[keycloak-user] Passing External URL Bearer Token to Interior Proxy URL in Multi-Hop scenario
Stian Thorgersen
sthorger at redhat.com
Wed Jan 20 03:22:14 EST 2016
Assuming you are using our adapters there are two separate urls to
configure: "auth-server-url" is the external
one, auth-server-url-for-backend-requests is the internal one. See
http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config
for more details.
On 19 January 2016 at 22:20, Joe Strathern <jstrathern at gmail.com> wrote:
> Hello Keycloak Community
>
> I am looking for some assistance on how to pass a Keycloak bearer token in
> the multi-hop scenario, where the keycloak instance is inside a proxy
> environment, the next hop is within the proxy, and the original request
> came from outside of that environment.
>
> For instance, the original request goes to http://external-hostname/auth,
> where external-hostname is a proxy system. Login is successful, and I
> receive a Bearer Token with Token issuer -
> http://external-hostname/auth/realms/My_Realm.
>
> Now i need to take that token from the HTTP request, and attach it to a
> new request from inside the proxy. I do so, redirecting to
> http://interior-hostname/API, secured by the same Keycloak. Using
> "external-hostname" as host once more is not an option, as we are within
> the proxied environment. However, submitting the hop HTTP request, i am
> met with the error:
>
> *Failed to verify token: org.keycloak.common.VerificationException: Token
> audience doesn't match domain. Token issuer
> is http://external-hostname/auth/realms/My_Realm
> <http://external-hostname/auth/realms/My_Realm>, but URL from configuration
> is http://internal-hostname/auth/realms/My_Realm
> <http://internal-hostname/auth/realms/My_Realm>*
>
> The token is rejected (Since the hostnames are not the exact same),
> however external-hostname and internal-hostname are the same machine.
>
> Is there a way that Keycloak can identify these hostnames as equivalent to
> accept the token, or another policy that should be followed in this
> situation?
>
> Thanks,
> Joe
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160120/641897c9/attachment.html
More information about the keycloak-user
mailing list