Is it possible to use jwt token retrieved using javascript adapter in the server side using internal network


Oleksandr Andriienko

Oct 19, 2020, 8:43:20 AM10/19/20
to Keycloak User

Hello. I'm working on an application which uses the javascript keycloak adapter to retrieve a jwt keycloak token. The front-end sends this token to the back-end. The back-end uses this jwt token to get an openshift 4 auth provider token. When the back-end uses the public keycloak host url for the request, the request works great (keycloak provides the openshift oauth token). Example with curl:

But when the back-end uses the keycloak internal CoreDNS service url, the request fails with an error: Invalid token:

curl -k -H "Authorization: bearer ${jwt-token}" http://keycloak.app.svc.cluster.local:8080/auth/realms/che/broker/openshift-v4/token


When I enabled debug log level I see:

10:14:10,201 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-2) Failed to verify identity token: Invalid token issuer. Expected 'http://keycloak.che.svc.cluster.local:8080/auth/realms/che', but was 'https://keycloak-che.apps-crc.testing/auth/realms/che'

Is it possible to use the internal keycloak url for this case? In my case the internal url is a CoreDNS url.

P.S.: we are working on an operator which should install our application. One of the components of our application is keycloak. And we want to provide the ability to use the internal network for all application services (back-ends). For now keycloak is the last component which we can't cover with the internal network. Thanks for any hints...

Pedro Igor Craveiro e Silva

Oct 21, 2020, 7:45:26 AM10/21/20
to Oleksandr Andriienko, Keycloak User
Hi,

I think the problem is related to the hostname provider configuration.

This is a provider that allows you to statically set both front and back end URLs of Keycloak. See https://www.keycloak.org/docs/latest/server_installation/#_hostname. You should try to set the `frontendUrl` option to your internal. IIRC, our container image supports a `KEYCLOAK_FRONTEND_URL` env var for this too.

What I think is happening is that your frontend obtains token through the public URL and, by default, the token issuer claim would be based on it. Afterward, when your backend tries to send this token using the internal URL, you have an issuer mismatch because now the issuer is calculated based on the internal URL whereas the token was issued for the public one.

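As an added diagnostic example (not code from the thread or from Keycloak itself), the following Python reproduces the comparison behind the "Invalid token issuer" debug line: it decodes the token's `iss` claim and compares it with the issuer Keycloak derives from the base URL the request arrived on, then shows how a fixed frontend URL makes the internal and public hostnames agree. The two hostnames and the demo token are constructed from the values quoted in the thread; the `frontend_url` parameter is an assumption that models the hostname provider's `frontendUrl` setting.

```python
import base64
import json
from typing import Optional, Tuple

# Constructed values: the realm from the thread, reachable through two hostnames.
PUBLIC_BASE = "https://keycloak-che.apps-crc.testing/auth"
INTERNAL_BASE = "http://keycloak.che.svc.cluster.local:8080/auth"
REALM = "che"


def expected_issuer(request_base_url: str, realm: str,
                    frontend_url: Optional[str] = None) -> str:
    """Issuer Keycloak expects for a realm: <base>/realms/<realm>.

    Without a fixed frontend URL the base is taken from the request, so the
    same realm gets a different issuer per hostname. With the hostname
    provider's frontendUrl set (modelled by frontend_url), that base wins."""
    base = frontend_url if frontend_url else request_base_url
    return f"{base.rstrip('/')}/realms/{realm}"


def _b64url_decode(segment: str) -> bytes:
    # Re-add the padding that compact JWT serialisation strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(jwt: str) -> dict:
    """Decode only the payload; the signature is NOT checked here (diagnostic use)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def issuer_check(jwt: str, request_base_url: str, realm: str,
                 frontend_url: Optional[str] = None) -> Tuple[bool, str, str]:
    """Reproduce the issuer comparison from the debug log.
    Returns (matches, expected_issuer, issuer_in_token)."""
    iss = unverified_claims(jwt).get("iss", "")
    expected = expected_issuer(request_base_url, realm, frontend_url)
    return iss == expected, expected, iss


def make_demo_token(claims: dict) -> str:
    """Constructed token for the demo: real header/payload encoding, dummy signature."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


if __name__ == "__main__":
    token = make_demo_token({"iss": expected_issuer(PUBLIC_BASE, REALM), "sub": "demo"})
    print(issuer_check(token, INTERNAL_BASE, REALM))                             # mismatch
    print(issuer_check(token, INTERNAL_BASE, REALM, frontend_url=PUBLIC_BASE))   # agrees
```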

Oleksandr Andriienko

Feb 10, 2021, 3:43:20 AM2/10/21
to Pedro Igor Craveiro e Silva, Keycloak User
Hello. Thanks a lot for your feedback. For keycloak 7 we set up KEYCLOAK_FRONTEND_URL. After that, when our application requests the openId configuration using the internal url, keycloak 7 returns json with urls with the internal url host; when we request the openId configuration using the public url, keycloak returns json with urls with the public url hostname. I guess it works as expected for keycloak 7. But we also have another version of our application; it uses keycloak 6.0.1. Keycloak 6.0.1 doesn't support KEYCLOAK_FRONTEND_URL. We tried to use a fixed hostname adapter for this version. The fixed hostname adapter doesn't fail when we request the token or openId configuration using the internal network, but it has another behavior: when we request the openId configuration using the internal network it returns json with urls with the "PUBLIC" hostname. Do we have any options to align this behavior between KEYCLOAK_FRONTEND_URL on keycloak 7 and the fixed hostname provider on keycloak 6.0.1? I guess there is an option to write a custom hostname provider for keycloak 6.0.1, but first of all it would be nice to get your opinion or any advice before further actions. Thanks a lot and best regards!