Keycloak Invalid token issuer
Solution 1
The "iss" claim vary in function of the request. The variable KEYCLOAK_FRONTEND_URL can change this behavior. So try do as follow in your docker-compose file:
KEYCLOAK_FRONTEND_URL: http://10.0.2.2:8060/auth
Solution 2
You need to configure access from your Spring Boot app to the Auth server in an external fashion, not localhost:
keycloak:
realm: sau
resource: photo-service
bearer-only: false
auth-server-url: http://10.0.2.2:8060/auth
credentials:
secret: 69a3e80c-8360-42df-bcec-b6575a6949dc
This way the token issuers will match. This will probably require either to disable SSL requirement for external request in keycloak or to configure proper SSL communication. If this is meant for production, do the right way.
See also:
Solution 3
What if you can not access the auth server using the external address? This will not work. Check https://issues.redhat.com/browse/KEYCLOAK-6984 One workaround is to set the reaml public key. But it's not recommended as the adapter will not check for new key if the key is rotated.
Comments
-
Muhammed Ozdogan almost 2 years
I have a mobile app(react-native), a resource service(spring boot) and Keycloak Authenticatioin Service(Auth-Service).
Client makes authentication directly with Auth-Service and gets the access token. When I do a request to the resource service, the resource service checks the access token by asking to the Auth-Service. But token obtained by the client app and iss field is http://10.0.2.2:8060/auth/realms/sau and my resource service at http://localhost:8110.
Keycloak says:
error="invalid_token", error_description="Invalid token issuer. Expected 'http://localhost:8060/auth/realms/sau', but was 'http://10.0.2.2:8060/auth/realms/sau'"
My question is how can I make authentication in resource service behalf my client?
Mobile App:
export const prepareRequestBody = credentials => { const params = new URLSearchParams(); params.append('username', credentials.username); params.append('password', credentials.password); params.append('client_id', "nasilim-mobile-app"); params.append('grant_type', "password"); return params; }; export const login = credentials => { const params = prepareRequestBody(credentials); return axios.post(LOGIN, params); };
Resource-Service:
application.yml
keycloak: realm: sau resource: photo-service bearer-only: false auth-server-url: http://localhost:8060/auth credentials: secret: 69a3e80c-8360-42df-bcec-b6575a6949dc
Note: I have checked this question and I have tried to set "X-Forwarded-For" : "http://localhost:8060/" but It didn't work Keycloak returns:
{ "error": "invalid_request", "error_description": "HTTPS required" }
Here is a Sample Access Token that obtained by mobile client.