Keycloak token verification fails when the backend is running in a Docker container

docker keycloak oauth-2.0

I am in the early stages of building my web application. I intend to use Keycloak as the identity provider to secure the backend. On my local machine, I am running both Keycloak and my backend as docker containers but on different networks, since eventually in production, I would like to have the authentication server running Keycloak running separately from the backend e.g account.example.com and api.example.com respectively

Locally, my Keycloak container can be accessed via the base URL http://localhost:8080/auth and the backend via http://test.localhost:8000/

I have created a client in the Keycloak realm whose access type is confidential. I am generating the token using the authorization code grant type.enter image description here

Each REST API endpoint on the backend would therefore verify the token passed to the authorization header and then call the Keycloak server to verify the token before processing the request.

The issue that I am currently experiencing is that the token verification fails with the response

{"error":"invalid_token","error_description":"Token verification failed"}'

After investigation, apparently, it's because I am calling the Keycloak server from the backend API container. If I generate the token using curl within the backend docker container, the token I receive is being verified fine, but a token generated outside the container is not.

I am using python-keycloak as a wrapper for Keycloak REST API

from keycloak import KeycloakOpenID


self._keycloak = KeycloakOpenID(
            server_url='http://host.docker.internal:8080/auth/',
            realm_name='myrealm',
            client_id='myclient',
            client_secret_key='mysecret,
        )

if "HTTP_AUTHORIZATION" not in request.META:
       
        return JsonResponse(
            {"detail": NotAuthenticated.default_detail},
            status=NotAuthenticated.status_code,
        )

 auth_header = request.META.get("HTTP_AUTHORIZATION").split()
 token = auth_header[1] if len(auth_header) == 2 else auth_header[0]

    
    try:
        self.keycloak.userinfo(token)
    except KeycloakInvalidTokenError as e:
        # print(e)
        return JsonResponse(
            {"detail": AuthenticationFailed.default_detail},
            status=AuthenticationFailed.status_code,
        )

How do I resolve this and have token verification working on my local machine


Problem is with the issuer of the token. Issuer of your token from the postman is http://localhost:8080/..., but backend is configured to accept only issuer http://host.docker.internal:8080/.... It is a best practise to use the same protocol:domain[:port] for IdP (Keycloak in your case) everywhere e.g. https://keycloak.domain.com, otherwise you will have this kind of problems.

Related

Button disabled when data is call over still?
error with PhotoView : Looking up a deactivated widget's ancestor is unsafe
How to force java server to accept only tls 1.2 and reject tls 1.0 and tls 1.1 connections
How to export a html page to pdf in client side using JavaScript or jQuery?
Getting data of multiple stocks into one xts object
Hide or Show multiple columns in one command
Azure DevOps Service - Authenticate with On-Premise ADFS
How to configure Java Priority Queue to ignore duplicates?
Mapping values are not allowed here. Did you miss a colon earlier?
Validating date format
How to change font size of xarray facetgrid colorbar labels?
Using Tabula to pull tables out pdf