Keycloak Invalid token issuer


Solution 1

The "iss" claim vary in function of the request. The variable KEYCLOAK_FRONTEND_URL can change this behavior. So try do as follow in your docker-compose file:

KEYCLOAK_FRONTEND_URL: http://10.0.2.2:8060/auth

Solution 2

You need to configure access from your Spring Boot app to the Auth server in an external fashion, not localhost:

keycloak:
  realm: sau
  resource: photo-service
  bearer-only: false
  auth-server-url: http://10.0.2.2:8060/auth
  credentials:
     secret: 69a3e80c-8360-42df-bcec-b6575a6949dc

This way the token issuers will match. This will probably require either disabling the SSL requirement for external requests in Keycloak or configuring proper SSL communication. If this is meant for production, do it the right way.

Solution 3

What if you cannot access the auth server using the external address? This will not work. Check https://issues.redhat.com/browse/KEYCLOAK-6984. One workaround is to set the realm public key. But it's not recommended, as the adapter will not check for a new key if the key is rotated.
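To see why Solution 2 works and what Solution 3 warns about, here is an added example (not code from the question or the answers) that reproduces the issuer comparison a Keycloak adapter performs: the expected issuer is built from the configured auth-server-url and realm, and the token's "iss" must equal it exactly. The token is constructed and unsigned, so only the issuer check is shown, not signature verification.

```javascript
// Added example: reproduces the adapter's "iss" check offline.
// The token below is constructed for this example; no Keycloak is contacted.

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
}

function base64UrlDecode(str) {
  const b64 = str.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Constructed access token (header.payload.signature); signature left empty.
const SAMPLE_TOKEN = [
  base64UrlEncode({ alg: "RS256", typ: "JWT" }),
  base64UrlEncode({
    iss: "http://10.0.2.2:8060/auth/realms/sau", // issuer seen in the question
    aud: "photo-service",
    azp: "nasilim-mobile-app",
    exp: 4102444800,
  }),
  "",
].join(".");

// The adapter expects iss to equal <auth-server-url>/realms/<realm>.
function expectedIssuer(authServerUrl, realm) {
  return `${authServerUrl.replace(/\/+$/, "")}/realms/${realm}`;
}

// Returns { ok: true } or { ok: false, error } with the adapter's wording.
function checkIssuer(token, authServerUrl, realm) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, error: "malformed token" };
  const payload = base64UrlDecode(parts[1]);
  const expected = expectedIssuer(authServerUrl, realm);
  if (payload.iss !== expected) {
    return {
      ok: false,
      error: `Invalid token issuer. Expected '${expected}', but was '${payload.iss}'`,
    };
  }
  return { ok: true };
}

// Resource service configured as in the question vs. as in Solution 2.
const beforeFix = checkIssuer(SAMPLE_TOKEN, "http://localhost:8060/auth", "sau");
const afterFix = checkIssuer(SAMPLE_TOKEN, "http://10.0.2.2:8060/auth", "sau");
console.log(beforeFix.error); // the exact error from the question
console.log(afterFix.ok);     // true
```

Because the comparison is a plain string match, the resource service must reach Keycloak under the same URL the client used when the token was issued (or Keycloak must be told, via KEYCLOAK_FRONTEND_URL, which URL to put in "iss").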

Muhammed Ozdogan

Java developer at Gittigidiyor aka Ebay Turkey.

Updated on June 10, 2022

Comments

  • Muhammed Ozdogan, almost 2 years ago

    I have a mobile app (react-native), a resource service (spring boot) and a Keycloak Authentication Service (Auth-Service).

    The client authenticates directly with the Auth-Service and gets the access token. When I make a request to the resource service, the resource service checks the access token by asking the Auth-Service. But the token obtained by the client app has an iss field of http://10.0.2.2:8060/auth/realms/sau, while my resource service is at http://localhost:8110.

    Keycloak says: error="invalid_token", error_description="Invalid token issuer. Expected 'http://localhost:8060/auth/realms/sau', but was 'http://10.0.2.2:8060/auth/realms/sau'"

    My question is: how can I make authentication in the resource service on behalf of my client?

    Mobile App:

    import axios from 'axios';

    // LOGIN was not defined in the posted snippet; assumed here to be the
    // realm's token endpoint, derived from the issuer shown in the question.
    const LOGIN = 'http://10.0.2.2:8060/auth/realms/sau/protocol/openid-connect/token';

    // Build the form body for the Resource Owner Password grant.
    export const prepareRequestBody = credentials => {
      const params = new URLSearchParams();
      params.append('username', credentials.username);
      params.append('password', credentials.password);
      params.append('client_id', "nasilim-mobile-app");
      params.append('grant_type', "password");
      return params;
    };

    // POST the credentials to Keycloak; the response body carries access_token.
    export const login = credentials => {
      const params = prepareRequestBody(credentials);
      return axios.post(LOGIN, params);
    };


    Resource-Service:

    application.yml

    keycloak:
      realm: sau
      resource: photo-service
      bearer-only: false
      auth-server-url: http://localhost:8060/auth
      credentials:
         secret: 69a3e80c-8360-42df-bcec-b6575a6949dc
    


    Note: I have checked this question and I have tried to set "X-Forwarded-For" : "http://localhost:8060/", but it didn't work; Keycloak returns: { "error": "invalid_request", "error_description": "HTTPS required" }

    Here is a sample access token obtained by the mobile client.