I'm using a Docker composition to develop a set of application. Some of them run as Docker container while the one I'm working on is running on my Docker host in an IDE.
Within my composition I have Keycloak running to secure my APIs using OpenID Connect. Additionally there is another container exposing an REST API (interacting with the Keycloak container). Each
services:
keycloak:
image: keycloak:latest
ports:
- "9080:8080"
restapi:
image: restapi:latest
ports:
- "10080:8080"
environment:
KEYCLOAK: http://keycloak # pointing to keycloak
KEYCLOAK_REALM: myrealm
# more OIDC client env vars such as client secret …
As mentioned on my Docker host I develop another application also secured by Keycloak (reachable on Docker host 127.0.0.1:9080). When calling the REST API running on my Docker host and providing a valid JWT as a BEARER token, the request is propagated to restapi including the JWT.
--> Docker Host REST API --> Request to container restapi (with token propagation)
Since the Docker host accesses Keycloak on 127.0.0.1:9080 and restapi reaches Keycloak on keycloak:8080 the token validation fails. Not the same hostname and ports.
Is there a way I can make Keycloak accessible using the same hostname and port from inside AND outside of the Docker composition?
Something like id.mydomain.local that points Docker internally to the keycloak container and outside I put the id.mydomain.local to my /etc/hosts
I have found a way, that works for me setup.
As mentioned in my question, keycloak container port 8080 is bound to 9080 on my Docker host. All I needed to do is, to have a common hostname for Keycloak that is resolvable for my Docker Host and my Docker containers.
I chose my.keycloak.local as the domain name.
For my Docker host I simply added the following line to my /etc/hosts file.
127.0.0.1 my.keycloak.local
This make sure, that when application connect to http://my.keycloak.local:9080 it will be routed to 127.0.0.1:9080 and therefore will be connected with my Keycloak container.
Inside the Docker composition I needed to add an addition custom host record so the container is able to resolve my.keycloak.local to the Docker host IP 172.17.0.1. Then I need to tell the restapi container to use the custom hostname my.keycloak.local to connect to Keycloak.
services:
keycloak:
image: keycloak:latest
ports:
- "9080:8080"
restapi:
image: restapi:latest
ports:
- "10080:8080"
environment:
KEYCLOAK: http://my.keycloak.local # pointing to keycloak
KEYCLOAK_REALM: myrealm
extra_hosts:
- "my.keycloak.local:172.17.0.1"
# more OIDC client env vars such as client secret …