Fix clustering when auth-server-url-for-backend-requests is used

core/src/main/java/org/keycloak/RSATokenVerifier.java

@@ -39,7 +39,7 @@ public class RSATokenVerifier {
             throw new VerificationException("Realm URL is null. Make sure to add auth-server-url to the configuration of your adapter!");
         }
         if (!realmUrl.equals(token.getIssuer())) {
-            throw new VerificationException("Token audience doesn't match domain.");
+            throw new VerificationException("Token audience doesn't match domain. Token issuer is " + token.getIssuer() + ", but URL from configuration is " + realmUrl);
 
         }
         if (checkActive && !token.isActive()) {

examples/demo-template/testrealm.json

@@ -146,16 +146,6 @@
             "adminUrl": "/database",
             "baseUrl": "/database",
             "bearerOnly": true
-        },
-        {
-            "name": "rest-resources",
-            "enabled": true,
-            "publicClient": true,
-            "adminUrl": "/rest-resources",
-            "baseUrl": "/rest-resources",
-            "redirectUris": [
-                "/rest-resources/*"
-            ]
         }
     ],
     "oauthClients": [

integration/adapter-core/src/main/java/org/keycloak/adapters/KeycloakDeployment.java

@@ -90,7 +90,8 @@ public class KeycloakDeployment {
 
     public void setAuthServerBaseUrl(AdapterConfig config) {
         this.authServerBaseUrl = config.getAuthServerUrl();
-        if (authServerBaseUrl == null && config.getAuthServerUrlForBackendRequests() == null) return;
+        String authServerURLForBackendReqs = config.getAuthServerUrlForBackendRequests();
+        if (authServerBaseUrl == null && authServerURLForBackendReqs == null) return;
 
         URI authServerUri = null;
         if (authServerBaseUrl != null) {
@@ -98,7 +99,6 @@ public class KeycloakDeployment {
         }
 
         if (authServerUri == null || authServerUri.getHost() == null) {
-            String authServerURLForBackendReqs = config.getAuthServerUrlForBackendRequests();
             if (authServerURLForBackendReqs != null) {
                 relativeUrls = RelativeUrlsUsed.BROWSER_ONLY;
 
@@ -116,7 +116,13 @@ public class KeycloakDeployment {
             relativeUrls = RelativeUrlsUsed.NEVER;
             KeycloakUriBuilder serverBuilder = KeycloakUriBuilder.fromUri(authServerBaseUrl);
             resolveBrowserUrls(serverBuilder);
-            resolveNonBrowserUrls(serverBuilder);
+
+            if (authServerURLForBackendReqs == null) {
+                resolveNonBrowserUrls(serverBuilder);
+            } else {
+                serverBuilder = KeycloakUriBuilder.fromUri(authServerURLForBackendReqs);
+                resolveNonBrowserUrls(serverBuilder);
+            }
         }
     }
 
@@ -132,6 +138,7 @@ public class KeycloakDeployment {
 
         String login = authUrlBuilder.clone().path(ServiceUrlConstants.AUTH_PATH).build(getRealm()).toString();
         authUrl = KeycloakUriBuilder.fromUri(login);
+        realmInfoUrl = authUrlBuilder.clone().path(ServiceUrlConstants.REALM_INFO_PATH).build(getRealm()).toString();
     }
 
     /**
@@ -145,7 +152,6 @@ public class KeycloakDeployment {
         tokenUrl = authUrlBuilder.clone().path(ServiceUrlConstants.TOKEN_PATH).build(getRealm()).toString();
         logoutUrl = KeycloakUriBuilder.fromUri(authUrlBuilder.clone().path(ServiceUrlConstants.TOKEN_SERVICE_LOGOUT_PATH).build(getRealm()).toString());
         accountUrl = authUrlBuilder.clone().path(ServiceUrlConstants.ACCOUNT_SERVICE_PATH).build(getRealm()).toString();
-        realmInfoUrl = authUrlBuilder.clone().path(ServiceUrlConstants.REALM_INFO_PATH).build(getRealm()).toString();
         registerNodeUrl = authUrlBuilder.clone().path(ServiceUrlConstants.CLIENTS_MANAGEMENT_REGISTER_NODE_PATH).build(getRealm()).toString();
         unregisterNodeUrl = authUrlBuilder.clone().path(ServiceUrlConstants.CLIENTS_MANAGEMENT_UNREGISTER_NODE_PATH).build(getRealm()).toString();
     }

integration/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java

@@ -322,7 +322,7 @@ public class OAuthRequestAuthenticator {
             }
             log.debug("Token Verification succeeded!");
         } catch (VerificationException e) {
-            log.error("failed verification of token");
+            log.error("failed verification of token: " + e.getMessage());
             return challenge(403);
         }
         if (tokenResponse.getNotBeforePolicy() > deployment.getNotBefore()) {

integration/adapter-core/src/test/java/org/keycloak/adapters/KeycloakDeploymentBuilderTest.java

@@ -33,7 +33,7 @@ public class KeycloakDeploymentBuilderTest {
         assertTrue(deployment.isExposeToken());
         assertEquals("234234-234234-234234", deployment.getResourceCredentials().get("secret"));
         assertEquals(20, ((ThreadSafeClientConnManager) deployment.getClient().getConnectionManager()).getMaxTotal());
-        assertEquals("https://localhost:8443/auth/realms/demo/protocol/openid-connect/token", deployment.getTokenUrl());
+        assertEquals("https://backend:8443/auth/realms/demo/protocol/openid-connect/token", deployment.getTokenUrl());
         assertTrue(deployment.isAlwaysRefreshToken());
         assertTrue(deployment.isRegisterNodeAtStartup());
         assertEquals(1000, deployment.getRegisterNodePeriod());

testsuite/docker-cluster/shared-files/deploy-examples.sh

@@ -33,6 +33,9 @@ for I in *.war/WEB-INF/keycloak.json; do
   sed -i -e 's/\"bearer-only\" : true,/&\n    \"credentials\" : \{ \"secret\": \"password\" \},/' $I;
 done;
 
+# Configure database.war
+sed -i -e 's/\"auth-server-url\": \"\/auth\",/\"auth-server-url\": \"http:\/\/localhost:8000\/auth\",/' database.war/WEB-INF/keycloak.json;
+
 # Enable distributable for customer-portal
 sed -i -e 's/<\/module-name>/&\n    <distributable \/>/' customer-portal.war/WEB-INF/web.xml