
I have a problem with KeyCloak 19.0.1 deployed in Kubernetes as a custom Docker image (built by me) and a Spring Boot client application. I see in my app logs:

o.k.adapters.OAuthRequestAuthenticator   : failed verification of token: Invalid token issuer. Expected 'http://auth.example.com/realms/MyRealm', but was 'https://auth.example.com/realms/MyRealm'

My application is accessible via https://example.com, the KeyCloak is accessible via https://auth.example.com. All pods are behind Ingress Nginx. I set the ingress to detect the correct client IP (by setting: controller.service.externalTrafficPolicy=Local). If I try to log in to the admin console with bad credentials, I see my public IP in the KeyCloak logs:

WARN  [org.keycloak.events] (executor-thread-68) type=LOGIN_ERROR, realmId=dbb1ee57-XXXX, clientId=security-admin-console, userId=null, ipAddress=165.225.XX.XX, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=https://auth.example.com/admin/master/console/#/MyRealm/realm-settings/general, code_id=d905f971-5638-40e0-8460-73df72e68398, username=xxxx, authSessionParentId=d905f971-XXXX, authSessionTabId=2VFrXXXXXX

Also https://auth.example.com/realms/master/.well-known/openid-configuration returns the whole configuration and each URI uses https:// instead of http://.

Configuration of the KeyCloak pod (other ENVs like the DB connection cut out):

env:
  - name: KC_HOSTNAME
    value: "auth.example.com"    # to override the default for local development; without it something else didn't work
  - name: KC_HOSTNAME_URL
    value: "https://auth.example.com"
  - name: KC_PROXY
    value: edge

Start arguments passed to KeyCloak container: start-dev --http-port 8080 --http-enabled true --hostname-strict false.

Config of Spring Boot (communication between the Spring backend and KeyCloak inside the cluster):

env:
  - name: KEYCLOAK_AUTHSERVERURL
    value: http://gap-got-chart-keycloak-svc:8080

Defaults in application.yaml:

keycloak:
  auth-server-url: http://localhost:8081
  realm: MyRealm
  resource: my-app-id
  public-client: true
  principal-attribute: preferred_username

Any idea what is misconfigured?

2 Answers


  1. Chosen as BEST ANSWER

    The workaround is to use the public DNS name of the KeyCloak server:

    env:
      - name: KEYCLOAK_AUTHSERVERURL
        value: https://auth.example.com


  2. You are running Keycloak behind a proxy (Nginx), so make sure your Keycloak is aware of that (+ the proxy must pass correct X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Host HTTP headers to Keycloak):

    KC_PROXY=edge
    

    See the docs: https://www.keycloak.org/server/reverseproxy
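
The issuer check that produces the error in the question, reproduced as an added example (not code from the question, the answers or Keycloak itself): the client derives the issuer it expects as `<auth-server-url>/realms/<realm>` (assumed to mirror how the Keycloak adapter builds the realm URL) and compares it byte-for-byte with the token's `iss` claim, so the internal `http://` service URL can never match tokens minted with the public `https://` issuer, while the public DNS name from the accepted answer does. The token is a constructed, unsigned sample; signature verification is a separate step that this snippet does not perform.

```python
import base64
import json

# Constructed sample: the issuer Keycloak writes into tokens when reached through the
# TLS-terminating ingress (matches the "but was" value in the question's log line).
PUBLIC_ISSUER = "https://auth.example.com/realms/MyRealm"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token(claims: dict) -> str:
    """Build an UNSIGNED sample JWT for offline demonstration only (empty signature segment).
    Real tokens are signed by Keycloak; the signature check is separate from the issuer check."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_payload(token: str) -> dict:
    """Read the claims of a compact JWT without verifying it (enough to inspect 'iss')."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def expected_issuer(auth_server_url: str, realm: str) -> str:
    """Issuer the client expects: <auth-server-url>/realms/<realm>, trailing slash dropped
    (assumed to mirror how the Keycloak adapter derives the realm URL from auth-server-url)."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}"


def check_issuer(token: str, auth_server_url: str, realm: str) -> tuple[bool, str]:
    """Exact string comparison: scheme, host and port all count, which is why an internal
    http:// service URL cannot validate tokens minted with the public https:// issuer."""
    expected = expected_issuer(auth_server_url, realm)
    actual = decode_jwt_payload(token).get("iss", "")
    if actual != expected:
        return False, f"Invalid token issuer. Expected '{expected}', but was '{actual}'"
    return True, "issuer ok"


SAMPLE_TOKEN = build_sample_token({"iss": PUBLIC_ISSUER, "azp": "my-app-id", "preferred_username": "alice"})

if __name__ == "__main__":
    # Internal cluster address from the question: fails the issuer check.
    print(check_issuer(SAMPLE_TOKEN, "http://gap-got-chart-keycloak-svc:8080", "MyRealm"))
    # Public DNS name from the accepted answer: passes.
    print(check_issuer(SAMPLE_TOKEN, "https://auth.example.com", "MyRealm"))
```

Pointing the client at the public URL keeps the issuer check intact; loosening or disabling the check would be the wrong way to silence this error.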
