 

Keycloak Invalid token issuer

I have a mobile app (react-native), a resource service (Spring Boot) and a Keycloak authentication service (Auth-Service).

The client authenticates directly with the Auth-Service and gets the access token. When I make a request to the resource service, the resource service checks the access token by asking the Auth-Service. But the token is obtained by the client app and its iss field is http://10.0.2.2:8060/auth/realms/sau, and my resource service is at http://localhost:8110.

Keycloak says: error="invalid_token", error_description="Invalid token issuer. Expected 'http://localhost:8060/auth/realms/sau', but was 'http://10.0.2.2:8060/auth/realms/sau'"

My question is: how can I authenticate in the resource service on behalf of my client?

Mobile App:

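import axios from 'axios';

// LOGIN is the URL the credentials are posted to; it is defined elsewhere in the app.

// Build the form-encoded body for the password grant.
export const prepareRequestBody = credentials => {
  const params = new URLSearchParams();
  params.append('username', credentials.username);
  params.append('password', credentials.password);
  params.append('client_id', "nasilim-mobile-app");
  params.append('grant_type', "password");
  return params;
};

// Request an access token from the Auth-Service.
export const login = credentials => {
  const params = prepareRequestBody(credentials);
  return axios.post(LOGIN, params);
};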


Resource-Service:

application.yml

keycloak:
  realm: sau
  resource: photo-service
  bearer-only: false
  auth-server-url: http://localhost:8060/auth
  credentials:
     secret: 69a3e80c-8360-42df-bcec-b6575a6949dc


Note: I have checked this question and I have tried to set "X-Forwarded-For" : "http://localhost:8060/" but it didn't work. Keycloak returns: { "error": "invalid_request", "error_description": "HTTPS required" }

Here is a sample access token that was obtained by the mobile client.

Muhammed Ozdogan asked May 23 '20 01:05


2 Answers

The "iss" claim varies depending on the request. The variable KEYCLOAK_FRONTEND_URL can change this behavior. So try the following in your docker-compose file:

KEYCLOAK_FRONTEND_URL: http://10.0.2.2:8060/auth
Canatto Filipe answered Oct 19 '22 08:10


You need to configure access from your Spring Boot app to the Auth server in an external fashion, not localhost:

keycloak:
  realm: sau
  resource: photo-service
  bearer-only: false
  auth-server-url: http://10.0.2.2:8060/auth
  credentials:
     secret: 69a3e80c-8360-42df-bcec-b6575a6949dc

This way the token issuers will match. This will probably require either disabling the SSL requirement for external requests in Keycloak or configuring proper SSL communication. If this is meant for production, do it the right way.

See also:

  • https://stackoverflow.com/a/42504805/1199132
Xtreme Biker answered Oct 19 '22 10:10
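To see the mismatch that both answers address before changing any configuration, the following added example (not part of the original question or answers) decodes a token's iss claim and compares it with the issuer the resource service expects, built as auth-server-url + "/realms/" + realm as the error message above shows. The function names are hypothetical and the sample token is constructed and unsigned.

```javascript
// Added diagnostic example; function names are hypothetical, not Keycloak APIs.
// It only reads claims for troubleshooting. It does NOT verify the signature,
// so it must never be used to decide whether a token is trustworthy.

// Decode the payload (second segment) of a compact JWT without verifying it.
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Issuer the resource service expects, derived from its adapter settings.
function expectedIssuer(authServerUrl, realm) {
  return authServerUrl.replace(/\/+$/, '') + '/realms/' + realm;
}

// Compare the token's iss claim with the expected issuer.
function checkIssuer(jwt, authServerUrl, realm) {
  const expected = expectedIssuer(authServerUrl, realm);
  const actual = decodeClaims(jwt).iss;
  return { match: actual === expected, expected, actual };
}

// Build a constructed sample token (placeholder signature) with a given issuer.
function makeSampleToken(iss) {
  const enc = obj => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const header = enc({ alg: 'RS256', typ: 'JWT' });
  const payload = enc({ iss, azp: 'nasilim-mobile-app' });
  return [header, payload, 'constructed-signature'].join('.');
}

// Token as the emulator-side client receives it (issuer from the question).
const token = makeSampleToken('http://10.0.2.2:8060/auth/realms/sau');

// auth-server-url from the question's application.yml: issuers differ.
console.log(checkIssuer(token, 'http://localhost:8060/auth', 'sau'));

// auth-server-url from the second answer: issuers match.
console.log(checkIssuer(token, 'http://10.0.2.2:8060/auth', 'sau'));
```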