programmerconsociatio

Reputation: 101

Iss claim not valid Keycloak

I use the Keycloak service to log in to my web app. As a backend I use Spring with OAuth 2.0 security. When I make a request with Postman using the bearer token obtained from Keycloak, it gives me a 401 error, and in the text of the response, next to the WWW-Authenticate entry, it tells me:

Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: The iss claim is not valid", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

How could I solve this problem?

Upvotes: 8

Views: 21458

Answers (4)

Mike Menko

Reputation: 1049

I had the same problem with "the iss claim is not valid", and it is clear that the problem is in the setting of issuer-uri. My case is that when you run Keycloak in a Docker container and the application locally, everything is fine. But if you run the application in a container as well, then you set the issuer as 'http://host.docker.internal:8080' or by the name of the container, 'http://keycloak:8080'. As a result iss will not match, because it is still 'http://localhost:8080'. The solution can be the following: Keycloak container variables KC_HOSTNAME=http://host.docker.internal:8080/ and KC_HOSTNAME_BACKCHANNEL_DYNAMIC=true

Solution found here: https://www.reddit.com/r/KeyCloak/comments/tfgcbg/how_to_change_iss_in_generated_token/

Upvotes: 4

afshar

Reputation: 703

In my case I wrongly used 127.0.0.1 instead of localhost in the config:

spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8080/realms/master

because it is localhost in the access_token:

[screenshot of the decoded access_token, showing the iss claim with localhost]

Upvotes: 3

Hamid Reza Sharifi

Reputation: 452

The OAuth2 properties in application.properties must be the same as the Keycloak address:

spring.security.oauth2.resourceserver.jwt.issuer-uri=http://keycloak-IP:Port/auth/realms/XXX

Upvotes: 2

ch4mp

Reputation: 12835

The Spring config value must be exactly the same as the iss claim value. Even the trailing slash, if any, matters.

Do as @BenchVue wrote in a comment: open one of the access-token JWTs in jwt.io, copy the iss claim value and paste it into the Spring conf.

Another option is to remove the issuer validation from the JWT decoder: provide jwk-set-uri in your conf and remove issuer-uri, but be aware that in this case the token validation will be done only using its signature.

Upvotes: 7
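The exact-string comparison that ch4mp and afshar describe, as an added diagnostic script that is not part of any answer on this page and is not Spring's or Keycloak's own code. It reads the iss claim out of a token (without verifying the signature; it is a troubleshooting aid, and the resource server still does the real verification), compares it with a configured issuer-uri the way Spring does, and explains the difference in terms of the cases the answers mention: trailing slash, host (127.0.0.1 or a container name versus localhost) and the /auth path prefix. The sample token, its claims and the configured URIs are constructed for the example.

```python
import base64
import json
from urllib.parse import urlsplit


def _b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # restore the padding that the JWT encoding strips
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS token WITHOUT checking its signature.

    Diagnostic only: this tells you what Keycloak put into iss, it does not
    tell you the token is genuine. Spring still verifies the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def issuer_matches(configured_issuer_uri: str, iss_claim: str) -> bool:
    """Spring compares issuer-uri and iss as exact strings, slash included."""
    return configured_issuer_uri == iss_claim


def diagnose_issuer_mismatch(configured_issuer_uri: str, iss_claim: str) -> list:
    """List why the configured issuer differs from the token's iss (empty if equal)."""
    if issuer_matches(configured_issuer_uri, iss_claim):
        return []
    reasons = []
    c, t = urlsplit(configured_issuer_uri), urlsplit(iss_claim)
    if c.scheme != t.scheme:
        reasons.append(f"scheme differs: {c.scheme} vs {t.scheme}")
    if c.netloc != t.netloc:
        # e.g. 127.0.0.1, host.docker.internal or a container name vs localhost
        reasons.append(f"host/port differs: {c.netloc} vs {t.netloc}")
    if c.path.rstrip("/") != t.path.rstrip("/"):
        # e.g. a stale /auth prefix in front of /realms/<realm>
        reasons.append(f"path differs: {c.path} vs {t.path}")
    elif c.path != t.path:
        reasons.append("trailing slash differs")
    if not reasons:
        reasons.append("strings differ (query string or fragment?)")
    return reasons


# Constructed sample token: a realistic claim set with a dummy signature.
_SAMPLE_CLAIMS = {
    "iss": "http://localhost:8080/realms/master",
    "sub": "example-user",
    "azp": "web-app",
    "exp": 1700000000,
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps(_SAMPLE_CLAIMS).encode()),
    _b64url_encode(b"not-a-real-signature"),
])

if __name__ == "__main__":
    iss = decode_jwt_payload(SAMPLE_TOKEN)["iss"]
    # constructed issuer-uri values covering the cases from the answers above
    for configured in [
        "http://localhost:8080/realms/master",
        "http://localhost:8080/realms/master/",
        "http://127.0.0.1:8080/realms/master",
        "http://keycloak:8080/auth/realms/master",
    ]:
        print(configured, "->", diagnose_issuer_mismatch(configured, iss) or "OK")
```

Run it with a real access token pasted in place of SAMPLE_TOKEN to see which part of your issuer-uri disagrees with what Keycloak actually issues; the fix is always on the Spring side (copy the iss value verbatim) or on the Keycloak side (KC_HOSTNAME, as in the Docker answer), never by loosening the comparison.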
