Keycloak's access token is validated as a GitHub access token by OAuth2

  docker, github, keycloak, oauth, oauth-2.0

I have some microservices that need to be protected with authentication, so I used OAuth2 + Keycloak. You can see the detailed configuration in this post (Keycloak returns 'Invalid parameter: redirect_uri').

After successfully logging in, Keycloak generates an access token that is routed to the OAuth2 service for validation. Somehow, the OAuth2 service thinks the access token came from GitHub, not from Keycloak. You can see the logs:

123.28.110.207 - 78368701-f2b3-48c2-8f57-3a77a6b385f0 - - [2021/09/28 03:20:52] grafana.my-domain.com GET - "/oauth2/start?rd=https%3A%2F%2Fgrafana.my-domain.com%2F" HTTP/1.1 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" 302 419 0.000 [2021/09/28 03:21:06] [internal_util.go:64] GET https://keycloak.org/api/v3/user?access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJvNXViN... [2021/09/28 03:21:06] [internal_util.go:65] token validation request failed: error performing request: Get "https://keycloak.org/api/v3/user?access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJvNXViNgmU66CrcaFozOg": x509: certificate is valid for *.github.com, github.com, not keycloak.org
123.28.110.207 - a4f32698-44f4-463d-831e-93c292fb91ea - [email protected] [2021/09/28 03:21:06] [AuthSuccess] Authenticated via OAuth2: Session{email:[email protected] user: PreferredUsername: token:true}
123.28.110.207 - a4f32698-44f4-463d-831e-93c292fb91ea - - [2021/09/28 03:21:05] grafana.my-domain.com GET - "/oauth2/callback?state=rVOsXkFxqswYCI8LhKTCOAUUjP76i8k3ltnqJcoxEDU%3Ahttps%3A%2F%2Fgrafana.my-domain.com%2F&session_state=36f8da18-6477-4a72-a7d2-10aadc5a0679&code=b9bbeb85-45bf-4fb5-ad31-cd6a59fc955f.36f8da18-6477-4a72-a7d2-10aadc5a0679.9f5b720c-0be6-44f0-946f-62e34ca0e5ec" HTTP/1.1 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" 302 63 0.955
123.28.110.207 - a25fe783-0e8f-48de-8040-80e77c98d35b - [email protected] [2021/09/28 03:21:06] grafana.my-domain.com GET - "/" HTTP/1.1 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" 404 19 0.000
123.28.110.207 - c5eeb805-c532-401b-aed4-d462b8b26d11 - [email protected] [2021/09/28 03:21:07] grafana.my-domain.com GET - "/" HTTP/1.1 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" 404 19 0.000

I might be missing something in the Keycloak configuration, but I don't really know what. Any suggestions would be highly appreciated.

Source: Docker Questions
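The log above shows the proxy treating a Keycloak-issued JWT like a GitHub opaque token: it sends it as a query parameter to a GitHub-style `/api/v3/user` path on a host whose certificate belongs to github.com. The script below is an added example, not code from the post or from oauth2-proxy, that makes the two halves of that failure visible on the defender's side: it reads the unverified `iss` claim of a token and compares the configured validation URL against the issuer, and it parses the `x509: certificate is valid for ..., not ...` error into structured fields. The issuer URL, realm, username and the token's contents are constructed placeholders; the sample log line is taken from the post. Reading the header and payload without checking the signature is only for routing the token to the right validator; the signature must still be verified against the issuer's JWKS.

```python
import base64
import json
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed placeholder: the realm issuer a Keycloak-aware proxy would be configured with.
KEYCLOAK_ISSUER = "https://keycloak.example.internal/auth/realms/grafana"

# Log line from the post (token truncated), used here as sample input.
SAMPLE_LOG_LINE = (
    '[2021/09/28 03:21:06] [internal_util.go:65] token validation request failed: '
    'error performing request: Get "https://keycloak.org/api/v3/user?access_token=eyJhbGciOiJSUzI1NiIs...": '
    'x509: certificate is valid for *.github.com, github.com, not keycloak.org'
)

X509_RE = re.compile(r"x509: certificate is valid for (?P<sans>.+?), not (?P<host>[\w.\-]+)")


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as used by JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Decode a JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(issuer: str, username: str = "alice") -> str:
    """Build a constructed JWT in Keycloak's shape. The signature segment is a
    placeholder, so this token would (correctly) fail any real verification."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    payload = {"iss": issuer, "preferred_username": username, "typ": "Bearer"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        b64url_encode(b"constructed-signature"),
    ])


def decode_jwt_unverified(token: str) -> Tuple[Dict, Dict]:
    """Split a JWT into header and payload WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def expected_userinfo_endpoint(issuer: str) -> str:
    """Keycloak's standard userinfo path under the realm issuer (advertised in
    <issuer>/.well-known/openid-configuration)."""
    return issuer.rstrip("/") + "/protocol/openid-connect/userinfo"


def check_token_routing(token: str, configured_issuer: str, validate_url: str) -> List[str]:
    """Explain why a validation request for this token would fail or be unsafe."""
    findings = []
    _header, payload = decode_jwt_unverified(token)
    if payload.get("iss") != configured_issuer:
        findings.append(f"issuer mismatch: token iss={payload.get('iss')!r}, configured={configured_issuer!r}")
    if "/api/v3/user" in validate_url or "access_token=" in validate_url:
        findings.append("validate URL follows the GitHub opaque-token pattern (token in query string); "
                        "a Keycloak JWT should be verified against the realm JWKS instead")
    if urlsplit(validate_url).hostname != urlsplit(configured_issuer).hostname:
        findings.append(f"validate host {urlsplit(validate_url).hostname!r} is not the issuer host "
                        f"{urlsplit(configured_issuer).hostname!r}")
    return findings


def parse_x509_mismatch(log_line: str) -> Optional[Dict[str, object]]:
    """Extract the certificate SANs and the requested host from an x509 error."""
    m = X509_RE.search(log_line)
    if not m:
        return None
    return {"sans": [s.strip() for s in m.group("sans").split(",")], "host": m.group("host")}


if __name__ == "__main__":
    tok = make_sample_token(KEYCLOAK_ISSUER)
    for f in check_token_routing(tok, KEYCLOAK_ISSUER, "https://keycloak.org/api/v3/user?access_token=" + tok):
        print("finding:", f)
    print("x509:", parse_x509_mismatch(SAMPLE_LOG_LINE))
```

Run against the post's validation URL the checker reports both the GitHub-style token-in-query pattern and the host mismatch, while the realm's own userinfo endpoint produces no findings; the x509 parser turns the error into the SAN list and the requested host, which is the pair to compare when triaging this class of misrouted validation in proxy logs.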
