[ISSUE] orchestration cluster Identity has invalid issuers for internal keycloak #4652

@hamza-m-masood

Description

Describe the issue:

With the default internal keycloak setup, the following URIs are created in the orchestration cluster configmap:

authorization-uri: "https://hamzatest.ci.distro.ultrawombat.com/auth/realms/camunda-platform/protocol/openid-connect/auth"
jwk-set-uri: "http://camunda-keycloak/auth/realms/camunda-platform/protocol/openid-connect/certs"
token-uri: "http://camunda-keycloak/auth/realms/camunda-platform/protocol/openid-connect/token"
redirect-uri: "https://hamzatest.ci.distro.ultrawombat.com/orchestration/sso-callback"

The authorization URI is external facing and the token URI is internal facing. This causes a problem. Keycloak is validating the issuers so when the token that is created using the public URL is validated against a request that is based on the internal URL, Keycloak rejects it.

Steps to Resolve

Test to see if all URIs work with internal facing keycloak endpoint. If all URIs can't use the internal facing keycloak endpoint then the ingress endpoint should be used for all URIs.

Logs:

Environment:

Please note: Without the following info, it's hard to resolve the issue and probably it will be closed.

  • Platform:
  • Helm CLI version:
  • Chart version:
  • Values file:
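The issuer mismatch reported above, as an added check that is not part of the issue or of the Camunda charts: it derives the realm issuer each configured endpoint implies, flags a configmap whose endpoints disagree, and shows that a token carrying the public issuer is only usable once every endpoint shares that base URL. The sample configmap and token are constructed from the URIs in the issue; `rewrite_issuer` is an assumed helper name, not a chart feature.

```python
import base64
import json
from urllib.parse import urlparse
# Constructed sample mirroring the orchestration configmap URIs quoted in the issue.
OIDC_CONFIG = {
    "authorization-uri": "https://hamzatest.ci.distro.ultrawombat.com/auth/realms/camunda-platform/protocol/openid-connect/auth",
    "jwk-set-uri": "http://camunda-keycloak/auth/realms/camunda-platform/protocol/openid-connect/certs",
    "token-uri": "http://camunda-keycloak/auth/realms/camunda-platform/protocol/openid-connect/token",
}
OIDC_SUFFIX = "/protocol/openid-connect/"

def issuer_of(uri: str) -> str:
    """Derive the realm issuer (scheme://host/auth/realms/<realm>) that Keycloak writes into 'iss'."""
    p = urlparse(uri)
    idx = p.path.find(OIDC_SUFFIX)
    if idx == -1:
        raise ValueError(f"not a Keycloak OIDC endpoint: {uri}")
    return f"{p.scheme}://{p.netloc}{p.path[:idx]}"

def issuer_groups(config: dict) -> dict:
    """Map each distinct issuer to the config keys using it; more than one entry is the misconfiguration."""
    groups: dict = {}
    for key, uri in config.items():
        groups.setdefault(issuer_of(uri), []).append(key)
    return groups

def rewrite_issuer(config: dict, issuer: str) -> dict:
    """Remediation (assumed helper): point every endpoint at one issuer, keeping each endpoint path."""
    out = {}
    for key, uri in config.items():
        tail = uri[uri.find(OIDC_SUFFIX):]  # "/protocol/openid-connect/<endpoint>"
        out[key] = issuer + tail
    return out

def token_issuer(jwt: str) -> str:
    """Read the unverified 'iss' claim of a JWT for inspection only (no signature check here)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["iss"]

def token_accepted_by(jwt: str, config: dict) -> bool:
    """Usable only if the config agrees on one issuer and the token was issued by exactly that one."""
    groups = issuer_groups(config)
    return len(groups) == 1 and token_issuer(jwt) in groups

# Constructed token with the 'iss' a login through the public authorization URI would carry (placeholder signature).
PUBLIC_ISSUER = issuer_of(OIDC_CONFIG["authorization-uri"])
_payload = base64.urlsafe_b64encode(json.dumps({"iss": PUBLIC_ISSUER, "sub": "demo"}).encode()).rstrip(b"=").decode()
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiJ9." + _payload + ".signature-placeholder"
```

Running `issuer_groups(OIDC_CONFIG)` on the values from the issue yields two issuers (ingress and `camunda-keycloak`), and `token_accepted_by` only turns true after `rewrite_issuer` aligns all three endpoints on one base URL.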

Metadata

Labels

  • kind/issue: Unidentified issue, it could be a bug, misconfig, or anything in between
  • platform/aws: Issues related to AWS
  • platform/gcp: Issues related to GCP