Keycloak: Invalid token issuer when running from internal docker container

Question

I'm having some issues with configuring keycloak to run on our server. Locally it works great but on on our test environment, after login, on any call using the received access token, we get "Invalid token issuer. Expected "http://keycloak:8080/auth/realms/{realmnName}" but was "http://{our-test-server-IP}/auth/realms/{realmName}"" So basically, our backend connects to the internal keycloak docker image but when the request comes it expects that the issuer is the configured external IP so even though the issuers are basically the same service keycloak sees them as being different and responds with a 401.

docker-compose.yml:

keycloak:
    image: jboss/keycloak:12.0.4
    restart: on-failure
    environment:
        PROXY_ADDRESS_FORWARDING: "true"
        KEYCLOAK_USER: admin
        KEYCLOAK_PASSWORD: password
        KEYCLOAK_LOGLEVEL: DEBUG
        KEYCLOAK_IMPORT: /etc/settings/realm.json -Dkeycloak.profile.feature.upload_scripts=enabled
        TZ: Europe/Bucharest
        DB_VENDOR: POSTGRES
        DB_ADDR: db
        DB_DATABASE: user
        DB_SCHEMA: keycloak
        DB_USER: user
        DB_PASSWORD: user
    ports:
        - 8090:8080
    volumes:
        - ./settings:/etc/settings
    depends_on:
        - db

Spring application.yml:

keycloak:
  cors: true
  realm: Realm-Name
  resource: back-office
  auth-server-url: http://keycloak:8080/auth/
  public-client: false
  credentials:
    secret: 8401b642-0ae9-4dc8-87a6-2f494b388a49

keycloak-client:
  id: bcc94ed5-0099-40e0-b460-572eba3f0214

If we change the backend properties auth-server-url to connect to the exposed endpoint and no to the internal docker container we get a timeout, seems like it doesn't want to connect to it. I understand that the main issue is that we are running both the keycloak instance and our backend application on the same server but I don't see why it shouldn't work and why they can not connect to each other.

We tried setting up the FRONTEND_URL in the environment when running the container and in Keycloak admin console but nothing has changed. We've also tried to set forceBackendUrlToFrontendUrl to true in standalone.xml/standalone-ha.xml(./jboss-cli.sh --connect "/subsystem=keycloak-server/spi=hostname/provider=default:write-attribute(name=properties.forceBackendUrlToFrontendUrl, value=true)") files and reset the keycloak instance inside the docker container using ./jboss-cli.sh --connect command=:reload but nothing has changed.

I understand that basically by setting up the FRONTEND_URL all tokens should be signed by the keycloak instance and we would not have this issue but I've tried everything I've found so far on this issue regarding the keycloak configuration and nothing seems to change things. How can I make sure that the issuer that signs the access token and the one that the backend service expects are the same(hopefully the frontend)? And how can I configure this, is there some property I'm missing or was there something I did wrong while configuring it?

Answer 1

Might be related to this answer on here: https://stackoverflow.com/a/64095482/13494285

You could set Host header value to be the expected url.

To override this behavior, you might try to set KEYCLOAK_HOSTNAME environment variable to be the expected url.

Seems like documentation might not be up-to-date (it suggests KEYCLOAK_FRONTEND_URL variable on here), but instead KEYCLOAK_HOSTNAME is used to set fixed provider, as seen on here.

On this context, also the KEYCLOAK_HTTP_PORT is required to set the port to be 8080

Answer 2

Setting the KEYCLOAK_HOSTNAME to the external hostname (as defined in the KEYCLOAK_FRONTEND_URL) definitly worked for my case (eclipse che installation on a vanilla kubernetes cluster)