WildFly: WFLY-16059

ELY23019: Invalid ID token

Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Fix Version/s: None
    • Affects Version/s: 26.0.1.Final
    • Component/s: Management, Security, Server
    • Labels: None
    Steps to Reproduce

      A Docker Compose test environment was created for WFLY-16000, and that test case also demonstrates this Invalid ID token issue. The test environment can be found here:

      https://github.com/slominskir/wfly16000

      The easiest way to reproduce is to use the Docker test environment. To reproduce manually instead, install Keycloak and configure it with a frontend URL that differs from the backend URL. WildFly then needs to be configured using provider-url instead of auth-server-url. Create a simple application (.war file) that triggers authentication, deploy it, navigate to the page to trigger authentication, and watch the logs after a successful authentication.
    Workaround

      Use auth-server-url instead of provider-url to avoid this issue.

    Description

      There are several different ways to configure OIDC in WildFly, and a few of them result in:

      ERROR [org.wildfly.security.http.oidc] (default task-1) ELY23013: Failed verification of token: ELY23019: Invalid ID token

      For example, including provider-url directly inside the secure-deployment element of standalone.xml, in combination with a Keycloak whose frontend address differs from its backend address, produces this error. The scenario where the provider element is used separately from the secure-deployment element also causes this.
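      The two subsystem configurations the report contrasts, as an added illustration that is not taken from the issue or from the linked test environment; the host, realm, client and deployment names are placeholders, and the subsystem namespace version is assumed to be the 1.0 schema shipped with WildFly 25/26. Only one of the two subsystem blocks would appear in a real standalone.xml.

```xml
<!-- Added illustration, not from the issue or its test environment.
     Host, realm, client and deployment names are placeholders;
     the namespace version is assumed. -->

<!-- Variant the report says fails with ELY23019 when Keycloak's frontend URL
     differs from the backend URL WildFly talks to: provider-url is given
     directly inside secure-deployment. -->
<subsystem xmlns="urn:wildfly:elytron-oidc-client:1.0">
    <secure-deployment name="demo-app.war">
        <provider-url>http://keycloak-backend.example:8080/auth/realms/demo</provider-url>
        <client-id>demo-client</client-id>
        <public-client>true</public-client>
    </secure-deployment>
</subsystem>

<!-- Workaround from the report: auth-server-url plus realm instead of provider-url. -->
<subsystem xmlns="urn:wildfly:elytron-oidc-client:1.0">
    <secure-deployment name="demo-app.war">
        <auth-server-url>http://keycloak-backend.example:8080/auth</auth-server-url>
        <realm>demo</realm>
        <client-id>demo-client</client-id>
        <public-client>true</public-client>
    </secure-deployment>
</subsystem>
```

      The /auth path prefix in the placeholder URLs applies to pre-Quarkus Keycloak distributions; newer releases drop it. After switching, a successful login should no longer log ELY23013/ELY23019 for the deployment.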

    People

      Assignee: fjuma1@redhat.com Farah Juma
      Reporter: slominskir Ryan Slominski
      Votes: 0
      Watchers: 3