set the proxy-address-forwarding="true" for the http-listener.
On 5/21/16 5:59 PM, Christian Bauer wrote:
Hi
I'm trying to call the /admin/* API endpoints through a reverse proxy. The access
token is granted to a JavaScript application, and the issuer of the token is therefore the
reverse proxy. (This is actually a regular app that just happens to forward/create some
requests to Keycloak.)
The proxy makes a call to Keycloak with a Bearer token and the correct X-Forwarded-*
headers. Keycloak/Wildfly is configured with proxy-address-forwarding=true.
The request is authenticated in Keycloak with this line in AuthenticationManager.java:
AccessToken token = RSATokenVerifier.verifyToken(tokenString, realm.getPublicKey(),
Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()), checkActive, checkTokenType);
This assumes that the "configured issuer" of a token is the JAX-RS
UriInfo#getBaseUri() and fails with:
2016-05-21 23:52:37,109 DEBUG [org.keycloak.services] (default task-16) Failed to verify identity token: org.keycloak.common.VerificationException: Token audience doesn't match domain. Token issuer is http://localhost:8080/auth/realms/master, but URL from configuration is http://192.168.99.100:8081/auth/realms/master
The UriInfo#getBaseUri() does not take the X-Forwarded-* headers into account.
How can I call the API with a token obtained through a reverse proxy?
Thanks,
Christian
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
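The issuer check behind the VerificationException in the thread, as an added Python model of the behaviour described (this is not Keycloak's own code; the Request type, the X-Forwarded-* handling and the default-port rule are simplifying assumptions):

```python
"""Model of the issuer comparison Keycloak performs on a bearer token.

The expected issuer is rebuilt from the request's base URI, so it only
equals the token's `iss` claim if that base URI reflects the address the
client used (the reverse proxy), not the address Keycloak listens on.
Constructed, simplified reconstruction; not Keycloak's implementation.
"""
from dataclasses import dataclass, field

DEFAULT_PORTS = {"http": "80", "https": "443"}  # assumption: drop these from the host


class VerificationException(Exception):
    pass


@dataclass(frozen=True)
class Request:
    scheme: str                      # scheme of the connection Keycloak accepted
    host: str                        # Host header as seen by Keycloak (host[:port])
    headers: dict = field(default_factory=dict)  # lowercase header names


def base_uri(req: Request, proxy_address_forwarding: bool) -> str:
    """Base URI as UriInfo#getBaseUri() would report it for this request.

    With forwarding enabled, X-Forwarded-Proto/Host/Port replace the values of
    the inbound connection; without it the proxy-facing address is used.
    """
    scheme, host = req.scheme, req.host
    if proxy_address_forwarding:
        scheme = req.headers.get("x-forwarded-proto", scheme)
        fwd_host = req.headers.get("x-forwarded-host")
        if fwd_host:
            host = fwd_host.split(",")[0].strip()  # first hop only
            port = req.headers.get("x-forwarded-port")
            if port and ":" not in host and port != DEFAULT_PORTS.get(scheme):
                host = f"{host}:{port}"
    return f"{scheme}://{host}/auth"


def realm_issuer(base: str, realm: str) -> str:
    return f"{base}/realms/{realm}"


def verify_issuer(claims: dict, req: Request, realm: str, forwarding: bool) -> str:
    """Return the expected issuer, or raise with the same message shape as the log."""
    expected = realm_issuer(base_uri(req, forwarding), realm)
    if claims.get("iss") != expected:
        raise VerificationException(
            f"Token audience doesn't match domain. Token issuer is {claims.get('iss')}, "
            f"but URL from configuration is {expected}")
    return expected
```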