`Error: {errors: ["IAM: Invalid issuer. Expected ...` IAM_URLs don't match for internal calls - error message

[rohit-joy]

We have a requirement where Keycloak is on a different port internally in Kubernetes. And Registry needs to talk to it directly. This means it needs to use the service port of the Keycloak pod. Let's say port 8443.

But it seems the library you are using is asserting the Public URL which does not require the port per the /.well-known/openid-configuration. So it fails the request immediately.

• CR Service to Keycloak Service calls should be able to use the internal cluster routing to reach the pod and hit port 8443 with HTTPS.
• Browser to Keycloak Service calls would use port 443 (regular HTTPS).

Let me know if you have questions.

[rohit-joy]

@excelsior

1. Log the host names not matching as a Warning.
2. Remove the assertion that the hostname in the Request doesn't match the issuer in the JWT.

[excelsior]

@chuang-CE @rohit-joy The change is available for QA in the CLLC's repo 962-iam-issuer branch.

[jeannekitchens]

@chuang-CE is working on testing this but is blocked from completing this today so won't occur until Jan.