Re: [keycloak-user] Keycloak: Failed to verify token - Invalid token issuer [RESOLVED]

Hi all. Using KC 4.0.0.Final behind a Apache https proxy, we have the following issue with OIDC tokens as logged in the Keycloak server.log: 2018-06-21 13:59:47,626 DEBUG [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-41) Verifying access_token 2018-06-21 13:59:47,628 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-41) Failed to verify token: org.keycloak.common.VerificationException: Invalid token issuer. Expected 'http://nak/auth/realms/NAK', but was 'https://nak.xxx.de/auth/realms/NAK' at org.keycloak.TokenVerifier$RealmUrlCheck.test(TokenVerifier.java:108) --- The URL "https://nak.xxx.de/auth/realms/NAK/.well-known/openid-configuration" looks fine, all endpoints have the right format, e.g. > issuer: "https://nak.xxx.de/auth/realms/NAK" > authorization_endpoint: "https://nak.xxx.de/auth/realms/NAK/protocol/openid-connect/auth" > token_endpoint : "https://nak.xxx.de/auth/realms/NAK/protocol/openid-connect/token" The X-Forward Headers also look fine, I have enabled header logging in Wildfly, and we have the following headers for example: header=X-Forwarded-For=80.242.xx.xx, 10.10.51.5 header=X_FORWARDED_PROTO=https header=Host=nak.xxx.de header=X-Forwarded-Host=nak.xxx.de, nak.xxx.de header=X-Forwarded-Server=nak.xxx.de, xxx.dip0.t-ipconnect.de header=X-Forwarded-Proto=https In my KC standlone.xml config I have set the "proxy-address-forwarding" parameter for the http-listener to "true". So why is KC still expecting the token issuer to be "http://nak/..." instead of "https://nak.xxx.de/..."? Thanks & greetings Henning