Invalid token issuer when running keycloak behind proxy

情深已故 2020-12-31 14:00

I've placed my keycloak server behind apache proxy:

ProxyRequests On
ProxyVia On
ProxyPreserveHost On
SSLProxyEngine On
SSLProxyCheckPeerCN on
SSLProxyCheck         


        
2 answers
  • 2020-12-31 14:29

    This has been a common problem, as Keycloak verifies the issuer of the placed token with the issuer that generated the token. And in your case, the token was generated by http://keycloak:8090/auth/realms/local, but in the given token the issuer is your proxy server FQDN, i.e. http://localhost/auth/realms/local.

  • 2020-12-31 14:35

    Your proxy should add forwarding headers on the proxy such as X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Host. This will allow Keycloak to retrieve the client's (not the reverse proxy's) original IP, which is important for security reasons. Also, Keycloak can retrieve its host name as it appears outside the proxy, which should help with the Invalid token issuer problem.

    Also, you should configure Keycloak such that it uses the proxy headers. If you're using the Docker image, do this with the environment variable PROXY_ADDRESS_FORWARDING=true.

    Have a look at the documentation [1]; you'll find more answers there.

    [1] https://www.keycloak.org/docs/4.8/server_installation/#_setting-up-a-load-balancer-or-proxy

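An added example, not part of either answer and not Keycloak's own code: a simplified model of the issuer check both answers describe, showing why the `iss` claim and the server-derived issuer diverge behind the proxy and how the forwarded headers close the gap. The proxy address, the sample token and all function names are constructed for illustration; the trusted-peer check models the requirement that only the proxy may supply `X-Forwarded-*` values.

```python
import base64
import json

REALM_PATH = "/auth/realms/local"      # realm path from the question
TRUSTED_PROXIES = {"172.18.0.2"}       # constructed: address of the Apache proxy

def token_issuer(jwt):
    """Read the iss claim from a JWT payload (no signature check; diagnosis only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["iss"]

def derived_issuer(headers, peer_ip, scheme, forwarding):
    """Assumed model: issuer = externally visible base URL + realm path.
    X-Forwarded-* is honoured only with forwarding on and a trusted peer."""
    host = headers["Host"]
    if forwarding and peer_ip in TRUSTED_PROXIES:
        scheme = headers.get("X-Forwarded-Proto", scheme)
        host = headers.get("X-Forwarded-Host", host).split(",")[0].strip()
    return f"{scheme}://{host}{REALM_PATH}"

def make_token(iss):
    """Build a constructed, unsigned sample token carrying only an iss claim."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'iss': iss})}."

def check(jwt, headers, peer_ip, scheme="http", forwarding=True):
    """Return (match, issuer in token, issuer the server would derive)."""
    got = token_issuer(jwt)
    want = derived_issuer(headers, peer_ip, scheme, forwarding)
    return got == want, got, want

# Constructed sample: token obtained through the proxy, request as seen by Keycloak.
SAMPLE_TOKEN = make_token("http://localhost/auth/realms/local")
SAMPLE_HEADERS = {
    "Host": "keycloak:8090",
    "X-Forwarded-Host": "localhost",
    "X-Forwarded-Proto": "http",
}

if __name__ == "__main__":
    for label, peer, fwd in [("forwarding off", "172.18.0.2", False),
                             ("forwarding on", "172.18.0.2", True),
                             ("untrusted peer", "10.9.9.9", True)]:
        print(label, check(SAMPLE_TOKEN, SAMPLE_HEADERS, peer, forwarding=fwd))
```

The third case is the one to watch when enabling header forwarding: if clients can reach Keycloak without passing through the proxy, or the proxy passes client-supplied `X-Forwarded-*` values through unchanged, the derived issuer and client IP become attacker-controlled input.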