Re: [keycloak-dev] feature request

I'm not sure what you are asking. On 12 October 2016 at 08:28, Mátyás Bachorecz <bachoreczm(a)gmail.com&gt; wrote: > Actually I got your solution, but don't really understand what is the > purpose of this feature? Why should I use DNS? I know that HTTPS is so > important, but I can configure my realm to require HTTPS, so in the above > mentioned situation I wouldn't like to use DNS names. > So my main question is: what is the purpose of this feature? > > Br, > Matyi > > On 12 October 2016 at 07:48, Mátyás Bachorecz <bachoreczm(a)gmail.com&gt; > wrote: > >> I understand, thank you for your answer. >> >> On 12 October 2016 at 07:00, Stian Thorgersen <sthorger(a)redhat.com&gt; >> wrote: >> >>> You can obviously use DNS settings and the machines hosts file to >>> change what IP address the name resolves to. >>> >>> https://machine.local could resolve to 10.0.0.12 or 192.168.1.12 >>> depending on where it's called from. >>> >>> On 12 October 2016 at 06:59, Stian Thorgersen <sthorger(a)redhat.com&gt; >>> wrote: >>> >>>> [Adding list again] >>>> >>>> Token based security relies on HTTPS for security. You need to use the >>>> HTTPs domain name when you are contacting Keycloak. The HTTPs domain should >>>> match the issuer of the domain. >>>> >>>> On 11 October 2016 at 18:56, Mátyás Bachorecz <bachoreczm(a)gmail.com&gt; >>>> wrote: >>>> >>>>> My token audience does not match, because we request for a token via >>>>> floating ip (openstack, like 10.xx.xx.xx), and would like to validate via >>>>> private ip (like 192.168.xx.xx). So my question is how to solve this >>>>> problem? >>>>> >>>>> There are two machines, one belongs to user, and on the other we >>>>> running keycloak, and a client, which can validate token. But client only >>>>> nows the private ip, and user can't access keycloak on private ip, cause >>>>> he/she is not in that network. >>>>> >>>>> Br, >>>>> Matyi >>>>> >>>>> On 11 October 2016 at 18:45, Stian Thorgersen <sthorger(a)redhat.com&gt; >>>>> wrote: >>>>> >>>>>> Rather than hacking Keycloak you should figure out why your token >>>>>> audience doesn't match. For a token to be valid it has to been issued by >>>>>> the same server URL and realm. It's an important check and we wouldn't >>>>>> accept a feature that prevents it. >>>>>> >>>>>> On 11 October 2016 at 17:07, Mátyás Bachorecz <bachoreczm(a)gmail.com&gt; >>>>>> wrote: >>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> we have a multi-component project, and all components running in one >>>>>>> machine, also Keycloak. >>>>>>> We would like to obtain token via curl, and our components would >>>>>>> like to >>>>>>> validate it, but they can't, because we've got: >>>>>>> "Token audience doesn't match domain. Token issuer is " + >>>>>>> token.getIssuer() >>>>>>> + ", but URL from configuration is " + realmUrl >>>>>>> (RSATokenVerifier.java) >>>>>>> >>>>>>> I would like to implement a new feature: a new checkbox or >>>>>>> something else >>>>>>> to realm settings page, which can switch off the above mentioned >>>>>>> feature. >>>>>>> I've read that I should write an email here if I would like to >>>>>>> implement >>>>>>> something. Is it ok, or how it works? >>>>>>> >>>>>>> Br, >>>>>>> Matyi >>>>>>> _______________________________________________ >>>>>>> keycloak-dev mailing list >>>>>>> keycloak-dev(a)lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>>>>>> >>>>>> >>>>>> >>>>> >>>> >>> >> >