Keycloak Gatekeeper always fails to validate 'iss' claim value
Adding the match-claims to the configuration file doesn't seem to do anything. Actually, Gatekeeper is always throwing me the same error when opening a resource (with or without the property).
My Keycloak server is inside a docker container, accessible from an internal network as http://keycloak:8080 while accessible from the external network as http://localhost:8085.
I have Gatekeeper connecting to the Keycloak server in an internal network. The request comes from the external one, therefore, the discovery-url will not match the 'iss' token claim.
Gatekeeper is trying to use the discovery-url as 'iss' claim. To override this, I'm adding the match-claims property as follows:
```yaml
discovery-url: http://keycloak:8080/auth/realms/myRealm
match-claims:
  iss: http://localhost:8085/auth/realms/myRealm
```
The logs look like:
On startup:

```
keycloak-gatekeeper_1 | 1.5749342705316222e+09 info token must contain {"claim": "iss", "value": "http://localhost:8085/auth/realms/myRealm"}
keycloak-gatekeeper_1 | 1.5749342705318246e+09 info keycloak proxy service starting {"interface": ":3000"}
```

On request:

```
keycloak-gatekeeper_1 | 1.5749328645243566e+09 error access token failed verification {"client_ip": "172.22.0.1:38128", "error": "oidc: JWT claims invalid: invalid claim value: 'iss'. expected=http://keycloak:8080/auth/realms/myRealm, found=http://localhost:8085/auth/realms/myRealm."}
```
This ends up in a 403 Forbidden response.
I've tried it on Keycloak-Gatekeeper 8.0.0 and 5.0.0, both with the same issue.
- Is this supposed to work the way I'm trying to use it?
- If not, what am I missing? How can I validate the iss or bypass this validation (preferably the former)?
Solution 1:[1]
It is failing during discovery data validation - your setup violates the OIDC specification:

> The issuer value returned MUST be identical to the Issuer URL that was directly used to retrieve the configuration information. This MUST also be identical to the iss Claim value in ID Tokens issued from this Issuer.

It is a MUST, so you can't disable it (unless you want to hack the source code - it should be in the coreos/go-oidc library). Configure your infrastructure setup properly (e.g. use the same DNS name for Keycloak in the internal/external network, content rewrite for internal network requests, ...) and you will be fine.
Solution 2:[2]
Change the DNS name to host.docker.internal:

- token endpoint: http://host.docker.internal/auth/realms/example-realm/open-id-connect/token
- issuer URL in your property file: http://host.docker.internal/auth/realms/example-realm

In this way both outside world access and internal calls to Keycloak can be achieved.
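To make the two checks in the Discovery rule quoted in Solution 1 concrete, here is an added Go example (not Gatekeeper's or go-oidc's code) that pulls the iss claim out of a constructed, unsigned token and runs it through both comparisons with the hostnames from the question. The function names and the fixture token are assumptions for illustration; signature verification, which a real proxy performs before trusting any claim, is left out.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// checkIssuer applies the two Discovery rules quoted in Solution 1: the document issuer must
// equal the discovery-url it came from, and the token's iss must equal that issuer; "" means OK.
func checkIssuer(discoveryURL, documentIssuer, tokenIss string) string {
	if documentIssuer != discoveryURL {
		return fmt.Sprintf("discovery issuer mismatch: expected=%s, found=%s", discoveryURL, documentIssuer)
	}
	if tokenIss != documentIssuer {
		return fmt.Sprintf("invalid claim value: 'iss'. expected=%s, found=%s", documentIssuer, tokenIss)
	}
	return ""
}

// issFromJWT reads the iss claim from a compact JWT. It does not verify the signature;
// a proxy must check that against the realm's JWKS before trusting any claim.
func issFromJWT(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed JWT: want 3 segments, got %d", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var claims struct{ Iss string `json:"iss"` }
	if err == nil {
		err = json.Unmarshal(payload, &claims)
	}
	return claims.Iss, err
}

// constructedToken builds an unsigned offline fixture (not a real Keycloak token) carrying iss.
func constructedToken(iss string) string {
	enc := base64.RawURLEncoding
	payload, _ := json.Marshal(map[string]string{"iss": iss})
	return enc.EncodeToString([]byte(`{"alg":"none"}`)) + "." + enc.EncodeToString(payload) + "."
}

func main() {
	internal := "http://keycloak:8080/auth/realms/myRealm"
	// Discovery fetched via the internal name reported that name as issuer (the log's
	// "expected="), so only the iss of a token minted via localhost:8085 fails.
	iss, _ := issFromJWT(constructedToken("http://localhost:8085/auth/realms/myRealm"))
	fmt.Println(checkIssuer(internal, internal, iss))
}
```

Running it prints the same expected/found pair as the Gatekeeper log; pointing both the discovery-url and the browser at one name (Solution 2's host.docker.internal) makes checkIssuer return "".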
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Jan Garaj |
| Solution 2 | Tyler2P |
