Failed to verify token: org.keycloak.common.VerificationException: Invalid token issuer after upgrade
by Darrell Wu
Hi,
I've upgraded from Keycloak 1.9.8 to Keycloak 3.2.1 and now I'm getting the
following error when I access my protected application.
Failed to verify token: org.keycloak.common.VerificationException: Invalid token issuer. Expected 'http://localhost:8180/realms/1Place', but was 'https://192.168.10.19:8543/realms/1Place'
I've configured Keycloak to use a self-signed certificate against my PC IP
address. The admin console is using the address
https://192.168.10.19:8543/
I'm not sure where it is picking up http://localhost:8180/realms/1Place
since you can't access the admin console against that address and I
couldn't find anywhere in the console where
http://localhost:8180/realms/1Place is used.
Does anyone have any ideas?
Thanks in Advance
Darrell
Here is the stack trace
Failed to verify token: org.keycloak.common.VerificationException: Invalid token issuer. Expected 'http://localhost:8180/realms/1Place', but was 'https://192.168.10.19:8543/realms/1Place'
at org.keycloak.TokenVerifier$RealmUrlCheck.test(TokenVerifier.java:109)
at org.keycloak.TokenVerifier.verify(TokenVerifier.java:371)
at org.keycloak.RSATokenVerifier.verify(RSATokenVerifier.java:89)
at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:56)
at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:37)
at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87)
at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82)
at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68)
at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
--
Darrell Wu
1Place International Limited
P.O. Box 125152, St Heliers, Auckland 1740, New Zealand
Level 5, 1 Queen Street, Auckland 1010, New Zealand
Phone: +64 9 5200612 ext 521 | Mob: +64 21 262 4898 | Fax: +64 9 5246203
Email: darrell(a)1placeonline.com | Web: www.1placeonline.com
7 years, 3 months
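A diagnostic for the issuer mismatch reported in the post above, as an added example that is not part of the original message or of Keycloak's code: it decodes a token's `iss` claim and reports which URL components differ from the issuer the verifier expects. The function names and the sample token are constructed for illustration; decoding here does not verify the signature.

```python
import base64
import json
from urllib.parse import urlsplit


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying its signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_diff(expected_issuer: str, token: str) -> dict:
    """Map each differing URL component to (expected, actual); {} means a match."""
    actual_issuer = jwt_claims(token).get("iss", "")
    if actual_issuer == expected_issuer:  # issuer check is an exact string match
        return {}
    exp, act = urlsplit(expected_issuer), urlsplit(actual_issuer)
    diffs = {}
    for part in ("scheme", "hostname", "port", "path"):
        e, a = getattr(exp, part), getattr(act, part)
        if e != a:
            diffs[part] = (e, a)
    # Strings differ but parsed parts do not (e.g. letter case): report raw values.
    return diffs or {"raw": (expected_issuer, actual_issuer)}


def sample_token(iss: str) -> str:
    """Constructed, unsigned sample token carrying only an iss claim."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64({'iss': iss})}.constructed-signature"


if __name__ == "__main__":
    expected = "http://localhost:8180/realms/1Place"  # value from the error message
    token = sample_token("https://192.168.10.19:8543/realms/1Place")
    for part, (e, a) in issuer_diff(expected, token).items():
        print(f"{part}: expected {e!r}, token has {a!r}")
```
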
Help Needed on X509 Certificate Authentication with keycloak behind Nginx reverse proxy
by FOUTREIN Thomas
Hello,
I'm trying to use authentication with X509 client certificate with Keycloak.
I've put the configuration on a specific realm like explained in the Keycloak documentation (http://www.keycloak.org/docs/3.3/server_admin/topics/authentication/x509....)
All is OK on my dev environment without reverse proxy. When I put the same configuration on the integration environment with an NGINX reverse proxy, the certificate never reaches Keycloak?
I've succeeded in verifying the client cert with nginx but Keycloak never succeeds in controlling the client CN.
Could you help me with the configuration of both nginx and wildfly?
Here is my Nginx conf try & Standalone.xml keycloak conf in attachment.
Thank you in advance for the help
Regards
Thomas Foutrein
Imprimerie Nationale
7 years, 3 months
How to redirect user back to original application from account management pages
by Robert Parker
I am using the keycloak javascript adapter and have a Profile link in my main application which makes a call to the adapter's `accountManagement()` function to redirect to the keycloak account management screens for the logged in user.
What I can't figure out is how to redirect back to my main application after changes have been saved or when the user cancels the account management screens.
Looking inside the account.ftl template for the themed user account screen, I see the following:
<#if url.referrerURI??><a href="${url.referrerURI}">${msg("backToApplication")}</a></#if>
This link does not appear for me, so this referrerURI property is clearly not present on the url object being passed to the form. How can I set this? Is there an argument I need to be passing into the `accountManagement()` adapter call?
Thanks
________________________________
Robert Parker - Front End Developer
Applied Card Technologies Ltd
Cardiff Office
14 St Andrews Crescent
Caerdydd
Cardiff
CF10 3DD
+44 (0) 2922 331860
Robert.Parker(a)weareACT.com
www.weareACT.com
Registered in England : 04476799
7 years, 3 months
Admin API omitting user client roles from groups
by Fernando Mora
I need to retrieve all client roles a user has in every client in Keycloak
to update them in my app in order to check authorization for different
features.
I am able to get both realm and client roles using the following endpoint
*GET /admin/realms/{realmId}/users/{userId}/role-mappings*
But the response is omitting the client roles from the groups users belong
to.
Is there some way I can retrieve all client roles of a user, including
roles assigned by groups?
I realized
*GET /admin/realms/{realmId}/users/{userId}/role-mappings/clients/{clientId}/composite*
includes group client roles for one client but I need roles for all clients,
not for an individual one.
7 years, 3 months
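One way to collect effective client roles across every client using the per-client composite endpoint named in the post above, as an added example that is not part of the original message: it lists the realm's clients, calls the composite endpoint for each, and marks the roles that are not directly mapped. The `get` callable (an authenticated Admin REST GET returning parsed JSON), the `/clients` and direct-mapping calls, and all sample data are assumptions constructed for illustration.

```python
from typing import Callable, Dict


def effective_client_roles(get: Callable[[str], list], realm: str, user_id: str) -> Dict[str, dict]:
    """Per clientId: all effective roles, and those not mapped directly to the user."""
    base = f"/admin/realms/{realm}"
    result = {}
    for client in get(f"{base}/clients"):
        mapping = f"{base}/users/{user_id}/role-mappings/clients/{client['id']}"
        direct = {role["name"] for role in get(mapping)}
        effective = {role["name"] for role in get(f"{mapping}/composite")}
        if effective:
            result[client["clientId"]] = {
                "effective": sorted(effective),
                # arrives through a group or a composite role, not a direct mapping
                "inherited": sorted(effective - direct),
            }
    return result


# Constructed responses standing in for the Admin REST API (not real data).
_MAP = "/admin/realms/demo/users/u-1/role-mappings/clients"
FAKE_API = {
    "/admin/realms/demo/clients": [
        {"id": "c-1", "clientId": "billing"},
        {"id": "c-2", "clientId": "reports"},
        {"id": "c-3", "clientId": "unused"},
    ],
    f"{_MAP}/c-1": [{"name": "viewer"}],
    f"{_MAP}/c-1/composite": [{"name": "viewer"}, {"name": "approver"}],
    f"{_MAP}/c-2": [],
    f"{_MAP}/c-2/composite": [{"name": "reader"}],
    f"{_MAP}/c-3": [],
    f"{_MAP}/c-3/composite": [],
}


def fake_get(path: str) -> list:
    """Offline stand-in for an authenticated GET against the admin API."""
    return FAKE_API[path]


if __name__ == "__main__":
    for client_id, roles in effective_client_roles(fake_get, "demo", "u-1").items():
        print(client_id, roles)
```

This issues two requests per client, so on realms with many clients the result is worth caching between authorization checks.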
missing docker keycloak tags
by Aritz Maeztu
We're missing the docker tags for keycloak 2.5.6 and higher in the
docker hub. It would be nice to have them added, and also the ones for
the related variations, keycloak-mysql and so on.
Thanks!
--
Aritz Maeztu Otaño
Software Development Department
<https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel. Aritz Maeztu: 948 68 03 06
Tel. Secretary's office: 948 21 40 40
7 years, 3 months