Invalid token issuer when running keycloak behind proxy

Question

I've placed my keycloak server behind apache proxy:

ProxyRequests On
ProxyVia On
ProxyPreserveHost On
SSLProxyEngine On
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
<LocationMatch "/auth/">
    ProxyPass http://keycloak:8090/auth/ Keepalive=On
</LocationMatch>
ProxyPassReverse "/auth/" "http://keycloak:8090/auth/"

I've succesfully told my keycloak on javascript side to use /auth for authentication:

{
  "realm" : "local",
  "auth-server-url" : "/auth",
  "ssl-required" : "external",
  "resource" : "client-local",
  "public-client" : true
}

I've managed to log in, but after making server request, the filter (org.keycloak.jaxrs.JaxrsBearerTokenFilterImpl from keycloak-jaxrs-oath-client-4.0.0.FINAL) is throwing exception:

WWW-Authenticate: Bearer realm="local", error="invalid_token", error_description="Invalid token issuer. Expected 'http://keycloak:8090/auth/realms/local', but was 'http://localhost/auth/realms/local'"

What I'm missing here? I've expected, that the reverse proxy would be transparent for the keycloak... I can't find the option to add localhost to valid issuers in keycloak administration panel either...

How can I bring that setup to work?

Answer 1

Your proxy should add forwarding headers on the proxy such as X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Host, this will allow keycloak to retrieve the client's (not the reverse proxy's) original IP which is important for security reasons. Also Keycloak can retrieve it's host name as it appears outside the proxy which should help with the Invalid token issuer problem.

Also you should configure Keycloak such that is uses the proxy headers, if you're using the Docker image do this with the environment variable PROXY_ADDRESS_FORWARDING=true.

Have a look at the documentation [1], you'll find more answeres there. [1] https://www.keycloak.org/docs/4.8/server_installation/#_setting-up-a-load-balancer-or-proxy