Issuer advertised by the auto-discovery should be formed with the backend url?


Pascal Trovatelli

Jan 16, 2024, 8:11:50 AM
to Keycloak User
Hello,
Sum-up:
The relying party says "issuer did not match the issuer returned by provider" when the frontend and backend URLs differ.

Details:
I'm using Keycloak to authenticate users to HashiCorp Vault.
- Vault reaches Keycloak through a private network (backend URL)
- End users reach Keycloak from a public network (frontend URL)

The frontend URL is forced in Keycloak with KC_HOSTNAME_URL so that users are not redirected to the backend URL.

Keycloak considers that the "issuer" is a frontend element: with this setup, we can see in the .well-known/openid-configuration URL that the issuer is built using the frontend URL (even when the well-known URL is accessed from the backend channel).

When initializing the OIDC configuration, Vault makes a check to verify that the issuer advertised in the well-known URL matches the domain Vault uses to access Keycloak: the backend URL.
Vault refuses the setup with:
unable to create provider: oidc: issuer did not match the issuer returned by provider,
expected \"<backend_host>/auth/realms/ <realm> \"
     got \" <frontend_host>/auth/realms/<realm>\"


As discussed in this conversation https://issues.redhat.com/browse/KEYCLOAK-6984, shouldn't the issuer be a backend element? End users don't need to access the well-known URL, do they?

The only solution I've found is for the relying party to go out of the private network and in again through the public URL to be able to reach Keycloak. It's not very reliable from a network point of view (we regularly have network issues when switching networks).

Yet another solution would be to force DNS resolution from the relying party to reach Keycloak through the private network when using the public URL (through /etc/hosts for example). Really dirty...

Any advice appreciated.
Thanks


Pascal Trovatelli

Jan 16, 2024, 8:20:54 AM
to Keycloak User
Tested with:
- Keycloak 20.0.3
- HashiCorp Vault 1.15.4+ent

Václav “Vašek” Muzikář

Jan 23, 2024, 3:11:01 AM
to Keycloak User
Hello,
you mention that:
> Vault makes a check to verify that the issuer advertised in the well-known URL matches the domain Vault uses to access Keycloak: the backend URL

I don't think this is correct. Vault should be comparing the issuer against whatever is configured/fetched from the .well-known endpoint; see the specs.
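An added diagnostic (written for this thread, not code from Vault, Keycloak or either poster) that reproduces the check the spec prescribes: OIDC Discovery 1.0 section 4.3 requires the `issuer` in the document fetched from `<issuer>/.well-known/openid-configuration` to be identical to the issuer URL the relying party used, which is why a provider that advertises its frontend URL over the backend channel fails it. The hostnames, realm name and discovery document are constructed placeholders.

```python
"""Relying-party issuer check from OIDC Discovery 1.0 (section 4.3).
Sample document below is constructed to look like Keycloak's; hostnames
and realm name are placeholders, not captured server output."""
import json
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/openid-configuration"

# Constructed: the issuer the relying party is configured with (reached over
# the private network) and the document that endpoint hands back.
BACKEND_ISSUER = "https://keycloak.internal.example/auth/realms/vault"
FRONTEND_ISSUER = "https://sso.example.com/auth/realms/vault"
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": FRONTEND_ISSUER,
    "authorization_endpoint": FRONTEND_ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": FRONTEND_ISSUER + "/protocol/openid-connect/token",
    "jwks_uri": FRONTEND_ISSUER + "/protocol/openid-connect/certs",
})

def discovery_url(issuer: str) -> str:
    """Section 4.1: drop a terminating '/' from the issuer, then append
    the well-known path. No other normalisation is allowed."""
    return issuer.rstrip("/") + WELL_KNOWN_PATH

def check_issuer(configured_issuer: str, document: str) -> tuple[bool, str]:
    """Section 4.3: the advertised issuer must be identical (plain string
    equality) to the issuer used to build the discovery URL."""
    advertised = json.loads(document).get("issuer")
    if advertised is None:
        return False, "discovery document carries no issuer"
    if advertised != configured_issuer:
        return False, (f"issuer did not match: expected {configured_issuer!r}, "
                       f"got {advertised!r}")
    return True, "issuer matches"

def classify_mismatch(configured: str, advertised: str) -> str:
    """Name the differing URL part so the fix can be targeted. 'host': same
    realm path but another scheme/host/port, which is what a frontend URL
    forced on the provider produces when discovery is fetched via the
    backend address; 'trailing-slash' and 'path' are the other usual cases."""
    c, a = urlsplit(configured), urlsplit(advertised)
    same_origin = (c.scheme, c.netloc) == (a.scheme, a.netloc)
    same_path = c.path.rstrip("/") == a.path.rstrip("/")
    if same_origin and same_path:
        return "none" if c.path == a.path else "trailing-slash"
    return "host" if same_path else "path"
```

Calling `check_issuer(BACKEND_ISSUER, SAMPLE_DISCOVERY_DOC)` reproduces the failure from the first post, and `classify_mismatch` labels it a "host" mismatch, i.e. the same realm path advertised under a different hostname.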