Disabling token issuer check and consequences

I have the following setup,

  1. A single page client app which uses keycloak.js
  2. Keycloak running on https://.foobar.net/auth
  3. An API server running on https://.foobar.net/api

The single page app logins in to keycloak and upon success gets the authentication token from keycloak.

The single page app then passes the access token as a bearer token in the Authorization header to the API server.

The API server which is running spring boot with the KeycloakAdapter is configured to reach keycloak using an internal host name, let’s say http://keycloak-http/auth.

The problem I’m having is that when the API server receives the bearer token it checks the token issuer and finds that it does not match the keycloak url configured for internal access. This check fails with an exception.

I have two questions,
a. How do I disable the token issuer check?
b. If the token issuer check should not be disabled how can I set it up such that I do not run into this issue? Note that my app is a multitenant app so external access to keycloak has to be using a subdomain to access the login functionality, I cannot change that.


I have exactly same issue! What I did is fork the adaptor, in my case nodejs, and change it to take extra parameters: issuers. Then change the validation function to allow iss being any element in my issuers list.

Thanks @zodiac1214 - forking was something I wanted to avoid but if that is what needs to be done then I will do it.

hi…can you pls tell me how to fork the adaptor