
validation issuer for oidc discovery configuration #9019

Closed
waiet opened this issue Sep 15, 2020 · 3 comments
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: duplicate A duplicate of another issue

Comments

waiet commented Sep 15, 2020

I have a Spring Boot application with the following Spring Boot configuration:

```yaml
spring:
  security:
    oauth2:
      client:
        provider:
          keycloak:
            issuer-uri: http://gateway:8080/auth/realms/myrealm
        registration:
          keycloak:
            client-id: spring-security
            client-secret: 6cea952f-10d0-4d00-ac79-cc865820dc2c
```

I want to use the OpenID Connect discovery configuration with Keycloak as the OIDC provider. My Keycloak is behind a proxy, and the Keycloak frontend URL (e.g. the login URL) is different from the backend Keycloak URL (e.g. the URL for obtaining a token). The issue is that when the application starts I get this error:

```
The Issuer "http://myfrontend.com/auth/realms/myrealm" provided in the configuration metadata did not match the requested issuer "http://gateway:8080/auth/realms/myrealm"
```

This validation is here:
https://github.com/spring-projects/spring-security/blob/master/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoderProviderConfigurationUtils.java#L67

My OpenID Connect discovery endpoint returns the issuer with the frontend URL, `"issuer": "http://myfrontend.com/auth/realms/myrealm"`, and this is compared with the `issuer-uri` value from the configuration. I don't know why this validation exists. I also created a ticket for Keycloak, https://issues.redhat.com/browse/KEYCLOAK-14579, but according to the Keycloak team the issuer is correct with the frontend channel URL.

To Reproduce
A Spring Boot application with Spring Security using OIDC discovery configuration against Keycloak. Keycloak should be behind a proxy and should be configured with a frontend URL that differs from the backend URL.
The error occurs when the application starts.

Expected behavior
This validation should not exist. Or, if this validation is right, the OIDC discovery endpoint (on Keycloak) should return the issuer with the backchannel URL.

@waiet waiet added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Sep 15, 2020
jgrandja (Contributor) commented

@waiet The configuration issuer-uri: http://gateway:8080/auth/realms/myrealm specifies the host for the gateway, which is not the same as the OIDC Issuer. This misconfiguration is resulting in the error. The actual OIDC Issuer is http://myfrontend.com.

Since you need to go through a Proxy, the issuer-uri property will not work and instead you need to configure the authorization-uri and token-uri properties. See gh-8882 for further details.

As well, you will need to supply a custom RestOperations configured with the appropriate Proxy settings and supply this to DefaultAuthorizationCodeTokenResponseClient and OidcUserService. For a complete sample configuration see gh-8882.

I'm going to close this as a duplicate.

@jgrandja jgrandja added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Sep 21, 2020
waiet (Author) commented Sep 21, 2020

@jgrandja
I think this issue isn't a duplicate, because communication (back channel) between the application and the identity provider (Keycloak) goes via the internal network, and the identity provider has a different address than the address for the frontend channel (authorization URI). I don't know why there is validation of the issuer from the configuration (`issuer-uri`) against the issuer from the discovery configuration. In the discovery configuration I have the right `authorization-uri` and `token-uri`. If validation of the issuer is required, then maybe the identity provider should provide the issuer in the discovery configuration with the back channel address (http://gateway:8080/auth/realms/myrealm).

My configuration from OIDC discovery:

```json
{
  "issuer": "http://myfrontend.com/auth/realms/myrealm",
  "authorization_endpoint": "http://myfrontend.com/auth/realms/myrealm/protocol/openid-connect/auth",
  "token_endpoint": "http://gateway:8080/auth/realms/myrealm/protocol/openid-connect/token",
  "token_introspection_endpoint": "http://gateway:8080/auth/realms/myrealm/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "http://gateway:8080/auth/realms/myrealm/protocol/openid-connect/userinfo",
  "end_session_endpoint": "http://myfrontend.com/auth/realms/myrealm/protocol/openid-connect/logout",
  "jwks_uri": "http://gateway:8080/auth/realms/myrealm/protocol/openid-connect/certs",
  "check_session_iframe": "http://myfrontend.com/auth/realms/myrealm/protocol/openid-connect/login-status-iframe.html",
  "registration_endpoint": "http://gateway:8080/auth/realms/myrealm/clients-registrations/openid-connect",
  "introspection_endpoint": "http://gateway:8080/auth/realms/myrealm/protocol/openid-connect/token/introspect"
}
```

jgrandja (Contributor) commented

@waiet

> I don't know why there is validation of the issuer from the configuration (`issuer-uri`) against the issuer from the discovery configuration

This validation is required as per spec:

> The issuer value returned MUST be identical to the Issuer URL that was directly used to retrieve the configuration information.

Based on your environment's OIDC configuration metadata, I see a mix of http://myfrontend.com and http://gateway:8080, which is interesting. I don't see this as a problem, but it will require extra configuration in your client application. Given that the token_endpoint is accessible via http://gateway:8080, you will need to configure a custom RestOperations with the Proxy settings and supply that to DefaultAuthorizationCodeTokenResponseClient, as I pointed out in the previous comment links. And the userinfo_endpoint will need to be configured the same way, since it goes through the gateway as well.

My previous comment still applies as you will not be able to use OIDC Discovery and instead should specify the authorization-uri, token-uri and user-info-uri properties explicitly and configure a custom RestOperations for DefaultAuthorizationCodeTokenResponseClient and OidcUserService.
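The following is an added example, not Spring Security's code and not written by either participant. It reproduces the OpenID Connect Discovery issuer rule the maintainer quotes (exact string equality between the metadata `issuer` and the issuer URL used to fetch the document) against the discovery metadata posted above, and then groups the endpoints by host so the split between the public frontend and the internal gateway is visible; that split is what forces the explicit `token-uri`/`user-info-uri` plus custom `RestOperations` configuration. The function names (`validate_issuer`, `endpoints_by_host`, `back_channel_hosts_differ_from_issuer`) are this example's own; the metadata is the subset posted in the issue, embedded inline so the script runs offline.

```python
"""Issuer check from OpenID Connect Discovery 1.0, section 4.3, applied to the
metadata posted in the issue. Added example; not Spring Security's own code."""
from urllib.parse import urlsplit

# Discovery document from the issue (constructed inline; a subset of the fields).
DISCOVERY_METADATA = {
    "issuer": "http://myfrontend.com/auth/realms/myrealm",
    "authorization_endpoint": "http://myfrontend.com/auth/realms/myrealm/protocol/openid-connect/auth",
    "token_endpoint": "http://gateway:8080/auth/realms/myrealm/protocol/openid-connect/token",
    "userinfo_endpoint": "http://gateway:8080/auth/realms/myrealm/protocol/openid-connect/userinfo",
    "jwks_uri": "http://gateway:8080/auth/realms/myrealm/protocol/openid-connect/certs",
    "end_session_endpoint": "http://myfrontend.com/auth/realms/myrealm/protocol/openid-connect/logout",
}

# Endpoints the client calls server-to-server (back channel); the browser never sees them.
BACK_CHANNEL = ("token_endpoint", "userinfo_endpoint", "jwks_uri")


class IssuerMismatch(ValueError):
    """Raised when the advertised issuer differs from the configured issuer-uri."""


def discovery_url(issuer_uri: str) -> str:
    """Well-known URL derived from a configured issuer-uri (Discovery section 4.1)."""
    return issuer_uri.rstrip("/") + "/.well-known/openid-configuration"


def validate_issuer(configured_issuer: str, metadata: dict) -> str:
    """Return the advertised issuer if it is identical to the configured issuer-uri.

    The spec demands identity, so this is a plain string comparison: no host
    aliasing, no trailing-slash normalisation. Accepting a different issuer
    would let a token minted for one issuer be accepted under another, which is
    why the check is a hard failure at startup rather than a warning."""
    advertised = metadata.get("issuer")
    if advertised != configured_issuer:
        raise IssuerMismatch(
            f'The Issuer "{advertised}" provided in the configuration metadata '
            f'did not match the requested issuer "{configured_issuer}"'
        )
    return advertised


def issuer_matches(configured_issuer: str, metadata: dict) -> bool:
    """Boolean form of validate_issuer for callers that prefer not to catch."""
    try:
        validate_issuer(configured_issuer, metadata)
    except IssuerMismatch:
        return False
    return True


def endpoints_by_host(metadata: dict) -> dict:
    """Group endpoint names by host:port so a reviewer can see which calls go to
    the public frontend and which go through the internal gateway."""
    groups: dict = {}
    for key, value in metadata.items():
        if key == "issuer" or not isinstance(value, str) or "://" not in value:
            continue
        groups.setdefault(urlsplit(value).netloc, []).append(key)
    return groups


def back_channel_hosts_differ_from_issuer(metadata: dict) -> list:
    """Names of back-channel endpoints whose host differs from the issuer's host.
    Each of these needs its own explicit URI and proxy-aware HTTP client in the
    relying party, because the issuer-derived defaults would point at the frontend."""
    issuer_host = urlsplit(metadata["issuer"]).netloc
    return [
        key for key in BACK_CHANNEL
        if key in metadata and urlsplit(metadata[key]).netloc != issuer_host
    ]


if __name__ == "__main__":
    configured = "http://gateway:8080/auth/realms/myrealm"
    print("would fetch:", discovery_url(configured))
    try:
        validate_issuer(configured, DISCOVERY_METADATA)
    except IssuerMismatch as err:
        print("startup fails:", err)
    # Configuring the frontend URL as issuer-uri satisfies the check...
    validate_issuer("http://myfrontend.com/auth/realms/myrealm", DISCOVERY_METADATA)
    # ...but the back channel still points at the gateway, so explicit
    # endpoint configuration is needed either way.
    print(endpoints_by_host(DISCOVERY_METADATA))
    print(back_channel_hosts_differ_from_issuer(DISCOVERY_METADATA))
```

Run it as-is and the first call reproduces the exact startup error from the issue; the second call shows that pointing `issuer-uri` at the frontend would pass the spec check, while the host grouping shows that `token_endpoint`, `userinfo_endpoint` and `jwks_uri` still resolve to `gateway:8080` and therefore need the explicit URIs and proxy-aware `RestOperations` the maintainer describes.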
