Keycloak / KEYCLOAK-19423

Authorization is not working if connecting backend service is deployed in the same cluster


Details

    • Type: Bug
    • Status: Triage
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 15.0.2
    • Fix Version/s: None
    • Component/s: Authorization Services
    • Labels: None
    • Environment:

      To reproduce the issue one can use the authorization example from the quarkus-quickstarts repository with the provided realm configuration.

      Steps to reproduce and more detailed information can be found in quarkus issue 20089.

    Description

      This issue has already been discussed as a Quarkus issue on GitHub.
      Here is just a brief summary of what the problem is. The setup is as follows.

      A Keycloak server and a backend service (some REST endpoints) are deployed in the same cluster. A Keycloak client is configured with authorization enabled. The service has to reach Keycloak via its backend URL (the frontend URL is not accessible from the inside) and is therefore started with quarkus.oidc.auth-server-url = backend-url and quarkus.oidc.token.issuer = frontend-url.

      For Keycloak there are two options, though for both of them the authorization is failing.

      1. Frontend URL is defined in Keycloak
        The backend service is not able to reach the enforced frontend base URL of the authorization_endpoint advertised by the OIDC discovery endpoint and can't access the authorization resources.
      2. Frontend URL is not defined in Keycloak
        Keycloak doesn't accept the token during authorization due to a mismatch of the issuer.

      As far as I can tell, there's currently no possibility to use Keycloak authorization when deployed on the same cluster using internal URLs. I believe it's a conceptual issue which would have to be resolved.
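      The two failure modes above, as an added diagnostic script that is not part of this issue and not code from the Keycloak or Quarkus projects. It reproduces the reporter's reasoning offline: the backend and frontend realm URLs, the modelled discovery documents and the unsigned sample token are all constructed assumptions, and `model_discovery` is a simplified model of how Keycloak builds the issuer and the advertised endpoints (from the enforced frontend URL when one is set, otherwise from the host the request arrived on). With the frontend URL defined, every endpoint in discovery points at a host the in-cluster service cannot reach; without it, the token's `iss` (minted through the frontend) no longer matches the issuer Keycloak derives for a request on the backend URL.

```python
"""Added diagnostic for the two failure modes in the description.
Everything here is constructed sample data: the URLs, the modelled
discovery documents and the unsigned sample token are assumptions,
not values from the issue or from Keycloak/Quarkus code."""
import base64
import json
from urllib.parse import urlparse

# Assumed cluster-internal (backend) and public (frontend) realm URLs.
BACKEND_URL = "http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/quarkus"
FRONTEND_URL = "https://sso.example.com/auth/realms/quarkus"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a sample JWT with an empty signature, for diagnosis only."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_claims(token: str) -> dict:
    """Read the payload without verifying the signature (diagnosis only,
    never a substitute for real token validation)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def model_discovery(issuer_seen_by_keycloak: str) -> dict:
    """Simplified model (an assumption) of what Keycloak serves at
    <realm>/.well-known/openid-configuration: the issuer and every
    endpoint are built from the base URL Keycloak computes for the
    request, i.e. the enforced frontend URL when one is configured,
    otherwise the host the request arrived on."""
    base = issuer_seen_by_keycloak
    return {
        "issuer": base,
        "authorization_endpoint": f"{base}/protocol/openid-connect/auth",
        "token_endpoint": f"{base}/protocol/openid-connect/token",
        "jwks_uri": f"{base}/protocol/openid-connect/certs",
    }


def diagnose(auth_server_url, expected_issuer, discovery, token):
    """Return findings for a service that reaches Keycloak at
    auth_server_url (quarkus.oidc.auth-server-url), validates `iss`
    against expected_issuer (quarkus.oidc.token.issuer), fetched
    `discovery` from auth_server_url and received `token`."""
    findings = []
    reachable_host = urlparse(auth_server_url).netloc
    claims = decode_jwt_claims(token)

    # Failure mode 1: discovery advertises endpoints on a host the
    # service cannot reach from inside the cluster.
    for name in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        host = urlparse(discovery[name]).netloc
        if host != reachable_host:
            findings.append(f"{name} advertised on {host}, service can only reach {reachable_host}")

    # Failure mode 2: the token carries the frontend issuer, but Keycloak,
    # answering on the backend URL, derives a different issuer and rejects it.
    if claims.get("iss") != discovery["issuer"]:
        findings.append(f"token iss {claims.get('iss')} differs from issuer Keycloak derives for this request, {discovery['issuer']}")

    # Service-side sanity check: quarkus.oidc.token.issuer must match the token.
    if claims.get("iss") != expected_issuer:
        findings.append(f"token iss {claims.get('iss')} differs from configured issuer {expected_issuer}")
    return findings


# Tokens reach the service via the browser, so `iss` is always the frontend URL.
SAMPLE_TOKEN = make_unsigned_token({"iss": FRONTEND_URL, "sub": "alice", "aud": "backend-service"})


def scenario_frontend_url_defined():
    """Option 1 from the description: frontend URL enforced in Keycloak."""
    discovery = model_discovery(FRONTEND_URL)
    return diagnose(BACKEND_URL, FRONTEND_URL, discovery, SAMPLE_TOKEN)


def scenario_frontend_url_not_defined():
    """Option 2: no frontend URL, Keycloak uses the request host as issuer."""
    discovery = model_discovery(BACKEND_URL)
    return diagnose(BACKEND_URL, FRONTEND_URL, discovery, SAMPLE_TOKEN)


if __name__ == "__main__":
    for name, scenario in (("frontend URL defined", scenario_frontend_url_defined),
                           ("frontend URL not defined", scenario_frontend_url_not_defined)):
        print(f"== {name} ==")
        for finding in scenario():
            print(" -", finding)
```

      Against a real deployment, replace `model_discovery` with a GET of `<auth-server-url>/.well-known/openid-configuration` and `SAMPLE_TOKEN` with a token captured from a request; the host comparison and the `iss` comparison then tell you which of the two options your Keycloak is in.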

    Assignee: Unassigned
    Reporter: Martin Vicentini (martin.vicentini)