Keycloak InvalidBearerTokenException Invalid issuer
17:19 04 Oct 2023

I have a Java Spring backend running in a docker container and then a Keycloak also running in a separate container. Both on their own networks.

When I try to make a request to the Java backend that is protected by the Keycloak BE with OAuth, I get this error:

InvalidBearerTokenException: Invalid issuer

I am setting the location of the Keycloak server in the Java BE as the IP of the gateway of the container. From what I understand, because this gateway IP is not the same as the issuer URL, that is why it gives this error.

I have looked at these two questions and tried to implement some of the solutions, to no avail. Maybe I am not understanding them.

I have tried to set KEYCLOAK_FRONTEND_URL on the admin dashboard to the IP of the API gateway, but this then does not let me get the access token in Postman, as it will redirect to this IP and break the auth flow.

I have also tried setting this:

  PROXY_ADDRESS_FORWARDING: "true"
  KEYCLOAK_FRONTEND_URL: "https://example.com/auth"

No luck.

Can someone tell me what I am doing wrong and point me in the right direction ? Please tell me if you need more information.

This is what my security filter looks like on the backend:

    import java.util.Map;
    import java.util.function.Supplier;
    import java.util.stream.Collectors;

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.http.HttpMethod;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
    import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
    import org.springframework.security.web.SecurityFilterChain;

    @Configuration
    public class SecurityConfig {

        // Both collaborators are injected elsewhere in the project; their types are
        // not shown in the question and the names used here are assumed.
        private final JwtProvidersProperty providersProperty;
        private final JwtProviderStrategy jwtProviderStrategy;

        public SecurityConfig(JwtProvidersProperty providersProperty,
                              JwtProviderStrategy jwtProviderStrategy) {
            this.providersProperty = providersProperty;
            this.jwtProviderStrategy = jwtProviderStrategy;
        }

        @Bean
        public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            // The registry methods throw no checked exceptions, so no try/catch is needed.
            http.csrf().disable()
                    .authorizeHttpRequests(authorize -> authorize
                            .antMatchers(HttpMethod.DELETE, "/development/deleteAllUsers").permitAll()
                            .mvcMatchers(HttpMethod.POST, "/createUser").permitAll()
                            .mvcMatchers(HttpMethod.GET, "/test").permitAll()
                            .anyRequest().authenticated())
                    .oauth2ResourceServer(
                            oauth2 -> oauth2.authenticationManagerResolver(getJwtIssuerAuthenticationManagerResolver()));

            http.headers()
                    .xssProtection().disable()
                    .frameOptions().deny()
                    .contentSecurityPolicy("default-src 'self'");

            return http.build();
        }

        @Bean("CurrentUser")
        public Supplier<JwtAuthenticationToken> currentUser() {
            return () -> (JwtAuthenticationToken) SecurityContextHolder.getContext().getAuthentication();
        }

        // One AuthenticationManager per configured provider, keyed by its issuer URI.
        // The resolver reads the (not yet verified) "iss" claim of the bearer token and
        // looks it up in this map; a lookup miss is reported as "Invalid issuer".
        private JwtIssuerAuthenticationManagerResolver getJwtIssuerAuthenticationManagerResolver() {
            Map<String, AuthenticationManager> managers = providersProperty.getProviders()
                    .values()
                    .stream()
                    .collect(Collectors.toMap(p -> p.getIssuerUri(),
                            p -> jwtProviderStrategy.getProvider(p.getKey())::authenticate));

            return new JwtIssuerAuthenticationManagerResolver(managers::get);
        }
    }

Also, I am setting these properties in application.yml:

 jwk-set-uri: http://${KEYCLOAK_HOST:localhost}:${KEYCLOAK_PORT:8180}/auth/realms/myrealm/protocol/openid-connect/certs
 issuer-uri: http://${KEYCLOAK_HOST:localhost}:${KEYCLOAK_PORT:8180}/auth/realms/myrealm

If I run the Java backend locally it works normally. It just breaks on Docker.

java spring keycloak
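Added example (not code from the question or the project it describes): a minimal resource-server configuration that separates the two URLs the question conflates. Spring Security's JwtIssuerAuthenticationManagerResolver takes the raw "iss" claim out of the bearer token and uses it as the map key, so the key has to equal, byte for byte, the issuer string Keycloak writes into tokens; the address the backend uses to download the realm's JWKS can be a different, container-reachable one. The realm name, hostnames and ports below (localhost:8180 as the public issuer, a keycloak service name reachable from the backend container) are assumptions for illustration.

```java
// Added example, not from the question: issuer lookup keyed by the token's
// "iss" claim, JWKS fetched from a separate container-internal address.
// All hostnames, ports and the realm name are assumed values.
package com.example.security;

import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class IssuerAwareResourceServerConfig {

    // The exact string Keycloak puts into "iss". Keycloak derives it from the
    // base URL the token was requested through (or its configured frontend URL),
    // not from the address the backend uses to reach Keycloak. (assumed value)
    private static final String PUBLIC_ISSUER =
            "http://localhost:8180/auth/realms/myrealm";

    // Address at which the backend container can reach Keycloak to download the
    // realm's signing keys, e.g. a service name on a shared docker network. (assumed value)
    private static final String INTERNAL_JWKS_URI =
            "http://keycloak:8080/auth/realms/myrealm/protocol/openid-connect/certs";

    // Builds a manager that verifies signatures against jwkSetUri but requires
    // the "iss" claim to equal expectedIssuer (on top of the default exp/nbf checks).
    static AuthenticationManager managerFor(String expectedIssuer, String jwkSetUri) {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        OAuth2TokenValidator<Jwt> validator = JwtValidators.createDefaultWithIssuer(expectedIssuer);
        decoder.setJwtValidator(validator);
        JwtAuthenticationProvider provider = new JwtAuthenticationProvider(decoder);
        return provider::authenticate;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Map key must match the raw "iss" claim exactly (scheme, host, port,
        // no trailing slash); a lookup miss is what surfaces as "Invalid issuer".
        Map<String, AuthenticationManager> managers = Map.of(
                PUBLIC_ISSUER, managerFor(PUBLIC_ISSUER, INTERNAL_JWKS_URI));

        JwtIssuerAuthenticationManagerResolver resolver =
                new JwtIssuerAuthenticationManagerResolver(managers::get);

        http.csrf().disable()
                .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
                .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(resolver));

        return http.build();
    }
}
```

To see which string has to go into the map, decode the payload of a token obtained through Postman (it is plain base64url JSON) and read its "iss" claim; that value, not the gateway IP the container uses to reach Keycloak, is what the resolver looks up.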