[keycloak-user] Host header verification during introspect?
Dmitry Korchemkin
moon3854 at gmail.com
Tue Apr 11 14:24:19 EDT 2017
As i wrote a couple of days ago, i have an issue with introspection. When
sending an introspect request through proxy i get a pretty uninformative
{"active" : "false"} as a result.
I have two proxies, private and public and all the requests to keycloak go
through them. When i get a token from private proxy (http://private
.com/../protocol/openid-connect/token) and then try to access introspect
through public proxy (http://public/../
protocol/openid-connect/token/introspect) with this token, it fails with an
error i provided above. Token is issued to private proxy, obviously.
When i receive a token and use it to access introspect through the same
proxy, it works.
I've tried to modify my proxies to hack Host header and replace it with
whatever the token is issued to and it works when i manually do the steps
above with postman, but unfortunately it horribly breaks something else
within my code.
I get that it's more secure this way, but i did not have this issue when i
used 1.9.8.Final. Is there a way to disable this introspect host checking
with the 3.0.0.?
More information about the keycloak-user
mailing list