[keycloak-user] Zuul (Gateway) -> Keycloak Adapters Missing pieces

Mauricio Salatino salaboy at gmail.com
Thu Sep 7 06:14:19 EDT 2017


Hi everyone,
We are using Keycloak behind a gateway (Zuul) and we are having issues with
keycloak adapters not being able to validate the JWT token issued on behalf
of an external client. Our Gateway is forwarding all the X-FORWARDED-*
headers correctly so the token is issued correctly but the problem is that
our adapters (in our services) contain the following configuration:

keycloak.auth-server-url=<local ip of keycloak server>:<port>/auth

Now the problem that we are facing is that the token cannot be validated by
the adapter, because it was issued for the external IP and the adapter is
pointing to the local IP, so the token validation fails.

I've seen several threads and jira issues about this problem without a
clear solution and it sounds like the adapter's code can be easily extended
to support this scenario. Now the question is where that information should
live:
1) It can be set to the realm configuration so the adapter picks that up on
start up and then use that information for the token validation
2) It can be picked up by the service that is getting the external IP in the
X-FORWARDED-* headers (this might cause a security issue ??? )

We can provide the code for the solution but before we start coding we want to
know what your opinions on the matter are and if this has been solved
before.

Cheers

Mauricio


-- 
 - MyJourney @ http://salaboy.com <http://salaboy.wordpress.com>
 - Co-Founder @ http://www.jugargentina.org
 - Co-Founder @ http://www.jbug.com.ar

 - Salatino "Salaboy" Mauricio -
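The issuer mismatch described in the post, as an added example that is not part of the original thread or of Keycloak's adapter code. It assumes Keycloak's `iss` claim has the form `<auth-server-url>/realms/<realm>` (which it does), uses HS256 with a shared secret instead of the realm's RS256 key pair to stay self-contained, and all URLs, the realm name and the secret are constructed values.

```python
# Added example, not Keycloak adapter code: a token minted when Keycloak is
# reached through the gateway carries `iss` built from the external URL
# ("<auth-server-url>/realms/<realm>"), so an adapter that only trusts the
# issuer derived from its local auth-server-url rejects it; option 1 from the
# thread (a configured allow-list of issuers) accepts it. Simplified to HS256
# with a shared secret (real tokens are RS256); URLs are constructed.
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"
REALM = "demo"
LOCAL_URL = "http://10.0.0.5:8080/auth"        # adapter's keycloak.auth-server-url
EXTERNAL_URL = "https://sso.example.com/auth"  # URL Keycloak saw via X-Forwarded-*

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issuer(auth_server_url: str, realm: str = REALM) -> str:
    return f"{auth_server_url}/realms/{realm}"

def mint_token(auth_server_url: str) -> str:
    """Token as Keycloak issues it when reached via auth_server_url."""
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64u(json.dumps({"iss": issuer(auth_server_url), "sub": "user1"}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"

def verify(token: str, trusted_issuers: set) -> tuple:
    """Signature first, then issuer check; returns (ok, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, p, s = parts
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_dec(s)):
        return False, "bad signature"
    iss = json.loads(_b64u_dec(p)).get("iss")
    if iss not in trusted_issuers:
        return False, f"issuer {iss!r} not trusted"
    return True, "ok"

# Current adapter behaviour: the sole trusted issuer comes from auth-server-url.
ADAPTER_ONLY = {issuer(LOCAL_URL)}
# Option 1: a static allow-list from realm/adapter config, independent of any
# request header, so the caller cannot influence which issuer is "expected".
CONFIGURED = {issuer(LOCAL_URL), issuer(EXTERNAL_URL)}
```

`verify(mint_token(EXTERNAL_URL), ADAPTER_ONLY)` reproduces the failure from the post, while the same token passes against `CONFIGURED`.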

