Keycloak / SpringBoot - The Issuer <https://example.com> provided in the OpenID Configuration did not match the requested issuer <https://bar.com>

I have an issue with a project I just joined.

The technical stack:

  • Jhipster with Angular and SpringBoot
  • Keycloak

I replaced the right URLs with example.com and bar.com.

application.yaml

The endpoint https://bar.com/auth/realms/artemis/.well-known/openid-configuration returns this:

{
  "issuer": "https://example.com/auth/realms/artemis",
  "authorization_endpoint": "https://example.com/auth/realms/artemis/protocol/openid-connect/auth",
  "token_endpoint": "https://bar.com/auth/realms/artemis/protocol/openid-connect/token",
  "token_introspection_endpoint": "https://bar.com/auth/realms/artemis/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "https://bar.com/auth/realms/artemis/protocol/openid-connect/userinfo",
  "end_session_endpoint": "https://example.com/auth/realms/artemis/protocol/openid-connect/logout",
  "jwks_uri": "https://bar.com/auth/realms/artemis/protocol/openid-connect/certs",
  "check_session_iframe": "https://example.com/auth/realms/artemis/protocol/openid-connect/login-status-iframe.html"
}

When I run the app I get this error:

Caused by: java.lang.IllegalStateException: The Issuer "https://example.com/auth/realms/artemis" provided in the OpenID Configuration did not match the requested issuer "https://bar.com:8443/auth/realms/artemis"
    at org.springframework.security.oauth2.client.registration.ClientRegistrations.fromOidcIssuerLocation(ClientRegistrations.java:76)
    at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.getBuilderFromIssuerIfPossible(OAuth2ClientPropertiesRegistrationAdapter.java:84)
    at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.getClientRegistration(OAuth2ClientPropertiesRegistrationAdapter.java:60)
    at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.lambda$getClientRegistrations$0(OAuth2ClientPropertiesRegistrationAdapter.java:53)
    at java.util.HashMap.forEach(HashMap.java:1289)
    at org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesRegistrationAdapter.getClientRegistrations(OAuth2ClientPropertiesRegistrationAdapter.java:52)
    at org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientRegistrationRepositoryConfiguration.clientRegistrationRepository(OAuth2ClientRegistrationRepositoryConfiguration.java:55)
    at org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientRegistrationRepositoryConfiguration$$EnhancerBySpringCGLIB$$c9d328e3.CGLIB$clientRegistrationRepository$0(<generated>)
    at org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientRegistrationRepositoryConfiguration$$EnhancerBySpringCGLIB$$c9d328e3$$FastClassBySpringCGLIB$$1d0ccf00.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:244)
    at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:363)
    at org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientRegistrationRepositoryConfiguration$$EnhancerBySpringCGLIB$$c9d328e3.clientRegistrationRepository(<generated>)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154)
    ... 92 common frames omitted

I'm new to Spring Boot. I don't really understand what I have to do to be able to use 2 different URLs.

Thanks for the help! I can give you more information if you need.



Solution 1:[1]

The issuer-uri in your application.yaml config does not match the issuer of the OIDC Keycloak realm in use. Set it to https://example.com/auth/realms/artemis and it should be fine.
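
The mismatch behind the error can be reproduced offline. The following is an added example, not part of the original answer and not Spring Security's code: it compares a configured issuer-uri with the discovery document from the question (embedded as a constructed sample) by exact string match, and lists the endpoints served from a different origin than the advertised issuer. The names check_issuer and origin are hypothetical helpers.

```python
from urllib.parse import urlsplit

# Constructed sample: the discovery document shown in the question, as served at
# https://bar.com/auth/realms/artemis/.well-known/openid-configuration
DISCOVERY = {
    "issuer": "https://example.com/auth/realms/artemis",
    "authorization_endpoint": "https://example.com/auth/realms/artemis/protocol/openid-connect/auth",
    "token_endpoint": "https://bar.com/auth/realms/artemis/protocol/openid-connect/token",
    "userinfo_endpoint": "https://bar.com/auth/realms/artemis/protocol/openid-connect/userinfo",
    "jwks_uri": "https://bar.com/auth/realms/artemis/protocol/openid-connect/certs",
}


def origin(url):
    """Return (scheme, host, port) with default ports made explicit."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return parts.scheme, parts.hostname, port


def check_issuer(configured_issuer, discovery):
    """Compare a configured issuer-uri with a discovery document.

    Returns (matches, foreign_endpoints). `matches` is an exact string
    comparison: OpenID Connect Discovery requires the returned issuer to be
    identical to the issuer URL used to fetch the document, so a different
    host, an added port or a trailing slash all count as a mismatch.
    `foreign_endpoints` names the endpoints whose origin differs from the
    advertised issuer's origin.
    """
    advertised = discovery["issuer"]
    matches = configured_issuer == advertised
    foreign = sorted(
        name for name, value in discovery.items()
        if name != "issuer" and isinstance(value, str)
        and value.startswith(("http://", "https://"))
        and origin(value) != origin(advertised)
    )
    return matches, foreign


if __name__ == "__main__":
    for candidate in ("https://bar.com:8443/auth/realms/artemis",   # value from the error
                      "https://example.com/auth/realms/artemis"):   # value from Solution 1
        ok, foreign = check_issuer(candidate, DISCOVERY)
        print(candidate, "->", "match" if ok else "MISMATCH", "| other origin:", foreign)
```

In the question's document the token, userinfo and JWKS endpoints sit on bar.com while the issuer is example.com, so fetching discovery through bar.com still yields an example.com issuer.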

Solution 2:[2]

-- This may not be relevant to OP's case, but for other cases. -- Just a heads-up. -- I am not a professional on this, I could be wrong, but it helped in my case.

The problem could occur from the other side, in the Authorization Server.

So, for example, you may not only need to look at the application.yml in the Resource Server:

spring.security.oauth2.resourceserver.jwt.issuer-uri: http://localhost:9999

you may also need to look at the Authorization Server:

  @Bean
  public ProviderSettings providerSettings() {
    return new ProviderSettings().issuer("http://localhost:9999"); 
  }

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Jan Garaj
Solution 2 Nor.Z