We’re running Keycloak successfully locally as well as in AWS to secure our web portal and its backend’s REST API server (written in Node.js, using the js keycloak connector).
When we’ve run it locally we’ve had a small docker-compose stack consisting of only the jboss keycloak image together with the PostgreSQL db image.
We have a web app client for user authentication and a web app backend client with bearer-only.
So far, nothing that 99% of the guides and help pages we find on the internet can’t help us out with.
BUT we’ve tried to expand the docker-compose stack we use for local development to also include the web app frontend + backend. And we just can’t get it to work:
A. Authenticating using curl (from the host computer (running Windows 10)) to the Keycloak server within the Docker stack works, we get a token as expected.
B. Using this token when invoking the REST API server which is in the same docker-compose stack (again using curl from the host computer), the API server gets ‘access denied’ from the Keycloak server. (No diagnostics / error information are given.)
C. If I run both of the curl commands above from a terminal inside the docker-compose stack, it works!
Conclusion - in this setup, Keycloak server denies usage of the bearer token when the validation request from the REST API server comes from a different network source than the original authentication request that created the bearer token. Or something along those lines…
Does anyone have any tips? I’ve spent too many hours on this already.
(Additionally, tips on how to get some useful diagnostics information from the Keycloak Node.js connector would be very welcome.)