Describe the bug
When validating a user-agent token (created via a public client) from a bearer-only client (backend application) that use different keycloak hostnames, the validation fails with error invalid token (wrong ISS).
Using the external, public url for the keycloak server in the backend application avoids this issue.
The bug also occurs when setting the frontend URL, which changes the authorization_endpoint to the public URL, while maintaining the request URL in the token_endpoint advertisement.
Version
15.0.2
Expected behavior
Given the proposal of the default hostname providers and the frontend url configuration, the nodejs client should accept tokens with ISS that is different from the current realm url.
Actual behavior
No response
How to Reproduce?
No response
Anything else?
I found the specific code to be here:
keycloak-nodejs-connect/middleware/auth-utils/grant-manager.js
Line 427 in bd5ea5f
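
The issuer mismatch the report describes, as an added Node.js example (not part of the original issue and not keycloak-nodejs-connect's own code): a strict comparison of the token's iss against the realm URL built from the server URL the backend is configured with. The hostnames, the realm name, the `issuerUrl` option and every function name are assumptions made for the illustration, and signature verification is left out to keep the focus on the issuer.

```javascript
// Added illustration; hostnames, realm and option names are constructed.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Constructed, unsigned sample token: only the iss claim matters here.
function makeSampleToken(iss) {
  return [b64url({ alg: 'none' }), b64url({ iss, exp: 4102444800 }), ''].join('.');
}

function readIssuer(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('invalid token (malformed)');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8')).iss;
}

// Realm URL derived from a configured server URL (trailing slashes ignored).
function realmUrl(serverUrl, realm) {
  return `${serverUrl.replace(/\/+$/, '')}/realms/${encodeURIComponent(realm)}`;
}

// Hypothetical config shape: issuerUrl pins the one issuer to accept and
// falls back to serverUrl, the URL used for back-channel requests.
function expectedIssuer(config) {
  return realmUrl(config.issuerUrl ?? config.serverUrl, config.realm);
}

// Strict check: exactly one issuer is accepted, never "any hostname".
function checkIssuer(token, config) {
  const iss = readIssuer(token);
  const expected = expectedIssuer(config);
  return iss === expected
    ? { ok: true, iss }
    : { ok: false, reason: 'invalid token (wrong ISS)', iss, expected };
}

const PUBLIC_URL = 'https://sso.example.com/auth'; // what the user agent sees
const INTERNAL_URL = 'http://keycloak:8080/auth';  // what the backend reaches
const token = makeSampleToken(realmUrl(PUBLIC_URL, 'demo'));

// Backend configured with the internal hostname only: the reported failure.
const internalOnly = checkIssuer(token, { serverUrl: INTERNAL_URL, realm: 'demo' });
// Workaround from the report: backend uses the external, public URL.
const publicOnly = checkIssuer(token, { serverUrl: PUBLIC_URL, realm: 'demo' });
// Internal back-channel URL kept, expected issuer pinned to the public URL.
const pinned = checkIssuer(token, {
  serverUrl: INTERNAL_URL, issuerUrl: PUBLIC_URL, realm: 'demo',
});

console.log({ internalOnly, publicOnly, pinned });
```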