Keycloak behind api gateway - invalid bearer token

Issue description

I am trying to use Keycloak behind an API gateway (Apache APISIX).

I use minikube to run Keycloak and my API gateway.

The gateway is working right and Keycloak too:

With Keycloak, I can use the different end-points (use the discovery end-point (http://127.0.0.1:7070/auth/realms/myrealm/.well-known/uma2-configuration), ask for an access token and verify it).

With APISIX, and a simple route, I can join a backend microservice on my minikube.
(typically : http://127.0.0.1:80/greeting is served by the gateway which routes the request to the right backend microservice)

The problem occurs when I try to use the two tools together. I have used the APISIX Keycloak integration, in order to force the user to use a valid token when he is using a route served by the gateway.

In this case, when I use a valid bearer token (I get it and verify it with the end-point of Keycloak), and I try to request the backend via the API gateway with the verified bearer token, I systematically obtain an "Invalid bearer token" exception.

{"error":"invalid_grant","error_description":"Invalid bearer token"}

I think the settings of the integration are correct because I am sure that the gateway calls Keycloak to verify the token (when I voluntarily set a bad URL for the discovery end-point in the authz-keycloak plugin, the error is clear and the gateway says that it can't reach the discovery end-point).

Here are the Keycloak requests I have used to get and verify the token:

Get token :

curl --location --request POST 'http://127.0.0.1:7070/auth/realms/myrealm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=user' \
--data-urlencode 'password=password' \
--data-urlencode 'client_id=apisix' \
--data-urlencode 'client_secret=******' \
--data-urlencode 'grant_type=password'

Verify token :

curl --location --request POST 'http://127.0.0.1:7070/auth/realms/myrealm/protocol/openid-connect/token/introspect' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic YXBpc2l4OmY3ZTYyMDAxLTI0MTMtNDE2MC04Y2Y4LWZiYmVjYjVkMzU2Nw==' \
--data-urlencode 'token_type_hint=requesting_party_token' \
--data-urlencode 'token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJyNGRmWEFFaVhOMHE2TkNzMHdmVGtJdnJHT2oyMDdSZUdrT0VOeG9oYndNIn0.eyJleHAiOjE2MjY0NTQ0OTQsImlhdCI6MTYyNjQ1MDg5NCwianRpIjoiYmFiODA5ODItZDdmZi00YWYzLWIxOGItNGE4NWFkZDkwOGYwIiwiaXNzIjoiaHR0cDovLzEyNy4wLjAuMTo5MDgwL2F1dGgvcmVhbG1zL215cmVhbG0iLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiZmY3YmJiNzEtYmIxMC00ZDk3LThjOTQtNTU0NmFiZDQ1Y2I2IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYXBpc2l4Iiwic2Vzc2lvbl9zdGF0ZSI6IjNmNjgxM2ZjLTIzZWQtNDMzNy1hZjFjLWQ0MzY5ODcxYTE3MSIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiZGVmYXVsdC1yb2xlcy1teXJlYWxtIiwiZ3JlZXRpbmciLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJwcm9maWxlIGVtYWlsIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0dXNlciJ9.NRm5tYSL4ewQNYIEOBTO9WIZD18yjH61QiR3lTRpyAWOeYvPebVc8GTfytwPX0Sw93YoSfLvKLn0EsrKWolj2wPkPb9ly77wpI93V6yztf9bQrnxMHXv2iC-vvWSeqXbYsbr_9bQIRgui5hAzEhX47q9LcN8lrX_gZ_SSRGK-NEZWUOG_fGJ0czQJ-jxjeeJn1xodBXKqIvYXSylnQ65ucoOsi1_8oJzuKLC85r2b625peo5DhwMrNkQxRqwNh01W4gVYjwYZrZpU9iH5FyNHDz56A_cbhTm_o6XYDEx2iErc1WkFbBacvEG33jzrqutLnOlkkpauE-kia8a9TFQHg'

I have seen some posts about problem when Keycloak is behind a reverse proxy, but I don’t find a clear solution to my case.

Thanks for any help you can bring to me.
Regards
CG

When inspecting your JWT, it is issued to

"iss": "http://127.0.0.1:9080/auth/realms/myrealm",

but you are talking to Keycloak via http://127.0.0.1:7070/auth/...

So, most likely, you’ll have to set the frontend URI in your realm properly. See docs for further explanation.
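The mismatch pointed out above (a token whose `iss` claim names port 9080 while the gateway talks to Keycloak on port 7070) is easy to spot before involving the gateway at all. The following script is an added example, not code from the original thread or from Keycloak or APISIX: it decodes the payload of a JWT without verifying the signature (diagnostics only; the real validation still happens in Keycloak and the plugin), normalises the issuer URL, and compares it with the issuer the gateway is configured to trust. The expected issuer would normally come from the `issuer` field of the realm's discovery document; here it is an assumed constant, and the tokens are constructed inline with a dummy signature so the script runs offline.

```python
import base64
import json
from urllib.parse import urlsplit, urlunsplit


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> dict:
    """Return the claims of a compact JWS WITHOUT checking the signature.
    Suitable only for inspecting why a token is rejected; never for authorisation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def normalize_issuer(url: str) -> str:
    """Lower-case scheme and host, drop default ports and a trailing slash, so that
    purely cosmetic differences are not reported as an issuer mismatch."""
    s = urlsplit(url)
    scheme = s.scheme.lower()
    host = s.hostname or ""
    port = s.port
    if port is None or (scheme, port) in (("http", 80), ("https", 443)):
        netloc = host
    else:
        netloc = f"{host}:{port}"
    return urlunsplit((scheme, netloc, s.path.rstrip("/"), "", ""))


def check_issuer(token: str, expected_issuer: str) -> tuple:
    """Compare the token's iss claim with the issuer the gateway trusts.
    Returns (matches, token_iss, expected_issuer)."""
    claims = decode_jwt_unverified(token)
    token_iss = claims.get("iss", "")
    matches = normalize_issuer(token_iss) == normalize_issuer(expected_issuer)
    return matches, token_iss, expected_issuer


def make_sample_token(iss: str) -> str:
    """Build a constructed test token with a dummy signature. It exists only so
    this example runs offline; a real introspection would of course reject it."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    payload = {"iss": iss, "aud": "account", "azp": "apisix", "typ": "Bearer",
               "exp": 1626454494, "iat": 1626450894}
    compact = {"separators": (",", ":")}
    return ".".join([
        _b64url_encode(json.dumps(header, **compact).encode()),
        _b64url_encode(json.dumps(payload, **compact).encode()),
        _b64url_encode(b"dummy-signature"),
    ])


if __name__ == "__main__":
    # Assumed: the issuer the gateway's discovery endpoint advertises.
    expected = "http://127.0.0.1:7070/auth/realms/myrealm"
    for iss in ("http://127.0.0.1:9080/auth/realms/myrealm", expected):
        ok, got, want = check_issuer(make_sample_token(iss), expected)
        verdict = "OK" if ok else "MISMATCH: Keycloak will reject this token as invalid"
        print(f"iss={got}\nexpected={want}\n{verdict}\n")
```

Run it against a real token by passing the `token` value from the introspection call to `check_issuer` together with the `issuer` from the `.well-known` document; a mismatch means the token was minted under a different frontend URL than the one the gateway reaches Keycloak through.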

Hello, thanks for your response.

The token I have provided is one of the multiple tries I have made, and effectively there is a problem with it.

I reproduce the problem with the request with the following token (you can see that the iss has the value "http://127.0.0.1:7070/auth/realms/myrealm"):

curl --location --request POST 'http://127.0.0.1:7070/auth/realms/myrealm/protocol/openid-connect/token/introspect' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic YXBpc2l4OmY3ZTYyMDAxLTI0MTMtNDE2MC04Y2Y4LWZiYmVjYjVkMzU2Nw==' \
--data-urlencode 'token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJyNGRmWEFFaVhOMHE2TkNzMHdmVGtJdnJHT2oyMDdSZUdrT0VOeG9oYndNIn0.….hlWai_qWzsZ9A3J7YUCF0kKocM8EbjaCCE-cnXgTu4v4NZLJZvq5b2DMIEZ_Lt877GoGWR7093LAAl__xaNI5QwYeqBRIt-RddE2yRUwN9wVsxiOO2TvPOiW-XYmCTOjJnRWnW1o9swe0jzfe_U-kNiDhRMt82jblK5sexLICOhMOicWLqTqmKi1bvEqYoN391afjGYAb4ihu7MTH9FTriT5kBcxSJpeTjl70VNKlYfn0z56DQJy9FjOaQmaICKyTsSDun9F6VJqKX-uVLZ-JywpjJXpgLx0fS66X1Yq0tFBBd10-dpmzjFq2s6jABwXUHY_VkDnH9KbchqqH3x3Uw'

Regards
CG