  1. Keycloak
  2. KEYCLOAK-5014

Allow token validation against multiple issuers, not just the realm URL

    Details

    • Type: Feature Request
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate Issue
    • Affects Version/s: 3.1.1.Final
    • Fix Version/s: None
    • Component/s: Adapter - Node.js
    • Labels:
      None
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      In development environments running a containerized local Keycloak server, or in some more complex network topologies, not all clients will be able to access the Keycloak server at the same URL. However, token validation in the Node.JS adapter middleware only allows tokens with an issuer exactly equal to the realm URL.

      If a web browser obtains a token at a realm URL accessible to the developer machine/VM, and passes it as a bearer token to a back end service which must access the Keycloak server at a different URL (e.g. a hostname on an internal container network), the token will fail validation.

      Some other JWT validation libraries allow validation against multiple tokens (in an array). This would be a big improvement to the Keycloak middleware.

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  rationull Jonathan Little
                • Votes:
                  7
                  Watchers:
                  16

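
The issuer mismatch described in this issue, and the allow-list check it asks for, as an added example (not code from the Keycloak Node.js adapter or from the reporter). The realm URLs, function names and the unsigned sample token are constructed for illustration; the sketch assumes signature verification has already been done and covers only the `iss` comparison.

```javascript
// Added illustration; not keycloak-connect code. Assumes the token's signature
// was already verified against the realm key. Only the `iss` check is shown.

// Constructed realm URLs (hypothetical hosts): one as seen by the browser,
// one as seen by a back-end service on an internal container network.
const BROWSER_REALM_URL = 'http://localhost:8080/auth/realms/demo';
const INTERNAL_REALM_URL = 'http://keycloak:8080/auth/realms/demo';

function b64urlJson(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Builds a constructed, unsigned sample token (placeholder signature part).
function makeSampleToken(claims) {
  return [b64urlJson({ alg: 'RS256', typ: 'JWT' }), b64urlJson(claims), 'c2ln'].join('.');
}

function readClaims(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const claims = JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
  if (claims === null || typeof claims !== 'object') throw new Error('malformed claims');
  return claims;
}

// Accepts the token only if `iss` exactly equals one configured issuer.
// No prefix, substring or case-insensitive matching: a near-miss URL is rejected.
function checkIssuer(token, allowedIssuers) {
  const allowed = new Set(allowedIssuers);
  if (allowed.size === 0) return { ok: false, reason: 'no issuers configured' };
  let claims;
  try {
    claims = readClaims(token);
  } catch (err) {
    return { ok: false, reason: err.message };
  }
  if (typeof claims.iss !== 'string') return { ok: false, reason: 'missing iss claim' };
  if (!allowed.has(claims.iss)) return { ok: false, reason: 'issuer not allowed: ' + claims.iss };
  return { ok: true, issuer: claims.iss };
}

// Token issued at the browser-facing URL, checked by the back-end service.
const sample = makeSampleToken({ iss: BROWSER_REALM_URL, sub: 'constructed-user' });
console.log(checkIssuer(sample, [INTERNAL_REALM_URL]));                    // rejected
console.log(checkIssuer(sample, [INTERNAL_REALM_URL, BROWSER_REALM_URL])); // accepted
```

Every URL placed in the allow-list is a trust decision: each entry should resolve to the same realm whose signing key is used for verification.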