Re: [keycloak-user] Passing External URL Bearer Token to Interior Proxy URL in Multi-Hop scenario

Stian, Thank you for the reply. While changing the auth-server-url to an absolute URL ( http://external-hostname/auth) for all adapters allowed the token to be passed successfully, the relative URI optimization ( http://keycloak.github.io/docs/userguide/keycloak-server/html/application...) for the auth-server-url is very important functionality I need access to. By leaving */auth* as the auth-server-url, I can access the secured resources by case-insensitive host name, host ip address, http vs https and more, all of which are lost by having to switch to an absolute URL. How can I retain the relative URL for auth-server-url, allowing my required external requests to pass through keycloak, while allowing the internal requests and hops to use the auth-server-url-for-backend-requests absolute URL to authenticate? Thanks, Joe On Mon, Jan 25, 2016 at 1:08 AM, Stian Thorgersen <sthorger(a)redhat.com&gt; wrote: > You'd need to make sure all adapters are configured with the same. > http://external-hostname/auth needs to be the auth-server-url on all > adapters. > > On 21 January 2016 at 23:00, Joe Strathern <jstrathern(a)gmail.com&gt; wrote: > >> Stian >> Thank you for your response. >> I am using your Wildfly adapter to secure my WAR. As it is contained in >> a cluster enviroment with a load balancing proxy, I updated my adapter to >> have the following settings, much like the example provided at >> http://keycloak.github.io/docs/userguide/keycloak-server/html/application... >> : >> { >> ... >> <auth-server-url>/auth</auth-server-url> >> >> <auth-server-url-for-backend-requests>http:/internal-hostname/auth</auth-server-url-for-backend-requests> >> ... >> } >> >> The auth-server-url is still working as expected for the external >> request, however i am still getting the same 401 error, caused by the >> mismatching Token audience and Domain when I try to make the hop with my >> new HTTP request. >> As i'm using Keycloak 1.7.0.Final currently, i downloaded the source and >> debugged, looking for a bit more insight as to what may be occurring. >> >> I noticed that the URL Keycloak is retrieving to compare against the >> token, is retrieving it from the realmInfoUrl variable of the >> KeyCloakDeployment object. This variable is unaffected by the >> auth-server-url-for-backend-requests option. (Instead it affects numerous >> other URL variabled stored). Therefore, the realmInfoURL remains >> http://external-hostname/auth. >> >> Then the error occurs as (in this case), the RSATokenVerifier directly >> compares this Realm URL against the Token Issuer, which differ due hostname >> (external vs internal, as before). >> >> Is there an additional configuration, or concept I am missing to correct >> this workflow? >> >> Thanks, >> Joe >> >> On Wed, Jan 20, 2016 at 1:22 AM, Stian Thorgersen <sthorger(a)redhat.com&gt; >> wrote: >> >>> Assuming you are using our adapters there are two separate urls to >>> configure: "auth-server-url" is the external >>> one, auth-server-url-for-backend-requests is the internal one. See >>> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#a... >>> for more details. >>> >>> On 19 January 2016 at 22:20, Joe Strathern <jstrathern(a)gmail.com&gt; >>> wrote: >>> >>>> Hello Keycloak Community >>>> >>>> I am looking for some assistance on how to pass a Keycloak bearer >>>> token in the multi-hop scenario, where the keycloak instance is inside a >>>> proxy environment, the next hop is within the proxy, and the original >>>> request came from outside of that environment. >>>> >>>> For instance, the original request goes to >>>> http://external-hostname/auth, where external-hostname is a proxy >>>> system. Login is successful, and I receive a Bearer Token with Token issuer >>>> - http://external-hostname/auth/realms/My_Realm. >>>> >>>> Now i need to take that token from the HTTP request, and attach it to >>>> a new request from inside the proxy. I do so, redirecting to >>>> http://interior-hostname/API, secured by the same Keycloak. Using >>>> "external-hostname" as host once more is not an option, as we are within >>>> the proxied environment. However, submitting the hop HTTP request, i am >>>> met with the error: >>>> >>>> *Failed to verify token: org.keycloak.common.VerificationException: >>>> Token audience doesn't match domain. Token issuer >>>> is http://external-hostname/auth/realms/My_Realm >>>> <http://external-hostname/auth/realms/My_Realm>;, but URL from configuration >>>> is http://internal-hostname/auth/realms/My_Realm >>>> <http://internal-hostname/auth/realms/My_Realm>* >>>> >>>> The token is rejected (Since the hostnames are not the exact same), >>>> however external-hostname and internal-hostname are the same machine. >>>> >>>> Is there a way that Keycloak can identify these hostnames as >>>> equivalent to accept the token, or another policy that should be followed >>>> in this situation? >>>> >>>> Thanks, >>>> Joe >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user(a)lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> >