Unable to resolve Configuration with the provided Issuer #5

I am trying to use Keycloak for OAuth while setting up Kafka UI and am facing this error: ‘Unable to resolve Configuration with the provided Issuer of “http://localhost:9080/realms/myrealm”’ with respect to the issuer URI. The Keycloak container is running on 9080 and the Kafka UI container on 8080, both specified in my docker compose file.

I hit the endpoint on Keycloak localhost:9080/realms/myrealm/.well-known/openid-configuration to verify the issuer URI and have provided the same endpoint in the config.yml, but according to the logs that URI is not resolving!

docker-compose.yml:


version: '3.8'
name: "kafbat-ui-keycloak"

services:
  kafbat-ui:
    container_name: kafbat-rbac
    image: Package kafka-ui · GitHub
    ports:
      - 8080:8080
    environment:
      SPRING_CONFIG_ADDITIONAL-LOCATION: /config.yml
    volumes:
      - ./config.yml:/config.yml

  keycloak:
    image: Quay
    ports:
      - 9080:8080
      - 8082:8443
    command: start-dev
    environment:
      KC_LOG_LEVEL: info
      KC_METRICS_ENABLED: true
      KC_HEALTH_ENABLED: true
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
    volumes:
      - /keycloak-data:/opt/jboss/keycloak/standalone/data

config.yml


logging:
  level:
    org.springframework.security: TRACE
    io.kafbat.ui.service.rbac: TRACE

dynamic.config.enabled: true

auth:
  type: OAUTH2
  oauth2:
    client:
      keycloak:
        clientId: kafbat-ui-client
        clientSecret: redacted
        scope: openid,roles
        client-name: keycloak
        provider: keycloak
        redirect-uri: http://localhost:8080/login/oauth2/code/keycloak
        authorization-grant-type: authorization_code
        issuer-uri: http://localhost:9080/realms/myrealm
        user-name-attribute: name
        custom-params:
          type: oauth
          roles-field: groups

rbac:
  roles:
    - name: "admins"
      clusters:
        - local
      subjects:
        - provider: oauth
          type: role
          value: "Admin"
      permissions:
        - resource: applicationconfig
          actions: all

        - resource: clusterconfig
          actions: all

        - resource: topic
          value: ".*"
          actions: all

        - resource: consumer
          value: ".*"
          actions: all

        - resource: schema
          value: ".*"
          actions: all

        - resource: connect
          value: ".*"
          actions: all

        - resource: ksql
          actions: all

        - resource: acl
          actions: all

        - resource: audit
          actions: all

    - name: "readonly"
      clusters:
        - local
      subjects:
        - provider: oauth
          type: role
          value: "Viewer"
      permissions:
        - resource: clusterconfig
          actions: [ "view" ]

        - resource: topic
          value: ".*"
          actions:
            - VIEW
            - MESSAGES_READ

        - resource: consumer
          value: ".*"
          actions: [ view ]

        - resource: schema
          value: ".*"
          actions: [ view ]

        - resource: connect
          value: ".*"
          actions: [ view ]

        - resource: acl
          actions: [ view ]

localhost within a container is not the same as localhost on your computer. In order for one container to reach the other you need to use the name of the other container as the address.

Alternatively you can use host networking.

Is the host supposed to be changed for both the issuer and the redirect URI? Should I also be changing the host for ‘valid redirect uri’ in the Keycloak client settings to http://:?

And, how do I access my application via browser, as in what endpoint should I hit - localhost or the url in above format?

Context: Suppose kafkaui is container 1 and keycloak is container 2.

Update: I have changed the issuer URI to http://keycloak:9080/realms/myrealm and the error still persists.

You are mixing the network on your pc with the container network/the one created by compose.

Applications within the compose network are reachable by their name and “native” port; for Keycloak this would be 8080, not 9080. The latter is just proxied into the host computer's network namespace by docker.

This causes an interesting challenge, as both your browser and the application need to be able to reach Keycloak by the same name. Probably the easiest way would be to just use host networking, but then you'll probably need to ensure the startup ports are unique.
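One way to meet that "same name for browser and application" constraint without host networking, given here as an added example and not as anything posted in this thread: make Keycloak itself listen on 9080 (the Quarkus distribution's `KC_HTTP_PORT` option), publish it on the same host port, and add a hosts-file entry on the host so the browser resolves the compose service name `keycloak` to 127.0.0.1. Then `http://keycloak:9080` is a valid address from inside the compose network and from the browser alike. Service, realm and client names follow the thread; the image references are my assumption, since the original post's image lines did not survive extraction.

```yaml
# Added example, not from the thread: Keycloak reachable as http://keycloak:9080
# from both the kafbat-ui container and the browser on the host.
services:
  kafbat-ui:
    container_name: kafbat-rbac
    image: ghcr.io/kafbat/kafka-ui:latest        # assumed image reference
    ports:
      - 8080:8080                                 # browser -> http://localhost:8080
    environment:
      SPRING_CONFIG_ADDITIONAL-LOCATION: /config.yml
    volumes:
      - ./config.yml:/config.yml
    depends_on:
      - keycloak

  keycloak:
    image: quay.io/keycloak/keycloak:latest      # assumed image reference
    command: start-dev                           # dev mode: plain http, issuer taken from the request Host
    environment:
      # Listen on 9080 inside the container as well, so the in-network address
      # keycloak:9080 and the published host address share one port number.
      KC_HTTP_PORT: 9080
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
    ports:
      - 9080:9080                                 # same port on both sides
```

With this, config.yml uses `issuer-uri: http://keycloak:9080/realms/myrealm`, and the redirect URI stays `http://localhost:8080/login/oauth2/code/keycloak` (the browser reaches kafbat-ui at localhost:8080); that exact value also goes into the Keycloak client's "Valid redirect URIs". On the host, add the line `127.0.0.1 keycloak` to the hosts file (on Windows: C:\Windows\System32\drivers\etc\hosts). Because `start-dev` derives the issuer and the endpoint URLs in the discovery document from the request's Host header, the document fetched by the application via keycloak:9080 advertises keycloak:9080 endpoints, which the browser can now follow. This is a plain-http development setup only; for anything beyond a laptop, Keycloak should get a fixed hostname and TLS.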

Would you suggest anything apart from host networking? I tried it and got an ‘Arjuna’ error after providing the network mode as ‘host’. I ran it on a Windows system.

I need to rectify:

  1. redirect_uri (on Keycloak and in the config.yml)
  2. issuer_uri

Based on the above context (in previous comments), could you suggest URIs that would work?

I’m not entirely sure how to connect both, as your browser needs to connect to a different endpoint than your application, and the container network does mess with it.

I did find GitHub - eabykov/keycloak-compose: Keycloak with PostgreSQL, which includes Keycloak's monitoring using Prometheus and Grafana. If you look at the configuration of the grafana container, only the token endpoint is configured to go through the container network; userinfo and auth take the URI accessible from the host.
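To make the addressing rules discussed in this thread checkable, here is an added Python model (not code from kafbat-ui, Keycloak, or anyone in the thread) of who can reach Keycloak at which address during the authorization-code login. It encodes the two rules stated above: the kafbat-ui container sees sibling services by compose name on their native port only, while the browser sees localhost (plus any hosts-file aliases) only through docker's published ports. It also models the fact that Keycloak started with `start-dev` echoes the request's host and port back as the issuer and endpoint URLs in its discovery document, so the browser-facing authorization_endpoint lands on whatever name the application used, and that Spring rejects a discovery document whose issuer differs from the configured issuer-uri. The ORIGINAL topology mirrors the compose file in the first post; FIXED (KC_HTTP_PORT 9080, port 9080:9080, a hosts-file alias for `keycloak`) is my assumed fix.

```python
"""Added example: which party can reach Keycloak at which address.

Not code from the thread, kafbat-ui or Keycloak. Assumptions: compose gives each
service a DNS name on its default network; docker publishes ports into the host's
loopback; Keycloak in start-dev mode uses the request host:port as the issuer and
for every endpoint in its discovery document unless a hostname is pinned.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1"}


@dataclass
class Topology:
    native_ports: dict                    # service name -> port its process listens on
    published: dict                       # host port -> (service, container port)
    host_aliases: set = field(default_factory=set)   # names the host resolves to 127.0.0.1


def reaches(topo, vantage, url, service):
    """True if `url` lands on `service` when opened from `vantage`
    ("app" = another container on the compose network, "browser" = the host)."""
    u = urlsplit(url)
    host, port = u.hostname, u.port or 80
    if vantage == "app":
        if host in LOOPBACK:              # localhost inside a container is that container
            return False
        # siblings answer by compose name, on the port they actually listen on
        return host == service and topo.native_ports.get(service) == port
    if vantage == "browser":
        if host not in LOOPBACK | topo.host_aliases:
            return False                  # the name does not resolve on the host at all
        target = topo.published.get(port)
        return target is not None and target[0] == service
    raise ValueError(vantage)


def discovery(issuer_uri, pinned_issuer=None):
    """Discovery document Keycloak returns when asked via issuer_uri. In dev mode
    the issuer and endpoints take the request's host:port; a pinned hostname
    (KC_HOSTNAME) would fix them regardless of how the request arrived."""
    base = pinned_issuer or issuer_uri
    return {
        "issuer": base,
        "authorization_endpoint": f"{base}/protocol/openid-connect/auth",
        "token_endpoint": f"{base}/protocol/openid-connect/token",
        "jwks_uri": f"{base}/protocol/openid-connect/certs",
    }


def check_login_flow(topo, issuer_uri, service="keycloak", pinned_issuer=None):
    """Walk the authorization-code flow hop by hop; report the first failing hop."""
    # 1. Spring fetches <issuer>/.well-known/openid-configuration from the app container.
    #    Failing here is what the "Unable to resolve Configuration" error reports.
    if not reaches(topo, "app", issuer_uri, service):
        return "discovery: app container cannot reach issuer"
    doc = discovery(issuer_uri, pinned_issuer)
    # 2. Spring rejects metadata whose issuer differs from the configured issuer-uri
    if doc["issuer"] != issuer_uri:
        return "discovery: issuer mismatch"
    # 3. the browser is redirected to authorization_endpoint
    if not reaches(topo, "browser", doc["authorization_endpoint"], service):
        return "authorize: browser cannot reach authorization_endpoint"
    # 4. the app redeems the code and fetches signing keys, server to server
    for ep in ("token_endpoint", "jwks_uri"):
        if not reaches(topo, "app", doc[ep], service):
            return f"{ep}: app container cannot reach it"
    return "ok"


# Topology of the compose file in the first post: keycloak listens on 8080 and is
# published as 9080; kafbat-ui listens on 8080 and is published as 8080.
ORIGINAL = Topology(
    native_ports={"keycloak": 8080, "kafbat-ui": 8080},
    published={9080: ("keycloak", 8080), 8080: ("kafbat-ui", 8080)},
)

# Assumed fix: KC_HTTP_PORT=9080, ports 9080:9080, and "127.0.0.1 keycloak" in the
# host's hosts file so the browser resolves the same name the container uses.
FIXED = Topology(
    native_ports={"keycloak": 9080, "kafbat-ui": 8080},
    published={9080: ("keycloak", 9080), 8080: ("kafbat-ui", 8080)},
    host_aliases={"keycloak"},
)

if __name__ == "__main__":
    cases = [
        (ORIGINAL, "http://localhost:9080/realms/myrealm"),   # first post
        (ORIGINAL, "http://keycloak:9080/realms/myrealm"),    # the "Update"
        (ORIGINAL, "http://keycloak:8080/realms/myrealm"),    # app ok, browser stuck
        (FIXED, "http://keycloak:9080/realms/myrealm"),
    ]
    for topo, issuer in cases:
        print(f"{issuer:42} -> {check_login_flow(topo, issuer)}")
```

Running it reproduces the thread in order: the first post's `localhost:9080` and the update's `keycloak:9080` both fail at the discovery fetch (the first because localhost is the app container, the second because nothing listens on 9080 inside the network); `keycloak:8080` gets past discovery but strands the browser at the authorization endpoint; the FIXED topology passes every hop. Passing `pinned_issuer` shows the other failure mode: pinning Keycloak's hostname to `localhost:9080` while the application uses `keycloak:9080` trips Spring's issuer comparison instead.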