I am running Keycloak in docker compose:

```yaml
services:
  postgres:
    image: postgres:latest
    container_name: postgres_db
    volumes:
      - keyclock_postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: password
  keycloak_web:
    image: keycloak/keycloak:latest
    container_name: keycloak_web
    environment:
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://postgres:5432/keycloak
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: password
      KC_HOSTNAME: localhost
      KC_HOSTNAME_STRICT: false
      KC_HOSTNAME_STRICT_HTTPS: false
      KC_LOG_LEVEL: info
      KC_METRICS_ENABLED: true
      KC_HEALTH_ENABLED: true
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
    command: start-dev
    depends_on:
      - postgres
    ports:
      - "7080:8080"
      - "3002:8443"
volumes:
  keyclock_postgres_data:
```
Then in the browser I can access the dashboard from the link http://localhost:7080.

The problem arises when I try to use Keycloak from within my dotnet application, which is also running in docker… The config is self-explanatory. You can ignore the code itself. Just take a look at the links.
```csharp
using Microsoft.IdentityModel.Tokens;

// "builder" is the WebApplicationBuilder from Program.cs
builder.Services.AddAuthentication()
    .AddJwtBearer("KeycloakBearer", options =>
    {
        options.Authority = "http://host.docker.internal:7080/realms/master";
        options.Audience = "account";
        options.RequireHttpsMetadata = false;
        options.MetadataAddress = "http://host.docker.internal:7080/realms/master/.well-known/openid-configuration";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidIssuers = new[]
            {
                "http://localhost:7080/realms/master",
                "http://host.docker.internal:7080/realms/master"
            }
        };
    });
```
See that I am using host.docker.internal as the hostname. I can confirm that the page http://host.docker.internal:7080/realms/master/.well-known/openid-configuration is accessible by the web service in the docker container… I cannot use the usual localhost.

The problem is that the app is not able to perform the signing key verification!
If you are curious about the error details, it's:

```
Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10500: Signature validation failed. No security keys were provided to validate the signature.
```
Basically I think it means that the service cannot properly access the public key when validating the JWT token.

After days of struggle I've found the culprit. It's the `KC_HOSTNAME: localhost` environment variable. If I change the value to `KC_HOSTNAME: host.docker.internal` then the JWT validation in my service starts working just fine!

But then I have a problem that I can no longer access the Keycloak dashboard using the localhost domain from the host machine!

Could someone please clarify how to make the dashboard accessible as well as allow the services running in docker to perform their JWT validations?

I was thinking of somehow allowing Keycloak to run on multiple hostnames at the same time, but it seems like the environment variable allows a single value… Nor are aliases allowed…
Should I try configuring an nginx reverse proxy of some sort to make it all work?
Any help is appreciated.
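The following diagnostic is an added example and not part of the question or of Keycloak itself. It checks the one thing the IDX10500 error depends on: the discovery document Keycloak serves contains absolute URLs (`issuer`, `jwks_uri`, the token and authorization endpoints) built from `KC_HOSTNAME`, and the JWT bearer handler fetches signing keys from `jwks_uri`, not from `MetadataAddress`. Inside a container, `localhost` is the container itself, so a `jwks_uri` on `localhost:7080` is unreachable even when the metadata URL on `host.docker.internal:7080` works. The sample document below is constructed to mirror what the compose file above would produce with `KC_HOSTNAME: localhost`; the function names and the finding keys are this example's own.

```python
"""Added diagnostic for the OIDC discovery host mismatch; not from the question."""
import json
from urllib.parse import urlparse
from urllib.request import urlopen

# Constructed sample: what Keycloak serves with KC_HOSTNAME=localhost even when the
# document itself is fetched via host.docker.internal (values are illustrative).
SAMPLE_METADATA = json.dumps({
    "issuer": "http://localhost:7080/realms/master",
    "authorization_endpoint": "http://localhost:7080/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "http://localhost:7080/realms/master/protocol/openid-connect/token",
    "jwks_uri": "http://localhost:7080/realms/master/protocol/openid-connect/certs",
})

CHECKED_KEYS = ("issuer", "jwks_uri", "token_endpoint", "authorization_endpoint")


def diagnose(metadata_json, metadata_url, valid_issuers):
    """Compare the host the metadata was fetched from with the hosts embedded
    in the document. Returns a dict of findings:
      fetched_host        host:port of metadata_url
      foreign_hosts       endpoint -> host:port that differs from fetched_host
      jwks_on_fetched_host  False when the key set lives on another host (the
                            condition that yields IDX10500 inside a container)
      issuer_allowed      whether the document's issuer is in the app's ValidIssuers
    """
    doc = json.loads(metadata_json)
    fetched_host = urlparse(metadata_url).netloc
    foreign = {}
    for key in CHECKED_KEYS:
        value = doc.get(key)
        if value is None:
            continue
        host = urlparse(value).netloc
        if host != fetched_host:
            foreign[key] = host
    return {
        "fetched_host": fetched_host,
        "foreign_hosts": foreign,
        "jwks_on_fetched_host": "jwks_uri" not in foreign,
        "issuer_allowed": doc.get("issuer") in valid_issuers,
    }


def fetch_and_diagnose(metadata_url, valid_issuers, timeout=5):
    """Run diagnose() against a live discovery endpoint (run this from inside
    the application container, where name resolution matters)."""
    with urlopen(metadata_url, timeout=timeout) as resp:
        return diagnose(resp.read().decode("utf-8"), metadata_url, valid_issuers)


if __name__ == "__main__":
    result = diagnose(
        SAMPLE_METADATA,
        "http://host.docker.internal:7080/realms/master/.well-known/openid-configuration",
        ["http://localhost:7080/realms/master",
         "http://host.docker.internal:7080/realms/master"],
    )
    print(json.dumps(result, indent=2))
```

Run `fetch_and_diagnose` with the same `MetadataAddress` the application uses, from inside the application's container; `jwks_on_fetched_host` false together with `issuer_allowed` true is exactly the situation in the question: the issuer check passes because both names are in `ValidIssuers`, but the handler never obtains keys because `jwks_uri` points at a name the container cannot reach.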