I'm creating a Spring Boot application that must operate on Keycloak users in a dockerized context. I am using Keycloak Admin Client Java API, and everything works fine if I run Keycloak through Docker and Spring Boot separately, in IntelliJ. I am also able to authenticate my Angular frontend through Keycloak.
Instead, when I run Spring Boot inside a container too, I have problems concerning the use of the token, since I am able either to use the Keycloak admin frontend, if I set the hostname to localhost in the docker-compose, or to let Keycloak Admin Client connect to Keycloak without complaining about the difference between the issuer present in the JWT token and the host it is contacting.
Is there a way to have both working?
I am using Spring Boot 3.4.0 and Keycloak Admin Client 26.0.4.
Here is one of the many configurations I've tried. In this one I am able to use the Admin frontend and to authenticate to the backend through Keycloak, but when I try to use the Java admin API integration the backend says: java.lang.IllegalStateException: The Issuer "http://localhost:8080/realms/myrealm" provided in the configuration did not match the requested issuer "http://app-keycloak:8080/realms/myrealm"
docker-compose:

```yaml
services:
  app-be:
    build:
      context: .
    container_name: app-be
    depends_on:
      - app-keycloak
    ports:
      - "8080:8080"
    networks:
      - app-network
  app-keycloak:
    image: quay.io/keycloak/keycloak:26.1.3
    container_name: app-keycloak
    command: start
    environment:
      KC_HOSTNAME: localhost
      KC_HOSTNAME_STRICT: false
      KC_HOSTNAME_STRICT_HTTPS: false
      KC_HOSTNAME_STRICT_BACKCHANNEL: false
      KC_HTTP_ENABLED: true
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: password
      KC_HEALTH_ENABLED: true
    ports:
      - "8089:8080"
    networks:
      - app-network
networks:
  app-network:
```
application.properties:

```properties
spring.security.oauth2.resourceserver.jwt.issuer-uri=http://app-keycloak:8080/realms/myrealm
security.oauth2.resource.filter-order = 3
```
Admin Client API configuration:

```java
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;

public class KeycloakUserService {

    private final Keycloak keycloak;

    public KeycloakUserService() {
        // Admin Client talks to Keycloak over the compose network, using the service name
        this.keycloak = KeycloakBuilder.builder()
            .serverUrl("http://app-keycloak:8080")
            .realm("myrealm")
            .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
            .clientId("myclient")
            .clientSecret("###secret###")
            .build();
    }
}
```
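The `IllegalStateException` quoted in the question is raised by Spring Security's resource server at startup: it fetches `<issuer-uri>/.well-known/openid-configuration` and compares the `issuer` field in that document, verbatim, with the configured `issuer-uri`. With `KC_HOSTNAME: localhost` Keycloak advertises `http://localhost:8080/realms/myrealm`, while Spring asks for `http://app-keycloak:8080/realms/myrealm`, so the strings differ. The following diagnostic is an added example (my own code, not from the question, Spring or Keycloak) that performs the same comparison, plus the `iss` check done on each token, on constructed inputs; `fetch_discovery` is an assumed helper for pointing it at a live realm instead.

```python
import base64
import json
import urllib.request
from typing import List, Optional

# From the question: what Spring is configured with ...
CONFIGURED_ISSUER = "http://app-keycloak:8080/realms/myrealm"

# ... and a constructed discovery document, trimmed to the relevant fields, showing
# what Keycloak advertises when KC_HOSTNAME is "localhost".
DISCOVERY_WITH_LOCALHOST = json.dumps({
    "issuer": "http://localhost:8080/realms/myrealm",
    "token_endpoint": "http://localhost:8080/realms/myrealm/protocol/openid-connect/token",
})


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (constructed test data only)."""
    def b64(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.placeholder-signature"


def metadata_issuer(discovery_json: str) -> str:
    """The 'issuer' the realm advertises; Spring compares it verbatim with issuer-uri."""
    return json.loads(discovery_json)["issuer"]


def jwt_issuer(token: str) -> str:
    """Read the 'iss' claim without verifying the signature (diagnostic use only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["iss"]


def check_issuer(configured_issuer: str, discovery_json: str,
                 token: Optional[str] = None) -> List[str]:
    """Return the mismatches a resource server would reject; an empty list means consistent."""
    problems = []
    advertised = metadata_issuer(discovery_json)
    if advertised != configured_issuer:
        problems.append(
            f'discovery issuer "{advertised}" != issuer-uri "{configured_issuer}" '
            "(Keycloak hostname setting and Spring issuer-uri disagree)"
        )
    if token is not None:
        iss = jwt_issuer(token)
        if iss != configured_issuer:
            problems.append(f'token iss "{iss}" != issuer-uri "{configured_issuer}"')
    return problems


def fetch_discovery(issuer: str) -> str:
    """Assumed helper: fetch the live discovery document of a real realm (not used offline)."""
    with urllib.request.urlopen(f"{issuer}/.well-known/openid-configuration") as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Scenario from the question: hostname "localhost", issuer-uri "app-keycloak".
    for p in check_issuer(CONFIGURED_ISSUER, DISCOVERY_WITH_LOCALHOST):
        print("MISMATCH:", p)
    # Consistent scenario: one name used everywhere, and the token carries the same iss.
    one_name = "http://host.docker.internal:8089/realms/myrealm"
    ok = check_issuer(one_name, json.dumps({"issuer": one_name}),
                      make_unsigned_jwt({"iss": one_name, "sub": "user"}))
    print("consistent" if not ok else ok)
```

The check is deliberately a plain string comparison, because that is what the resource server does: `localhost` and `app-keycloak` naming the same container does not help, the advertised issuer, the configured `issuer-uri` and the `iss` claim of every token must be the same string, so the hostname Keycloak is started with has to be one that both the browser and the backend container can resolve.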
For mastersofjava they had a similar setup.
Their code is open source: https://github.com/mastersofjava/mastersofjava
To solve this particular issue, I see they start up Keycloak using "--hostname=host.docker.internal":

```yaml
auth:
  image: quay.io/keycloak/keycloak:21.1
  cpus: 1
  mem_reservation: 512m
  mem_limit: 1g
  restart: unless-stopped
  ports:
    - "8888:8080"
  command:
    - "start-dev"
    - "--import-realm"
    - "--hostname=host.docker.internal"
    - "--hostname-strict-https=false"
    - "--http-enabled=true"
```
And in their client application, they use:

```yaml
OIDC_ISSUER_URI: "http://host.docker.internal:8888/realms/moj"
```

Which they use in their application.yaml as:

```yaml
spring:
  security:
    oauth2:
      client:
        provider:
          keycloak:
            issuer-uri: ${OIDC_ISSUER_URI}
      resourceserver:
        jwt:
          issuer-uri: ${OIDC_ISSUER_URI}
```
Not sure if this is strictly necessary or even a good idea, but if it works for them, it might be good enough for you.