Iss claim not valid Keycloak
I use the Keycloak service to log in to my web app. As a backend I use Spring with OAuth 2.0 security. When I make a request with Postman using the bearer token obtained from Keycloak, it gives me a 401 error, and in the text of the response, next to the WWW-Authenticate entry, it tells me:

Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: The iss claim is not valid", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

How could I solve this problem?

Celluloid answered 4/7, 2022 at 9:21 Comment(3)
What's the value of the iss claim in your token? – Jeopardous
localhost:8080/realms/demo – Celluloid
When the token has expired it tells me the token has expired; instead, at the moment it just tells me that there is a problem in the iss claim. To be clearer, what I do is: 1. I get the token from Keycloak through Postman; 2. I send the token in the header to the Spring server, which verifies whether the token is correct by connecting to Keycloak. – Celluloid
The Spring config value must be exactly the same as the iss claim value. Even a trailing slash, if any, is important.

Do as @BenchVue wrote in the comment: open one of the access-token JWTs in jwt.io, copy the iss claim value and paste it into the Spring conf.

Another option is to remove the issuer validation from the JWT decoder: provide jwk-set-uri in your conf and remove issuer-uri, but be aware that in this case the token validation will be done only using its signature.

William answered 12/7, 2022 at 7:39 Comment(5)
Regarding "Another option is to remove the issuer validation from the JWT decoder: provide jwk-set-uri in your conf and remove issuer-uri": then OidcClientInitiatedLogoutSuccessHandler does not work anymore, because the end_session_endpoint metadata is not provided anymore. Is there a workaround? – Apery
I think not within OpenID Connect. As stated by this spec: "(OpenID configuration) available at the path formed by concatenating the string /.well-known/openid-configuration to the Issuer." Also, as per this other spec: "The issuer returned by discovery MUST exactly match the value of iss in the ID Token." – William
You may use OAuth2 without OpenID, but in that case you can hardly expect Spring Boot to auto-configure an OidcClientInitiatedLogoutSuccessHandler. You might still write your own success handler with values taken from application properties or from a JSON document fetched from a URI contained in these properties. But the easiest option is clearly to use a properly configured OpenID Provider as authorization server and to use Spring auto-configuration from the issuer claim. – William
Some debugging shows that /.well-known/openid-configuration returns URLs with the domain from the request, e.g. http://localhost/... or http://mykecloak.mycompany.com. Apparently the token always contains the same domain, ignoring the domain of the request. That's one reason for the error, I guess. – Apery
There are some Keycloak configuration options to be strict (always the same configured value) or flexible (adapt to the request URL) with the values in the OpenID configuration. I personally use strict values pointing to a reverse proxy and point all actors to this reverse proxy. – William
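As an added diagnostic (not code from the question or any answer, and written in Python rather than the Spring app's Java so it runs stand-alone), the script below decodes a token's payload without verifying it and compares iss with the configured issuer-uri using the same exact string comparison, then reports which URL component differs (trailing slash, localhost vs 127.0.0.1 or a container name, scheme, port, path prefix). The sample token is constructed inline with a placeholder signature; the configured issuer URIs are assumed values.

```python
import base64
import json
from typing import Dict, List
from urllib.parse import urlsplit

def decode_jwt_payload(token: str) -> Dict:
    """Decode the payload of a compact JWS WITHOUT verifying it (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose_issuer(token: str, configured_issuer_uri: str) -> List[str]:
    """Exact string comparison of iss against issuer-uri, as Spring's decoder does.
    Returns findings; an empty list means the two match."""
    iss = decode_jwt_payload(token).get("iss")
    if iss is None:
        return ["token carries no iss claim"]
    if iss == configured_issuer_uri:
        return []
    findings = [f"iss {iss!r} != issuer-uri {configured_issuer_uri!r}"]
    tok, cfg = urlsplit(iss), urlsplit(configured_issuer_uri)
    if tok.scheme != cfg.scheme:
        findings.append(f"scheme differs: {tok.scheme} vs {cfg.scheme}")
    if tok.hostname != cfg.hostname:  # localhost vs 127.0.0.1, or a container name
        findings.append(f"host differs: {tok.hostname} vs {cfg.hostname}")
    if tok.port != cfg.port:
        findings.append(f"port differs: {tok.port} vs {cfg.port}")
    if tok.path != cfg.path and tok.path.rstrip("/") == cfg.path.rstrip("/"):
        findings.append("only a trailing slash differs")
    elif tok.path != cfg.path:  # e.g. the /auth prefix of older Keycloak versions
        findings.append(f"path differs: {tok.path} vs {cfg.path}")
    return findings

def make_sample_token(claims: Dict) -> str:
    """Constructed demo token: real header/payload encoding, placeholder signature."""
    def seg(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return seg({"alg": "RS256", "typ": "JWT"}) + "." + seg(claims) + ".placeholder"

if __name__ == "__main__":
    token = make_sample_token({"iss": "http://localhost:8080/realms/demo", "sub": "user1"})
    for issuer_uri in ("http://localhost:8080/realms/demo",
                       "http://localhost:8080/realms/demo/",
                       "http://127.0.0.1:8080/realms/demo"):
        print(issuer_uri, "->", diagnose_issuer(token, issuer_uri) or "OK")
```

Run it against a real access token pasted from Postman to see exactly which part of your issuer-uri has to change; the signature is deliberately not checked, so the script is a configuration aid, not a validator.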
The OAuth2 properties in application.properties must be the same as the Keycloak address:

spring.security.oauth2.resourceserver.jwt.issuer-uri=http://keycloak-IP:Port/auth/realms/XXX
Landrum answered 1/11, 2022 at 8:35 Comment(0)
In my case I wrongly used 127.0.0.1 instead of localhost in the config:

spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8080/realms/master

because it is localhost in the access_token.

Paquette answered 14/2 at 15:53 Comment(0)
I had the same problem with "the iss claim is not valid", and it is clear that the problem is in the setting of issuer-uri. My case is that when you run Keycloak in a Docker container and the application locally, then everything is fine. But in case you run the application in a container as well, then you set the issuer as 'http://host.docker.internal:8080' or by the name of the container 'http://keycloak:8080'. As a result iss will not match because it is still 'http://localhost:8080'. The solution can be the following: Keycloak container variables KC_HOSTNAME=http://host.docker.internal:8080/ and KC_HOSTNAME_BACKCHANNEL_DYNAMIC=true

Solution found here: https://www.reddit.com/r/KeyCloak/comments/tfgcbg/how_to_change_iss_in_generated_token/

Cherie answered 22/7 at 7:39 Comment(1)
It works for me! Thanks 🙏🏼 – Ashtray