This is just one out of several issues you'll encounter if you have clients
reaching Keycloak through an internal IP address.
I believe you can probably use Undertow filters to map the internal IP to an
FQDN so Keycloak will use the proper domain name regardless. That would
probably be the way we'd support this if/when we get around to doing it, as
we need the ability to map an internal IP address to a domain name.
Keycloak always needs to know its domain name.
On 6 March 2018 at 19:59, Aron Bustya <aron.bustya.js(a)gmail.com> wrote:
Hello!
We are operating Keycloak and an API gateway which protects our resource
servers; the gateway uses the token introspection feature of Keycloak to
validate requests.
Our problem is that Keycloak only accepts introspection requests when called
with the same FQDN as the token was issued for, so the gateway cannot call
Keycloak using its internal address.
I know this is a 'solvable' problem, but solutions raise further questions,
and it would be simpler to just allow the introspection call without the
URL check.
I see others have encountered the problem also:
https://issues.jboss.org/browse/KEYCLOAK-5045
The RSATokenVerifier used for introspection actually has a checkRealmUrl
setting, but it can't be influenced from any server configuration.
So my question is: if I made the checkRealmUrl setting configurable using a
realm attribute or client attribute, would that be an acceptable feature
for a pull request?
Best regards,
Áron Bustya
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
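The thread above describes two ways out of the same mismatch: drop the realm-URL check on introspection (the asker's proposal) or map the internal address back to the realm's FQDN before the check runs (the reply's suggestion). The following is an added example, not Keycloak's code and not the RSATokenVerifier logic itself: a simplified stand-in for the introspection decision that derives the realm URL from the request URL, compares it with the token's `iss` claim, and shows why an internal-IP request fails, why a host mapping makes it pass with the check still in force, and what switching the check off looks like. All hostnames, addresses, claims and the `INTERNAL_HOST_MAP` mechanism are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed values for the example; not a real deployment.
PUBLIC_REALM_URL = "https://sso.example.com/auth/realms/demo"

# Hypothetical mapping of internal addresses to the public host name. This plays the
# role of the "map the internal IP to an FQDN" step the reply talks about (for instance a
# filter or reverse proxy rewriting the Host header); the mechanism is assumed here,
# not taken from Keycloak.
INTERNAL_HOST_MAP = {
    "10.0.0.5:8080": "sso.example.com",
    "keycloak.internal:8080": "sso.example.com",
}


def canonicalize_request_url(request_url: str, host_map: dict) -> str:
    """Rewrite an internal host:port to the public FQDN so the server sees its own
    domain name regardless of which address the gateway used."""
    parts = urlsplit(request_url)
    public_host = host_map.get(parts.netloc)
    if public_host is None:
        return request_url
    return urlunsplit(("https", public_host, parts.path, parts.query, ""))


def realm_url_from_request(request_url: str) -> str:
    """Derive the realm base URL from the URL the introspection request arrived on,
    i.e. everything before the '/protocol/' segment of the endpoint path."""
    parts = urlsplit(request_url)
    path = parts.path
    marker = "/protocol/"
    if marker in path:
        path = path[: path.index(marker)]
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def introspect(claims: dict, request_url: str, now: int,
               check_realm_url: bool = True,
               host_map: Optional[dict] = None) -> dict:
    """Simplified introspection decision: an RFC 7662-style response with an 'active'
    flag plus a 'reason' field (the reason field is an addition for readability).
    Signature validation is assumed to have happened before this point."""
    if host_map:
        request_url = canonicalize_request_url(request_url, host_map)

    if claims.get("exp", 0) <= now:
        return {"active": False, "reason": "token expired"}

    if check_realm_url:
        expected = realm_url_from_request(request_url)
        if claims.get("iss") != expected:
            return {"active": False,
                    "reason": f"issuer mismatch: token iss={claims.get('iss')!r}, "
                              f"request realm URL={expected!r}"}

    return {"active": True, "reason": "ok", "sub": claims.get("sub")}


# Constructed token claims, as a verifier would see them after signature validation.
TOKEN = {"iss": PUBLIC_REALM_URL, "sub": "user-123", "exp": 1_520_366_400}
NOW = 1_520_362_800

PUBLIC_ENDPOINT = PUBLIC_REALM_URL + "/protocol/openid-connect/token/introspect"
INTERNAL_ENDPOINT = ("http://10.0.0.5:8080/auth/realms/demo"
                     "/protocol/openid-connect/token/introspect")

if __name__ == "__main__":
    print("via public FQDN:       ", introspect(TOKEN, PUBLIC_ENDPOINT, NOW))
    print("via internal IP:       ", introspect(TOKEN, INTERNAL_ENDPOINT, NOW))
    print("internal IP, mapped:   ",
          introspect(TOKEN, INTERNAL_ENDPOINT, NOW, host_map=INTERNAL_HOST_MAP))
    print("internal IP, check off:",
          introspect(TOKEN, INTERNAL_ENDPOINT, NOW, check_realm_url=False))
```

The host mapping is the option that keeps the issuer-to-realm binding intact: the gateway can keep using the internal address while the server still compares the token's `iss` against the realm URL it actually believes it serves. Turning `check_realm_url` off makes the same request pass, but by removing that comparison entirely, which is the trade-off the asker's proposed setting would expose per realm or client.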