Stian,
Thank you for the reply.
While changing the auth-server-url to an absolute URL ( ) for all adapters allowed the token to be
passed successfully, the relative URI optimization ( ) for the auth-server-url is very important
functionality I need access to.
By leaving */auth* as the auth-server-url, I can access the secured
resources by case-insensitive host name, host ip address, http vs https and
more, all of which are lost by having to switch to an absolute URL.
How can I retain the relative URL for auth-server-url, allowing my required
external requests to pass through keycloak, while allowing the internal
requests and hops to use the auth-server-url-for-backend-requests absolute
URL to authenticate?
Thanks,
Joe
On Mon, Jan 25, 2016 at 1:08 AM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
You'd need to make sure all adapters are configured with the
same.
http://external-hostname/auth needs to be the auth-server-url on all
adapters.
On 21 January 2016 at 23:00, Joe Strathern <jstrathern(a)gmail.com> wrote:
> Stian
> Thank you for your response.
> I am using your Wildfly adapter to secure my WAR. As it is contained in a
> cluster environment with a load balancing proxy, I updated my adapter to
> have the following settings, much like the example provided at
> http://keycloak.github.io/docs/userguide/keycloak-server/html/application... :
> {
> ...
> <auth-server-url>/auth</auth-server-url>
> <auth-server-url-for-backend-requests>http://internal-hostname/auth</auth-server-url-for-backend-requests>
> ...
> }
>
> The auth-server-url is still working as expected for the external
> request, however I am still getting the same 401 error, caused by the
> mismatching Token audience and Domain when I try to make the hop with my
> new HTTP request.
> As I'm using Keycloak 1.7.0.Final currently, I downloaded the source and
> debugged, looking for a bit more insight as to what may be occurring.
>
> I noticed that the URL Keycloak is retrieving to compare against the
> token, is retrieving it from the realmInfoUrl variable of the
> KeyCloakDeployment object. This variable is unaffected by the
> auth-server-url-for-backend-requests option. (Instead it affects numerous
> other URL variables stored). Therefore, the realmInfoURL remains
> http://external-hostname/auth.
>
> Then the error occurs as (in this case), the RSATokenVerifier directly
> compares this Realm URL against the Token Issuer, which differ due to hostname
> (external vs internal, as before).
>
> Is there an additional configuration, or concept I am missing to correct
> this workflow?
>
> Thanks,
> Joe
>
> On Wed, Jan 20, 2016 at 1:22 AM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
>
>> Assuming you are using our adapters there are two separate urls to
>> configure: "auth-server-url" is the external
>> one, auth-server-url-for-backend-requests is the internal one. See
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#a...
>> for more details.
>>
>> On 19 January 2016 at 22:20, Joe Strathern <jstrathern(a)gmail.com> wrote:
>>
>>> Hello Keycloak Community
>>>
>>> I am looking for some assistance on how to pass a Keycloak bearer token
>>> in the multi-hop scenario, where the keycloak instance is inside a proxy
>>> environment, the next hop is within the proxy, and the original request
>>> came from outside of that environment.
>>>
>>> For instance, the original request goes to
>>> http://external-hostname/auth, where external-hostname is a proxy
>>> system. Login is successful, and I receive a Bearer Token with Token issuer
>>> http://external-hostname/auth/realms/My_Realm.
>>>
>>> Now I need to take that token from the HTTP request, and attach it to a
>>> new request from inside the proxy. I do so, redirecting to
>>> http://interior-hostname/API, secured by the same Keycloak. Using
>>> "external-hostname" as host once more is not an option, as we are within
>>> the proxied environment. However, submitting the hop HTTP request, I am
>>> met with the error:
>>>
>>> *Failed to verify token: org.keycloak.common.VerificationException:
>>> Token audience doesn't match domain. Token issuer is
>>> http://external-hostname/auth/realms/My_Realm, but URL from configuration
>>> is http://internal-hostname/auth/realms/My_Realm*
>>>
>>> The token is rejected (since the hostnames are not the exact same),
>>> however external-hostname and internal-hostname are the same machine.
>>>
>>> Is there a way that Keycloak can identify these hostnames as equivalent
>>> to accept the token, or another policy that should be followed in this
>>> situation?
>>>
>>> Thanks,
>>> Joe
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
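The issuer check that produces the error discussed in this thread, modelled as an added example (not Keycloak's own code): the realm URL the adapter compares against is derived from auth-server-url alone, the comparison is an exact string match, and auth-server-url-for-backend-requests plays no part in it. The token is a constructed, unsigned claims carrier, since only the iss comparison is modelled here; a real adapter verifies the RSA signature before this step.

```python
import base64
import json

REALM = "My_Realm"  # realm name as it appears in the thread's error message


def b64url_decode(segment: str) -> str:
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)).decode()


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(issuer: str) -> str:
    """Constructed JWT with only an iss claim and an empty signature part.
    It exists so the issuer comparison below has something to parse."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"iss": issuer}).encode())
    return f"{header}.{payload}."


def realm_info_url(auth_server_url: str, realm: str = REALM) -> str:
    """The realm URL the adapter compares against the token. As the thread
    observes, it comes from auth-server-url only; the backend-requests URL
    is not consulted, so an internal hostname here means an internal realm URL."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}"


def verify_issuer(token: str, auth_server_url: str, realm: str = REALM) -> str:
    """Exact-match issuer check: scheme, host (case included), port and path
    must all be identical, otherwise the token is rejected."""
    claims = json.loads(b64url_decode(token.split(".")[1]))
    expected = realm_info_url(auth_server_url, realm)
    if claims.get("iss") != expected:
        raise ValueError(
            f"Token audience doesn't match domain. Token issuer is "
            f"{claims.get('iss')}, but URL from configuration is {expected}")
    return expected


def hop_accepts_token(adapter_auth_server_url: str) -> bool:
    """Replay the thread's scenario: a token issued via the external hostname
    is presented to an adapter configured with the given auth-server-url."""
    token = make_unsigned_token("http://external-hostname/auth/realms/My_Realm")
    try:
        verify_issuer(token, adapter_auth_server_url)
        return True
    except ValueError:
        return False
```

Running hop_accepts_token with the internal hostname reproduces the rejection, and with the external hostname on the second-hop adapter (Stian's advice) the same token passes; a hostname that differs only in case is also rejected, which is why the relative /auth form behaves differently from an absolute URL.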