[keycloak-user] Reverse proxy calling admin API

Bill Burke bburke at redhat.com
Sat May 21 18:10:56 EDT 2016


I think this is a wildfly issue:


https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html


set the proxy-address-forwarding="true" for the http-listener.


On 5/21/16 5:59 PM, Christian Bauer wrote:
> Hi
>
> I'm trying to call the /admin/* API endpoints through a reverse proxy. The access token is granted to a JavaScript application, and the issuer of the token is therefore the reverse proxy. (This is actually a regular app that just happens to forward/create some requests to Keycloak.)
>
> The proxy makes a call to Keycloak with a Bearer token and the correct X-Forwarded-* headers. Keycloak/Wildfly is configured with proxy-address-forwarding=true.
>
> The request is authenticated in Keycloak with this line in AuthenticationManager.java:
>
> AccessToken token = RSATokenVerifier.verifyToken(tokenString, realm.getPublicKey(), Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()), checkActive, checkTokenType);
>
> This assumes that the "configured issuer" of a token is the JAX-RS UriInfo#getBaseUri() and fails with:
>
> 2016-05-21 23:52:37,109 DEBUG [org.keycloak.services] (default task-16) Failed to verify identity token: org.keycloak.common.VerificationException: Token audience doesn't match domain. Token issuer is http://localhost:8080/auth/realms/master, but URL from configuration is http://192.168.99.100:8081/auth/realms/master
>
> The UriInfo#getBaseUri() does not take the X-Forwarded-* headers into account.
>
> How can I call the API with a token obtained through a reverse proxy?
>
> Thanks,
> Christian
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

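The issuer comparison that fails in the log line above can be reproduced without a running Keycloak. The following is an added example, not code from Keycloak or WildFly: it models how a servlet container derives the request base URI either from the Host header alone or, when proxy address forwarding is honoured, from the X-Forwarded-Proto / X-Forwarded-Host headers, builds the realm issuer URL from it the way Urls.realmIssuer does, and compares that against the token's iss claim. The headers, the realm name and the token (an unsigned, constructed JWT, since signature checking is not the part that fails here) are all assumptions made for the demonstration; the container's X-Forwarded-Port handling is left out for brevity.

```python
import base64
import json
from urllib.parse import urlunsplit


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT: only the iss claim matters for this demo."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT (no signature check, on purpose)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def base_uri(headers: dict, proxy_address_forwarding: bool) -> str:
    """Model of how the container computes UriInfo#getBaseUri().

    With proxy_address_forwarding=False only the Host header and the scheme
    the listener terminates (assumed plain http here) are used. With True the
    X-Forwarded-Proto and X-Forwarded-Host values replace them, which is the
    assumed effect of Undertow's proxy-address-forwarding attribute.
    """
    scheme = "http"
    host = headers["Host"]
    if proxy_address_forwarding:
        scheme = headers.get("X-Forwarded-Proto", scheme)
        host = headers.get("X-Forwarded-Host", host)
    return urlunsplit((scheme, host, "/auth", "", ""))


def realm_issuer(base: str, realm: str) -> str:
    """Equivalent of Urls.realmIssuer(baseUri, realmName)."""
    return f"{base}/realms/{realm}"


class VerificationException(Exception):
    pass


def verify_issuer(token: str, expected_issuer: str) -> dict:
    """The issuer check, raising the same message shape as in the log above."""
    claims = jwt_claims(token)
    if claims.get("iss") != expected_issuer:
        raise VerificationException(
            "Token audience doesn't match domain. Token issuer is "
            f"{claims.get('iss')}, but URL from configuration is {expected_issuer}"
        )
    return claims


# Constructed request headers: the proxy listening on localhost:8080 forwards
# to Keycloak on 192.168.99.100:8081 and sets the X-Forwarded-* headers.
PROXIED_REQUEST = {
    "Host": "192.168.99.100:8081",
    "X-Forwarded-Host": "localhost:8080",
    "X-Forwarded-Proto": "http",
}

# Constructed token: issued to the JavaScript app through the proxy, so its
# issuer is the proxy's public URL.
TOKEN = make_unsigned_jwt({
    "iss": "http://localhost:8080/auth/realms/master",
    "sub": "demo-user",
})


def check(headers: dict, proxy_address_forwarding: bool) -> tuple:
    """Return (True, expected_issuer) on success, (False, error text) on failure."""
    expected = realm_issuer(base_uri(headers, proxy_address_forwarding), "master")
    try:
        verify_issuer(TOKEN, expected)
        return (True, expected)
    except VerificationException as exc:
        return (False, str(exc))


if __name__ == "__main__":
    for flag in (False, True):
        ok, detail = check(PROXIED_REQUEST, flag)
        print(f"proxy-address-forwarding={str(flag).lower()}: "
              f"{'OK' if ok else detail}")
```

With the forwarded headers ignored, the configured issuer becomes http://192.168.99.100:8081/auth/realms/master and the check fails exactly as in the quoted DEBUG line; with them honoured, both sides agree on http://localhost:8080/auth/realms/master. On WildFly the attribute Bill refers to can be set from jboss-cli with `/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)` followed by a reload. One caveat: once the listener trusts X-Forwarded-*, any client that can reach it directly can pick the issuer (and client address) it is evaluated against, so the listener should only be reachable from the reverse proxy.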