My current setup is the following:
- Windows Server running an Active Directory.
- Keycloak server running on a WildFly.
- Java test application with restricted access deployed on the WildFly.
The authorization flow is that a user from the AD requests access to the application, the user is granted a Kerberos ticket, and then tries to get access to the same application with that specific ticket.
All the configuration with Kerberos, Keycloak and AD is done, and the agreements between the server and the client are running smoothly, but the last "GET" request (the one made after the user has been granted access, i.e. the request to the Keycloak redirect URL containing the OpenID Connect parameters state= and code=) returns a "bad request".
I am fairly new to the concept of using Keycloak as a SSO provider, so this could be something very trivial I missed.
[EDIT] If I fire a request for the restricted page in Fiddler, it gives me a "No State Cookie", BUT when I use any kind of browser, it says "Forbidden", and my log says: ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-9) failed verification of token: Invalid token issuer. Expected "http://KEYCLOAK:9090/auth/realms/kerberos-realms/" but expected "http://keycloak:8080/auth/realms/kerberos-realm"
I actually did find a solution for it:
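An added diagnostic, not part of the original post and not Keycloak's own code: the script below rebuilds the adapter's issuer check offline so you can see exactly which URL components make "Invalid token issuer" fire. It assumes the WildFly adapter expects the issuer to be auth-server-url + "/realms/" + realm from keycloak.json (plain concatenation, so a wrong host, port or trailing slash in auth-server-url lands in the expected value verbatim) and that the adapter compares that string exactly against the token's iss claim. The token is a constructed, unsigned JWT carrying the iss value from the log above; signature verification is deliberately left out because only the issuer comparison is being reproduced.

```python
"""Reproduce the Keycloak adapter's issuer check offline (added example, not from the post)."""
import base64
import json
from urllib.parse import urlsplit


def expected_issuer(auth_server_url: str, realm: str) -> str:
    """Issuer the adapter expects, derived from keycloak.json.

    Assumption: plain concatenation, mirroring <auth-server-url>/realms/<realm>,
    so any host/port/case/trailing-slash mistake in auth-server-url survives here.
    """
    return f"{auth_server_url}/realms/{realm}"


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed alg=none JWT (demo input only; never accept such tokens)."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(claims) + "."


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT without verifying it (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_diff(token_iss: str, expected: str) -> dict:
    """URL components that differ between the token's iss and the expected issuer.

    The adapter does an exact string comparison, so netloc (host:port, case
    preserved) and path are compared verbatim. An empty dict means it would pass.
    """
    a, b = urlsplit(token_iss), urlsplit(expected)
    diff = {}
    for name in ("scheme", "netloc", "path"):
        va, vb = getattr(a, name), getattr(b, name)
        if va != vb:
            diff[name] = (va, vb)
    return diff


def check_token_issuer(auth_server_url: str, realm: str, token: str) -> dict:
    """Run the same comparison the adapter runs and report what differs."""
    return issuer_diff(jwt_claims(token)["iss"], expected_issuer(auth_server_url, realm))


# Constructed sample token carrying the issuer Keycloak put in the OP's token.
SAMPLE_TOKEN = make_unsigned_jwt({
    "iss": "http://keycloak:8080/auth/realms/kerberos-realm",
    "sub": "user@EXAMPLE",  # constructed subject
})

# keycloak.json values as the OP's log implies them (wrong host:port and realm name)
MISCONFIGURED = {"auth-server-url": "http://KEYCLOAK:9090/auth", "realm": "kerberos-realms"}
# keycloak.json values matching the issuer the server actually emits
CORRECTED = {"auth-server-url": "http://keycloak:8080/auth", "realm": "kerberos-realm"}

if __name__ == "__main__":
    for label, cfg in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        diff = check_token_issuer(cfg["auth-server-url"], cfg["realm"], SAMPLE_TOKEN)
        print(label, "->", "OK" if not diff else diff)
```

The token's iss is the URL the browser actually reached Keycloak on (here keycloak:8080), so the usual fix this check points at is making auth-server-url in the application's keycloak.json identical to that URL, including scheme, host spelling, port and realm name, rather than to whatever hostname or port the WildFly box happens to use internally.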