
I have a Keycloak server and a Spring Boot app running on a Kubernetes cluster, and I'm facing 2 scenarios: the first one is working and in the other one I'm getting 401 Unauthorized.

First scenario:

  • Enter a test container with the kubectl exec command inside my k8s cluster and ask for a token with a curl POST request: http://keycloak-service-name:8080/auth/realms/lisa/protocol/openid-connect/token
  • I get a token
  • I send a request from Postman using that token to the secured endpoint of my app and it's working, access is granted

Second scenario:

  • Ask for a token by sending a POST request to http://keycloak-external-ip:port/auth/realms/lisa/protocol/openid-connect/token with the necessary parameters from Postman
  • I receive an access token
  • I send a request from Postman to the secured endpoint of my app using that token and I get 401 Unauthorized

Keycloak is exposed using a NodePort service.

The app is exposed using an Istio ingress gateway.

Keycloak server version: 9.0.0.

Keycloak version in the Spring Boot app: 10.0.2

Kamèl Romdhani
  • Same here, a question was posted at [Keycloak forum](https://keycloak.discourse.group/t/gettiing-401-when-access-from-outside-but-200-from-inside-a-k8s-container/4998). – belgoros Sep 23 '20 at 11:05
  • Hi, can you add the following to your question?: 1. Details on the incoming request to the istio ingress gateway. 2. Details on the application behind the istio ingress gateway. 3. The logs of your istio ingress gateway. – Piotr Malec Sep 23 '20 at 13:04
  • This is a curl of the request I send through the Istio gateway to test my app: curl --location --request GET 'http://gateway-external-ip/history/admin/v1/health' \ --header 'Cookie: JSESSIONID=2C40C674EA1A3D13BEC98313BB3D23C6; JSESSIONID=B1CF761DA1349D2AF40F7DB11FBB2503' \ --header 'Authorization: Bearer token' – Kamèl Romdhani Sep 23 '20 at 13:22
  • The issue is most likely related to JWT ISS checking failing for external call. It looks to me that it is configured based on local service/hostname. You can verify that by checking logs. Take a look at this github [post](https://github.com/istio/istio/issues/15122#issuecomment-505963324) to see how to view logs. – Piotr Malec Oct 01 '20 at 15:37

1 Answer

Fixed this by changing the keycloak.auth-server-url value in the application.properties file. The Keycloak deployment has 2 services, one of type ClusterIP, the second of type NodePort.

before

keycloak.auth-server-url=http://keycloak-clusterIP-service-name:8080/auth

after

keycloak.auth-server-url=http://node-ip-address:nodePort/auth

Kamèl Romdhani
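Why the change above works, as an added example that is not part of the original question or answer: the Keycloak Spring Boot adapter builds the expected issuer as `<keycloak.auth-server-url>/realms/<keycloak.realm>` and rejects any bearer token whose `iss` claim differs, while the Keycloak server fills `iss` with the URL the token endpoint was called on. A token fetched through the NodePort therefore carries `iss = http://node-ip:port/auth/realms/lisa`, which can never equal an adapter URL built from the ClusterIP service name, hence the 401 in the second scenario. The script below reproduces that check offline on two constructed, unsigned tokens (alg=none, for illustration only; the real adapter also verifies the RS256 signature against the realm keys). The node port 30080 and the service names are assumptions, not values from the page.

```python
"""Issuer (iss) check modelled on the Keycloak adapter's RealmUrlCheck.

Added example, not the page's or Keycloak's own code. Tokens below are
constructed and unsigned so the script runs offline; never accept alg=none
tokens in a real application.
"""
import base64
import json
from typing import Tuple


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none JWT for demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def expected_issuer(auth_server_url: str, realm: str) -> str:
    """Mirror the adapter's realm info URL: <auth-server-url>/realms/<realm>."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}"


def token_issuer(token: str) -> str:
    """Read the iss claim from the payload segment (no signature check here)."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return payload["iss"]


def check_issuer(token: str, auth_server_url: str, realm: str) -> Tuple[bool, str]:
    """Decide like the adapter would: accept only when iss equals the realm URL."""
    want = expected_issuer(auth_server_url, realm)
    got = token_issuer(token)
    if got == want:
        return True, f"iss matches {want}"
    return False, f"iss mismatch: token says {got!r}, adapter expects {want!r} -> 401"


# Constructed sample tokens. Keycloak derives iss from the URL the token
# endpoint was requested on, so the two paths produce different issuers.
REALM = "lisa"
TOKEN_FROM_INSIDE = make_unsigned_token(
    {"iss": "http://keycloak-clusterIP-service-name:8080/auth/realms/lisa", "sub": "alice"})
TOKEN_FROM_OUTSIDE = make_unsigned_token(
    {"iss": "http://node-ip-address:30080/auth/realms/lisa", "sub": "alice"})  # 30080 is assumed

if __name__ == "__main__":
    configs = [("before", "http://keycloak-clusterIP-service-name:8080/auth"),
               ("after", "http://node-ip-address:30080/auth")]
    for label, url in configs:
        for name, tok in [("inside", TOKEN_FROM_INSIDE), ("outside", TOKEN_FROM_OUTSIDE)]:
            ok, why = check_issuer(tok, url, REALM)
            print(f"[{label} config, token from {name}] {'200' if ok else '401'}: {why}")
```

Running it shows the "before" configuration accepting only the in-cluster token and the "after" configuration accepting only the externally obtained one; the adapter URL and the URL clients use to fetch tokens must agree. The quick diagnostic for the real setup is the same: base64url-decode the middle segment of a failing token and compare its `iss` with `keycloak.auth-server-url` plus `/realms/lisa`. Note that the fix in the answer ties the app to one node's IP; a more stable alternative is to give Keycloak a fixed frontend URL (Keycloak 9 reads it from `KEYCLOAK_FRONTEND_URL` in the official image) so that `iss` is identical however the token endpoint is reached, and point `keycloak.auth-server-url` at that same URL.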