Token Validation mismatch between iss and realm url

Hi All,

We recently migrated from Keycloak 4 to Keycloak 19. The data migrated successfully (thanks to Keycloak's automatic migration), and we can log in to the admin console and verify integrity.
The problem we are having is that when we try to work with tokens we get an IssuerToken ValidationException: Expected “domainA” but was “domainB”.

I have tried going through community forums, but cannot figure out what is missing or something I may have missed.

Our setup is as follows:
We have two domains, domainA and domainB, which are both public-facing URLs and behind Akamai.
The Keycloak hostname is configured with domainB, which is behind an nginx reverse proxy.

When I issue a token using domainB, in the iss claim from the JWT I can see my iss reflects domainB.
When I issue a token using domainA, in the iss claim from the JWT, the iss reflects domainB.

In this scenario what is happening is that the RealmUrlCheck validation fails, as the realm and the issuer claim are different - and that makes sense.

We didn't have the same behaviour in the previous version of Keycloak though, and that is confusing.
As in the previous Keycloak version, if I issue a token

  1. using domainB, then iss would have domainB claim in it
  2. using domainA, then iss would have domainA claim in it

What configuration would I be missing?

Old Keycloak v4 (jboss) had:
HOSTNAME: domainB
PROXY_FORWARDING_ADDRESS: true

New Keycloak v19.0.1 (quarkus) has:
HOSTNAME: domainB
KC_PROXY: edge
KC_HOSTNAME_STRICT: false
KC_HTTP_ENABLED: true

Was able to solve this through a hack by overriding the frontend URL through the admin console, which then overrides the iss claim value.

For multi-tenancy systems not sure.
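
Added example, not from the original posts or from Keycloak's own code: a small Python model of the issuer check described in the thread, showing why a token requested through domainA fails once the issuer is pinned to domainB. The hosts `domainA.example` and `domainB.example`, the realm name `demo`, the `/realms/<realm>` path and all function names are assumptions, and the tokens are constructed samples with a placeholder signature.

```python
import base64
import json

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(iss: str) -> str:
    """Constructed token: real header/payload encoding, placeholder signature."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": iss, "sub": "constructed-user"}).encode())
    return f"{header}.{payload}.c2lnbmF0dXJl"

def read_iss(token: str) -> str:
    """Read iss WITHOUT verifying the signature; diagnosis only, never authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))["iss"]

def realm_url(host: str, realm: str) -> str:
    # Assumed path layout; older deployments may carry an extra context path.
    return f"https://{host}/realms/{realm}"

def issued_iss(request_host, realm, fixed_hostname=None):
    """Model of the two behaviours in the thread: a fixed hostname pins iss,
    otherwise iss follows the host the client used."""
    return realm_url(fixed_hostname or request_host, realm)

def check_issuer(token, request_host, realm):
    """The comparison the thread describes: realm URL of the request vs iss claim."""
    expected, actual = realm_url(request_host, realm), read_iss(token)
    if expected == actual:
        return "ok"
    return f"issuer mismatch: expected {expected} but was {actual}"

def survey(hosts, realm, fixed_hostname=None):
    """Issue and then validate a token through every public host."""
    return {h: check_issuer(make_sample_token(issued_iss(h, realm, fixed_hostname)), h, realm)
            for h in hosts}

if __name__ == "__main__":
    hosts = ["domainA.example", "domainB.example"]  # constructed placeholders
    for label, fixed in (("hostname pinned to domainB", "domainB.example"),
                         ("iss follows request host", None)):
        print(label, survey(hosts, "demo", fixed))
```

Running `read_iss` on a real token captured through each public URL shows which of the two behaviours a deployment is exhibiting before any hostname setting is changed.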