I am using docker to deploy an application with:
- an nginx container terminating SSL
- a Keycloak container
- a Spring Boot OAuth resource server.
I have the following configuration:
security:
  oauth2:
    resourceserver:
      jwt:
        issuer-uri: https://example.com/realms/petclinic
This works fine, however if I want to deploy the application using a self-signed SSL certificate, then the Spring Boot container can no longer connect to Keycloak through https://. I cannot control what certificates people will use with the application.
I cannot change the issuer-uri to the http:// address as then the tokens will fail validation when used by the end-user, as the Keycloak host remains https://example.com/realms/petclinic.
I was wondering if there was an option to allow the Spring Boot OAuth resourceserver to always connect and configure itself with Keycloak over the local docker http://keycloak address?
It seems the issuer-uri and resourceserver auto-configuration are coupled together, which I don't think was the case for the Keycloak Java adapter.
Using issuer-uri also adds an issuer validator to the JWT decoder. You can use jwk-set-uri instead (no issuer validation) or in addition to issuer-uri (when you want issuer validation but the OpenID configuration can't be fetched from the issuer URI).
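The split the answer describes, written out as an explicit JwtDecoder bean so the two halves are visible: keys come from the in-network Keycloak address, issuer validation still uses the public URL found in the tokens' iss claim. This is an added example, not code from the question or the answer. It assumes the Keycloak container is reachable as http://keycloak:8080 inside the Docker network and that the JWKS endpoint is at Keycloak's usual /protocol/openid-connect/certs path under the realm; both values are placeholders to adjust.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class SplitIssuerJwtDecoderConfig {

    // Assumed value: the issuer exactly as Keycloak writes it into the "iss" claim.
    // It must stay the public https:// URL or issued tokens fail validation.
    private static final String PUBLIC_ISSUER = "https://example.com/realms/petclinic";

    // Assumed value: the JWKS endpoint on the internal Docker network name, plain HTTP,
    // so the self-signed certificate on the nginx edge is never involved.
    private static final String INTERNAL_JWKS_URI =
            "http://keycloak:8080/realms/petclinic/protocol/openid-connect/certs";

    @Bean
    JwtDecoder jwtDecoder() {
        // Build the decoder from the key set only: no OpenID discovery request is made
        // to the issuer, which is what fails behind a self-signed certificate.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(INTERNAL_JWKS_URI).build();

        // Keep the default timestamp checks and add the issuer check against the
        // public URL, matching what the issuer-uri property would have installed.
        OAuth2TokenValidator<Jwt> validator = JwtValidators.createDefaultWithIssuer(PUBLIC_ISSUER);
        decoder.setJwtValidator(validator);
        return decoder;
    }
}
```

Spring Boot's auto-configuration produces the same decoder when both spring.security.oauth2.resourceserver.jwt.jwk-set-uri and ...issuer-uri are set, so the bean above is only needed if you want the wiring to be explicit or need to add further validators (audience, for instance). One caveat for the plain-HTTP key fetch: the resource server trusts whatever key set the name "keycloak" resolves to, so that trust rests entirely on the Docker network being isolated from the outside and from untrusted containers; keep it on a dedicated internal network rather than the default bridge.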