API verification token failing from Public IP but working from private IP

Hi Guys,
We have set up Keycloak to secure all REST APIs in our microservice environment. This works fine with the private IP of the server over the SSL VPN.
In the production environment we need to go without the SSL VPN. The prod environment is built on nextgen cloud VMs.

  1. Login is successful.
  2. Token verification for API access gets “Access Denied.”

Please suggest what we are missing.

Very likely the issuer in the token does not match the expected issuer (very likely you have configured the “frontend URL”, so Keycloak returns that for both private and public IP access).

You should have the IdP under one domain and protocol (https is required for OIDC) instead of mixing private/public IPs/domains. So it should always be “https://keycloak-domain.com”, and your environment can resolve it to the public or private IP accordingly.
