[keycloak-user] Passing External URL Bearer Token to Interior Proxy URL in Multi-Hop scenario

Joe Strathern jstrathern at gmail.com
Mon Jan 25 17:27:19 EST 2016


Stian,

Thank you for the reply.
While changing the auth-server-url to an absolute URL (
http://external-hostname/auth) for all adapters allowed the token to be
passed successfully, the relative URI optimization (
http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization)
for the auth-server-url is very important functionality I need access to.
By leaving */auth* as the auth-server-url, I can access the secured
resources by case-insensitive host name, host ip address, http vs https and
more, all of which are lost by having to switch to an absolute URL.

How can I retain the relative URL for auth-server-url, allowing my required
external requests to pass through keycloak, while allowing the internal
requests and hops to use the auth-server-url-for-backend-requests absolute
URL to authenticate?

Thanks,
Joe

On Mon, Jan 25, 2016 at 1:08 AM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> You'd need to make sure all adapters are configured with the same.
> http://external-hostname/auth needs to be the auth-server-url on all
> adapters.
>
> On 21 January 2016 at 23:00, Joe Strathern <jstrathern at gmail.com> wrote:
>
>> Stian
>> Thank you for your response.
>> I am using your Wildfly adapter to secure my WAR. As it is contained in a
>> cluster environment with a load balancing proxy, I updated my adapter to
>> have the following settings, much like the example provided at
>> http://keycloak.github.io/docs/userguide/keycloak-server/html/applicationClustering.html#relative-uri-optimization
>> :
>> {
>>    ...
>>    <auth-server-url>/auth</auth-server-url>
>>
>>    <auth-server-url-for-backend-requests>http://internal-hostname/auth</auth-server-url-for-backend-requests>
>>    ...
>> }
>>
>> The auth-server-url is still working as expected for the external
>> request, however I am still getting the same 401 error, caused by the
>> mismatching Token audience and Domain when I try to make the hop with my
>> new HTTP request.
>> As I'm using Keycloak 1.7.0.Final currently, I downloaded the source and
>> debugged, looking for a bit more insight as to what may be occurring.
>>
>> I noticed that the URL Keycloak is retrieving to compare against the
>> token, is retrieving it from the realmInfoUrl variable of the
>> KeyCloakDeployment object. This variable is unaffected by the
>> auth-server-url-for-backend-requests option. (Instead it affects numerous
>> other URL variables stored.) Therefore, the realmInfoUrl remains
>> http://external-hostname/auth.
>>
>> Then the error occurs as (in this case), the RSATokenVerifier directly
>> compares this Realm URL against the Token Issuer, which differ due to hostname
>> (external vs internal, as before).
>>
>> Is there an additional configuration, or concept I am missing to correct
>> this workflow?
>>
>> Thanks,
>> Joe
>>
>> On Wed, Jan 20, 2016 at 1:22 AM, Stian Thorgersen <sthorger at redhat.com>
>> wrote:
>>
>>> Assuming you are using our adapters there are two separate urls to
>>> configure: "auth-server-url" is the external
>>> one, auth-server-url-for-backend-requests is the internal one. See
>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config
>>> for more details.
>>>
>>> On 19 January 2016 at 22:20, Joe Strathern <jstrathern at gmail.com> wrote:
>>>
>>>> Hello Keycloak Community
>>>>
>>>> I am looking for some assistance on how to pass a Keycloak bearer token
>>>> in the multi-hop scenario, where the keycloak instance is inside a proxy
>>>> environment, the next hop is within the proxy, and the original request
>>>> came from outside of that environment.
>>>>
>>>> For instance, the original request goes to
>>>> http://external-hostname/auth, where external-hostname is a proxy
>>>> system. Login is successful, and I receive a Bearer Token with Token issuer
>>>> - http://external-hostname/auth/realms/My_Realm.
>>>>
>>>> Now I need to take that token from the HTTP request, and attach it to a
>>>> new request from inside the proxy. I do so, redirecting to
>>>> http://interior-hostname/API, secured by the same Keycloak. Using
>>>> "external-hostname" as host once more is not an option, as we are within
>>>> the proxied environment. However, submitting the hop HTTP request, I am
>>>> met with the error:
>>>>
>>>> *Failed to verify token: org.keycloak.common.VerificationException:
>>>> Token audience doesn't match domain. Token issuer
>>>> is http://external-hostname/auth/realms/My_Realm, but URL from configuration
>>>> is http://internal-hostname/auth/realms/My_Realm*
>>>>
>>>> The token is rejected (Since the hostnames are not the exact same),
>>>> however external-hostname and internal-hostname are the same machine.
>>>>
>>>> Is there a way that Keycloak can identify these hostnames as equivalent
>>>> to accept the token, or another policy that should be followed in this
>>>> situation?
>>>>
>>>> Thanks,
>>>> Joe
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>
>
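An added example, not code from this thread or from the Keycloak code base: a small Python model of the adapter check Joe describes, in which the token signature is verified first, then expiry, then the `iss` claim is compared by exact string equality against auth-server-url + "/realms/" + realm. HS256 with a constructed shared secret stands in for Keycloak's RSA verification so the block runs offline; the names `mint_token`, `verify_token`, `check_hop` and the secret are the example's own, and the hostnames are the ones used in the thread.

```python
import base64
import hashlib
import hmac
import json
import time


class VerificationException(Exception):
    """Raised when any check fails; the issuer message mirrors the one quoted in the thread."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def realm_url(auth_server_url: str, realm: str) -> str:
    """The realm URL an adapter derives from its auth-server-url, e.g.
    http://external-hostname/auth + My_Realm -> http://external-hostname/auth/realms/My_Realm"""
    return auth_server_url.rstrip("/") + "/realms/" + realm


def mint_token(secret: bytes, issuer: str, audience: str, lifetime: int = 300) -> str:
    """Constructed stand-in for an access token issued by the realm at `issuer`.
    HS256 is used only so the example needs nothing beyond the standard library."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {"iss": issuer, "aud": audience, "sub": "joe", "iat": now, "exp": now + lifetime}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, secret: bytes, configured_realm_url: str, now=None) -> dict:
    """Signature, then expiry, then issuer. The issuer comparison is a plain string
    equality, so scheme, case and hostname all have to match byte for byte."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise VerificationException("Token is not a three-part JWT")
    expected = hmac.new(secret, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise VerificationException("Invalid token signature")
    claims = json.loads(_b64url_decode(c))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise VerificationException("Token is expired")
    if claims.get("iss") != configured_realm_url:
        raise VerificationException(
            "Token audience doesn't match domain. Token issuer is %s, but URL from configuration is %s"
            % (claims.get("iss"), configured_realm_url))
    return claims


def check_hop(token: str, secret: bytes, auth_server_url: str, realm: str):
    """Outcome of presenting `token` to a hop whose adapter is configured with `auth_server_url`."""
    try:
        verify_token(token, secret, realm_url(auth_server_url, realm))
        return True, "accepted"
    except VerificationException as e:
        return False, str(e)


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"  # constructed; a real adapter uses the realm's RSA public key
    tok = mint_token(SECRET, issuer=realm_url("http://external-hostname/auth", "My_Realm"),
                     audience="my-war")
    # The external hop matches; the internal hop (and even a differently cased host) does not.
    for url in ("http://external-hostname/auth", "http://internal-hostname/auth",
                "http://EXTERNAL-hostname/auth"):
        print(url, check_hop(tok, SECRET, url, "My_Realm"))
```

Running the block shows the second and third hops rejected with the same message as in the thread, which is why the adapters on every hop need the identical realm URL: the check has no notion of two hostnames being the same machine.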