Invalid token when using nginx proxy

Hello :slightly_smiling_face:

I’m trying to set up Keycloak using nginx as proxy.

The idea is to log in to web app using javascript adapter and then for each API request, nginx should ask Keycloak if token is valid (session could be revoked, etc.).

I’ve set it up without nginx locally - I have keycloak on my VM and I used Keycloak Gatekeeper to proxy API requests. It worked with no issues whatsoever.

Then, I deployed Keycloak and web app that uses js adapter on cluster and in nginx I proxied URLs required for login. Next, I configured auth module to call /auth/realms/cerulean-magnolia/protocol/openid-connect/token with grant_type=urn:ietf:params:oauth:grant-type:uma-ticket. There could be better endpoint to call but I’m always getting invalid_grant Invalid bearer token anyway.

Login works but when I try to use generated token, it becomes invalid and I can’t use it anymore.

I’ve set PROXY_ADDRESS_FORWARDING to true and here’s what I did in nginx:

    location /api/v1/login {
        rewrite /api/v1/login/(.*) /auth/$1 break;
        proxy_pass {{ .Values.nginx.keycloakUrl }};

    location /auth/resources {
        proxy_pass {{ .Values.nginx.keycloakUrl }};

    location /auth/realms {
        proxy_set_header X-Forwarded-For $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_pass {{ .Values.nginx.keycloakUrl }};

And then for API requests auth module: auth_request /_auth; and:

    location = /_auth {

        proxy_method                  POST;
        proxy_set_header            X-Original-Method          $request_method;
        proxy_set_header            X-Original-Scheme         $scheme;
        proxy_set_header            X-Original-Request         $request;
        proxy_set_header            X-Original-Request-URI  $request_uri;

        proxy_set_header Content-Type "application/x-www-form-urlencoded";
        proxy_set_body "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=lei-api&respnose_mode=decision";

        rewrite /_auth /auth/realms/cerulean-magnolia/protocol/openid-connect/token break;
        proxy_pass {{ .Values.nginx.keycloakUrl }};

Like I’m mentioned - any attempt of using this token ends up in getting:

    "error": "invalid_grant",
    "error_description": "Invalid bearer token"

If I would generate this token manually (via forwarded port) using password:

curl -L -X POST 'https://localhost:8141/auth/realms/cerulean-magnolia/protocol/openid-connect/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=lei' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'scope=openid' \
--data-urlencode 'username=...' \
--data-urlencode 'password=...' --insecure | jq

and then use this token to do:

http --verify=no -f https://localhost:8141/auth/realms/cerulean-magnolia/protocol/openid-connect/token grant_type=urn:ietf:params:oauth:grant-type:uma-ticket audience=lei-api response_mode=decision  authorization:"Bearer ..."

It works fine. But if I use token generated via web app, I always get 401.

I’d be grateful for any help or hints.
Kind Regards,

Hi Patryk,
'm facing same problem. Did you fix it?