Invalid token issuer when running keycloak behind proxy

Submitted by 拈花ヽ惹草 on 2020-07-02 09:15:55

Question


I've placed my keycloak server behind apache proxy:

ProxyRequests On
ProxyVia On
ProxyPreserveHost On
SSLProxyEngine On
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
<LocationMatch "/auth/">
    ProxyPass http://keycloak:8090/auth/ Keepalive=On
</LocationMatch>
ProxyPassReverse "/auth/" "http://keycloak:8090/auth/"

I've successfully told my keycloak on the JavaScript side to use /auth for authentication:

{
  "realm" : "local",
  "auth-server-url" : "/auth",
  "ssl-required" : "external",
  "resource" : "client-local",
  "public-client" : true
}

I've managed to log in, but after making a server request, the filter (org.keycloak.jaxrs.JaxrsBearerTokenFilterImpl from keycloak-jaxrs-oath-client-4.0.0.FINAL) is throwing an exception:

WWW-Authenticate: Bearer realm="local", error="invalid_token", error_description="Invalid token issuer. Expected 'http://keycloak:8090/auth/realms/local', but was 'http://localhost/auth/realms/local'"

What am I missing here? I expected that the reverse proxy would be transparent to keycloak... I can't find an option to add localhost to the valid issuers in the keycloak administration panel either...

How can I get that setup to work?


Answer 1:


Your proxy should add forwarding headers such as X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Host. This will allow Keycloak to retrieve the client's (not the reverse proxy's) original IP, which is important for security reasons. Keycloak can also retrieve its host name as it appears outside the proxy, which should help with the Invalid token issuer problem.

Also, you should configure Keycloak so that it uses the proxy headers; if you're using the Docker image, do this with the environment variable PROXY_ADDRESS_FORWARDING=true.

Have a look at the documentation [1]; you'll find more answers there.

[1] https://www.keycloak.org/docs/4.8/server_installation/#_setting-up-a-load-balancer-or-proxy
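A corrected form of the asker's vhost fragment that applies what this answer describes, added here as an example (it is not from the original post or from the Keycloak project). It assumes Apache 2.4 with mod_proxy_http and mod_headers loaded, TLS terminated at the proxy, and the Keycloak Docker image; the backend name `keycloak:8090` and realm `local` are taken from the question.

```apache
# Reverse proxy only: ProxyRequests On would also enable forward proxying
# (an open proxy if exposed), which a reverse proxy does not need.
ProxyRequests Off

# Keep the client's Host header so Keycloak derives the realm issuer from
# the public name instead of the backend name "keycloak:8090".
ProxyPreserveHost On

# mod_proxy adds X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server
# (ProxyAddHeaders is On by default). X-Forwarded-Proto is NOT added
# automatically; since TLS ends here, state the scheme the client used.
ProxyAddHeaders On
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port  "443"

ProxyPass        "/auth/" "http://keycloak:8090/auth/" keepalive=On
ProxyPassReverse "/auth/" "http://keycloak:8090/auth/"

# Keycloak side (Docker image): trust the headers above, e.g.
#   docker run -e PROXY_ADDRESS_FORWARDING=true ... jboss/keycloak:4.8.x
# Non-Docker WildFly distribution: set proxy-address-forwarding="true"
# on the undertow http-listener in standalone.xml instead.
```

To verify, `curl -s https://<public-host>/auth/realms/local/.well-known/openid-configuration` should report `"issuer": "https://<public-host>/auth/realms/local"`; if it still shows `keycloak:8090`, the forwarded headers are not reaching Keycloak. The bearer-token adapter builds its expected issuer from its own auth-server-url plus `/realms/<realm>`, so that URL must resolve to the same public issuer rather than to the backend name.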




Answer 2:


This has been a common problem, as Keycloak verifies the issuer of the placed token against the issuer that generated the token. In your case, the token was generated by http://keycloak:8090/auth/realms/local, but the issuer in the given token is your proxy server FQDN, i.e. http://localhost/auth/realms/local



Source: https://stackoverflow.com/questions/51554178/invalid-token-issuer-when-running-keycloak-behind-proxy
