Assuming you are using our adapters there are two separate URLs to
configure: "auth-server-url" is the external
one, "auth-server-url-for-backend-requests" is the internal one. See
for more details.
On 19 January 2016 at 22:20, Joe Strathern <jstrathern(a)gmail.com> wrote:
Hello Keycloak Community
I am looking for some assistance on how to pass a Keycloak bearer token in
the multi-hop scenario, where the keycloak instance is inside a proxy
environment, the next hop is within the proxy, and the original request
came from outside of that environment.
For instance, the original request goes to
http://external-hostname/auth,
where external-hostname is a proxy system. Login is successful, and I
receive a Bearer Token with Token issuer -
http://external-hostname/auth/realms/My_Realm.
Now I need to take that token from the HTTP request, and attach it to a
new request from inside the proxy. I do so, redirecting to
http://interior-hostname/API, secured by the same Keycloak. Using
"external-hostname" as host once more is not an option, as we are within
the proxied environment. However, submitting the hop HTTP request, I am
met with the error:
Failed to verify token: org.keycloak.common.VerificationException: Token
audience doesn't match domain. Token issuer is
http://external-hostname/auth/realms/My_Realm, but URL from configuration
is http://internal-hostname/auth/realms/My_Realm
The token is rejected (Since the hostnames are not the exact same),
however external-hostname and internal-hostname are the same machine.
Is there a way that Keycloak can identify these hostnames as equivalent to
accept the token, or another policy that should be followed in this
situation?
Thanks,
Joe
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
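For concreteness, this is what the two-URL split described in the reply looks like in a Keycloak adapter keycloak.json for the interior API. It is an added example, not configuration taken from the thread or from the Keycloak project: the realm name and the two hostnames are the ones in Joe's message, while the "resource" name, the "bearer-only" flag and the "ssl-required" value are assumptions made for illustration.

```json
{
  "realm": "My_Realm",
  "auth-server-url": "http://external-hostname/auth",
  "auth-server-url-for-backend-requests": "http://internal-hostname/auth",
  "ssl-required": "external",
  "resource": "interior-api",
  "bearer-only": true
}
```

The error in the thread says the adapter compares the token's issuer with the realm URL it builds from "auth-server-url", so that value has to stay the hostname the browser logged in through (the one that appears in the token's issuer), even on the interior hop. The adapter only uses "auth-server-url-for-backend-requests" for its own server-to-server calls, and both URLs must point at the same realm of the same Keycloak instance. A quick check before deploying: base64-decode the payload of a token obtained through the proxy and confirm its "iss" claim equals "auth-server-url" plus "/realms/My_Realm". The example keeps plain http to match the thread; outside a test setup the public URL should be https and "ssl-required" set accordingly, since a bearer token sent over cleartext can be replayed by anyone on the path.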