0

Adding the match-claims to the configuration file doesn't seem to do anything. Actually, Gatekeeper is always throwing me the same error when opening a resource (with or without the property).

My Keycloak server is inside a docker container, accessible from an internal network as http://keycloak:8080 while accessible from the external network as http://localhost:8085.

I have Gatekeeper connecting to the Keycloak server in an internal network. The request comes from the external one, therefore, the discovery-url will not match the 'iss' token claim.

Gatekeeper is trying to use the discovery-url as 'iss' claim. To override this, I'm adding the match-claims property as follows:

discovery-url: http://keycloak:8080/auth/realms/myRealm
match-claims:
  iss: http://localhost:8085/auth/realms/myRealm

The logs look like:

On startup

keycloak-gatekeeper_1  | 1.5749342705316222e+09 info    token must contain
  {"claim": "iss", "value": "http://localhost:8085/auth/realms/myRealm"}

keycloak-gatekeeper_1  | 1.5749342705318246e+09 info    keycloak proxy service starting
  {"interface": ":3000"}

On request

keycloak-gatekeeper_1  | 1.5749328645243566e+09 error   access token failed verification
  { "client_ip": "172.22.0.1:38128",
    "error": "oidc: JWT claims invalid: invalid claim value: 'iss'.
           expected=http://keycloak:8080/auth/realms/myRealm,
           found=http://localhost:8085/auth/realms/myRealm."}

This ends up in a 403 Forbidden response.

I've tried it on Keycloak-Gatekeeper 8.0.0 and 5.0.0, both with the same issue.

  1. Is this supposed to work the way I'm trying to use it?
  2. If not, what I'm missing?, how can I validate the iss or bypass this validation? (preferably the former)?
NemesisMate
  • 1
  • 1
  • 2

2 Answers2

2

It is failing during discovery data validation - your setup violates OIDC specification:

The issuer value returned MUST be identical to the Issuer URL that was directly used to retrieve the configuration information. This MUST also be identical to the iss Claim value in ID Tokens issued from this Issuer.

It is MUST, so you can't disable it (unless you want to hack source code - it should be in coreos/go-oidc library). Configure your infrastructure setup properly (e.g. use the same DNS name for Keycloak in internal/external network, content rewrite for internal network requests, ...) and you will be fine.

Jan Garaj
  • 25,598
  • 3
  • 38
  • 59
  • 1
    Well, this is very confusing. From Gatekeeper's documentation it seems that it is configurable (in both docs the iss claim appears as example): - https://www.keycloak.org/docs/latest/securing_apps/index.html#claim-matching - https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/keycloak-gatekeeper.adoc#claim-matching – NemesisMate Dec 02 '19 at 09:22
  • @NemesisMate Gatekeeper documentation mentions only claim iss matching, not metadata validation configuration. – Jan Garaj Dec 02 '19 at 10:01
0

Change the DNS name to host.docker.internal

  1. token endpoint: http://host.docker.internal/auth/realms/example-realm/open-id-connect/token

  2. issuer URL in your property file as http://host.docker.internal/auth/realms/example-realm

In this way both outside world access and internal calls to keycloak can be achieved

Tyler2P
  • 2,324
  • 26
  • 22
  • 31
Pavan Gowda
  • 1