Keycloak + Docker stack + Node.js REST API server seemingly impossible to get working

Hi,

We’re running Keycloak successfully locally as well in AWS to secure our web portal and its backend’s REST API server (written in Node.js, using the js keycloak connector).

When we’ve run it locally we’ve had a small docker-compose stack consisting of only the jboss keycloak image together with the PostgreSQL db image.

We have a web app client for user authentication and a web app backend client with bearer-only.

So far, nothing that 99% of the guides and help pages we find on the internet can’t help us out with.

BUT we’ve tried to expand the docker-compose stack we use for local development to also include the web app frontend + backend. And we just can’t get it to work:

A. Authenticating using curl (from the host computer (running Windows 10)) to the Keycloak server within the Docker stack works, we get a token as expected.

B. Using this token when invoking the REST API server which is in the same docker-compose stack (again using curl from the host computer), the API server gets ‘access denied’ from the Keycloak server. (No diagnostics / error information are given.)

C. If I run both of the curl commands above from a terminal inside the docker-compose stack, it works!

Conclusion - in this setup, Keycloak server denies usage of the bearer token when the validation request from the REST API server comes from a different network source than the original authentication request that created the bearer token. Or something along those lines…

Does anyone have any tips? I’ve spent too many hours on this already.

(Additionally, tips on how to get some useful diagnostics information from the Keycloak Node.js connector would be very welcome.)

Thanks!
/ Christer

Hello! I’m not sure if you’ve already solved the problem, but these days I was facing a similar issue:

I was developing a Client-Server application with Flutter+Dart for the front-end and NodeJS+MongoDB for the back-end.

The NodeJS’s exposed APIs were protected by Keycloak using the Keycloak-Connect module.

My issue was the following:
When running all the services as individual containers, everything seemed to work and, of course, when sending the Bearer token, all the role-based access was working properly.

Then when building the project with Docker Compose, so that all the services started at the same time, all the protected APIs responded with a 403 HTTP Status Code.

Solution:
The problem was within the JWT token issuer.

From the front-end I was referring to the Keycloak server as “127.0.0.1”, but within the containers, NodeJS was connected to “http://keycloak:/auth”.
So the front-end JWT token was a valid JWT token but with issuer “127.0.0.1”, whereas the back-end was testing the JWT issuer as “keycloak”.

To solve this problem, I just needed to edit the /etc/hosts file by adding the entry:

127.0.0.1 keycloak

So that the front-end communicates with the “keycloak” issuer.

So, maybe your problem could also be related to the issuer name, which from the “outside world” is different from the one that you’re using in keycloak-connect’s config.

Hope this could help!