[keycloak-user] Keycloak: Failed to verify token - Invalid token issuer

Henning Waack henning.waack at codecentric.de
Thu Jun 21 09:31:42 EDT 2018


Hi all.

Using KC 4.0.0.Final behind an Apache https proxy, we have the following issue with OIDC tokens as logged in the Keycloak server.log:

2018-06-21 13:59:47,626 DEBUG [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-41) Verifying access_token
2018-06-21 13:59:47,628 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-41) Failed to verify token: org.keycloak.common.VerificationException: Invalid token issuer. Expected 'http://nak/auth/realms/NAK', but was 'https://nak.xxx.de/auth/realms/NAK'
at org.keycloak.TokenVerifier$RealmUrlCheck.test(TokenVerifier.java:108)
---

The URL "https://nak.xxx.de/auth/realms/NAK/.well-known/openid-configuration" looks fine, all endpoints have the right format, e.g.

> issuer: "https://nak.xxx.de/auth/realms/NAK"
> authorization_endpoint: "https://nak.xxx.de/auth/realms/NAK/protocol/openid-connect/auth"
> token_endpoint : "https://nak.xxx.de/auth/realms/NAK/protocol/openid-connect/token"

The X-Forwarded headers also look fine, I have enabled header logging in Wildfly, and we have the following headers for example:

header=X-Forwarded-For=80.242.xx.xx, 10.10.51.5
header=X_FORWARDED_PROTO=https
header=Host=nak.xxx.de
header=X-Forwarded-Host=nak.xxx.de, nak.xxx.de
header=X-Forwarded-Server=nak.xxx.de, xxx.dip0.t-ipconnect.de
header=X-Forwarded-Proto=https

In my KC standalone.xml config I have set the "proxy-address-forwarding" parameter for the http-listener to "true".

So why is KC still expecting the token issuer to be "http://nak/..." instead of "https://nak.xxx.de/..."?

Thanks & greetings

Henning
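The error quoted above comes from an exact string comparison: the adapter's RealmUrlCheck compares the token's iss claim against the realm URL it expects, with no normalisation of scheme or host, so "http://nak/..." versus "https://nak.xxx.de/..." fails even though every forwarded header is correct. The following is an added example, not Keycloak's or Undertow's code, that models that comparison. It assumes a simplified rule for how a request-derived realm URL is built (first value of X-Forwarded-Proto and X-Forwarded-Host when forwarding is honoured, the listener's own scheme and host otherwise); which base URL a real adapter deployment uses to form its expectation depends on its configuration and is not shown in the post. The headers and token are constructed from the values quoted in the message.

```python
import base64
import json

REALM = "NAK"

# Constructed sample: the forwarded headers quoted in the post, as a dict.
PROXIED_HEADERS = {
    "Host": "nak.xxx.de",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "nak.xxx.de, nak.xxx.de",
    "X-Forwarded-For": "80.242.xx.xx, 10.10.51.5",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped token with an empty signature segment.
    Only the iss comparison is demonstrated here; no signature is produced or checked."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_issuer(jwt: str) -> str:
    """Read the iss claim from the payload segment (restoring base64 padding first)."""
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))["iss"]


def realm_url_from_request(headers: dict, realm: str, proxy_address_forwarding: bool,
                           listener_scheme: str = "http", listener_host: str = "nak") -> str:
    """Hypothetical, simplified model of the realm URL derived from an incoming request.
    With forwarding honoured, the first comma-separated value of the X-Forwarded-* headers
    wins; without it, the listener's own scheme and host (assumed http://nak here) are used."""
    if proxy_address_forwarding:
        scheme = headers.get("X-Forwarded-Proto", listener_scheme).split(",")[0].strip()
        host = headers.get("X-Forwarded-Host", headers.get("Host", listener_host)).split(",")[0].strip()
    else:
        scheme, host = listener_scheme, listener_host
    return f"{scheme}://{host}/auth/realms/{realm}"


def verify_issuer(jwt: str, expected_realm_url: str):
    """Exact string comparison of iss against the expected realm URL, in the style of
    RealmUrlCheck: a different scheme or host is a failure, not a near-miss."""
    actual = token_issuer(jwt)
    if actual != expected_realm_url:
        return False, f"Invalid token issuer. Expected '{expected_realm_url}', but was '{actual}'"
    return True, "issuer ok"


# Constructed token carrying the issuer the well-known document advertises.
SAMPLE_TOKEN = make_unsigned_jwt({"iss": "https://nak.xxx.de/auth/realms/NAK", "sub": "demo"})


if __name__ == "__main__":
    for forwarding in (True, False):
        expected = realm_url_from_request(PROXIED_HEADERS, REALM, forwarding)
        ok, msg = verify_issuer(SAMPLE_TOKEN, expected)
        print(f"proxy_address_forwarding={forwarding}: {msg}")
```

Running the block reproduces the reported message for the non-forwarding case and a pass for the forwarding case, which is the useful diagnostic: when the proxy headers are right but the error persists, the expectation is being built from something other than the forwarded request, and that is where to look.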

