forgejo_admin/westside-ai-assistant
1
0
Fork 0
Code Issues 13 Pull requests Projects Releases Packages Wiki Activity Actions

Keycloak token validation failing — basketball-api returns 401 #26

New issue
Closed
opened 2026-03-31 00:58:12 +00:00 by forgejo_admin · 1 comment
forgejo_admin commented 2026-03-31 00:58:12 +00:00
Owner
Copy link

Type

Bug

Lineage

Discovered during validation of PR #24 (generic api_get). Pre-existing — not caused by the PR.

Repo

forgejo_admin/westside-ai-assistant

What Broke

Nemo's Keycloak service account token is rejected by basketball-api with {"detail":"Token validation failed"}. The api_get tool correctly calls basketball-api but gets 401 Unauthorized. This means ALL read tools (both old and new) are broken — not just the generic api_get.

Repro Steps

  1. Send any data question to Nemo via GroupMe (e.g. "how many players?")
  2. Nemo calls api_get("/admin/dashboard")
  3. Basketball-api returns 401: Token validation failed

Expected Behavior

Keycloak client credentials flow should return a valid token that basketball-api accepts.

Environment

  • Cluster/namespace: westside-ai-assistant (prod)
  • Service version: commit 5211f23
  • Keycloak realm: westside-basketball
  • Keycloak client: westside-ai-bot
  • Related alerts: none

Acceptance Criteria

  • Nemo can successfully authenticate to basketball-api
  • api_get("/admin/dashboard") returns data, not 401

Related

  • project-westside-basketball
  • westside-ai-assistant #23 (parent feature)
### Type Bug ### Lineage Discovered during validation of PR #24 (generic api_get). Pre-existing — not caused by the PR. ### Repo `forgejo_admin/westside-ai-assistant` ### What Broke Nemo's Keycloak service account token is rejected by basketball-api with `{"detail":"Token validation failed"}`. The `api_get` tool correctly calls basketball-api but gets 401 Unauthorized. This means ALL read tools (both old and new) are broken — not just the generic api_get. ### Repro Steps 1. Send any data question to Nemo via GroupMe (e.g. "how many players?") 2. Nemo calls api_get("/admin/dashboard") 3. Basketball-api returns 401: Token validation failed ### Expected Behavior Keycloak client credentials flow should return a valid token that basketball-api accepts. ### Environment - Cluster/namespace: westside-ai-assistant (prod) - Service version: commit 5211f23 - Keycloak realm: westside-basketball - Keycloak client: westside-ai-bot - Related alerts: none ### Acceptance Criteria - [ ] Nemo can successfully authenticate to basketball-api - [ ] api_get("/admin/dashboard") returns data, not 401 ### Related - `project-westside-basketball` - westside-ai-assistant #23 (parent feature)
forgejo_admin commented 2026-03-31 01:01:09 +00:00
Author
Owner
Copy link

Fixed. Root cause: Nemo's KEYCLOAK_REALM_URL pointed to internal URL (http://keycloak.keycloak.svc.cluster.local/realms/westside-basketball). Tokens from internal URL have a different issuer than what basketball-api validates against (external URL). Changed env var to https://keycloak.tail5b443a.ts.net/realms/westside-basketball. Validated end-to-end: api_get("/admin/dashboard") returns 200 OK.

**Fixed.** Root cause: Nemo's `KEYCLOAK_REALM_URL` pointed to internal URL (`http://keycloak.keycloak.svc.cluster.local/realms/westside-basketball`). Tokens from internal URL have a different issuer than what basketball-api validates against (external URL). Changed env var to `https://keycloak.tail5b443a.ts.net/realms/westside-basketball`. Validated end-to-end: api_get("/admin/dashboard") returns 200 OK.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
No results found.
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo_admin/westside-ai-assistant#26
No description provided.