
My problem: I have a client where users successfully authenticate against Keycloak (using keycloak-js) in a "frontend" client. I then use the "keycloak.token" and forward this to a node/express/keycloak-connect backend. There, the validation of the token seems to fail, i.e. I receive HTTP 403 Forbidden. Yet, I do not really understand why the validation fails. Both frontend and backend are members of the same realm, given in the JWT, timings fit, aud/iss/sub also match. Roles are there. Etc. Unfortunately, I could not find any "debug" hook in the Keycloak middleware to trace (and understand) what happens. Did you ever come across this? Have I misconfigured Keycloak?

Here is my server code: keycloak.ts

// @ts-ignore
import Keycloak from "keycloak-connect"
// @ts-ignore
import session from "express-session"

let _keycloak: Keycloak.Keycloak | undefined = undefined;
const memoryStore = new session.MemoryStore();

export function getKeycloak(): Keycloak.Keycloak {
    if (!_keycloak) {
        _keycloak = new Keycloak({ store: memoryStore }, {
            "realm": "ear",
            "bearer-only": true,
            "auth-server-url": "http://192.168.76.4:40002/auth/",
            "ssl-required": "external",
            "resource": "ear-backend",
            "confidential-port": 0
        });
    }
    return _keycloak;
}

Here is my "main" app - server.ts

import {getKeycloak} from "./keycloak";
import express from "express";
import {Request,Response} from "express";
// @ts-ignore
import cors from "cors";

const app = express();
app.use(cors());
const router = express.Router();
router.get("/user", getKeycloak().protect(), (req: Request, res: Response) => { res.send("Hello User"); });
app.use("/test", router);
app.listen(3001);

Here is the bearer token I forward from the client to the server:

authorization: 'Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJkaDEweTB2WWhnUFVmcWppQVZ3ZVBXUUxTYmpxUWVkaWprZHFBMUVLbUdJIn0.eyJleHAiOjE2NzQzODM5NjgsImlhdCI6MTY3NDM4MzY2OCwiYXV0aF90aW1lIjoxNjc0MzgzNjY4LCJqdGkiOiJmYjhjMTJ kMy0xMmFmLTQ1M2MtYmE1Mi0yNzA3ZDkwYTNkMDEiLCJpc3MiOiJodHRwOi8vMTkyLjE2OC43Ni40OjQwMDAyL2F1dGgvcmVhbG1zL2VhciIsImF1ZCI6ImVhci1iYWNrZW5kIiwic3ViIjoiMDQxNTY1ZDQtYzM0Ni00MDRmLWFmYzYtMjVjMzRmMGViNWM5IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZWFyLWZ yb250ZW5kIiwibm9uY2UiOiI2ZGUzOGYzMy00MmQyLTQ4ZTItODQwMi01M2I4OTViNzc4Y2YiLCJzZXNzaW9uX3N0YXRlIjoiYTEyYzhkY2ItMjk5Yy00Y2VlLWEyYWQtOThkN2M1MDJkMDgzIiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyIqIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJlYXI tcm9sZTEiXX0sInJlc291cmNlX2FjY2VzcyI6eyJlYXItYmFja2VuZCI6eyJyb2xlcyI6WyJmZWF0dXJlMiIsImZlYXR1cmUxIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSIsInNpZCI6ImExMmM4ZGNiLTI5OWMtNGNlZS1hMmFkLTk4ZDdjNTAyZDA4MyIsImVtYWlsX3ZlcmlmaWVkIjp0cnV lLCJuYW1lIjoiVXNlciAxMiIsInByZWZlcnJlZF91c2VybmFtZSI6InVzZXIxMiIsImdpdmVuX25hbWUiOiJVc2VyIiwiZmFtaWx5X25hbWUiOiIxMiIsImVtYWlsIjoidXNlci4xMkBhY21lLmNvbSJ9.U8YRbUuOdSPKfDeUIfAb5r12ZGhaTB-GCspY9RjKW8iMn2btbTDd9v9TQAvFbvgHHQ7F0QOtwZvfgW DludO1H3pUiEuhzkRcrw7NQLN4WY3atUrIEACpMa5pthZXzDzia3VBYlChMZPnsMOCAq5-fhULhjYz-4SY6YrTpL5TcDcCuAj28-CZt00hqxGQvd2q-LCpRuFXQ6GnxV0fYJZVtX_yolTAJAVHph7uG_WxgBqpxqdh9QBQ1av3Jn9yElo9qZjzbaD261WR1sae6idkSdLmZai1c7r9zVl9MDw8_qE8tzuaY20gIOG2HpUS4sqW7oM9I5cwMBKCHOzODpXkZg'

And, finally, here is the Keycloak config export (very lengthy, unfortunately, but I do not know which parts can be safely deleted). It can be downloaded from my Google Drive, since the file would exceed the maximum post length: https://drive.google.com/file/d/1vlZC5-W3AOElsTU12p7NldFmFZSGABkA/view?usp=share_link

Thank you for any hints.

user1351376
  • I would compare your setup with https://github.com/keycloak/keycloak-nodejs-connect/tree/main/example and look for differences. Would the example work with your keycloak instance? – Matthias Wiedemann Jan 22 '23 at 16:57
  • I skipped the approach to use keycloak-connect to validate a token got via Web frontend client and instead use jsonwebtoken and jwks-rsa instead, which works fine. Just have to make sure that the AUD is set (i.e. the user has assigned a role of the client :) ) – user1351376 Jan 25 '23 at 08:23
