Error "Invalid bearer token" when client and server are on different sides of the firewall

Hi all,

I have my Keycloak server and app server behind a firewall. The web client (in browser) is in front of the firewall.

Because of the firewall, the web client and the app server talk to Keycloak using different addresses. The web client sees Keycloak as “fw1”, while the app server sees it as “kc1”.

The access token obtained by the web client has the issuer “fw1”. When the app server sends this token to Keycloak for authorization, Keycloak says “Invalid bearer token”.

How is Keycloak supposed to work in this situation? Can/should I turn off issuer validation?

Thanks in advance,
Huy.

Proper hostname configuration will be your friend, see the docs about it. How you have to configure it depends on the distribution (Quarkus or Wildfly/Legacy).

Yes, thanks a lot, Niko. Setting the frontendUrl in the hostname SPI in standalone.xml solved the issue.

Have a great day.

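For readers with the same setup, here is what the fix described above looks like in the legacy (Wildfly) distribution. This is an added configuration example, not the poster's actual file; the hostnames fw1.example.com and kc1.example.com are placeholders. The default hostname provider takes its frontendUrl from the keycloak.frontendUrl system property, so you can either hard-code the value or pass it on the command line. Once set, every realm issuer Keycloak puts into tokens and into the OIDC discovery document uses the public URL, whichever interface the request arrived on, so the token the browser obtains via fw1 and the token the app server verifies via kc1 carry the same iss. This is the right fix; disabling issuer validation on the app server would let a token minted by any other realm or server be accepted.

```xml
<!-- standalone.xml (legacy Keycloak), inside <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1"> -->
<!-- Added example configuration; hostnames are placeholders, not the original poster's values. -->
<spi name="hostname">
    <default-provider>default</default-provider>
    <provider name="default" enabled="true">
        <properties>
            <!-- Public URL the browser uses. Falls back to the request host if the property is unset.
                 Start with: standalone.sh -Dkeycloak.frontendUrl=https://fw1.example.com/auth -->
            <property name="frontendUrl" value="${keycloak.frontendUrl:https://fw1.example.com/auth}"/>
            <!-- Keep backend (kc1) requests from the app server on their own URL; set to true
                 only if every caller, including backchannel ones, can reach the frontend URL. -->
            <property name="forceBackendUrlToFrontendUrl" value="false"/>
        </properties>
    </provider>
</spi>
```

After restarting, confirm the change by fetching the realm's discovery document through the backend address and checking that the "issuer" field now names the frontend host (for example `curl -s https://kc1.example.com/auth/realms/<realm>/.well-known/openid-configuration`). The app server's adapter must be configured to expect that same issuer, since issuer comparison is exact. On the Quarkus distribution the equivalent is the `--hostname` startup option rather than standalone.xml.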