On 14/10/15 20:27, Rafael Coutinho wrote:
Hi,
I have an environment with an AngularJS app client, which
authenticates the user and keeps its data, and a server app that receives
some requests for Webservices resources.
For some webservices I need, on the server side, to translate the
token into the user information. For that I use the url:
auth/realms/MYREAL/protocol/openid-connect/userinfo
with the Authorization token.
The problem is that the server is behind a load balancer and accesses
Keycloak through port 8080, while AngularJS accesses the same server through
port 80.
Keycloak complains that the token was issued from a different URL than
the one I'm querying on the server side, forcing me to use the same hostname
and port on the server and on the client.
Is that correct? How will I deploy on a distributed environment?

We don't handle this scenario ideally. Feel free to create JIRA for it.
Currently the "iss" (issuer) field on accessToken is filled from the URL
of request to the auth-server, which in your case is something like
yourHost:80. Then UserInfo endpoint always compares this value with the
uriInfo from current request, so it doesn't work when requests to
auth-server are sent via yourHost:8080.
IMO it will be nice if accessToken can have more values for "iss" field.
Then we can have protocolMapper, which will be able to add any
configured values to "iss" field in accessToken in addition to the
"iss" from current request. The adapter/endpoint will reject just if uriInfo
doesn't match any of the "iss" values.
As of now, I suggest to invoke UserInfo endpoint directly from your
AngularJS instead of from your webservice. The user info then needs to
be sent to the webservices.
Marek
ps. I'm using my own HTTP client to make that request to userinfo.
ps2. I have added "auth-server-url-for-backend-requests" however I
don't see any difference.
Rafael Coutinho
Software Engineer
Professional profile:
www.linkedin.com/in/rafaelcoutinho
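
Added example (not part of the thread and not Keycloak code): a small diagnostic that reproduces the "iss" mismatch described above and shows the multi-issuer check proposed in the reply. The host yourhost.example, the helper names and the sample token are constructed for illustration; the token signature is not verified here, so this is for diagnosis only.

```python
import base64
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def unverified_claims(token: str) -> dict:
    """Decode the JWT payload for diagnosis only; the signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def normalize(url: str) -> tuple:
    """Compare URLs by (scheme, host, effective port, path) so ':80' == implicit."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port or DEFAULT_PORTS.get(scheme)
    return scheme, (u.hostname or "").lower(), port, u.path.rstrip("/")


def issuer_matches(token: str, request_realm_url: str, extra_issuers=()) -> bool:
    """True if the token's 'iss' equals the URL the request arrived on, or one
    of the statically configured extra issuers (the idea proposed in the reply)."""
    iss = normalize(unverified_claims(token)["iss"])
    accepted = {normalize(request_realm_url)}
    accepted |= {normalize(u) for u in extra_issuers}
    return iss in accepted


def make_sample_token(iss: str) -> str:
    """Constructed token with a placeholder signature, for this example only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc({"iss": iss, "sub": "constructed"}), "c2ln"])


# Constructed URLs: yourhost.example stands in for the thread's "yourHost".
FRONT = "http://yourhost.example/auth/realms/MYREAL"         # browser, port 80
BACKEND = "http://yourhost.example:8080/auth/realms/MYREAL"  # server side

if __name__ == "__main__":
    tok = make_sample_token(FRONT)
    print("via :80   ->", issuer_matches(tok, FRONT))
    print("via :8080 ->", issuer_matches(tok, BACKEND))
    print("via :8080 + allow-list ->", issuer_matches(tok, BACKEND, [FRONT]))
```

The extra issuers are meant to come from static configuration, never from request headers, so that a caller cannot choose which issuer is accepted.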