nest-keycloak-connect
Question: Error Wrong ISS between keycloak and nestjs app container
Hello,
I currently have a docker architecture with a nginx that serves as a reverse proxy, a nestjs backend and a keycloak, each on different containers and on the same network.
When I make an api request from my frontend, I give a jwt token from the frontend to the backend. But the backend returns this error:
WARN [Keycloak] Cannot validate access token: Error: Grant validation failed. Reason: invalid token (wrong ISS)
Note that I've configured my nginx with my domain name and SSL certificates.
Extract from my configuration on my nestjs backend:
authServerUrl: "https://keycloak.domain.name", realm: "real-name", clientId: "client-id", secret: "secret"
Thanks in advance for your help
Update: I've added a log that prints the contents of "keycloak.grantManager",
Is it normal to have a clientId and secret undefined knowing that I specify them as shown on the screen below?
.env:
KEYCLOAK_REALM='realm-name'
KEYCLOAK_CLIENT_ID='realm-client-id'
KEYCLOAK_BASE_URL='https:/domain-name'
KEYCLOAK_SECRET='secret'
Update:
I hard-coded my Keycloak variables in the code and I now have values for my realm and my baseUrl; however, a new error now appears:
Is it possible to specify the public key?
Related to #174.
I'm having the invalid token (wrong ISS) error. I've read this issue and the fix to #174 in https://github.com/ferrerojosh/nest-keycloak-connect/commit/43977c74e42e457261b9120730f59c7e6cd4fca7. But it is not clear to me how to implement the fix in order to fix wrong ISS error.
Pointers would be appreciated.
NOTE: I've tried tokenValidation: TokenValidation.NONE and still get the error
This problem has been around for 2 years - it is crucial for the integration of Keycloak into NestJS. However, the authors, for some reason, do not want to solve it. What a shame.
My issue was that for authServerUrl I was pointing it to http://localhost:8080/auth but for newer versions of Keycloak it is http://localhost:8080. After that no more invalid token (wrong ISS)
I'm able to run it in my local machine with authServerUrl: http://localhost:8080, but once I'm trying with production and I have authServerUrl: https://domain.com I get invalid token (wrong ISS). The only difference between local and prod is that I have a nginx reverse proxy to terminate SSL. @DimRX were you able to figure it out?
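
A way to see which part of the issuer differs when this error appears, as an added example that is not part of any post in this thread or of nest-keycloak-connect. It assumes the adapter expects `iss` to equal `authServerUrl + "/realms/" + realm`; the function names, the internal hostname `keycloak:8080` and the sample tokens are constructed for illustration.

```javascript
// Diagnostic only: reads the payload WITHOUT verifying the signature.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Assumption: expected issuer = authServerUrl (trailing slashes stripped)
// + "/realms/" + realm.
function expectedIssuer(authServerUrl, realm) {
  return authServerUrl.replace(/\/+$/, "") + "/realms/" + realm;
}

// Reports which URL component of iss differs from the expected issuer.
function diagnoseIssuer(token, authServerUrl, realm) {
  const iss = decodeJwtPayload(token).iss;
  const expected = expectedIssuer(authServerUrl, realm);
  const hints = [];
  if (iss !== expected) {
    try {
      const a = new URL(iss), e = new URL(expected);
      if (a.protocol !== e.protocol) hints.push("scheme");
      if (a.host !== e.host) hints.push("host");
      if (a.pathname !== e.pathname) hints.push("path");
    } catch {
      hints.push("unparseable"); // iss missing or not an absolute URL
    }
  }
  return { ok: iss === expected, iss, expected, hints };
}

// Constructed, unsigned sample token so the example runs offline.
function sampleToken(iss) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return [b64({ alg: "none", typ: "JWT" }), b64({ iss }), "sig"].join(".");
}

// Constructed cases: [iss in token, configured authServerUrl].
const CASES = [
  ["http://localhost:8080/realms/realm-name", "http://localhost:8080/auth"],
  ["http://keycloak:8080/realms/realm-name", "https://keycloak.domain.name"],
  ["https://keycloak.domain.name/realms/realm-name", "https://keycloak.domain.name/"],
];
for (const [iss, url] of CASES) {
  console.log(diagnoseIssuer(sampleToken(iss), url, "realm-name"));
}
```

A "path" hint matches the `/auth` prefix case reported above; "scheme" or "host" hints mean the token was issued under a different URL than the one the backend is configured with.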