Caddy auth with jwt

Dear caddiers :wink:

I am trying to use the authenticated user from KC (Keycloak) to access a resource on the Caddy web server.

I am trying to use the Caddy module: https://caddyserver.com/docs/jwt

I have a realm called "customer001".
I don't know which of the secrets from KC I should put into JWT_SECRET.
The Caddy module uses this environment variable JWT_SECRET to check whether the JWT is valid.

The JWT looks like this.

{
  "jti": "",
  "exp": ,
  "nbf": 0,
  "iat": ,
  "iss": "https://kc./auth/realms/customer001",
  "aud": "portal",
  "sub": "MY_EMAIL@MY-DOMAIN",
  "typ": "Bearer",
  "azp": "portal",
  "nonce": "",
  "session_state": "",
  "client_session": "",
  "allowed-origins": [
    "*"
  ],
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "view-profile"
      ]
    }
  },
  "name": "Full NAME",
  "preferred_username": "MY_EMAIL@MY-DOMAIN",
  "given_name": "GN",
  "family_name": "FN",
  "email": "MY_EMAIL@MY-DOMAIN"
}

So when I try to access the resource, I always get a 401.

curl -vo /dev/null -H 'Authorization: Bearer '$(<lll) https://www.MY-DOMAIN/download/linux.tar.gz

Caddy config:

http://:2015 {
    redir 301 {
        if {path} not_match ^/download.*
        / https://{$REDIR_DOMAIN}/
    }

    realip {
        from 10.0.0.0/8
    }

    log stdout
    errors stdout

    gzip
    tls off
    root {$DOWNLOAD_DIR}
    browse

    jwt {
        path /download
        allow iss https://kc./auth/realms/customer001
        allow aud portal
    }
}

Any hint?

BR aleks

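Added example (Python, standard library only), not code from the original post or from the Caddy jwt plugin: it shows what a shared-secret (JWT_SECRET-style) HS256 check does over the iss/aud/exp/nbf claims shown in the post, and why the token header's `alg` matters. Keycloak signs realm tokens with RS256 by default, so when the header says RS256 a verifier needs the realm's public key rather than any client secret; the example pins the expected algorithm and refuses such a token instead of attempting an HMAC check on it. ISSUER and AUDIENCE are taken from the post (the KC hostname is elided there); the secret, subject, and timestamps are constructed for the example.

```python
"""Inspect and verify a JWT with only the standard library.

Added example, not code from the original post or the Caddy jwt plugin.
It mints a constructed HS256 token carrying the iss/aud claims from the
post, verifies the signature with a shared secret (what a JWT_SECRET-style
check does), and enforces iss/aud/exp/nbf the way `allow iss`/`allow aud`
directives would. The secret, subject and timestamps are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://kc./auth/realms/customer001"   # from the post (host elided there)
AUDIENCE = "portal"                              # from the post
SECRET = b"example-shared-secret"                # constructed, not a Keycloak value


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact JWS (header.payload.signature) signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def peek_header(token: str) -> dict:
    """Decode the header WITHOUT verifying. Use it only to learn alg/kid."""
    return json.loads(b64url_decode(token.split(".")[0]))


def verify_hs256(token: str, secret: bytes, iss: str, aud: str, now=None) -> dict:
    """Return the claims if signature and iss/aud/exp/nbf check out, else raise ValueError."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}; HS256 secret cannot verify it")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != iss:
        raise ValueError("issuer mismatch")
    aud_claim = claims.get("aud")
    audiences = aud_claim if isinstance(aud_claim, list) else [aud_claim]
    if aud not in audiences:
        raise ValueError("audience mismatch")
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    if "nbf" in claims and now < int(claims["nbf"]):
        raise ValueError("token not yet valid")
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed scenario: mint, inspect, verify, and show two failure modes."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "user@example.test",
              "iat": now, "nbf": 0, "exp": now + 300, "typ": "Bearer"}
    token = mint_hs256(claims, SECRET)
    results = {"header_alg": peek_header(token)["alg"]}
    results["valid_sub"] = verify_hs256(token, SECRET, ISSUER, AUDIENCE, now)["sub"]
    # Failure 1: wrong shared secret -> the 401-style rejection seen in the post.
    try:
        verify_hs256(token, b"some-other-secret", ISSUER, AUDIENCE, now)
        results["wrong_secret"] = "accepted"
    except ValueError as e:
        results["wrong_secret"] = str(e)
    # Failure 2: header says RS256 (Keycloak's default). An HS256 secret must not
    # be used to check it, so the verifier refuses rather than trying HMAC.
    rs_header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    _, p, s = token.split(".")
    try:
        verify_hs256(f"{rs_header}.{p}.{s}", SECRET, ISSUER, AUDIENCE, now)
        results["rs256_header"] = "accepted"
    except ValueError as e:
        results["rs256_header"] = str(e)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the file directly to see the three outcomes; `peek_header` on a real Keycloak token is the quickest way to confirm whether the header carries RS256 (public key needed) or HS256 (shared secret needed) before deciding what to hand the verifier.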
