Keycloak: Invalid token issuer when running from internal docker container - spring

I'm having some issues with configuring keycloak to run on our server.
Locally it works great, but on our test environment, after login, on any call using the received access token we get "Invalid token issuer. Expected "http://keycloak:8080/auth/realms/{realmName}" but was "http://{our-test-server-IP}/auth/realms/{realmName}"".
So basically, our backend connects to the internal keycloak docker image but when the request comes it expects that the issuer is the configured external IP so even though the issuers are basically the same service keycloak sees them as being different and responds with a 401.
docker-compose.yml:
keycloak:
  image: jboss/keycloak:12.0.4
  restart: on-failure
  environment:
    PROXY_ADDRESS_FORWARDING: "true"
    KEYCLOAK_USER: admin
    KEYCLOAK_PASSWORD: password
    KEYCLOAK_LOGLEVEL: DEBUG
    KEYCLOAK_IMPORT: /etc/settings/realm.json -Dkeycloak.profile.feature.upload_scripts=enabled
    TZ: Europe/Bucharest
    DB_VENDOR: POSTGRES
    DB_ADDR: db
    DB_DATABASE: user
    DB_SCHEMA: keycloak
    DB_USER: user
    DB_PASSWORD: user
  ports:
    - 8090:8080
  volumes:
    - ./settings:/etc/settings
  depends_on:
    - db
Spring application.yml:
keycloak:
  cors: true
  realm: Realm-Name
  resource: back-office
  auth-server-url: http://keycloak:8080/auth/
  public-client: false
  credentials:
    secret: 8401b642-0ae9-4dc8-87a6-2f494b388a49
keycloak-client:
  id: bcc94ed5-0099-40e0-b460-572eba3f0214
If we change the backend property auth-server-url to connect to the exposed endpoint and not to the internal docker container, we get a timeout; it seems like it doesn't want to connect to it. I understand that the main issue is that we are running both the keycloak instance and our backend application on the same server, but I don't see why it shouldn't work and why they cannot connect to each other.
We tried setting up the FRONTEND_URL in the environment when running the container and in the Keycloak admin console, but nothing has changed. We've also tried to set forceBackendUrlToFrontendUrl to true in the standalone.xml/standalone-ha.xml files (./jboss-cli.sh --connect "/subsystem=keycloak-server/spi=hostname/provider=default:write-attribute(name=properties.forceBackendUrlToFrontendUrl, value=true)") and reset the keycloak instance inside the docker container using ./jboss-cli.sh --connect command=:reload, but nothing has changed.
I understand that basically by setting up the FRONTEND_URL all tokens should be signed by the keycloak instance and we would not have this issue, but I've tried everything I've found so far on this issue regarding the keycloak configuration and nothing seems to change things. How can I make sure that the issuer that signs the access token and the one that the backend service expects are the same (hopefully the frontend)? And how can I configure this; is there some property I'm missing, or was there something I did wrong while configuring it?

Might be related to this answer on here: https://stackoverflow.com/a/64095482/13494285
You could set Host header value to be the expected url.
To override this behavior, you might try to set KEYCLOAK_HOSTNAME environment variable to be the expected url.
Seems like documentation might not be up-to-date (it suggests KEYCLOAK_FRONTEND_URL variable on here), but instead KEYCLOAK_HOSTNAME is used to set fixed provider, as seen on here.
In this context, the KEYCLOAK_HTTP_PORT is also required to set the port to be 8080.

Setting the KEYCLOAK_HOSTNAME to the external hostname (as defined in the KEYCLOAK_FRONTEND_URL) definitely worked for my case (eclipse che installation on a vanilla kubernetes cluster).
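The failure in the question is an exact string comparison: the Spring Keycloak adapter builds the issuer it expects from its configured auth-server-url plus /realms/{realm}, and rejects a token whose iss claim was minted under a different base URL, even when both URLs point at the same Keycloak instance. The following added example (not part of the original thread or of Keycloak) reproduces that check against a constructed, unsigned token so the mismatch and the fixed configuration can be compared offline. The external IP 203.0.113.10 is a placeholder; only the iss claim is inspected here, and signature verification against the realm's public key is a separate step that a real adapter performs as well.

```python
import base64
import json

# Constructed sample values mirroring the question: the backend's
# auth-server-url points at the internal Docker hostname, while the
# token was issued under the externally reachable URL.
INTERNAL_AUTH_SERVER_URL = "http://keycloak:8080/auth/"
EXTERNAL_AUTH_SERVER_URL = "http://203.0.113.10/auth/"  # placeholder test-server IP
REALM = "Realm-Name"


def expected_issuer(auth_server_url: str, realm: str) -> str:
    """Expected issuer the way the adapter derives it:
    <auth-server-url>/realms/<realm>, with exactly one slash between the parts."""
    return auth_server_url.rstrip("/") + "/realms/" + realm


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT carrying the given claims.
    It exists only so the example runs offline; a real Keycloak token is RS256-signed."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_issuer(token: str) -> str:
    """Read the 'iss' claim from the JWT payload (no signature verification here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = json.loads(_b64url_decode(parts[1]))
    return payload["iss"]


def issuer_matches(token: str, auth_server_url: str, realm: str) -> bool:
    """Adapter-style check: exact string comparison of 'iss' against the expected issuer."""
    return token_issuer(token) == expected_issuer(auth_server_url, realm)


def explain_mismatch(token: str, auth_server_url: str, realm: str) -> str:
    """Return the kind of message the question quotes when the check fails."""
    got = token_issuer(token)
    want = expected_issuer(auth_server_url, realm)
    if got == want:
        return "issuer ok"
    return f'Invalid token issuer. Expected "{want}" but was "{got}"'


if __name__ == "__main__":
    # Token issued under the external URL (what the browser-facing login produced).
    token = make_unsigned_token(
        {"iss": expected_issuer(EXTERNAL_AUTH_SERVER_URL, REALM), "sub": "demo-user"}
    )
    # Backend configured with the internal Docker hostname: rejected with a 401.
    print(explain_mismatch(token, INTERNAL_AUTH_SERVER_URL, REALM))
    # Backend and issuer agree on one public base URL: accepted.
    print(explain_mismatch(token, EXTERNAL_AUTH_SERVER_URL, REALM))
```

The practical consequence is the one the answers point at: whichever hostname Keycloak stamps into iss (fixed via KEYCLOAK_HOSTNAME / the frontend URL, or forwarded from the proxy's Host header) has to be the same string, scheme and port included, that the backend derives from auth-server-url.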

Related

How do I fix the HTTP 502 Bad Gateway when deploying Docker to GCP App Engine?

I want to deploy my Spring Boot app in a Docker component to GCP App Engine.
When I run the Docker component locally I get access to the web site.
When I deploy the component to the GCP App Engine with the command gcloud app deploy
I get an HTTP error 502 Bad Gateway nginx.
The Dockerfile looks like this:
FROM adoptopenjdk/openjdk14
MAINTAINER steinko
VOLUME /tmp
COPY build/libs/atm.jar ./
ENTRYPOINT ["java"]
CMD ["-jar", "/atm.jar"]
EXPOSE 4001
The app.yaml file looks like this:
runtime: custom
env: flex
handlers:
- url: /.*
  script: this field is required, but ignored
service: atm
How do I fix this error?
According to this document: The App Engine front end will route incoming requests to the appropriate module on port 8080. You must be sure that your application code is listening on 8080. Also, it looks like the FROM should be one of Google's base images, also in that document.

How to disable Keycloak SSL when running Keycloak in Docker?

I have a Spring Boot application and in that I have done Keycloak integration with my REST API.
Now I want to build a Docker image for my app to host in the cloud.
First I tried:
docker container run -d -p 8081:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin jboss/keycloak
That was not working; I couldn't open the login screen for Keycloak.
So I tried this:
docker container run -p 8443:8443 -d -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin jboss/keycloak
Using this now I can login to Keycloak.
Then I tried disabling SSL in Realm->Login tab.
I can do this as this is my development environment and I am not much worried about SSL.
Is there any option of disabling SSL while running Keycloak in Docker?
If not, how can I disable it?
If it is not possible to disable SSL in Keycloak while running on Docker, how can I integrate the SSL connection of Keycloak with the Spring Boot REST API?
If you're going to run a reverse proxy in front of Keycloak anyway, PROXY_ADDRESS_FORWARDING=true is what you're looking for.
This will disable the TLS requirement if you also send X-Forwarded-Proto: https in the header.
Running without TLS at all is not supported.
Documented here:
https://github.com/keycloak/keycloak-containers/blob/master/server/README.md#enabling-proxy-address-forwarding
Update the REALM table to disable requiring SSL by:
UPDATE REALM SET SSL_REQUIRED='NONE' WHERE ID=<RECORD_ID>;

Spring Cloud Config Server-GITLAB SSH Connection

After going through a number of SO threads and blogs and the Spring Cloud Config documentation, I still couldn't find out how I can connect to a remote GITLAB repository, as I'm getting the below error while starting the spring-cloud-config server.
Caused by: com.jcraft.jsch.JSchException: Auth fail
spring:
  cloud:
    config:
      server:
        git:
          uri: git@private_gitlab_repo:project
          search-paths: '{application}'
          skip-ssl-validation: true
          strict-host-key-checking: false
          known-hosts-file: C:\Users\myname\.ssh\known_hosts
spring-boot :2.1.2.RELEASE
spring-cloud.version: Greenwich.RELEASE
OS: Windows-7
With the command prompt, I am able to interact with the GITLAB repository. I do have the SSH key generated and added the public key in the GITLAB settings. Also, I do not have the option to use username and password to connect to GITLAB.
Any pointers on where I'm missing the configuration or steps?
Found that this was an issue with my IntelliJ IDEA IDE; when I tried running the same project from the command prompt it worked without any issues.

Laravel CI/CD in Gitlab, Docker set my IP MySQL

I followed this Gitlab tutorial to test and deploy Laravel applications with GitLab CI/CD and Envoy.
All works well, but when I run a pipeline it shows this error:
PDOException::("SQLSTATE[HY000] [1045] Access denied for user 'user'@'172.17.0.4' (using password: YES)")
My IP server is 172.0.0.1 but the pipeline set the IP by 172.17.0.4.
How can I set the IP to make it work?
Finally, it works. I added only these values to the yml file:
variables:
  MYSQL_DATABASE: mydatabase
  MYSQL_ROOT_PASSWORD: 123456
Obviously the same values go in the .env file.
(I also uninstalled and re-installed MySQL, but I don't know if that helped to solve it)

Dropwizard crashing on Heroku

I am trying to deploy my Dropwizard project to Heroku.
I have added a Procfile and a Postgres DB to the Heroku app.
My Procfile reads:
web: java $JAVA_OPTS -Ddw.server.connector.port=$PORT -Ddw.database.url=$DATABASE_URL -jar target/api-1.0-SNAPSHOT.jar server config.yml
When I try to deploy I receive the following error/crash message in the logs.
org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator: HHH000342: Could not obtain connection to query metadata : Driver:org.postgresql.Driver@53d13cd4 returned null for URL:postgres://fdeqzbddzbefaz:138912590e989b1b8fab5d169a1aea291f04b2d3bc040b1bbf6642a9207a5355@ec2-54-235-101-91.compute-1.amazonaws.com:5432/d67crr4pvqrfee
Unable to create requested service [org.hibernate.engine.jdbc.env.spi.JdbcEnvironment]
State changed from starting to crashed
Process exited with status 1
My config.yml reads:
database:
  # the name of your JDBC driver
  driverClass: org.postgresql.Driver
  # the username
  user: localusername
  # the JDBC URL
  url: jdbc:postgresql://localhost/dbname
# use the simple server factory if you only want to run on a single port
# HEROKU NOTE - the port gets overridden with the Heroku $PORT in the Procfile
server:
  type: simple
  applicationContextPath: /
  #adminContextPath: /admin # If you plan to use an admin path, you'll need to also use non-root app path
  connector:
    type: http
    port: 8080
Does anyone have any troubleshooting ideas?
The DATABASE_URL env var is not directly compatible with the JDBC URL format. See docs. Specifically,
The DATABASE_URL for the Heroku Postgres add-on follows the below convention
postgres://username:password@host:port/dbname
However the Postgres JDBC driver uses the following convention:
jdbc:postgresql://host:port/dbname?user=username&password=password
Instead, try using JDBC_DATABASE_URL as documented here
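The two URL shapes the answer contrasts differ in where the credentials live: the Heroku form carries them in the authority part, the JDBC form wants them as query parameters. The following added example (my own code, not from the thread, Heroku or the PostgreSQL driver) does that rewrite for cases where JDBC_DATABASE_URL is not available, taking care to percent-decode the userinfo and re-encode it as query parameters so a password containing characters such as @ survives the move. The sample DATABASE_URL below is constructed with placeholder credentials.

```python
from urllib.parse import urlparse, urlencode, unquote

# Constructed sample in the shape the answer describes (placeholder credentials, not real).
SAMPLE_DATABASE_URL = (
    "postgres://dbuser:s3cr%40t@ec2-198-51-100-7.compute-1.amazonaws.com:5432/d0example"
)


def heroku_to_jdbc(database_url: str) -> str:
    """Rewrite postgres://user:password@host:port/db into the form the PostgreSQL
    JDBC driver accepts: jdbc:postgresql://host:port/db?user=...&password=...

    Credentials are moved out of the authority into query parameters; host, port
    and database name stay where they are. The port defaults to 5432 when absent.
    """
    parsed = urlparse(database_url)
    if parsed.scheme not in ("postgres", "postgresql"):
        raise ValueError(f"unexpected scheme {parsed.scheme!r}")
    if not parsed.hostname or not parsed.path or parsed.path == "/":
        raise ValueError("DATABASE_URL must carry a host and a database name")

    port = parsed.port or 5432
    params = {}
    # urlparse leaves userinfo percent-encoded; decode it, then let urlencode
    # re-encode it correctly for the query string.
    if parsed.username is not None:
        params["user"] = unquote(parsed.username)
    if parsed.password is not None:
        params["password"] = unquote(parsed.password)

    jdbc = f"jdbc:postgresql://{parsed.hostname}:{port}{parsed.path}"
    if params:
        jdbc += "?" + urlencode(params)
    return jdbc


if __name__ == "__main__":
    # Value you would pass as -Ddw.database.url=... in the Procfile instead of $DATABASE_URL.
    print(heroku_to_jdbc(SAMPLE_DATABASE_URL))
```

Because the result embeds the password in a command-line argument when used in the Procfile, prefer the JDBC_DATABASE_URL variable the answer links to where Heroku provides it; the conversion above is for environments that only expose the postgres:// form.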
