[keycloak-user] Allowing multiple JWT issuers in a devel environment

Jonathan Little rationull at gmail.com
Mon Jun 5 14:06:54 EDT 2017


Well, that's too bad. The Auth0 JWT library for Node.js at least seems to
allow checking against an array of issuers, which would be ideal, but I
don't think that library will automatically retrieve public keys for
signature verification (not a deal breaker, but that is a nice feature of
the Keycloak library), and of course it's nice in theory to be using the
library maintained specifically to work with the Keycloak backend.

I just filed a feature request on Keycloak's Jira project covering this:
https://issues.jboss.org/browse/KEYCLOAK-5014. Hopefully it can gain some
traction.

On Mon, Jun 5, 2017 at 12:26 AM, Juan José Díaz Montaña <
juanjo.diaz at intopalo.com> wrote:

> Hi Jonathan,
>
> This is not only a development issue. Anyone running in NAT'd environments
> and/or more complex network setups will face this.
> I raised the same issue a few days ago (http://lists.jboss.org/pipermail/keycloak-user/2017-May/010788.html)
> and there are plenty of previous posts highlighting the issue, dating back
> even a few years.
> I even offered to implement whatever changes are necessary to the Keycloak
> adapters, since this is an important feature for one of my clients.
> Unfortunately, it doesn't seem that the Keycloak maintainers/community
> really care about this issue or have any intention of doing something about
> it :/
>
> Regards,
>
>
> --
> *Juanjo Díaz*
> Software Architect  @Intopalo Oy <https://intopalo.com>
> +358 50 4667571 | juanjo.diaz at intopalo.com
>
> On 3 June 2017 at 07:25, Jonathan Little <rationull at gmail.com> wrote:
>
>> I'm trying to set up a devel environment with Keycloak in a Docker
>> container, a back-end service in a separate linked Docker container, and a
>> front end web app that authenticates against Keycloak and then uses a
>> bearer token with the back end service. Bearer token validation is failing
>> in this case due to the JWT's iss field not matching the realm URL: the
>> realm URL is based on a hostname in the Docker network but the login
>> occurred against localhost from the browser running outside Docker via a
>> host port mapping.
>>
>> This is obviously a devel-specific scenario and I'd like to be able to opt
>> in to multiple allowed issuers, an issuer regex, skipping issuer
>> verification, or some other workaround. AFAICT there is no mechanism for
>> this and the options are:
>>
>> 1) Add an entry to the devel machine's hosts file so that the browser can
>> use the same hostname as the Keycloak container has in the Docker network.
>> This is simple but undesirable because I'd rather not have to globally
>> modify the devel machine configuration for this.
>>
>> 2) Run the devel Keycloak server outside of Docker at a known externally
>> accessible hostname. This is potentially the cleanest solution (although it
>> may have redirect issues with locally hosted devel websites -- I haven't
>> tried yet) but I'd really like to be able to run Keycloak locally.
>>
>> 3) Somehow hack or customize the token validation code. The issuer check is
>> fairly deep and I don't see any convenient or palatable hacks though.
>>
>>
>> This seems to me like it'd be a common situation but is it legitimate or am
>> I thinking about this wrong? Does anyone else have any ideas or think this
>> would be a worthwhile addition to the library? Seems to me that multiple
>> issuers or an issuer regex would be clean solutions.
>>
>> If this makes sense I will file a feature request (not sure if PRs are
>> accepted on this project), but it seems like such an ordinary situation
>> that I feel like I must be missing something!
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

