aerogear, but URL from configuration is https://URL/auth/realms/aerogear" , have you changed something around httpS ? Basically keycloak does not accept the token because it has not the same domain origin.