
Scenario

I have a secured webservice (JakartaEE + Microprofile + JWT) running in Open Liberty. As issuer of the JWT token I use Keycloak. For testing and development I want to run both services in docker. Therefore I wrote a docker-compose file. As test client I use JUnit with microprofile-client. This is running outside of docker.

Problem

I can retrieve the JWT-Token via localhost at the host - e.g.:

POST /auth/realms/DC/protocol/openid-connect/token HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded

realm=DC&grant_type=password&client_id=dc&username=dc_editor&password=******

The problem is that, from the perspective of the webservice, localhost isn't the Keycloak server. The JWT token validation against the issuer fails.

Goal

I want to access the keycloak server from the host with its docker-internal network alias - e.g. dcAuthServer. The JWT-Token would be validated correctly.

Code

The docker-compose file looks like this:

version: "3.8"
services:
  dcWebservice:
    environment:
      - DC_AUTH_SERVER_HOST=dcAuthServer
      - DC_AUTH_SERVER_PORT=8080
      - DC_AUTH_SERVER_REALM=DC
    image: dc_webservice:latest
    ports:
      - "9080:9080"
    networks:
      - dcNetwork

  dcAuthServer:
    image: dc_keycloak:latest
    ports:
      - "8080:8080"
    networks:
      dcNetwork:
        aliases:
          - dcAuthServer
    healthcheck:
      test: "curl --fail http://localhost:8080/auth/realms/DC || false"

networks:
  dcNetwork:

The environment variables DC_AUTH* are used in the mpJwt configuration in the server.xml of the Open Liberty server:

<mpJwt id="dcMPJWT" audiences="dc" issuer="http://${DC_AUTH_SERVER_HOST}:${DC_AUTH_SERVER_PORT}/auth/realms/${DC_AUTH_SERVER_REALM}"
           jwksUri="http://${DC_AUTH_SERVER_HOST}:${DC_AUTH_SERVER_PORT}/auth/realms/${DC_AUTH_SERVER_REALM}/protocol/openid-connect/certs"/>

The issuer attribute is where I have to put the trusted issuer for the JWT token.

I hope I did not forget important information - just ask!

Thanks in advance Robert
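An added example, not code from the question, Open Liberty or Keycloak, that reproduces the failure described above: Keycloak derives the iss claim from the host the token endpoint was called on, while mpJwt compares iss against the issuer string built from DC_AUTH_SERVER_HOST and friends. HS256 with a constructed key stands in for Keycloak's RS256/JWKS so the check runs offline; the token request from the host ("localhost:8080") and the in-network alias ("dcAuthServer:8080") are constructed inputs.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; Keycloak really signs with RS256 and publishes the key via jwksUri.
SECRET = b"constructed-demo-key"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def expected_issuer(env: dict) -> str:
    # Same template as the issuer attribute of <mpJwt> in server.xml
    return "http://{DC_AUTH_SERVER_HOST}:{DC_AUTH_SERVER_PORT}/auth/realms/{DC_AUTH_SERVER_REALM}".format(**env)

def mint_token(request_host: str, realm: str) -> str:
    # Keycloak fills 'iss' from the Host the token endpoint was reached on,
    # so a request to localhost:8080 yields a localhost issuer.
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": f"http://{request_host}/auth/realms/{realm}", "aud": "dc",
               "sub": "dc_editor", "exp": int(time.time()) + 300}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def validate(token: str, env: dict) -> tuple:
    """Signature first, then exp, iss and aud: the order a resource server uses."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected_sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(p))
    if claims.get("exp", 0) < time.time():
        return False, "expired"
    if claims.get("iss") != expected_issuer(env):
        # This is the mismatch from the question: exact string comparison, no host aliasing.
        return False, f"issuer mismatch: token {claims.get('iss')!r} != config {expected_issuer(env)!r}"
    if claims.get("aud") != "dc":
        return False, "audience mismatch"
    return True, "ok"

# Values from the docker-compose environment in the question
ENV = {"DC_AUTH_SERVER_HOST": "dcAuthServer", "DC_AUTH_SERVER_PORT": "8080", "DC_AUTH_SERVER_REALM": "DC"}

if __name__ == "__main__":
    for host in ("localhost:8080", "dcAuthServer:8080"):
        print(host, "->", validate(mint_token(host, "DC"), ENV))
```

The token requested via localhost is rejected on the issuer check even though its signature is valid; the same request addressed to dcAuthServer:8080 passes, which is why the host-side client must reach Keycloak under the same name the webservice is configured with.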

  • Do you require keycloak to be the JWT provider in your tests? For this situation in OpenLiberty I would utilize Microshed Testing which has auto-config for the JWT on the client/server side but still runs your liberty app in a docker container. See https://microshed.org/microshed-testing/features/MP_JWT.html and https://openliberty.io/guides/microshed-testing.html – Andy Guibert May 03 '20 at 19:18
  • Hi @AndyGuibert .. thanks for your hint. It was quite easy to migrate to Microshed because I was using [Testcontainers](https://www.testcontainers.org) already. With Microshed I got rid of the manual setup of the MP-Client+JWT. Now it's injected - thanks again. I leave the question open out of pure curiosity if there is a solution. – Robert Hempel May 04 '20 at 14:40
  • glad microshed worked for you. If you have ideas/suggestions for how Microshed could integrate with Keycloak containers directly, please file an issue on the Microshed github repo: https://github.com/MicroShed/microshed-testing – Andy Guibert May 04 '20 at 15:59
  • Hey, I'm having the same issue, and looking for solution. Did you able to resolve it? – Kostanos May 29 '22 at 18:48
  • Hi @Kostanos . I'm sorry, but I could not solve the problem as intended. I went on with the solution hinted by @AndyGuibert .. so everything was running inside a docker compose bubble and the services could see each other by their service names. – Robert Hempel May 31 '22 at 09:15
