Hi
My configuration is as follows:
Angular frontend app (Keycloak public client)
Spring Boot backend app (Keycloak confidential client)
Keycloak server
These all run behind an nginx in Cloud Foundry.
What I'd like to achieve is that communication between the backend app and the Keycloak server happens through an internal route.
I assigned 1 public and 1 internal route to my Keycloak server:
https://XXXX.YYYY.ZZZZ.com/auth (this is for user authentication)
https://XXXX.YYYY-internal.ZZZZ.com/auth (this is for the backend app)
I set the following in my backend app:
keycloak.auth-server-url: https://XXXX.YYYY-internal.XXXX.com/auth
and this property in my realm settings:
frontendUrl = https://XXXX.YYYY.ZZZZ.com/auth
(I also tried setting it in standalone.xml)
With the above config, user authentication succeeds, but afterwards, when REST requests are sent to retrieve data from the backend, I get an "invalid token issuer" error. It says:
Expected "https://XXXX.YYYY-internal.ZZZZ.com/auth/realms/myrealmname", but was "https://XXXX.YYYY.ZZZZ.com/auth/realms/myrealmname"
How can I make this work? What is missing or wrong here?
Thanks a lot
Servet
OK, I found out how.
Keycloak is assigned only the internal route https://XXXX.YYYY-internal.ZZZZ.com/auth
The frontendUrl property is set to the public route https://XXXX.YYYY.ZZZZ.com/auth
Backends (microservices): keycloak.auth-server-url: https://XXXX.YYYY-internal.XXXX.com/auth
That's all for Keycloak.
Now a reverse proxy must be placed in front, and it should proxy the call
https://XXXX.YYYY.ZZZZ.com/auth to https://XXXX.YYYY-internal.ZZZZ.com/auth
While proxying, the headers must also be set.
This way, all calls from microservices to Keycloak for token validation stay in the private network.
I always had the feeling that a Reverse Proxy is required, even though I haven't tried the "frontendUrl" option yet.
However, I figured out that the "X-Forwarded-Host" header of the forwarded request has to be rewritten, which is not the default behavior for reverse proxies.
The same is possible for the "X-Forwarded-Proto" header, if the reverse proxy is simple HTTP.
Have you experienced the same or similar?
Finally,
When back-end and front-end endpoints are different, which is quite sensible and expected
with back-end being private and front-end public
-
A reverse proxy is genuinely required, to forward the real client's IP
see https://www.keycloak.org/docs/10.0/server_installation/#identifying-client-ip-addresses
This implies use of proxy-address-forwarding=true
which is controlled by PROXY_ADDRESS_FORWARDING=true
environment variable in official Docker image
see https://hub.docker.com/r/jboss/keycloak
-
frontendUrl
property is also required, to correctly generate the page redirects
see https://www.keycloak.org/docs/10.0/server_installation/index.html#default-provider
This is controlled by the KEYCLOAK_FRONTEND_URL
environment variable in official Docker image
see https://hub.docker.com/r/jboss/keycloak
Unfortunately, with both a reverse proxy and frontendUrl
set Keycloak is still getting confused about the issuer.
Invalid token issuer. Expected "internal endpoint/auth/realms/realm", but was "public endpoint/auth/realms/realm"
Correction, this works.
Both a reverse proxy and "frontendUrl" are required.
The forwarded reverse proxy request header change is only required for the last proxy in a chain of reverse proxies, with the "X-Forwarded-Host" and "X-Forwarded-Proto" headers of the forwarded request having to match "frontendUrl".
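The proxying step described in this reply and in the earlier "I found out how" post, written out as an nginx server block. This is an added example, not configuration posted in the thread; the hostnames are the thread's placeholders, the TLS certificate paths are assumed, and the Keycloak-side settings it relies on are the ones named above (frontendUrl / KEYCLOAK_FRONTEND_URL and proxy-address-forwarding / PROXY_ADDRESS_FORWARDING).

```nginx
# Added example (not from the thread): public route for browsers, proxied to
# Keycloak's internal route. Keycloak itself is reachable only on the internal
# route; backends point keycloak.auth-server-url at that internal route.
server {
    listen 443 ssl;
    server_name XXXX.YYYY.ZZZZ.com;          # public route, same host as frontendUrl

    ssl_certificate     /etc/nginx/tls/public.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/tls/public.key;

    location /auth/ {
        # Upstream Host must be the internal route so the internal router
        # (Cloud Foundry in the thread) accepts and routes the request.
        proxy_set_header Host XXXX.YYYY-internal.ZZZZ.com;

        # These two must match frontendUrl (https://XXXX.YYYY.ZZZZ.com/auth).
        # Literal values rather than $host/$scheme: a client-supplied Host
        # header is then never copied into what Keycloak treats as its own
        # public hostname.
        proxy_set_header X-Forwarded-Host  XXXX.YYYY.ZZZZ.com;
        proxy_set_header X-Forwarded-Proto https;

        # Real client IP; Keycloak only honours it with
        # proxy-address-forwarding=true (PROXY_ADDRESS_FORWARDING=true).
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_pass https://XXXX.YYYY-internal.ZZZZ.com/auth/;
    }
}
```

If this nginx sits behind another proxy, only the last proxy in the chain needs to set X-Forwarded-Host and X-Forwarded-Proto this way, as the reply above notes.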
Yes, with a reverse proxy, headers must be set, then it works. The Keycloak adapter version for backends must be higher than 8, I remember.
Indeed, if I am not mistaken, these features were introduced during the life of Keycloak 8.x, so, any version later than 8 is expected to have them.
I am using 10.0.1 at the moment.
I think this is a crucial feature. Without this feature, all token confirmation calls from backends to Keycloak are unnecessarily going through the public internet. With this feature, all token confirmation calls stay in the private network, which is way more secure.
I cannot agree more.
Indeed, this is crucial.
Back-end token verification must be private.
Front-end token acquisition must be public.
I fear many people haven't realized the importance.
But, I am glad it works.
Also, I believe, back-end has to use confidential clients and front-end has to use public, which is what I have done for my project.
HTTPS is very much necessary as well, for security and proper cookies decoration in JavaScript adapter and others.
Application cookies must also be decorated properly, with samesite=none and httponly=true for 3rd party front-end.
It is all demanding and requires special handling but it is worth the effort.
Ilias Balasis
Mob: 07702019628