Invalid token issuer
Hi,
I have a tricky issue and I need your help to solve it.
I’m implementing OpenID Connect on my own infrastructure. I have set up an OpenShift platform and installed my services on it.
I have a Keycloak (an OpenID Connect server) installation and my app that connects to it.
The keycloak is available externally at identity.myapp.com
My app is available externally at app.myapp.com
OpenShift doesn’t let my app talk to Keycloak using the external route, as they are in the same network and can’t access the OpenShift integrated proxy from the inside.
Therefore my OpenID Issuer setup is:
const { Issuer } = require('openid-client');

// issuer and authorization_endpoint use the external route (what the browser sees);
// the back-channel endpoints use the internal OpenShift service route
const keycloak = new Issuer({
issuer: "https://identity.myapp.com/auth/realms/master",
authorization_endpoint: "https://identity.myapp.com/auth/realms/master/protocol/openid-connect/auth",
token_endpoint: "http://keycloak-openshift:8080/auth/realms/master/protocol/openid-connect/token",
userinfo_endpoint: "http://keycloak-openshift:8080/auth/realms/master/protocol/openid-connect/userinfo",
jwks_uri: "http://keycloak-openshift:8080/auth/realms/master/protocol/openid-connect/certs"
});
Note that the issuer and authorization endpoint point to the external route, and all the other endpoints used by the app point to the internal route.
When I try to retrieve the token I get this error:
{ OpenIdConnectError: invalid_token
at Client.gotErrorHandler (/opt/app-root/src/node_modules/openid-client/lib/error_handler.js:8:11)
at process._tickCallback (internal/process/next_tick.js:103:7)
message: 'invalid_token',
error: 'invalid_token',
error_description: 'Token invalid: Invalid token issuer. Expected \'http://keycloak-openshift-3:8080/auth/realms/master\', but was \'https://identity.myapp.com/auth/realms/master\'',
state: undefined,
scope: undefined }
As you can see, the library expects the issuer value in the token to be set at the internal route, but Keycloak sets it to the external route (as it is called from outside).
Is there a way to tell the library to check the issuer with the value passed at the Issuer instantiation? Or is there a way to disable the issuer validation (I’m in a private Docker network)?
For sure I cannot use the external route from my app. My only other solution would be to take Keycloak out of my platform but I lose the easy scalability and reliability benefits.
Created 6 years ago; 8 comments (3 by maintainers)
The workaround was to leave it as-is. I mean, if the URL used by the browser is not the same URL the client is calling to validate the token, the keycloak server will refuse the validation. I had to create a dummy DNS entry for my specific setup that allowed the client to have access to keycloak from the inside, but with the same domain name as the browsers have access to it from the outside.
Hi, how did you work around your problem?