Question
I am trying to secure my application using keycloak.
I use angular for my frontend and spring boot for my backend.
Using only HTTP, everything works fine. The problem is, if I want to use HTTPS alongside HTTP, I am having a problem with the backend throwing an error like:
o.k.a.BearerTokenRequestAuthenticator : Failed to verify token
org.keycloak.common.VerificationException: Invalid token issuer. Expected 'http://myDomain/auth/realms/realmName', but was 'https://myDomain/auth/realms/realmName'
In my properties file I do have the keycloak.auth-server-url, and it is pointing to http://my-keycloak/auth
Is there a way to support HTTP and HTTPS with Keycloak?
Answer 1:
I don't think this is feasible if you are using Keycloak libs. When I was using Keycloak I came across the same flow. Someone argued: why even use HTTP on your security modules? I mean, when you are passing along tokens you just need to have HTTPS. Agreed, but then often the services need to initiate a call themselves and make a call to Keycloak from within (secure zone), and they could do it without HTTPS (it can make it just a bit faster).
But then I was not able to find my way through. We ended up using HTTPS only.
Why is it failing?
As your token gets signed with the protocol information, if you decode the token you will find the iss field. The Keycloak token validator puts a check on this field. So you can have a server running on both HTTP and HTTPS, but the application can be configured for only one of the two.
What can we do to possibly fix this?
You can, however, make changes in the token validator module to ignore the check on the protocol. This should help you validate the token. All you will need is a JWT library and the public key.
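The relaxed issuer check described in this answer, as an added example that is not from the original post or from Keycloak. It is written against Spring Security's OAuth2 resource-server support (assumed dependency) rather than the Keycloak Spring adapter, so that the signature is still verified against the realm's published public keys and the expiry is still checked; only the scheme of the iss claim is allowed to differ between http and https. The issuer URL and realm name are placeholders taken from the question.

```java
import java.net.URI;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class SchemeAgnosticIssuerConfig {
    // Assumed value: the realm URL from the question, with a placeholder realm name.
    private static final String CONFIGURED_ISSUER = "http://myDomain/auth/realms/realmName";

    // True when the token's iss matches the configured issuer in host, port and path;
    // only the scheme may differ, and only between http and https.
    static boolean sameIssuerIgnoringScheme(String tokenIssuer, String expected) {
        if (tokenIssuer == null) return false;
        URI actual = URI.create(tokenIssuer);
        URI wanted = URI.create(expected);
        boolean schemeOk = "http".equals(actual.getScheme()) || "https".equals(actual.getScheme());
        return schemeOk
                && actual.getHost() != null
                && actual.getHost().equalsIgnoreCase(wanted.getHost())
                && actual.getPort() == wanted.getPort()
                && actual.getPath().equals(wanted.getPath());
    }

    static OAuth2TokenValidator<Jwt> schemeAgnosticIssuer(String expected) {
        OAuth2Error error = new OAuth2Error("invalid_token", "The iss claim is not valid", null);
        return jwt -> sameIssuerIgnoringScheme(jwt.getClaimAsString("iss"), expected)
                ? OAuth2TokenValidatorResult.success()
                : OAuth2TokenValidatorResult.failure(error);
    }

    @Bean
    public JwtDecoder jwtDecoder() {
        // The signature is still checked against the realm's JWKS (its public keys).
        NimbusJwtDecoder decoder = NimbusJwtDecoder
                .withJwkSetUri(CONFIGURED_ISSUER + "/protocol/openid-connect/certs")
                .build();
        // Replace the default validator, which compares iss byte-for-byte, with the relaxed one.
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                new JwtTimestampValidator(), schemeAgnosticIssuer(CONFIGURED_ISSUER)));
        return decoder;
    }
}
```

Note that host, port and path are still compared exactly, so a token issued by a different realm or server is still rejected.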
Answer 2:
For now, token validations must be checked using the same URL as the URL that the token was issued for.
Support for different URLs, front and back channel requests in adapters, will be available starting from version 4.
Source
Source: https://stackoverflow.com/questions/49019649/http-and-https-with-keycloack-spring