
Supporting different ISS when validating token #308

Open
@Nosfistis

Description

Describe the bug

When validating a user-agent token (created via a public client) from a bearer-only client (backend application), where the two clients use different Keycloak hostnames, the validation fails with the error `invalid token (wrong ISS)`.

Using the external, public url for the keycloak server in the backend application avoids this issue.

The bug also occurs when setting the frontend URL, which changes the `authorization_endpoint` to the public URL while keeping the request URL in the advertised `token_endpoint`.

Version

15.0.2

Expected behavior

Given the proposal of the default hostname providers and the frontend URL configuration, the Node.js client should accept tokens with an ISS that is different from the current realm URL.

Actual behavior

No response

How to Reproduce?

No response

Anything else?

I found the specific code to be here:

```javascript
} else if (token.content.iss !== this.realmUrl) {
```
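One way a bearer-only backend could perform this check so that it accepts the realm under each explicitly configured hostname (internal and frontend/public) while still rejecting any issuer not on that list. This is an added example, not keycloak-connect's own code; it assumes signature verification has already passed, and the URLs and the function names (`allowedIssuers`, `isIssuerAllowed`) are constructed for illustration.

```javascript
// Added example (not keycloak-connect code): issuer allow-list instead of a single strict
// equality against this.realmUrl. All hostnames and function names below are constructed.

// Normalise an issuer URL so trailing-slash differences do not produce false mismatches.
function normalizeIssuer(url) {
  return String(url).trim().replace(/\/+$/, '');
}

// Build the set of issuers the backend trusts for one realm: the base URL it reaches
// Keycloak at, plus every public (frontend) base URL the same realm is served under.
function allowedIssuers({ realm, internalBaseUrl, publicBaseUrls = [] }) {
  const bases = [internalBaseUrl, ...publicBaseUrls];
  return new Set(bases.map((b) => `${normalizeIssuer(b)}/realms/${realm}`));
}

// Decode the payload of a compact JWT. This does NOT verify the signature; the check
// below is only meaningful after verification has succeeded elsewhere.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Replacement for `token.content.iss !== this.realmUrl`: exact membership in the allow-list,
// so an arbitrary issuer is still rejected even though more than one URL is accepted.
function isIssuerAllowed(payload, allowed) {
  return typeof payload.iss === 'string' && allowed.has(normalizeIssuer(payload.iss));
}

// Constructed scenario: the backend reaches Keycloak at an internal hostname while users
// obtained their token through the public frontend URL of the same realm.
function demo() {
  const allowed = allowedIssuers({
    realm: 'demo',
    internalBaseUrl: 'http://keycloak.internal:8080/auth',
    publicBaseUrls: ['https://sso.example.test/auth'],
  });
  // Build an unsigned-looking compact token with only the claims we need (constructed input).
  const mk = (iss) =>
    'e30.' + Buffer.from(JSON.stringify({ iss, sub: 'user-1' })).toString('base64url') + '.sig';
  return {
    internal: isIssuerAllowed(decodePayload(mk('http://keycloak.internal:8080/auth/realms/demo')), allowed),
    public: isIssuerAllowed(decodePayload(mk('https://sso.example.test/auth/realms/demo/')), allowed),
    other: isIssuerAllowed(decodePayload(mk('https://other.example.test/auth/realms/demo')), allowed),
  };
}
```

`demo()` returns `{ internal: true, public: true, other: false }`: both configured hostnames pass, an unconfigured one does not.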
