Re: [keycloak-user] Passing External URL Bearer Token to Interior Proxy URL in Multi-Hop scenario

+1 Joe’s request. In larger deployments with reverse proxies, we control the request url and hostname and ip visible to the keycloak server, so internal IP address concerns are less of an issue. From: <keycloak-user-bounces(a)lists.jboss.org&gt; on behalf of Stian Thorgersen <sthorger(a)redhat.com&gt; Reply-To: &quot;stian(a)redhat.com&quot; <stian(a)redhat.com&gt; Date: Tuesday, January 26, 2016 at 6:43 PM To: Joe Strathern <jstrathern(a)gmail.com&gt; Cc: keycloak-user <keycloak-user(a)lists.jboss.org&gt; Subject: Re: [keycloak-user] Passing External URL Bearer Token to Interior Proxy URL in Multi-Hop scenario You can't. Relative url uses the request url, and when it's using an internal IP address/domain that'll end up being the request url, which will be wrong in your case. On 25 January 2016 at 23:27, Joe Strathern <jstrathern(a)gmail.com&gt; wrote: > Stian, > > Thank you for the reply. > While changing the auth-server-url to an absolute URL ( > http://external-hostname/auth) for all adapters allowed the token to be > passed successfully, the relative URI optimization ( > http://keycloak.github.io/docs/userguide/keycloak-server/html/application...) > for the auth-server-url is very important functionality I need access to. > By leaving */auth* as the auth-server-url, I can access the secured > resources by case-insensitive host name, host ip address, http vs https and > more, all of which are lost by having to switch to an absolute URL. > > How can I retain the relative URL for auth-server-url, allowing my > required external requests to pass through keycloak, while allowing the > internal requests and hops to use the auth-server-url-for-backend-requests > absolute URL to authenticate? > > Thanks, > Joe > > On Mon, Jan 25, 2016 at 1:08 AM, Stian Thorgersen <sthorger(a)redhat.com&gt; > wrote: > >> You'd need to make sure all adapters are configured with the same. >> http://external-hostname/auth needs to be the auth-server-url on all >> adapters. >> >> On 21 January 2016 at 23:00, Joe Strathern <jstrathern(a)gmail.com&gt; wrote: >> >>> Stian >>> Thank you for your response. >>> I am using your Wildfly adapter to secure my WAR. As it is contained in >>> a cluster enviroment with a load balancing proxy, I updated my adapter to >>> have the following settings, much like the example provided at >>> http://keycloak.github.io/docs/userguide/keycloak-server/html/application... >>> : >>> { >>> ... >>> <auth-server-url>/auth</auth-server-url> >>> >>> <auth-server-url-for-backend-requests>http:/internal-hostname/auth</auth-server-url-for-backend-requests> >>> ... >>> } >>> >>> The auth-server-url is still working as expected for the external >>> request, however i am still getting the same 401 error, caused by the >>> mismatching Token audience and Domain when I try to make the hop with my >>> new HTTP request. >>> As i'm using Keycloak 1.7.0.Final currently, i downloaded the source >>> and debugged, looking for a bit more insight as to what may be occurring. >>> >>> I noticed that the URL Keycloak is retrieving to compare against the >>> token, is retrieving it from the realmInfoUrl variable of the >>> KeyCloakDeployment object. This variable is unaffected by the >>> auth-server-url-for-backend-requests option. (Instead it affects numerous >>> other URL variabled stored). Therefore, the realmInfoURL remains >>> http://external-hostname/auth. >>> >>> Then the error occurs as (in this case), the RSATokenVerifier directly >>> compares this Realm URL against the Token Issuer, which differ due hostname >>> (external vs internal, as before). >>> >>> Is there an additional configuration, or concept I am missing to >>> correct this workflow? >>> >>> Thanks, >>> Joe >>> >>> On Wed, Jan 20, 2016 at 1:22 AM, Stian Thorgersen <sthorger(a)redhat.com&gt; >>> wrote: >>> >>>> Assuming you are using our adapters there are two separate urls to >>>> configure: "auth-server-url" is the external >>>> one, auth-server-url-for-backend-requests is the internal one. See >>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#a... >>>> for more details. >>>> >>>> On 19 January 2016 at 22:20, Joe Strathern <jstrathern(a)gmail.com&gt; >>>> wrote: >>>> >>>>> Hello Keycloak Community >>>>> >>>>> I am looking for some assistance on how to pass a Keycloak bearer >>>>> token in the multi-hop scenario, where the keycloak instance is inside a >>>>> proxy environment, the next hop is within the proxy, and the original >>>>> request came from outside of that environment. >>>>> >>>>> For instance, the original request goes to >>>>> http://external-hostname/auth, where external-hostname is a proxy >>>>> system. Login is successful, and I receive a Bearer Token with Token issuer >>>>> - http://external-hostname/auth/realms/My_Realm. >>>>> >>>>> Now i need to take that token from the HTTP request, and attach it to >>>>> a new request from inside the proxy. I do so, redirecting to >>>>> http://interior-hostname/API, secured by the same Keycloak. Using >>>>> "external-hostname" as host once more is not an option, as we are within >>>>> the proxied environment. However, submitting the hop HTTP request, i am >>>>> met with the error: >>>>> >>>>> *Failed to verify token: org.keycloak.common.VerificationException: >>>>> Token audience doesn't match domain. Token issuer >>>>> is http://external-hostname/auth/realms/My_Realm >>>>> <http://external-hostname/auth/realms/My_Realm>;, but URL from configuration >>>>> is http://internal-hostname/auth/realms/My_Realm >>>>> <http://internal-hostname/auth/realms/My_Realm>* >>>>> >>>>> The token is rejected (Since the hostnames are not the exact same), >>>>> however external-hostname and internal-hostname are the same machine. >>>>> >>>>> Is there a way that Keycloak can identify these hostnames as >>>>> equivalent to accept the token, or another policy that should be followed >>>>> in this situation? >>>>> >>>>> Thanks, >>>>> Joe >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user(a)lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> >>> >> >