8:31 a.m.
Hi all.
Using KC 4.0.0.Final behind a Apache https proxy, we have the following issue with OIDC
tokens as logged in the Keycloak server.log:
2018-06-21 13:59:47,626 DEBUG [org.keycloak.adapters.BearerTokenRequestAuthenticator]
(default task-41) Verifying access_token
2018-06-21 13:59:47,628 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator]
(default task-41) Failed to verify token: org.keycloak.common.VerificationException:
Invalid token issuer. Expected 'http://nak/auth/realms/NAK', but was
'https://nak.xxx.de/auth/realms/NAK'
at org.keycloak.TokenVerifier$RealmUrlCheck.test(TokenVerifier.java:108)
---
The URL "https://nak.xxx.de/auth/realms/NAK/.well-known/openid-configuration"
looks fine, all endpoints have the right format, e.g.
issuer: "https://nak.xxx.de/auth/realms/NAK"
authorization_endpoint:
"https://nak.xxx.de/auth/realms/NAK/protocol/openid-connect/auth"
token_endpoint :
"https://nak.xxx.de/auth/realms/NAK/protocol/openid-connect/token"
The X-Forward Headers also look fine, I have enabled header logging in Wildfly, and we
have the following headers for example:
header=X-Forwarded-For=80.242.xx.xx, 10.10.51.5
header=X_FORWARDED_PROTO=https
header=Host=nak.xxx.de
header=X-Forwarded-Host=nak.xxx.de, nak.xxx.de
header=X-Forwarded-Server=nak.xxx.de, xxx.dip0.t-ipconnect.de
header=X-Forwarded-Proto=https
In my KC standlone.xml config I have set the "proxy-address-forwarding"
parameter for the http-listener to "true".
So why is KC still expecting the token issuer to be "http://nak/..." instead of
"https://nak.xxx.de/..."?
Thanks & greetings
Henning
10:48 a.m.
New subject: Keycloak: Failed to verify token - Invalid token issuer [RESOLVED]
Ok, resolved this issue. The problem was that I still had a wrong
"keycloak.auth-server-url“ in my Spring Boot application.properties file.
The old config was:
keycloak.auth-server-url=http://nak/auth
The new (working) config is:
keycloak.auth-server-url=https://nak.xxx.de.net/auth
Since requesting the token was done against "https://nak.xxx.de.net/auth“ I had this
mismatch. So the value of auth-server-url must match the endpoint URL to which requests
for tokens are sent.
Greetings
Henning
Am 21. Juni 2018, 15:31 +0200 schrieb Henning Waack <henning.waack(a)codecentric.de>:
Hi all.
Using KC 4.0.0.Final behind a Apache https proxy, we have the following issue with OIDC
tokens as logged in the Keycloak server.log:
2018-06-21 13:59:47,626 DEBUG [org.keycloak.adapters.BearerTokenRequestAuthenticator]
(default task-41) Verifying access_token
2018-06-21 13:59:47,628 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator]
(default task-41) Failed to verify token: org.keycloak.common.VerificationException:
Invalid token issuer. Expected 'http://nak/auth/realms/NAK', but was
'https://nak.xxx.de/auth/realms/NAK'
at org.keycloak.TokenVerifier$RealmUrlCheck.test(TokenVerifier.java:108)
---
The URL "https://nak.xxx.de/auth/realms/NAK/.well-known/openid-configuration"
looks fine, all endpoints have the right format, e.g.
> issuer: "https://nak.xxx.de/auth/realms/NAK"
> authorization_endpoint:
"https://nak.xxx.de/auth/realms/NAK/protocol/openid-connect/auth"
> token_endpoint :
"https://nak.xxx.de/auth/realms/NAK/protocol/openid-connect/token"
The X-Forward Headers also look fine, I have enabled header logging in Wildfly, and we
have the following headers for example:
header=X-Forwarded-For=80.242.xx.xx, 10.10.51.5
header=X_FORWARDED_PROTO=https
header=Host=nak.xxx.de
header=X-Forwarded-Host=nak.xxx.de, nak.xxx.de
header=X-Forwarded-Server=nak.xxx.de, xxx.dip0.t-ipconnect.de
header=X-Forwarded-Proto=https
In my KC standlone.xml config I have set the "proxy-address-forwarding"
parameter for the http-listener to "true".
So why is KC still expecting the token issuer to be "http://nak/..." instead of
"https://nak.xxx.de/..."?
Thanks & greetings
Henning
2845
days inactive
2845
days old
1 comments
1 participants
participants (1)
-
Henning Waack