
How to properly introspect Keycloak access tokens using the internal Docker URL?


This code successfully introspects a Keycloak access token using Python Keycloak and FastAPI:

from keycloak import KeycloakOpenID  # python-keycloak package

keycloak_openid = KeycloakOpenID(
    server_url="https://example.com/auth/",
    realm_name="abc",
    client_id="myclient",
    client_secret_key="secret",
    verify=False,  # disables TLS certificate verification
)
# Bearer token taken from the incoming FastAPI request
header = request.headers.get('Authorization')
token = header.split()[1]
token_info = keycloak_openid.introspect(token)
print(token_info)

However, when replacing the server URL with http://keycloak:8080/auth/ (the internal address of the Keycloak container in my Docker Compose setup), I get this output: {'active': False}.

Here is my Docker Compose setup:

services:
  keycloak:
    image: quay.io/keycloak/keycloak:25.0.2
    command: 
      - start
      - --import-realm
      - --features=hostname:v2
    volumes:
      - ./config/keycloak/imports:/opt/keycloak/data/import
    environment:
      - KC_DB=postgres
      - KC_DB_URL=jdbc:postgresql://keycloak-db/access-control-db
      - KC_DB_USERNAME=${POSTGRES_USER}
      - KC_DB_SCHEMA=public
      - KC_DB_PASSWORD=${POSTGRES_PASSWORD}
      - KEYCLOAK_ADMIN=${KEYCLOAK_USER}
      - KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_PASSWORD}
      - KC_HOSTNAME=example.com
      - KC_HOSTNAME_STRICT=false
      - KC_HTTP_ENABLED=true     
      - KC_HTTP_RELATIVE_PATH=/auth
      - KC_PROXY_HEADERS=xforwarded
    depends_on:
      - keycloak-db
    restart: always

  keycloak-db:
    image: postgres:16
    environment:
      POSTGRES_DB: access-control-db
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
    volumes:
      - keycloak-db-data:/var/lib/postgresql/data
    restart: always

volumes:
  keycloak-db-data:

I tried not providing the KC_HOSTNAME variable, but it had no effect.

How can I make my code work with http://keycloak:8080/auth/?


Solution

  • Setting the KC_HOSTNAME variable to https://example.com/auth/ solved the issue for an unclear reason.

    Here are the entire specs for Keycloak in the docker-compose.yml file:

    keycloak:
        image: quay.io/keycloak/keycloak:25.0.2
        command: 
          - start
          - --import-realm
          - --features=hostname:v2
        volumes:
          - ./config/keycloak/imports:/opt/keycloak/data/import
        environment:
          - KC_DB=postgres
          - KC_DB_URL=jdbc:postgresql://keycloak-db/access-control-db
          - KC_DB_USERNAME=${POSTGRES_USER}
          - KC_DB_SCHEMA=public
          - KC_DB_PASSWORD=${POSTGRES_PASSWORD}
          - KEYCLOAK_ADMIN=${KEYCLOAK_USER}
          - KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_PASSWORD}
          - KC_HOSTNAME=https://example.com/auth/
          - KC_HOSTNAME_STRICT=false
          - KC_HTTP_ENABLED=true     
          - KC_HTTP_RELATIVE_PATH=/auth
          - KC_PROXY_HEADERS=xforwarded
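A diagnostic for the {'active': False} result, added here as an example and not code from the question or the answer: Keycloak's introspection endpoint reports a token inactive when its iss claim differs from the realm issuer URL Keycloak derives for the request it receives, and with hostname:v2 and only a bare hostname in KC_HOSTNAME that derived issuer takes its scheme and port from the internal request (http://keycloak:8080), so a token issued as https://example.com/auth/realms/abc no longer matches. The code assumes the access token is a Keycloak JWT and rebuilds the issuer for a given base URL so the mismatch can be spotted before calling introspect(); the sample token is constructed, unsigned, and used for diagnosis only.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_issuer(token: str) -> str:
    """Read the iss claim from a JWT payload without verifying the signature.
    For diagnosis only: unverified claims must never drive authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token")
    return json.loads(_b64url_decode(parts[1]))["iss"]


def expected_issuer(server_url: str, realm: str) -> str:
    """Issuer Keycloak advertises for a realm under a base URL, e.g.
    https://example.com/auth/ + abc -> https://example.com/auth/realms/abc"""
    base = server_url if server_url.endswith("/") else server_url + "/"
    return f"{base}realms/{realm}"


def issuer_matches(token: str, server_url: str, realm: str) -> bool:
    """True when the token's iss equals the issuer derived from server_url."""
    return token_issuer(token) == expected_issuer(server_url, realm)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample: unsigned token whose iss mirrors the realm in the question.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"iss": "https://example.com/auth/realms/abc",
                        "sub": "user"}).encode()),
    "sig",  # placeholder signature; a real verifier would reject it
])

if __name__ == "__main__":
    for url in ("https://example.com/auth/", "http://keycloak:8080/auth/"):
        print(url, "->", issuer_matches(SAMPLE_TOKEN, url, "abc"))
```

Run it against a real token from the realm: if the internal URL reports a mismatch while the public one matches, the fix is to make Keycloak compute a fixed issuer, which is what a full-URL KC_HOSTNAME does.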