[keycloak-user] Keycloak as OIDC provider to AWS ALB, any hints!

Max Allan max.allan+keycloak at surevine.com
Fri Jul 13 12:30:51 EDT 2018


The AWS ALB will allow you to authenticate to cognito or OIDC nowadays.

I thought "Great, I can connect it up to my KeyCloak".
Sadly not. Well, I can connect it to KeyCloak and see sensible looking
headers and JWTs flowing back and forth.
And then the ALB says "500 Internal Server Error" :-(

I can see a request to keycloak (from the client):

And it 302 redirects back to the ALB:


On the KeyCloak server I can see the POST requests from the browser coming
in and hitting the authenticate URL, KC hands back a 302 (the URL above)
Then the ALB does a POST to the token endpoint and gets a 200 response with
a nice chunk of access token. I can decode it and see my details quite
happily. I even validated the signature. (Using jwt.io's debugger.)
Although the ALB doesn't ask for the certificate at any stage, so I don't
think it even bothers validating it.

But it doesn't seem to like it. And gives me a 500 error.

(I can authenticate with Google OIDC without any trouble...)

(NB Any secrets in any of those strings won't get you very far, there is no
content yet :-) )
