+1 Joe’s request.
In larger deployments with reverse proxies, we control the request url and hostname and ip
visible to the keycloak server, so internal IP address concerns are less of an issue.
From:
<keycloak-user-bounces@lists.jboss.org<mailto:keycloak-user-bounces@lists.jboss.org>>
on behalf of Stian Thorgersen
<sthorger@redhat.com<mailto:sthorger@redhat.com>>
Reply-To: "stian@redhat.com<mailto:stian@redhat.com>"
<stian@redhat.com<mailto:stian@redhat.com>>
Date: Tuesday, January 26, 2016 at 6:43 PM
To: Joe Strathern <jstrathern@gmail.com<mailto:jstrathern@gmail.com>>
Cc: keycloak-user
<keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>>
Subject: Re: [keycloak-user] Passing External URL Bearer Token to Interior Proxy URL in
Multi-Hop scenario
You can't. Relative url uses the request url, and when it's using an internal IP
address/domain that'll end up being the request url, which will be wrong in your
case.
On 25 January 2016 at 23:27, Joe Strathern
<jstrathern@gmail.com<mailto:jstrathern@gmail.com>> wrote:
Stian,
Thank you for the reply.
While changing the auth-server-url to an absolute URL (
http://external-hostname/auth) for
all adapters allowed the token to be passed successfully, the relative URI optimization
(
http://keycloak.github.io/docs/userguide/keycloak-server/html/application...)
for the auth-server-url is very important functionality I need access to.
By leaving /auth as the auth-server-url, I can access the secured resources by
case-insensitive host name, host ip address, http vs https and more, all of which are lost
by having to switch to an absolute URL.
How can I retain the relative URL for auth-server-url, allowing my required external
requests to pass through keycloak, while allowing the internal requests and hops to use
the auth-server-url-for-backend-requests absolute URL to authenticate?
Thanks,
Joe
On Mon, Jan 25, 2016 at 1:08 AM, Stian Thorgersen
<sthorger@redhat.com<mailto:sthorger@redhat.com>> wrote:
You'd need to make sure all adapters are configured with the same.
http://external-hostname/auth needs to be the auth-server-url on all adapters.
On 21 January 2016 at 23:00, Joe Strathern
<jstrathern@gmail.com<mailto:jstrathern@gmail.com>> wrote:
Stian
Thank you for your response.
I am using your Wildfly adapter to secure my WAR. As it is contained in a cluster
enviroment with a load balancing proxy, I updated my adapter to have the following
settings, much like the example provided at
http://keycloak.github.io/docs/userguide/keycloak-server/html/application...
:
{
...
<auth-server-url>/auth</auth-server-url>
<auth-server-url-for-backend-requests>http:/internal-hostname/auth</auth-server-url-for-backend-requests>
...
}
The auth-server-url is still working as expected for the external request, however i am
still getting the same 401 error, caused by the mismatching Token audience and Domain when
I try to make the hop with my new HTTP request.
As i'm using Keycloak 1.7.0.Final currently, i downloaded the source and debugged,
looking for a bit more insight as to what may be occurring.
I noticed that the URL Keycloak is retrieving to compare against the token, is retrieving
it from the realmInfoUrl variable of the KeyCloakDeployment object. This variable is
unaffected by the auth-server-url-for-backend-requests option. (Instead it affects
numerous other URL variabled stored). Therefore, the realmInfoURL remains
http://external-hostname/auth.
Then the error occurs as (in this case), the RSATokenVerifier directly compares this Realm
URL against the Token Issuer, which differ due hostname (external vs internal, as
before).
Is there an additional configuration, or concept I am missing to correct this workflow?
Thanks,
Joe
On Wed, Jan 20, 2016 at 1:22 AM, Stian Thorgersen
<sthorger@redhat.com<mailto:sthorger@redhat.com>> wrote:
Assuming you are using our adapters there are two separate urls to configure:
"auth-server-url" is the external one, auth-server-url-for-backend-requests is
the internal one. See
http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#a... for
more details.
On 19 January 2016 at 22:20, Joe Strathern
<jstrathern@gmail.com<mailto:jstrathern@gmail.com>> wrote:
Hello Keycloak Community
I am looking for some assistance on how to pass a Keycloak bearer token in the multi-hop
scenario, where the keycloak instance is inside a proxy environment, the next hop is
within the proxy, and the original request came from outside of that environment.
For instance, the original request goes to
http://external-hostname/auth, where
external-hostname is a proxy system. Login is successful, and I receive a Bearer Token
with Token issuer -
http://external-hostname/auth/realms/My_Realm.
Now i need to take that token from the HTTP request, and attach it to a new request from
inside the proxy. I do so, redirecting to
http://interior-hostname/API, secured by the
same Keycloak. Using "external-hostname" as host once more is not an option, as
we are within the proxied environment. However, submitting the hop HTTP request, i am met
with the error:
Failed to verify token: org.keycloak.common.VerificationException: Token audience
doesn't match domain. Token issuer is
http://external-hostname/auth/realms/My_Realm,
but URL from configuration is
http://internal-hostname/auth/realms/My_Realm
The token is rejected (Since the hostnames are not the exact same), however
external-hostname and internal-hostname are the same machine.
Is there a way that Keycloak can identify these hostnames as equivalent to accept the
token, or another policy that should be followed in this situation?
Thanks,
Joe
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user