401 iss invalid iss claim


Adebola Omoboya

Feb 15, 2022, 6:45:33 AM2/15/22
to Keycloak User
We have been battling with this problem for so long that we are almost on the verge of dumping keycloak altogether, after so much investment in the technology.

We have a Java Spring Boot application (microservices) with an Angular client. We created a public client on the keycloak server for the Angular client; however, on the Spring Boot app, in application.properties / the docker environment, we have the following settings:

spring.security.oauth2.resourceserver.jwt.issuer-uri=https://auth01.factorialsystems.io/auth/realms/onecard
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://auth01.factorialsystems.io/auth/realms/onecard/protocol/openid-connect/certs

So typically the Angular client logs on, gets a token and attempts to access resources on the dockerized services, all on AWS; Keycloak is also on an AWS EC2 instance.

Keycloak on AWS EC2 is behind a reverse proxy (nginx) with a letsencrypt certificate, Keycloak

The environment is not run in docker; nginx runs as a unix daemon and keycloak runs on the server (standalone.sh). The nginx config file is shown below:
server {
        include /etc/nginx/mime.types;
        server_name auth01.factorialsystems.io;

        location / {
                #proxy_pass https://127.0.0.1:8443;
                proxy_pass http://localhost:8080;
                # $proxy_protocol_addr is only populated when the listen directive uses proxy_protocol;
                # $proxy_add_x_forwarded_for carries the original client's IP address for a plain TLS listener
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme; # to forward the original protocol (HTTP or HTTPS)
                proxy_set_header Host $host; # to forward the original host requested by the client
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade'; # plain ASCII quotes; typographic quotes are not valid nginx syntax
                proxy_set_header X-Real-IP $remote_addr;
        }

        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/auth01.factorialsystems.io/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/auth01.factorialsystems.io/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = auth01.factorialsystems.io) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 default_server;
    listen [::]:80 default_server;

    server_name auth01.factorialsystems.io;
    return 404; # managed by Certbot
}

We have set proxy_address_forwarding inside the standalone.xml file and tried running the application with frontendUrl as shown below:

./standalone.sh -Dkeycloak.frontendUrl=http://auth01.factorialsystems.io:8080/auth

We can log onto the keycloak server and interact with it fine, and we can also log onto the Angular application. However, once we try to access a protected resource on any of the servers we get a 401 error; when we inspect further in Google dev tools the message is as follows:

Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: The iss claim is not valid", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

SOS


Thomas Darimont

Feb 15, 2022, 6:56:15 AM2/15/22
to Adebola Omoboya, Keycloak User
Hello Adebola,


I think your keycloak frontend url should be 

-Dkeycloak.frontendUrl=https://auth01.factorialsystems.io

Take a look at the issuer of the generated access token. Your service expects the iss claim to be https://auth01.factorialsystems.io/auth/realms/onecard

Cheers,
Thomas
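A small diagnostic for the mismatch Thomas points at, added here as an example and not code from the thread or from Keycloak: it decodes a token's payload (without verifying the signature) and compares the iss claim with the issuer-uri from the original post. The two sample tokens are constructed; the issuer strings are the ones quoted in this thread.

```python
import base64
import json

# issuer-uri from the original post's application.properties
EXPECTED_ISSUER = "https://auth01.factorialsystems.io/auth/realms/onecard"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url segment (for constructed input)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. Diagnostic only: no signature check,
    so never use this in place of the resource server's real validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_issuer(token: str, expected: str = EXPECTED_ISSUER) -> tuple[bool, str]:
    """Spring's issuer validator does an exact string comparison, so scheme, host,
    port and path must all agree. Returns (ok, human-readable explanation)."""
    iss = jwt_claims(token).get("iss")
    if iss == expected:
        return True, "iss matches configured issuer-uri"
    return False, f"iss mismatch: token has {iss!r}, resource server expects {expected!r}"


def make_sample_token(iss: str) -> str:
    """Construct an unverifiable sample token (placeholder signature) for testing."""
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url_encode(header)}.{_b64url_encode({'iss': iss, 'sub': 'demo'})}.sig"


# Constructed samples: what Keycloak mints under the frontendUrl from the post,
# versus what the Spring resource server is configured to accept.
BAD_TOKEN = make_sample_token("http://auth01.factorialsystems.io:8080/auth/realms/onecard")
GOOD_TOKEN = make_sample_token(EXPECTED_ISSUER)

if __name__ == "__main__":
    for name, tok in (("bad", BAD_TOKEN), ("good", GOOD_TOKEN)):
        print(name, check_issuer(tok))
```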

