[keycloak-dev] feature request

Mátyás Bachorecz bachoreczm at gmail.com
Wed Oct 12 01:48:11 EDT 2016


I understand, thank you for your answer.

On 12 October 2016 at 07:00, Stian Thorgersen <sthorger at redhat.com> wrote:

> You can obviously use DNS settings and the machines hosts file to change
> what IP address the name resolves to.
>
> https://machine.local could resolve to 10.0.0.12 or 192.168.1.12
> depending on where it's called from.
>
> On 12 October 2016 at 06:59, Stian Thorgersen <sthorger at redhat.com> wrote:
>
>> [Adding list again]
>>
>> Token based security relies on HTTPS for security. You need to use the
>> HTTPs domain name when you are contacting Keycloak. The HTTPs domain should
>> match the issuer of the domain.
>>
>> On 11 October 2016 at 18:56, Mátyás Bachorecz <bachoreczm at gmail.com>
>> wrote:
>>
>>> My token audience does not match, because we request for a token via
>>> floating ip (openstack, like 10.xx.xx.xx), and would like to validate via
>>> private ip (like 192.168.xx.xx). So my question is how to solve this
>>> problem?
>>>
>>> There are two machines, one belongs to user, and on the other we running
>>> keycloak, and a client, which can validate token. But client only nows the
>>> private ip, and user can't access keycloak on private ip, cause he/she is
>>> not in that network.
>>>
>>> Br,
>>> Matyi
>>>
>>> On 11 October 2016 at 18:45, Stian Thorgersen <sthorger at redhat.com>
>>> wrote:
>>>
>>>> Rather than hacking Keycloak you should figure out why your token
>>>> audience doesn't match. For a token to be valid it has to been issued by
>>>> the same server URL and realm. It's an important check and we wouldn't
>>>> accept a feature that prevents it.
>>>>
>>>> On 11 October 2016 at 17:07, Mátyás Bachorecz <bachoreczm at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> we have a multi-component project, and all components running in one
>>>>> machine, also Keycloak.
>>>>> We would like to obtain token via curl, and our components would like
>>>>> to
>>>>> validate it, but they can't, because we've got:
>>>>> "Token audience doesn't match domain. Token issuer is " +
>>>>> token.getIssuer()
>>>>> + ", but URL from configuration is " + realmUrl (RSATokenVerifier.java)
>>>>>
>>>>> I would like to implement a new feature: a new checkbox or something
>>>>> else
>>>>> to realm settings page, which can switch off the above mentioned
>>>>> feature.
>>>>> I've read that I should write an email here if I would like to
>>>>> implement
>>>>> something. Is it ok, or how it works?
>>>>>
>>>>> Br,
>>>>> Matyi
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>
>>>>
>>>>
>>>
>>
>


More information about the keycloak-dev mailing list