Hi, I have a containerized config with nginx
keycloak
and ontoserver
used to test smart backend authentication.
On the token request call, I got error response:
Unable to obtain an access token:
invalid_client Client authentication with signed JWT failed: Token audience doesn't match domain.
Expected audiences are any of [
http://onto.local/realms/ontoserver,
http://onto.local/realms/ontoserver/protocol/openid-connect/token,
http://onto.local/realms/ontoserver/protocol/openid-connect/token/introspect,
http://onto.local/realms/ontoserver/protocol/openid-connect/ext/par/request,
http://onto.local/realms/ontoserver/protocol/openid-connect/ext/ciba/auth]
but audience from token is
'[https://onto.local/realms/ontoserver/protocol/openid-connect/token]'
How can I configure keycloak (nginx?) to have the https schema endponts included in the accepted audiences?
If no other way, how can I add them manually in the keycloak client configuration?
Thanks in advance
/Juan
docker config:
version: "3"
volumes:
postgres_data:
driver: local
services:
# db:
# image: postgres-ontoserver
# container_name: onto-db
# build:
# context: ./postgres
# volumes:
# - pgdata:/var/lib/postgresql/data
# environment:
# - POSTGRES_HOST_AUTH_METHOD=trust
db:
container_name: onto-db
image: postgres:15
environment:
- POSTGRES_HOST_AUTH_METHOD=trust
volumes:
- postgres_data:/var/lib/postgresql/data
ontoserver:
# image: quay.io/aehrc/ontoserver:latest
image: quay.io/aehrc/ontoserver:ctsa-6.19.2
container_name: onto-onto
depends_on:
- db
environment:
# TLS is handled by nginx
- ONTOSERVER_INSECURE=true
# what is the FHIR base url of your Ontoserver? Used to generate links and is featured in the conformance statement
- conformance.fhir.base=https://onto.local/fhir # <== CHANGE THIS SETTING
# enables the OAuth sub-system, required
- ontoserver.security.enabled=true
# is read-only access to FHIR allowed? if false, only /fhir/metadata is allowed without authentication
- ontoserver.security.readOnly.fhir=false # change?
- ontoserver.security.readOnly.api=false # change?
- ontoserver.security.readOnly.synd=false # change?
# can also be Basic, but the documentation does not state how Basic credentials are verified
- conformance.security.kinds=SMART-on-FHIR
# this is the text that displays in the conformance statement
- conformance.security.description=This server uses OpenID Connect to
authorize requests. Read-Only FHIR requests are NOT allowed.
# this is featured in the machine-readable ConformanceStatement and should point to the "authorize" url of your keycloak installation
- conformance.security.authorize=https://onto.local/realms/ontoserver/protocol/openid-connect/auth
# dito, point to your token endpoit
- conformance.security.token=https://onto.local/realms/ontoserver/protocol/openid-connect/token # <== CHANGE THIS SETTING
# keycloak does not really support symmetric signing keys for JWTs using HS256 (rather, the key can not be extracted),
# so that RS256 asymmetric crypto is used for key signing. The public key for RS256 can be obtained in the 'Realm Settings'
# section for the chosen Realm, and then go to "Keys" and copy the Public Key via the button in the RS256 row.
# Replace the public key in the line below, keeping the markers intact (with 5 leading and trailing dashes!).
- ontoserver.security.token.secret=-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAolXTFhA8IcYz7vq3gxzem88DUQK3q7rdOtHPJCpC7BRwV4qsOvDdR74D76mb2OceApbAtTAja18ajitvNJ0M31AEG5eD8RGhdwnHgxksLFeoEkY9tCPSCYu1O2EH2FnDSYj/3a2nR6rqanDpzpNJqgn3yX9mL1LQp7fzxD5SsIR3EHBdffSI69dq0tPQ1Cjy7NgQFDThTZcvIxlga3mCJUPsYjoRFdVL84sjgAkSrnQbd8XZaeXJdfckfeT50TpvLm9wMQbha0STfKAxA577FXQq5CSzEoSL0CjB8/bKj1UPbQRgAB5BfZ/DidRSpQOFPST7kMRTBL0uDWNV8gIFnQIDAQAB
-----END PUBLIC KEY----- # CHANGE THIS SETTING
- JAVA_OPTS=-Xmx2G # 2G mimimum, 8G optimum
keycloak:
image: ontoserver-keycloak
container_name: onto-keycloak
depends_on:
- db
build:
context: ./keycloak
ports:
- "8080:8080"
environment:
# - KEYCLOAK_USER_FILE=/opt/secrets/username.secret #<== CREATE THIS FILE
# - KEYCLOAK_PASSWORD_FILE=/opt/secrets/password.secret #<== CREATE THIS FILE
# - DB_VENDOR=postgres
# - DB_ADDR=db
# - DB_DATABASE=keycloak-orig
# -
# - KC_LOG_LEVEL=DEBUG
# -
- KEYCLOAK_FRONTEND_URL=https://onto.local/realms/ontoserver
# -
# - KC_DB=postgres
# - KC_DB_USERNAME=cdr
# - KC_DB_PASSWORD=smile
# - KC_DB_URL=jdbc:postgresql://host.docker.internal/kc-tls
- KC_HOSTNAME=onto.local
# - DB_VENDOR=postgres
# - DB_ADDR=jdbc:postgresql://db:5432/keycloak
# - DB_DATABASE=kc-tls
# -
- KC_HTTP-ENABLED=true
# -
# - KEYCLOAK_ADMIN=admin
# - KEYCLOAK_ADMIN_PASSWORD=admin
- KC_BOOTSTRAP_ADMIN_USERNAME=admin
- KC_BOOTSTRAP_ADMIN_PASSWORD=admin
# -
- PROXY_ADDRESS_FORWARDING=true # essential for operating behind proxy!
- KC_PROXY=edge
command:
- start-dev
# - --import-realm
# - --optimized
nginx:
image: ontoserver-nginx
container_name: onto-nginx
# command: [nginx-debug, '-g', 'daemon off;']
command:
- nginx
build:
context: ./nginx
ports:
- "80:80"
- "443:443"
depends_on:
- ontoserver
- keycloak
nginx config:
events { worker_connections 1024; }
error_log stderr debug;
http {
server {
listen 80;
listen [::]:80;
server_name onto.local;
access_log /dev/stdout;
client_max_body_size 600M;
include ssl.conf;
# enforce HSTS, this may make debugging harder and is not active during testing!
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# resolve relative file names (index.html) from this dir
root /usr/share/nginx/html;
# handle index.html, bypassing Ontoserver
location /index.html {
try_files index.html =404;
# if the file is missing, serve a 404.
}
# pass keycloak to keycloak container
location /keycloak/ {
proxy_pass http://keycloak:8080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
}
# redirect auth separately (http://<server>/keycloak will redirect to /realms)
location /realms/ {
proxy_pass http://keycloak:8080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
}
# everything else (notably: /fhir/, /css/ and /js/) will be handled by ontoserver
location / {
proxy_http_version 1.1;
proxy_pass http://ontoserver:8080/;
proxy_set_header Host $host;
proxy_read_timeout 300s;
include cors_support;
}
}
}