Stian
Thank you for your response.
{
...
<auth-server-url>/auth</auth-server-url>
<auth-server-url-for-backend-requests>http://internal-hostname/auth</auth-server-url-for-backend-requests>
...
}
The auth-server-url is still working as expected for the external request; however, I am still getting the same 401 error, caused by the mismatching token audience and domain when I try to make the hop with my new HTTP request.
As I'm using Keycloak 1.7.0.Final currently, I downloaded the source and debugged, looking for a bit more insight as to what may be occurring.
I noticed that the URL Keycloak retrieves to compare against the token comes from the realmInfoUrl variable of the KeycloakDeployment object. This variable is unaffected by the auth-server-url-for-backend-requests option (instead, that option affects numerous other URL variables stored). Therefore, the realmInfoUrl remains http://external-hostname/auth.
Then the error occurs as (in this case) the RSATokenVerifier directly compares this realm URL against the token issuer, which differ due to hostname (external vs internal, as before).
Is there an additional configuration, or concept I am missing to correct this workflow?
Thanks,
Joe
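A small model of the check described in the message above, added here as an example and not Keycloak's own code. It assumes the adapter builds realmInfoUrl as auth-server-url + "/realms/" + realm, that auth-server-url-for-backend-requests only rewrites endpoint URLs such as the token endpoint, and uses a constructed, unsigned token; "demo", "app" and the hostnames are placeholders.

```python
import base64
import json

# Simplified model of the Keycloak Java adapter's URL derivation and issuer check.
# Assumption: realmInfoUrl = <auth-server-url> + "/realms/" + <realm>, and the
# backend-requests option rewrites backend endpoints but not realmInfoUrl.

def build_deployment(config):
    """Return the URLs an adapter would derive from a keycloak.json-style dict."""
    realm = config["realm"]
    external = config["auth-server-url"].rstrip("/")
    backend = config.get("auth-server-url-for-backend-requests", external).rstrip("/")
    return {
        # Compared against the token's "iss" claim; built from the external URL only.
        "realmInfoUrl": f"{external}/realms/{realm}",
        # Backend-to-backend calls (code exchange, refresh) use the internal hostname.
        "tokenUrl": f"{backend}/realms/{realm}/protocol/openid-connect/token",
    }

def jwt_claims(token):
    """Decode the JWT payload segment. Signature verification is out of scope here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def issuer_matches(deployment, token):
    """The check that yields the 401 when the issuer hostname differs."""
    return jwt_claims(token)["iss"] == deployment["realmInfoUrl"]

def make_token(iss):
    """Constructed sample token (alg none, dummy signature) for illustration only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'iss': iss, 'aud': 'app'})}.sig"

# Constructed configuration mirroring the two hostnames in the thread.
CONFIG = {
    "realm": "demo",
    "auth-server-url": "http://external-hostname/auth",
    "auth-server-url-for-backend-requests": "http://internal-hostname/auth",
}

if __name__ == "__main__":
    dep = build_deployment(CONFIG)
    print(dep)
    print(issuer_matches(dep, make_token("http://external-hostname/auth/realms/demo")))
    print(issuer_matches(dep, make_token("http://internal-hostname/auth/realms/demo")))
```

A token issued under the external hostname passes, while one whose issuer carries the internal hostname fails even though the backend endpoints were rewritten.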