Assistance needed: Quarkus OIDC multitenancy with Keycloak

[roman-galyaminskiy]

We have multiple tenants each accessing the app from its URL (ex: https://tenant1.myapp.net). To support multitenant setup in Keycloak (via organizations, not realms), we are using TenantConfigResolver:

Internal Keycloak URL for auth-server-url:

quarkus.oidc.tenant1.auth-server-url=http://localhost:28080/api/keycloak/realms/myrealm
quarkus.oidc.tenant2.auth-server-url=http://localhost:28080/api/keycloak/realms/myrealm

And matching public URLs to prevent "Issuer (iss) claim value doesn't match expected value":

quarkus.oidc.tenant1.token.issuer=https://tenant1.myapp.net/api/keycloak/realms/myrealm
quarkus.oidc.tenant2.token.issuer=https://tenant2.myapp.net/api/keycloak/realms/myrealm

Using these two properties allows us to use the internal URL for cross-service communications within the cluster - that's great!

However, we are also using Keycloak for authorization, utilizing the Quarkus Keycloak authorization client. The problem is that here we cannot use the internal URL, since according to Keycloak docs, dynamic frontend and backend URLs are mutually exclusive:

If hostname-backchannel-dynamic is set to true, hostname must be set to a URL (not just hostname). Otherwise Keycloak would not know what is the correct frontend URL (incl. port etc.) when being access via the dynamically resolved backchannel.

Keycloak config:

KC_HOSTNAME_BACKCHANNEL_DYNAMIC=false  
KC_HOSTNAME_STRICT=false  
KC_HTTP_ENABLED=true  
KC_HTTP_RELATIVE_PATH=/api/keycloak  
KC_PROXY_HEADERS=xforwarded

Setting auth-server-url to the internal URL results in {"error":"invalid_grant","error_description":"Invalid bearer token"} when attempting authorization.

quarkus.oidc.auth-server-url=http://localhost:28080/api/keycloak/realms/myrealm

The only way we managed to make it work was to use tenant-specific public URLs for auth-server-url. But this forces us to use public URLs within the cluster, which seems non-optimal.

Questions:

Is this a valid approach? Is there a Quarkus OIDC configuration option that would allow using the internal URL for authorization as well, or is relying on public URLs the only supported way?

Versions:

Quarkus: 3.18.4
Keycloak: 26.0.5

[quarkus-bot[bot]]

/cc @pedroigor (keycloak,oidc), @sberyozkin (keycloak,oidc)

[sberyozkin]

@roman-galyaminskiy Thanks for the detailed description, so, when using quarkus-keycloak-authorization, the internal URL does not work when quarkus-keycloak-authorization attempts to get to the Keycloak authorization endpoint, only public URLs work ?

I'm not sure Quarkus can help here. May be you can get a more specific feedback in the Keycloak GitHub Discussions ?

@pedroigor Pedro, do you have some hints ? Thanks

[roman-galyaminskiy]

the internal URL does not work when quarkus-keycloak-authorization attempts to get to the Keycloak authorization endpoint, only public URLs work?

Yes, that's the issue.

I've created a discussion in Keycloak repo before asking here. Unfortunately, I haven't gotten a response there.

[sberyozkin]

@pedroigor Hi Pedro, can you please comment ?

@roman-galyaminskiy

Setting auth-server-url to the internal URL results in {"error":"invalid_grant","error_description":"Invalid bearer token"} when attempting authorization.

Does this happen during the Keycloak Authorization Client call ?

Can you please try to look deeper into the Keycloak code and check why exactly sending the token over the internal API fails the verification ? May be we can come up with some workarounds