Using access token in cross-domain environment

Hello All,

Scenario is following:

Auth structure:
subdomainA.domain.com APP ----+
                              +---> authDomain (KC lives here)
subdomainB.domain.com APP ----+

Backend communication structure:
subdomainA.domain.com APP-A --> request to /api/data... --> (Reverse proxy) --> BE server
                                                              |
subdomainB.domain.com APP-A --> request to /api/data...---------+

Recently we spun up a new Frontend environment just for design work. Its sole purpose is to present only visual updates, thus all backend communication is proxied to the original BE server (dedicated for APP-A).

Obviously, Keycloak is used, besides being our OpenID Connect provider, as an OAuth2 server to validate requests and their access tokens.

For the main environment everything works perfectly. When we try to configure the second environment, at first we got incorrect redirections after login attempts from APP-B. Even with the redirect URL query parameter, it was overwritten by the frontendUrl property that was set in the Keycloak admin console.

After deleting frontendUrl we got correct redirection, but requesting any data results in an invalid request with the auth header set as follows:

Bearer realm="<realm-name>", 
error="invalid_token", error_description="Invalid token issuer. 
Expected '<authServer>/realms/<realm-name>', 
but was 'subdomainB.domain.com'"

We are considering spinning up a dedicated realm just for this test environment and setting the correct frontendUrl there, but I guess this is supposed to be a really common case (cross-domain communication), so it should be possible to configure such cases without such extreme methods…

Any help would be appreciated, and a disclaimer: I’m unfortunately not a KC/Auth/Sec expert; if any additional info is needed, I’d be glad to supplement this question.
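The rejection quoted above is the resource server pinning the token's `iss` claim to the realm URL it was configured with, while Keycloak stamped the token with whatever base URL it resolved at issuance time (the request host once frontendUrl was removed). The following is an added example, not Keycloak's or the poster's code, that reproduces that check with a minimal HS256 JWT built from the standard library only (Keycloak itself signs with RS256); the issuer URLs, realm name and key are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example (not from any real deployment):
# the issuer a resource server expects, i.e. "<authServer>/realms/<realm-name>".
EXPECTED_ISSUER = "https://authdomain.example.com/realms/my-realm"
SECRET = b"example-hs256-key"  # stand-in for the realm's signing key


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, claims: dict) -> str:
    """Mint an HS256 JWT whose 'iss' is whatever base URL the issuer resolved."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, **claims}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, expected_issuer: str = EXPECTED_ISSUER):
    """Resource-server check: verify the signature first, then pin the issuer.
    Returns (claims, None) on success or (None, error_description) on failure."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None, "Malformed token"
    expected_sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig)):
        return None, "Invalid signature"
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != expected_issuer:
        # Same shape as the error_description the poster's backend returned.
        return None, (f"Invalid token issuer. Expected '{expected_issuer}', "
                      f"but was '{claims.get('iss')}'")
    return claims, None


if __name__ == "__main__":
    # Token minted with the frontendUrl-based issuer vs. one minted from the request host.
    print(validate_token(mint_token(EXPECTED_ISSUER, {"sub": "user-1"})))
    print(validate_token(mint_token("https://subdomainb.domain.com/realms/my-realm", {"sub": "user-1"})))
```

The issuer check only runs after the signature verifies, so a token whose `iss` was rewritten by hand is rejected earlier; the fix for the poster's situation is to make the issuer Keycloak stamps (via frontendUrl or the hostname settings) match what every resource server is configured to expect.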

Hi,

I’m facing a similar issue, but with 2 domains, not just subdomains: we have a main webapp and are working on a portal for specific services, which lives in a different domain; this new app lives at “app.example.com” and KC is at “idm.example2.com”.

Did you figure a fix?