[keycloak-user] Passing External URL Bearer Token to Interior Proxy URL in Multi-Hop scenario

Joe Strathern jstrathern at gmail.com
Tue Jan 19 16:20:35 EST 2016


Hello Keycloak Community

I am looking for some assistance on how to pass a Keycloak bearer token in
the multi-hop scenario, where the Keycloak instance is inside a proxy
environment, the next hop is within the proxy, and the original request
came from outside of that environment.

For instance, the original request goes to http://external-hostname/auth,
where external-hostname is a proxy system. Login is successful, and I
receive a Bearer Token with Token issuer -
http://external-hostname/auth/realms/My_Realm.

Now I need to take that token from the HTTP request, and attach it to a new
request from inside the proxy. I do so, redirecting to
http://interior-hostname/API, secured by the same Keycloak. Using
"external-hostname" as host once more is not an option, as we are within
the proxied environment. However, submitting the hop HTTP request, I am
met with the error:

    Failed to verify token: org.keycloak.common.VerificationException: Token
    audience doesn't match domain. Token issuer
    is http://external-hostname/auth/realms/My_Realm, but URL from configuration
    is http://internal-hostname/auth/realms/My_Realm

The token is rejected (since the hostnames are not the exact same), however
external-hostname and internal-hostname are the same machine.

Is there a way that Keycloak can identify these hostnames as equivalent to
accept the token, or another policy that should be followed in this
situation?

Thanks,
Joe
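The check behind the quoted VerificationException, modelled as an added example (not Keycloak's own code and not part of the original post): the verifier compares the token's `iss` claim with the realm URL it was configured with, and that comparison is string equality, so a token issued under the external hostname fails on the interior hop even though both names resolve to one machine. The token format, the shared HMAC secret (real realms sign with RSA), the hostnames taken from the post, and the helper names are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for the example; Keycloak realms actually sign
# tokens with RSA, but HS256 keeps this self-contained and the issuer check
# being demonstrated is the same either way.
SECRET = b"example-shared-secret-not-real"

# Hostnames as they appear in the post: one machine, two issuer strings.
EXTERNAL_REALM = "http://external-hostname/auth/realms/My_Realm"
INTERNAL_REALM = "http://internal-hostname/auth/realms/My_Realm"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer: str, subject: str, ttl_seconds: int = 300) -> str:
    """Mint an HS256 JWT whose `iss` claim is the realm URL the login went through."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {"iss": issuer, "sub": subject, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(claims).encode())}"
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, configured_realm_url: str, now: Optional[int] = None) -> dict:
    """Verify signature, expiry and issuer.

    Raises ValueError with wording in the spirit of the exception quoted in the
    post when `iss` is not exactly the realm URL this hop was configured with.
    """
    header_b64, claims_b64, sig_b64 = token.split(".")
    expected = hmac.new(SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("Failed to verify token: invalid signature")
    claims = json.loads(_b64url_decode(claims_b64))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        raise ValueError("Failed to verify token: token expired")
    # Exact string comparison: two hostnames for one machine are still two issuers.
    if claims["iss"] != configured_realm_url:
        raise ValueError(
            f"Failed to verify token: Token issuer is {claims['iss']}, "
            f"but URL from configuration is {configured_realm_url}"
        )
    return claims


def check_hop(token: str, configured_realm_url: str) -> str:
    """Return 'accepted' or the verification error text for one hop."""
    try:
        verify_token(token, configured_realm_url)
        return "accepted"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    token = issue_token(EXTERNAL_REALM, "joe")
    # First hop: the resource is configured with the same URL the token was issued under.
    print("external hop:", check_hop(token, EXTERNAL_REALM))
    # Second hop: same machine, different configured hostname, so the issuer check fails.
    print("interior hop:", check_hop(token, INTERNAL_REALM))
```

The second call reproduces the mismatch from the post: nothing about the signature or expiry is wrong, only the issuer string. The design point for a defender is that the verifier should not be taught to treat hostnames as interchangeable, since that widens the set of issuers a resource accepts; the robust resolution is for every hop to verify against the one canonical issuer URL under which tokens are actually minted, so that the string in `iss` and the string in each adapter's configuration are identical.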