Sure, you could use a certificate issued to an IP address. However, in
that case all nodes would have to use the same IP address. If you use a
hostname you can have different machines use different IP addresses based
on different DNS servers or settings in the hosts file.
On 12 October 2016 at 14:00, Mátyás Bachorecz <bachoreczm(a)gmail.com> wrote:
> You wrote that:
> "You need to use the HTTPS domain name when you are contacting Keycloak."
> - I'm just asking why? Why can't I use e.g.
> https://10.xx.xx.xx:<keycloak_port>/auth/....?
> Why do I have to use a DNS name?
>
> Br,
> M
>
> On 12 October 2016 at 13:45, Stian Thorgersen <sthorger(a)redhat.com> wrote:
>
>> I'm not sure what you are asking.
>>
>> On 12 October 2016 at 08:28, Mátyás Bachorecz <bachoreczm(a)gmail.com> wrote:
>>
>>> Actually I got your solution, but don't really understand what the
>>> purpose of this feature is. Why should I use DNS? I know that HTTPS is so
>>> important, but I can configure my realm to require HTTPS, so in the above
>>> mentioned situation I wouldn't like to use DNS names.
>>> So my main question is: what is the purpose of this feature?
>>>
>>> Br,
>>> Matyi
>>>
>>> On 12 October 2016 at 07:48, Mátyás Bachorecz <bachoreczm(a)gmail.com> wrote:
>>>
>>>> I understand, thank you for your answer.
>>>>
>>>> On 12 October 2016 at 07:00, Stian Thorgersen <sthorger(a)redhat.com> wrote:
>>>>
>>>>> You can obviously use DNS settings and the machine's hosts file to
>>>>> change what IP address the name resolves to.
>>>>>
>>>>> https://machine.local could resolve to 10.0.0.12 or 192.168.1.12
>>>>> depending on where it's called from.
>>>>>
>>>>> On 12 October 2016 at 06:59, Stian Thorgersen <sthorger(a)redhat.com> wrote:
>>>>>
>>>>>> [Adding list again]
>>>>>>
>>>>>> Token based security relies on HTTPS for security. You need to use
>>>>>> the HTTPS domain name when you are contacting Keycloak. The HTTPS domain
>>>>>> should match the issuer of the domain.
>>>>>>
>>>>>> On 11 October 2016 at 18:56, Mátyás Bachorecz <bachoreczm(a)gmail.com> wrote:
>>>>>>
>>>>>>> My token audience does not match, because we request a token via a
>>>>>>> floating IP (OpenStack, like 10.xx.xx.xx), and would like to validate
>>>>>>> via a private IP (like 192.168.xx.xx). So my question is how to solve
>>>>>>> this problem?
>>>>>>>
>>>>>>> There are two machines, one belongs to the user, and on the other we are
>>>>>>> running Keycloak, and a client, which can validate the token. But the
>>>>>>> client only knows the private IP, and the user can't access Keycloak on
>>>>>>> the private IP, because he/she is not in that network.
>>>>>>>
>>>>>>> Br,
>>>>>>> Matyi
>>>>>>>
>>>>>>> On 11 October 2016 at 18:45, Stian Thorgersen <sthorger(a)redhat.com> wrote:
>>>>>>>
>>>>>>>> Rather than hacking Keycloak you should figure out why your token
>>>>>>>> audience doesn't match. For a token to be valid it has to have been
>>>>>>>> issued by the same server URL and realm. It's an important check and
>>>>>>>> we wouldn't accept a feature that prevents it.
>>>>>>>>
>>>>>>>> On 11 October 2016 at 17:07, Mátyás Bachorecz <bachoreczm(a)gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> we have a multi-component project, and all components are running on
>>>>>>>>> one machine, also Keycloak.
>>>>>>>>> We would like to obtain a token via curl, and our components would
>>>>>>>>> like to validate it, but they can't, because we've got:
>>>>>>>>> "Token audience doesn't match domain. Token issuer is " + token.getIssuer()
>>>>>>>>> + ", but URL from configuration is " + realmUrl
>>>>>>>>> (RSATokenVerifier.java)
>>>>>>>>>
>>>>>>>>> I would like to implement a new feature: a new checkbox or something
>>>>>>>>> else on the realm settings page, which can switch off the above
>>>>>>>>> mentioned feature.
>>>>>>>>> I've read that I should write an email here if I would like to
>>>>>>>>> implement something. Is it ok, or how does it work?
>>>>>>>>>
>>>>>>>>> Br,
>>>>>>>>> Matyi
>>>>>>>>> _______________________________________________
>>>>>>>>> keycloak-dev mailing list
>>>>>>>>> keycloak-dev(a)lists.jboss.org
>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
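The issuer check this thread is about (the `RSATokenVerifier.java` comparison of the token's issuer against the configured realm URL) and the reason a hostname solves the floating-IP/private-IP split, as an added Python example that is not Keycloak's code and not part of the thread. It assumes the issuer URL layout `https://<host>:<port>/auth/realms/<realm>` (from the `/auth/` path quoted above), signs tokens with HS256 for self-containment where Keycloak uses RS256 with the realm key, and uses constructed per-machine host tables, IPs, realm name and HMAC key.

```python
"""Why an issuer check fails across two IPs but passes with one hostname.

Added example, not Keycloak code. HS256 stands in for Keycloak's RS256, and
the https://<host>:<port>/auth/realms/<realm> issuer layout is assumed.
"""
import base64
import hashlib
import hmac
import json


class TokenError(Exception):
    """Raised when a token fails signature or issuer validation."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def realm_url(host: str, realm: str, port: int = 8443) -> str:
    """URL the client reaches the realm on; the server puts this into `iss`."""
    return f"https://{host}:{port}/auth/realms/{realm}"


def issue_token(issuer: str, subject: str, key: bytes) -> str:
    """Mint a compact JWT whose `iss` is the URL the token endpoint was reached on."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"iss": issuer, "sub": subject}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, key: bytes, configured_realm_url: str) -> dict:
    """Check the signature, then require `iss` to equal the configured realm URL.

    The error text mirrors the message quoted from RSATokenVerifier.java.
    """
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise TokenError("invalid signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != configured_realm_url:
        raise TokenError(
            f"Token audience doesn't match domain. Token issuer is {claims.get('iss')}, "
            f"but URL from configuration is {configured_realm_url}"
        )
    return claims


# Constructed per-machine name resolution, standing in for DNS or /etc/hosts.
HOSTS_USER_MACHINE = {"machine.local": "10.0.0.12"}       # user reaches the floating IP
HOSTS_CLIENT_MACHINE = {"machine.local": "192.168.1.12"}  # client reaches the private IP


def connect_address(url: str, hosts: dict) -> str:
    """IP a machine would connect to for the URL's host, per its own host table."""
    host = url.split("://", 1)[1].split("/", 1)[0].rsplit(":", 1)[0]
    return hosts.get(host, host)


def demo() -> dict:
    key = b"constructed-realm-hmac-key"  # constructed; Keycloak would use the realm RSA key
    # Case 1: token requested via the floating IP, validated against the private IP.
    t_ip = issue_token(realm_url("10.0.0.12", "demo"), "alice", key)
    try:
        verify_token(t_ip, key, realm_url("192.168.1.12", "demo"))
        ip_ok = True
    except TokenError:
        ip_ok = False
    # Case 2: both sides use one hostname; each machine resolves it to its own IP,
    # but the issuer string in the token and the configured URL are identical.
    name = realm_url("machine.local", "demo")
    t_name = issue_token(name, "alice", key)
    name_ok = verify_token(t_name, key, name)["sub"] == "alice"
    return {
        "ip_mismatch_accepted": ip_ok,
        "hostname_accepted": name_ok,
        "user_connects_to": connect_address(name, HOSTS_USER_MACHINE),
        "client_connects_to": connect_address(name, HOSTS_CLIENT_MACHINE),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

`demo()` shows the two situations from the thread: with two different IP-based URLs the issuer check rejects the token even though the signature is valid, while with one hostname the same issuer string is produced and accepted on both machines, each of which still connects to a different address.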