Merge pull request keycloak#1115 from mposolda/master

Fix clustering when auth-server-url-for-backend-requests is used

core/src/main/java/org/keycloak/RSATokenVerifier.java

@@ -39,7 +39,7 @@ public static AccessToken verifyToken(String tokenString, PublicKey realmKey, St
             throw new VerificationException("Realm URL is null. Make sure to add auth-server-url to the configuration of your adapter!");
         }
         if (!realmUrl.equals(token.getIssuer())) {
-            throw new VerificationException("Token audience doesn't match domain.");
+            throw new VerificationException("Token audience doesn't match domain. Token issuer is " + token.getIssuer() + ", but URL from configuration is " + realmUrl);
 
         }
         if (checkActive && !token.isActive()) {

examples/demo-template/testrealm.json

@@ -146,16 +146,6 @@
             "adminUrl": "/database",
             "baseUrl": "/database",
             "bearerOnly": true
-        },
-        {
-            "name": "rest-resources",
-            "enabled": true,
-            "publicClient": true,
-            "adminUrl": "/rest-resources",
-            "baseUrl": "/rest-resources",
-            "redirectUris": [
-                "/rest-resources/*"
-            ]
         }
     ],
     "oauthClients": [

examples/fuse/camel/src/main/java/org/keycloak/example/CamelHelloProcessor.java

@@ -20,7 +20,6 @@ public void process(Exchange exchange) throws Exception {
         String username = accessToken.getPreferredUsername();
         String fullName = accessToken.getName();
 
-        // send a html response with fullName from LDAP
         exchange.getOut().setBody("Hello " + username + "! Your full name is " + fullName + ".");
     }
 }

examples/fuse/fuse-admin/README.md

@@ -29,10 +29,10 @@ This file contains configuration of the client application, which is used by JAA
 
 4) Start Fuse and install `keycloak` JAAS realm into Fuse. This could be done easily by installing `keycloak-jaas` feature, which has JAAS realm predefined 
 (you are able to override it by using your own `keycloak` JAAS realm with higher ranking). As long as you already installed `keycloak-fuse-example` feature as mentioned 
-in [examples readme](../README.md), you can skip this step as `keycloak-jaas` is installed already. Otherwise use those commands (replace Keycloak version with current one):
+in [examples readme](../README.md), you can skip this step as `keycloak-jaas` is installed already. Otherwise use those commands (replace Keycloak version in this command with the current version):
 
 ```
-features:addurl mvn:org.keycloak/keycloak-osgi-features/1.1.0.Final/xml/features
+features:addurl mvn:org.keycloak/keycloak-osgi-features/1.2.0.Beta1/xml/features
 features:install keycloak-jaas
 ```
 

integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java

@@ -90,15 +90,15 @@ public String getAuthServerBaseUrl() {
 
     public void setAuthServerBaseUrl(AdapterConfig config) {
         this.authServerBaseUrl = config.getAuthServerUrl();
-        if (authServerBaseUrl == null && config.getAuthServerUrlForBackendRequests() == null) return;
+        String authServerURLForBackendReqs = config.getAuthServerUrlForBackendRequests();
+        if (authServerBaseUrl == null && authServerURLForBackendReqs == null) return;
 
         URI authServerUri = null;
         if (authServerBaseUrl != null) {
             authServerUri = URI.create(authServerBaseUrl);
         }
 
         if (authServerUri == null || authServerUri.getHost() == null) {
-            String authServerURLForBackendReqs = config.getAuthServerUrlForBackendRequests();
             if (authServerURLForBackendReqs != null) {
                 relativeUrls = RelativeUrlsUsed.BROWSER_ONLY;
 
@@ -116,7 +116,13 @@ public void setAuthServerBaseUrl(AdapterConfig config) {
             relativeUrls = RelativeUrlsUsed.NEVER;
             KeycloakUriBuilder serverBuilder = KeycloakUriBuilder.fromUri(authServerBaseUrl);
             resolveBrowserUrls(serverBuilder);
-            resolveNonBrowserUrls(serverBuilder);
+
+            if (authServerURLForBackendReqs == null) {
+                resolveNonBrowserUrls(serverBuilder);
+            } else {
+                serverBuilder = KeycloakUriBuilder.fromUri(authServerURLForBackendReqs);
+                resolveNonBrowserUrls(serverBuilder);
+            }
         }
     }
 
@@ -132,6 +138,7 @@ protected void resolveBrowserUrls(KeycloakUriBuilder authUrlBuilder) {
 
         String login = authUrlBuilder.clone().path(ServiceUrlConstants.AUTH_PATH).build(getRealm()).toString();
         authUrl = KeycloakUriBuilder.fromUri(login);
+        realmInfoUrl = authUrlBuilder.clone().path(ServiceUrlConstants.REALM_INFO_PATH).build(getRealm()).toString();
     }
 
     /**
@@ -145,7 +152,6 @@ protected void resolveNonBrowserUrls(KeycloakUriBuilder authUrlBuilder) {
         tokenUrl = authUrlBuilder.clone().path(ServiceUrlConstants.TOKEN_PATH).build(getRealm()).toString();
         logoutUrl = KeycloakUriBuilder.fromUri(authUrlBuilder.clone().path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH).build(getRealm()).toString());
         accountUrl = authUrlBuilder.clone().path(ServiceUrlConstants.ACCOUNT_SERVICE_PATH).build(getRealm()).toString();
-        realmInfoUrl = authUrlBuilder.clone().path(ServiceUrlConstants.REALM_INFO_PATH).build(getRealm()).toString();
         registerNodeUrl = authUrlBuilder.clone().path(ServiceUrlConstants.CLIENTS_MANAGEMENT_REGISTER_NODE_PATH).build(getRealm()).toString();
         unregisterNodeUrl = authUrlBuilder.clone().path(ServiceUrlConstants.CLIENTS_MANAGEMENT_UNREGISTER_NODE_PATH).build(getRealm()).toString();
     }

integration/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java

@@ -322,7 +322,7 @@ protected AuthChallenge resolveCode(String code) {
             }
             log.debug("Token Verification succeeded!");
         } catch (VerificationException e) {
-            log.error("failed verification of token");
+            log.error("failed verification of token: " + e.getMessage());
             return challenge(403);
         }
         if (tokenResponse.getNotBeforePolicy() > deployment.getNotBefore()) {

integration/adapter-core/src/test/java/org/keycloak/adapters/KeycloakDeploymentBuilderTest.java

@@ -33,7 +33,7 @@ public void load() throws Exception {
         assertTrue(deployment.isExposeToken());
         assertEquals("234234-234234-234234", deployment.getResourceCredentials().get("secret"));
         assertEquals(20, ((ThreadSafeClientConnManager) deployment.getClient().getConnectionManager()).getMaxTotal());
-        assertEquals("https://localhost:8443/auth/realms/demo/protocol/openid-connect/token", deployment.getTokenUrl());
+        assertEquals("https://backend:8443/auth/realms/demo/protocol/openid-connect/token", deployment.getTokenUrl());
         assertTrue(deployment.isAlwaysRefreshToken());
         assertTrue(deployment.isRegisterNodeAtStartup());
         assertEquals(1000, deployment.getRegisterNodePeriod());

testsuite/docker-cluster/shared-files/deploy-examples.sh

@@ -33,6 +33,9 @@ for I in *.war/WEB-INF/keycloak.json; do
   sed -i -e 's/\"bearer-only\" : true,/&\n    \"credentials\" : \{ \"secret\": \"password\" \},/' $I;
 done;
 
+# Configure database.war
+sed -i -e 's/\"auth-server-url\": \"\/auth\",/\"auth-server-url\": \"http:\/\/localhost:8000\/auth\",/' database.war/WEB-INF/keycloak.json;
+
 # Enable distributable for customer-portal
 sed -i -e 's/<\/module-name>/&\n    <distributable \/>/' customer-portal.war/WEB-INF/web.xml