Multi Issuer Configuration is not working
The AuthContextInfo is initialized with the first request and is not changed for subsequent requests, even if a JWT token with a different issuer is presented.
When more than one issuer is configured, for example in a .env file:
AUTH_VALID_ISSUERS_LOCAL=http://localhost:8989/realms/neone
AUTH_ISSUERS_LOCAL_PUBLICKEY_LOCATION=http://localhost:8989/realms/neone/protocol/openid-connect/certs
AUTH_VALID_ISSUERS_LOCAL2=http://localhost:8989/realms/neone2
AUTH_ISSUERS_LOCAL2_PUBLICKEY_LOCATION=http://localhost:8989/realms/neone2/protocol/openid-connect/certs
or in application.properties:
auth.valid-issuers.local=http://localhost:8989/realms/neone
auth.issuers.local.publickey.location=http://localhost:8989/realms/neone/protocol/openid-connect/certs
auth.valid-issuers.local2=http://localhost:8989/realms/neone2
auth.issuers.local2.publickey.location=http://localhost:8989/realms/neone2/protocol/openid-connect/certs
For example, a call with a JWT token whose "iss" claim is http://localhost:8989/realms/neone results in:
2024-01-20 17:53:03,452 DEBUG [io.sma.jwt.aut.principal] (vert.x-eventloop-thread-8) SRJWT08019: AuthContextInfo is: JWTAuthContextInfo{publicVerificationKey=null, secretVerificationKey=null, privateDecryptionKey=null, secretDecryptionKey=null, issuedBy='http://localhost:8989/realms/neone', expGracePeriodSecs=0, maxTimeToLiveSecs=null, tokenAge=null, publicKeyLocation='http://localhost:8989/realms/neone/protocol/openid-connect/certs', publicKeyContent='null', decryptionKeyLocation='null', decryptionKeyContent='null', jwksRefreshInterval=60, tokenHeader='Authorization', tokenCookie='null', alwaysCheckAuthorization=false, tokenKeyId='null', tokenDecryptionKeyId='null', tokenSchemes=[Bearer], requireNamedPrincipal=true, defaultSubClaim='null', subPath='null', defaultGroupsClaim='null', groupsPath='null', signatureAlgorithm=RS256, keyEncryptionAlgorithm=[RSA_OAEP, RSA_OAEP_256], keyFormat=ANY, keyProvider=DEFAULT, keyCacheSize=100, keyCacheTimeToLive=10, expectedAudience=null, groupsSeparator=' ', relaxVerificationKeyValidation=true, verifyCertificateThumbprint=false, tlsCertificatePath=null, tlsTrustAll=false, tlsTrustedHosts=null, httpProxyHost=null, httpProxyPort=80}
2024-01-20 17:53:03,453 DEBUG [io.sma.jwt.aut.principal] (vert.x-eventloop-thread-8) SRJWT08043: Trying to create a key from the HTTPS JWK(S)
2024-01-20 17:53:04,690 DEBUG [io.sma.jwt.aut.principal] (vert.x-eventloop-thread-8) SRJWT08043: Trying to create a key from the HTTPS JWK(S)
2024-01-20 17:53:04,691 DEBUG [io.sma.jwt.aut.principal] (vert.x-eventloop-thread-8) SRJWT08026: Trying to create a key from the JWK(S)
Afterwards, a call with a JWT token from the other issuer, e.g. "iss": http://localhost:8989/realms/neone2, results in:
401 Unauthorized
Logs:
2024-01-20 18:00:44,901 DEBUG [io.sma.jwt.aut.principal] (vert.x-eventloop-thread-8) SRJWT08043: Trying to create a key from the HTTPS JWK(S)
2024-01-20 18:00:44,901 DEBUG [io.sma.jwt.aut.principal] (vert.x-eventloop-thread-8) SRJWT08026: Trying to create a key from the JWK(S)
2024-01-20 18:00:44,902 DEBUG [io.sma.jwt.aut.principal] (vert.x-eventloop-thread-8) SRJWT08021: JWK with a matching 'kid' is not available, refreshing HTTPS JWK Set
2024-01-20 18:00:44,918 DEBUG [io.sma.jwt.aut.principal] (vert.x-eventloop-thread-8) SRJWT08024: Trying to create a key from the HTTPS JWK Set after the refresh
2024-01-20 18:00:44,919 DEBUG [io.sma.jwt.aut.principal] (vert.x-eventloop-thread-8) SRJWT08026: Trying to create a key from the JWK(S)
2024-01-20 18:00:44,924 DEBUG [io.sma.jwt.aut.principal] (vert.x-eventloop-thread-8) SRJWT08005: Verification key is unresolvable
To reproduce this behavior, it is important that the "kid" values in the two JSON Web Key Sets (JWKS) are different.
The current docker-compose.keycloak-2.yml
and docker-compose.keycloak-2.yml
configurations deploy two Keycloak instances with the same "kids".
A local Keycloak instance with two separate realms is sufficient.
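As an added example (not code from this project or from SmallRye JWT), the following stand-alone Python model contrasts the reported behaviour with the expected one. It assumes the two issuer URLs and JWKS locations from the configuration above, constructed HS256 secrets standing in for the RSA keys a Keycloak JWKS endpoint would serve, distinct "kid" values per issuer as the reproduction requires, and hypothetical names (`AuthContextInfo` here is a minimal dataclass, `StickyResolver` reuses the first request's context, `PerIssuerResolver` selects a context from each token's issuer). Unlike the real resolver, it does not refresh the JWKS when a "kid" is unknown; it simply reports the key as unresolvable.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for the two issuers in the report. Each issuer has its own
# key set with a distinct 'kid', which the reproduction requires. HS256 secrets
# replace the RSA keys a real Keycloak JWKS endpoint would serve.
ISSUER_CONFIG = {
    "http://localhost:8989/realms/neone": {
        "publickey_location": "http://localhost:8989/realms/neone/protocol/openid-connect/certs",
        "jwks": {"neone-key-1": b"constructed-secret-for-neone"},
    },
    "http://localhost:8989/realms/neone2": {
        "publickey_location": "http://localhost:8989/realms/neone2/protocol/openid-connect/certs",
        "jwks": {"neone2-key-1": b"constructed-secret-for-neone2"},
    },
}


@dataclass
class AuthContextInfo:
    """Hypothetical minimal model of the per-issuer context printed in the log."""
    issued_by: str
    public_key_location: str
    jwks: Dict[str, bytes]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, kid: str, subject: str, secret: bytes) -> str:
    """Build a compact HS256 JWT carrying the given iss, kid and sub (test helper)."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "sub": subject}).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def token_for(issuer: str, kid: str, subject: str) -> str:
    """Mint a token with the configured key of a known issuer."""
    return mint_token(issuer, kid, subject, ISSUER_CONFIG[issuer]["jwks"][kid])


def unverified_issuer(token: str) -> Optional[str]:
    """Read 'iss' before verification; used only to choose which context to verify with."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    return json.loads(_b64url_decode(parts[1])).get("iss")


def context_for(issuer: Optional[str]) -> Optional[AuthContextInfo]:
    """Map an issuer to its configured context, or None when the issuer is not configured."""
    cfg = ISSUER_CONFIG.get(issuer) if issuer else None
    return AuthContextInfo(issuer, cfg["publickey_location"], cfg["jwks"]) if cfg else None


def verify(token: str, ctx: AuthContextInfo) -> Optional[dict]:
    """Verify one token against one context. None stands for the 401 in the report."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    kid = json.loads(_b64url_decode(header_b64)).get("kid")
    secret = ctx.jwks.get(kid)
    if secret is None:
        return None  # no JWK with a matching 'kid' in this issuer's key set: key unresolvable
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ctx.issued_by:
        return None  # signature is valid, but the token belongs to a different issuer
    return claims


class StickyResolver:
    """Reported behaviour: the context chosen on the first request is reused for all later ones."""

    def __init__(self) -> None:
        self.ctx: Optional[AuthContextInfo] = None

    def authenticate(self, token: str) -> Optional[dict]:
        if self.ctx is None:
            self.ctx = context_for(unverified_issuer(token))
        return verify(token, self.ctx) if self.ctx else None


class PerIssuerResolver:
    """Expected behaviour: pick the context from each token's issuer, then verify."""

    def authenticate(self, token: str) -> Optional[dict]:
        ctx = context_for(unverified_issuer(token))
        return verify(token, ctx) if ctx else None
```

With `StickyResolver`, a token from realm neone2 presented after one from realm neone fails with an unresolvable key, exactly as in the logs above; `PerIssuerResolver` accepts both in any order. The "iss" claim is read before verification only to select the key set, and is checked again after the signature is verified, so a token that names one issuer but carries another issuer's "kid" is rejected rather than verified against the wrong key set.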