Issuer claim validation

I am new to Keycloak and am trying to set up issuer validation for a personal project that I am creating. I want to make sure that I am configuring Keycloak to use issuer validation correctly. From my understanding, the issuer is validated based on the auth-server-url field in the application.yml file. Is this assumption correct, or is there another setting that specifically checks the issuer claim in an incoming JWT token?

It depends on what client-side lib (in your app) you are using to authenticate against Keycloak, but the issuer for Keycloak tokens is the Keycloak URL plus /realm/realm_name.

Something like https://mykeycloak.company.com/realm/realm_name

Thanks for the quick reply. I am using the Spring Boot adapter.

I guess what I really need is a pointer to the Keycloak documentation that discusses validation of the issuer claim. For example, if I have two realms configured and I want to ensure that tokens stamped with an issuer claim of realm A cannot be used to access realm B. In other applications (not using Keycloak) I have used custom code to validate that the issuer claim matches the expected issuer. If I am using Spring Boot, will Keycloak automatically ensure that the issuer claim is valid for the realm? Or do I need to write custom code?

The token validation is part of the OIDC spec, so a proper lib knows how to do it.

If you are using the Spring Boot adapter, it definitely knows how to do it given a Keycloak server URL and a realm name.

If you are using Spring Security, you just need to give it the full URL, like https://keycloakserver.domain.com/realm/my_realm_name, as the authentication server URL.
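The check the thread is asking about, written out as an added example (not code from any poster, Keycloak or the Spring adapter): a resource server configured for one realm verifies the signature with that realm's key and then requires an exact match on the `iss` claim. Assumptions: the issuer strings, secrets and helper names are constructed, and HS256 with a per-realm demo secret stands in for the realm's asymmetric signing keys so the example runs offline with the standard library only.

```python
import base64, hashlib, hmac, json, time

# Constructed issuers: take the real value from the "issuer" field of the
# realm's /.well-known/openid-configuration document and compare it exactly.
REALM_A = "https://keycloak.example.test/realms/realm-a"
REALM_B = "https://keycloak.example.test/realms/realm-b"
# Assumption: one HS256 demo secret per realm stands in for the realm's keys.
DEMO_KEYS = {REALM_A: b"demo-secret-realm-a", REALM_B: b"demo-secret-realm-b"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_demo_token(issuer: str, key: bytes, ttl: int = 300) -> str:
    """Build a constructed HS256 token so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": issuer, "sub": "demo-user", "exp": int(time.time()) + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate(token: str, expected_issuer: str) -> dict:
    """Return the claims, or raise ValueError naming the check that failed."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = dict(json.loads(_unb64url(header_b64)))
        claims = dict(json.loads(_unb64url(payload_b64)))
        sig = _unb64url(sig_b64)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":  # algorithm is pinned by configuration
        raise ValueError("unexpected alg")
    # The key comes from the configured issuer, never from the token's own iss.
    key = DEMO_KEYS[expected_issuer]
    good = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, good):
        raise ValueError("bad signature")
    if claims.get("iss") != expected_issuer:  # exact string match, no prefix test
        raise ValueError("issuer mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= time.time():
        raise ValueError("expired")
    return claims
```

A realm A token presented to a realm B service normally fails at the signature step because the realms sign with different keys; the separate `iss` comparison is what still rejects it if a key is ever shared between issuers.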