On 14/10/15 20:27, Rafael Coutinho wrote:
Hi,

I have an environment with an AngularJS app client, which authenticates the user and keeps its data, and a server app that receives some requests for web service resources.
For some webservices I need, on the server side, to translate the token into the user information. For that I use the url:

auth/realms/MYREAL/protocol/openid-connect/userinfo 

with the Authorization token.

The problem is that the server is behind a load balancer and accesses Keycloak through port 8080, while AngularJS accesses the same server through port 80.

Keycloak complains that the token was issued from a different URL than the one I'm querying on the server side, forcing me to use the same hostname and port on the server and on the client.

Is that correct? How will I deploy on a distributed environment?

We don't handle this scenario ideally. Feel free to create a JIRA for it.

Currently the "iss" (issuer) field on the accessToken is filled from the URL of the request to the auth-server, which in your case is something like yourHost:80. Then the UserInfo endpoint always compares this value with the uriInfo from the current request, so it doesn't work when requests to the auth-server are sent via yourHost:8080.

IMO it would be nice if the accessToken could have more values for the "iss" field. Then we could have a protocolMapper, which would be able to add any configured values to the "iss" field in the accessToken in addition to the "iss" from the current request. The adapter/endpoint would reject only if uriInfo doesn't match any of the "iss" values.

As of now, I suggest invoking the UserInfo endpoint directly from your AngularJS app instead of from your web service. The user info then needs to be sent to the web services.

Marek


ps. I'm using my own HTTP client to make that request to userinfo.
ps2. I have added "auth-server-url-for-backend-requests", however I don't see any difference.

Rafael Coutinho
Software Engineer
Professional profile: www.linkedin.com/in/rafaelcoutinho



_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
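The issuer comparison discussed above, as an added example that is not part of the thread and not Keycloak's own code: a constructed token carries an "iss" claim shaped like the one Marek describes (issued via the front-end host on port 80), and two checks are run against it. The first is the single-value comparison the thread says the UserInfo endpoint does today (the claim must equal the URL the current request arrived on), which fails when the backend reaches the auth-server on port 8080. The second is the allow-list form Marek suggests, where the token is accepted if "iss" matches any operator-configured issuer URL. The hostnames, ports, realm name and the `ALLOWED_ISSUERS` list are assumptions for illustration, and the token's signature segment is a placeholder: this code shows only the issuer check, which in a real resource server must run after signature verification, never instead of it.

```python
import base64
import json
from urllib.parse import urlsplit


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Compact JWS segments drop the '=' padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


# Constructed sample claims (assumption): the realm and host mirror the
# thread's scenario, where the browser reached the auth-server on port 80.
SAMPLE_CLAIMS = {
    "iss": "http://yourhost:80/auth/realms/MYREAL",
    "sub": "user-123",
    "aud": "angular-client",
}

# Constructed compact JWS: header.payload.signature. The signature segment is
# a placeholder; nothing here verifies it.
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    "placeholder-signature",
])


def unverified_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWS without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def normalize_issuer(url: str) -> tuple:
    """Canonical (scheme, host, port, path) so that an issuer written with or
    without the default port, or with a trailing slash, compares equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    path = parts.path.rstrip("/")
    return (scheme, host, port, path)


def issuer_matches_request(claims: dict, request_base_url: str) -> bool:
    """Single-value check as the thread describes it: 'iss' must equal the
    URL of the request currently being handled."""
    return normalize_issuer(claims["iss"]) == normalize_issuer(request_base_url)


def issuer_in_allowed_set(claims: dict, allowed_issuers) -> bool:
    """Allow-list check in the spirit of Marek's suggestion: accept the token
    if 'iss' matches any configured issuer URL (public or internal)."""
    iss = normalize_issuer(claims["iss"])
    return any(iss == normalize_issuer(a) for a in allowed_issuers)


# Assumed deployment: the public URL the browser uses and the internal one
# the backend uses behind the load balancer.
ALLOWED_ISSUERS = (
    "http://yourhost/auth/realms/MYREAL",
    "http://yourhost:8080/auth/realms/MYREAL",
)


if __name__ == "__main__":
    claims = unverified_claims(SAMPLE_TOKEN)
    backend_url = "http://yourhost:8080/auth/realms/MYREAL"
    print("strict check from backend (8080):", issuer_matches_request(claims, backend_url))
    print("allow-list check from backend:", issuer_in_allowed_set(claims, ALLOWED_ISSUERS))
```

The normalization step matters in practice: a check that compares raw strings treats `http://yourhost/...` and `http://yourhost:80/...` as different issuers even though they are the same origin, which would reproduce the failure in the thread on the public port as well. Whichever form is used, the allow-list should be a short, explicitly configured set; matching on hostname alone, or on any URL the request happens to carry, would let a token minted for one realm be accepted by another.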