Keycloak 23 requires X-Forwarded headers to validate the iss (issuer) of the refresh token during a REFRESH_TOKEN request. However, the openidc.lua implementation in Kong does not include the following headers when making the refresh token request:
X-Forwarded-Host
X-Forwarded-Port
X-Forwarded-Proto
This omission causes issues with token validation, as Keycloak expects these headers to properly resolve the issuer.
Kong should include the necessary X-Forwarded headers in the refresh token request to ensure compatibility with Keycloak 23.
Steps to Reproduce:
Set up Keycloak 23 as an identity provider.
Configure Kong with OpenID Connect and enable token refresh.
Attempt to refresh a token using Kong’s OIDC plugin.
Observe that Keycloak rejects the request due to incorrect iss validation.
Suggested Fix:
Modify openidc.lua to include X-Forwarded-Host, X-Forwarded-Port, and X-Forwarded-Proto in the refresh token request headers.
X-Forwarded-* headers are added by proxies; they should not be part of the originating request (like the one made by openidc.lua). Your description suggests that openidc.lua tries to refresh the token on a URL host that differs from the original issuer host. So the possible issues could be:
Your openidc configuration contains a discovery URL host which does not match the issuer host (iss claim).
The token endpoint URL host from the discovery document does not match the issuer host.
You are using discovery as an object and your discovery.token_endpoint contains a URL host which does not match the issuer host.
So please check the configuration: whether the URL hosts are consistent and always match the issuer host.
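The three host mismatches listed in the reply can be caught with a small configuration check before a refresh ever reaches Keycloak. This is an added example in Python, not code from lua-resty-openidc or from the issue; it assumes the options are passed as a dict mirroring the openidc options table (`discovery` as a URL string or as an object with `issuer`/`token_endpoint`), compares scheme, host and port rather than host alone (the three values X-Forwarded-Proto/Host/Port would otherwise have to carry), and uses a constructed sample refresh token.

```python
import base64
import json
from urllib.parse import urlsplit


def _origin(url):
    """Return (scheme, host, port) for an absolute URL, filling in the default port."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def jwt_issuer(token):
    """Read the iss claim from a JWT payload without verifying the signature.
    A configuration aid only: never trust claims obtained this way."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["iss"]


def check_issuer_consistency(opts, refresh_token):
    """Return [(setting, url), ...] for every openidc URL whose origin differs
    from the refresh token's iss. opts mirrors the lua-resty-openidc options
    table (assumption): 'discovery' is either the discovery URL string or a
    dict with 'issuer' / 'token_endpoint'. An empty list means consistent."""
    iss_origin = _origin(jwt_issuer(refresh_token))
    discovery = opts["discovery"]
    if isinstance(discovery, str):
        candidates = [("discovery", discovery)]
    else:
        candidates = [("discovery." + k, discovery[k])
                      for k in ("issuer", "token_endpoint") if k in discovery]
    return [(name, url) for name, url in candidates if _origin(url) != iss_origin]


def _sample_jwt(claims):
    """Build a constructed sample token with a placeholder signature (demo only)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


# Constructed sample values, not taken from the issue.
ISSUER = "https://sso.example.com/realms/demo"
REFRESH_TOKEN = _sample_jwt({"iss": ISSUER, "typ": "Refresh"})
GOOD_OPTS = {"discovery": ISSUER + "/.well-known/openid-configuration"}
BAD_OPTS = {"discovery": {"issuer": ISSUER,
                          "token_endpoint": "http://keycloak.internal:8080/realms/demo/protocol/openid-connect/token"}}
```

`check_issuer_consistency(BAD_OPTS, REFRESH_TOKEN)` flags only `discovery.token_endpoint`, the internal-hostname case that makes Keycloak see a request origin different from the issuer.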
Description:
Keycloak 23 requires X-Forwarded headers to validate the iss (issuer) of the refresh token during a REFRESH_TOKEN request. However, the openidc.lua implementation in Kong does not include the following headers when making the refresh token request:
X-Forwarded-Host
X-Forwarded-Port
X-Forwarded-Proto
This omission causes issues with token validation, as Keycloak expects these headers to properly resolve the issuer.
We started to see this issue because Keycloak fixed a bug: keycloak/keycloak#22191
Expected Behavior:
Kong should include the necessary X-Forwarded headers in the refresh token request to ensure compatibility with Keycloak 23.
Steps to Reproduce:
Set up Keycloak 23 as an identity provider.
Configure Kong with OpenID Connect and enable token refresh.
Attempt to refresh a token using Kong’s OIDC plugin.
Observe that Keycloak rejects the request due to incorrect iss validation.
Suggested Fix:
Modify openidc.lua to include X-Forwarded-Host, X-Forwarded-Port, and X-Forwarded-Proto in the refresh token request headers.