Closed 301lj closed 7 months ago
Hi @301lj Thanks for the comment. If you get a token from Keycloak on port 8080 and use it on Keycloak running on port 8081, you might have an "Invalid token issuer". Is that the case?
Yes, as you said, I can use the access_token to exchange for the RPT (including resources) from 8080, but cannot exchange it from 8081. This is what the 8081 log shows:

WARN [org.keycloak.events] (executor-thread-1) type=PERMISSION_TOKEN_ERROR, realmId=95e930c3-ff41-4bf3-92b8-c0562015a50a, clientId=authz-servlet, userId=null, ipAddress=192.168.56.107, error=invalid_token, auth_method=oauth_credentials, grant_type=urn:ietf:params:oauth:grant-type:uma-ticket
I haven't fully figured out the mechanism here, but what I aim to achieve is the ability to get it from both 8080 and 8081. If you know how to modify it to achieve this, please let me know. Thank you!
I've solved this issue temporarily. Keycloak Admin console -> Select your Realm -> Realm settings -> General -> Frontend url and enter: http://192.168.56.107:8080
But I'm not sure if this approach is reasonable.
Hello, could you help me check this issue? Based on what you provided, I tried and found that although the session can be shared, the access token cannot be shared. Is this a problem caused by my configuration, such as cache-ispn-jdbc-ping.xml?
docker run --name keycloak-1 -d -p 8080:8080 \
  -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \
  -e KC_DB=mysql -e KC_DB_URL=jdbc:mysql://192.168.56.107:3306/keycloak \
  -e KC_DB_USERNAME=root -e KC_DB_PASSWORD=secret \
  -e JGROUPS_DISCOVERY_EXTERNAL_IP=keycloak-1 \
  -e KC_CACHE_CONFIG_FILE=cache-ispn-jdbc-ping.xml \
  -v ${PWD}/cache-ispn-jdbc-ping.xml:/opt/keycloak/conf/cache-ispn-jdbc-ping.xml \
  --network keycloak-net quay.io/keycloak/keycloak:22.0.5 \
  start --auto-build --http-enabled=true --hostname-strict-backchannel=false \
  --hostname-strict=false --https-client-auth=none --proxy=edge --metrics-enabled=true

docker run --name keycloak-2 -d -p 8081:8080 \
  -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin \
  -e KC_DB=mysql -e KC_DB_URL=jdbc:mysql://192.168.56.107:3306/keycloak \
  -e KC_DB_USERNAME=root -e KC_DB_PASSWORD=secret \
  -e JGROUPS_DISCOVERY_EXTERNAL_IP=keycloak-2 \
  -e KC_CACHE_CONFIG_FILE=cache-ispn-jdbc-ping.xml \
  -v ${PWD}/cache-ispn-jdbc-ping.xml:/opt/keycloak/conf/cache-ispn-jdbc-ping.xml \
  --network keycloak-net quay.io/keycloak/keycloak:22.0.5 \
  start --auto-build --http-enabled=true --hostname-strict-backchannel=false \
  --hostname-strict=false --https-client-auth=none --proxy=edge --metrics-enabled=true
Step 1: get the access token from 8080.

curl -X POST http://192.168.56.107:8080/realms/quickstart/protocol/openid-connect/token \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'client_id=authz-servlet&client_secret=secret' \
  -d 'username=alice&password=alice&grant_type=password' | jq --raw-output '.access_token'

Step 2: get the RPT from 8081, but it returns null.

curl -X POST http://192.168.56.107:8081/realms/quickstart/protocol/openid-connect/token \
  -H "Authorization: Bearer ${access_token}" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience=authz-servlet"
This is my cache-ispn-jdbc-ping.xml:

<?xml version="1.0" encoding="UTF-8"?>
<infinispan xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="urn:infinispan:config:14.0 http://www.infinispan.org/schemas/infinispan-config-14.0.xsd"
            xmlns="urn:infinispan:config:14.0">
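The failure in both reports above (the `invalid_token` PERMISSION_TOKEN_ERROR when a token minted on 8080 is presented to 8081, and step 2 returning null) comes down to the `iss` claim: each node writes its own base URL into the tokens it issues, and the receiving node compares that claim against the URL it believes it is served on. The following is an added illustration, not Keycloak's code or anything from this thread: it builds a small two-node model with the standard library, signs demo tokens with a constructed HS256 key (Keycloak itself uses the realm's RS256 keys; HS256 is used here only to keep the example dependency-free), and shows why the cross-node exchange is rejected and why pinning one Frontend URL for the realm makes both nodes agree. The addresses and realm name are the ones from the thread; `mint_token`, `verify_token` and `simulate` are hypothetical helper names.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key shared by both nodes (in a real cluster both nodes
# read the same realm keys from the shared database). Not a Keycloak secret.
DEMO_KEY = b"constructed-demo-key-not-a-real-keycloak-secret"
REALM = "quickstart"
NODE_8080 = "http://192.168.56.107:8080"
NODE_8081 = "http://192.168.56.107:8081"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issuer_for(base_url: str, realm: str) -> str:
    """The iss claim is derived from the node's (or the realm's frontend) base URL."""
    return f"{base_url.rstrip('/')}/realms/{realm}"


def mint_token(base_url: str, realm: str, subject: str) -> str:
    """Constructed stand-in for the /token endpoint of the node at base_url."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer_for(base_url, realm), "sub": subject, "azp": "authz-servlet"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, base_url: str, realm: str) -> tuple:
    """Stand-in for the receiving node: check the signature first, then the issuer.
    Returns (ok, reason) so callers can see why a token was refused."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed"
    expected_sig = hmac.new(DEMO_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return False, "bad_signature"
    claims = json.loads(_b64url_decode(p))
    expected_iss = issuer_for(base_url, realm)
    if claims.get("iss") != expected_iss:
        # This is the cross-node case from the thread: a valid signature but an
        # issuer that names the other node, reported as invalid_token.
        return False, f"invalid_token: issuer {claims.get('iss')!r} != {expected_iss!r}"
    return True, "ok"


def simulate(frontend_url: str = None) -> dict:
    """Mint a token on the 8080 node and present it to both nodes.
    Without a frontend URL each node uses its own address as issuer;
    with one, both nodes issue and expect the same iss value."""
    issue_base = frontend_url or NODE_8080
    token = mint_token(issue_base, REALM, "alice")
    return {
        "8080": verify_token(token, frontend_url or NODE_8080, REALM)[0],
        "8081": verify_token(token, frontend_url or NODE_8081, REALM)[0],
    }


if __name__ == "__main__":
    print("no frontend URL:  ", simulate())
    print("frontend URL set: ", simulate(NODE_8080))
```

Running the script prints `{'8080': True, '8081': False}` for the default cluster and `{'8080': True, '8081': True}` once the realm's Frontend URL is fixed to one value, which is the behaviour observed in the thread. The signature check comes before the issuer comparison on purpose: a token that fails either check is refused, and the reason string is what you would look for in the node's event log rather than something to relax.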