Issue description
I am trying to use Keycloak behind an API gateway (Apache APISIX).
I use minikube to run Keycloak and my API gateway.
The gateway is working correctly, and Keycloak too:
With Keycloak, I can use the different end-points (use the discovery end-point (http://127.0.0.1:7070/auth/realms/myrealm/.well-known/uma2-configuration), ask for an access token and verify it).
With APISIX, and a simple route, I can join a backend microservice on my minikube.
(typically: http://127.0.0.1:80/greeting is served by the gateway, which routes the request to the right backend microservice)
The problem occurs when I try to use the two tools together. I have used the APISIX Keycloak integration in order to force the user to use a valid token when he is using a route served by the gateway.
In this case, when I use a valid bearer token (I get it and verify it with the end-point of Keycloak) and I try to request the backend via the API gateway with the verified bearer token, I systematically obtain an “Invalid bearer token” exception:
{"error":"invalid_grant","error_description":"Invalid bearer token"}
I think the settings of the integration are correct, because I am sure that the gateway calls Keycloak to verify the token (when I voluntarily set a bad URL for the discovery end-point in the authz-keycloak plugin, the error is clear and the gateway says that it can't reach the discovery end-point).
Here are the Keycloak calls I have used to get and verify the token:
Get token :
curl --location --request POST 'http://127.0.0.1:7070/auth/realms/myrealm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=user' \
--data-urlencode 'password=password' \
--data-urlencode 'client_id=apisix' \
--data-urlencode 'client_secret=******' \
--data-urlencode 'grant_type=password'
Verify token :
curl --location --request POST 'http://127.0.0.1:7070/auth/realms/myrealm/protocol/openid-connect/token/introspect' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic YXBpc2l4OmY3ZTYyMDAxLTI0MTMtNDE2MC04Y2Y4LWZiYmVjYjVkMzU2Nw==' \
--data-urlencode 'token_type_hint=requesting_party_token' \
--data-urlencode 'token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJyNGRmWEFFaVhOMHE2TkNzMHdmVGtJdnJHT2oyMDdSZUdrT0VOeG9oYndNIn0.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.NRm5tYSL4ewQNYIEOBTO9WIZD18yjH61QiR3lTRpyAWOeYvPebVc8GTfytwPX0Sw93YoSfLvKLn0EsrKWolj2wPkPb9ly77wpI93V6yztf9bQrnxMHXv2iC-vvWSeqXbYsbr_9bQIRgui5hAzEhX47q9LcN8lrX_gZ_SSRGK-NEZWUOG_fGJ0czQJ-jxjeeJn1xodBXKqIvYXSylnQ65ucoOsi1_8oJzuKLC85r2b625peo5DhwMrNkQxRqwNh01W4gVYjwYZrZpU9iH5FyNHDz56A_cbhTm_o6XYDEx2iErc1WkFbBacvEG33jzrqutLnOlkkpauE-kia8a9TFQHg'
I have seen some posts about problems when Keycloak is behind a reverse proxy, but I can't find a clear solution for my case.
Thanks for any help you can bring me.
Regards
CG
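Added diagnostic, not part of the original post nor of APISIX or Keycloak: it decodes the bearer token's claims without verifying the signature and compares the `iss` claim with the `issuer` field of the discovery document the gateway fetches. Behind a proxy the token is often issued under the external URL (here http://127.0.0.1:7070/...) while the gateway reaches Keycloak on an in-cluster URL, and Keycloak rejects a token whose issuer does not match the realm URL it believes it is served on (assumption about the root cause; the token and discovery documents below are constructed samples).

```python
import base64
import json
from typing import Optional

# Constructed sample claims mimicking what Keycloak returns for the
# password grant shown in the post. This is not a real token.
SAMPLE_CLAIMS = {
    "iss": "http://127.0.0.1:7070/auth/realms/myrealm",
    "aud": "account",
    "azp": "apisix",
    "typ": "Bearer",
    "exp": 1700000000,
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

# Unsigned (alg "none") constructed token: header.payload.<empty signature>
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    "",
])

def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.
    Diagnostic only: never use this to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))

def issuer_mismatch(token: str, discovery: dict) -> Optional[str]:
    """Compare the token's iss with the issuer in the discovery document the
    gateway fetched (e.g. .../.well-known/uma2-configuration). Returns a
    human-readable explanation on mismatch, None when they agree."""
    iss = decode_claims(token).get("iss")
    expected = discovery.get("issuer")
    if iss != expected:
        return f"token iss={iss!r} but discovery issuer={expected!r}"
    return None

if __name__ == "__main__":
    internal = {"issuer": "http://keycloak.default.svc:8080/auth/realms/myrealm"}
    print(issuer_mismatch(SAMPLE_TOKEN, internal))
```

Run it against the real token and the JSON the gateway gets from its configured discovery URL; if the two issuers differ, align Keycloak's frontend/hostname configuration with the URL the gateway uses.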