Feature: Add prometheus metrics to plugin

nginx-metrics.conf

@@ -0,0 +1,19 @@
+server {
+    server_name _;
+    listen 0.0.0.0:8002;
+
+    location / {
+        default_type text/plain;
+        content_by_lua_block {
+             local exporter = require "kong.plugins.prometheus.exporter"
+             local prometheus = exporter.get_prometheus()
+             prometheus:collect()
+        }
+    }
+
+    location /nginx_status {
+        internal;
+        access_log off;
+        stub_status;
+    }
+}

src/handler.lua

@@ -14,6 +14,10 @@ local validate_roles = require("kong.plugins.jwt-keycloak.validators.roles").val
 local validate_realm_roles = require("kong.plugins.jwt-keycloak.validators.roles").validate_realm_roles
 local validate_client_roles = require("kong.plugins.jwt-keycloak.validators.roles").validate_client_roles
 
+local exporter = require("kong.plugins.prometheus.exporter")
+local metrics = {}
+local prometheus
+
 local re_gmatch = ngx.re.gmatch
 
 local priority_env_var = "JWT_KEYCLOAK_PRIORITY"
@@ -30,6 +34,79 @@ local JwtKeycloakHandler = {
   PRIORITY = priority,
 }
 
+local function exit(status, message, headers) -- sig matches kong.response.exit
+  kong.log.info('Exit with status ' .. status)
+  error({
+    _KONG_JWT_KEYCLOAK_EXIT = true;
+    smh = {status, message, headers};
+  })
+end
+
+local function decorate_handler(func)
+  local function wrapper(...)
+    local r = {pcall(func, ...)}
+    local success = r[1]
+    table.remove(r, 1)
+
+
+    -- we can't use kong.response.exit in the handler because it interrupts
+    -- processing and we would not have been able to update the metrics.
+    -- so instead we use pcall/error and do the error handling and exit in here
+    if not success then
+      -- pcall failed -> either the error is:
+      -- 1. an exit() (which sets _KONG_JWT_KEYCLOAK_EXIT)
+      --    --> we update the metric then call kong.response.exit
+      -- 2. an actual error
+      --    --> we update the metric then propagate the error
+
+      -- we ran pcall so `r[1]` is `e` in error(e), which is typically (but not
+      -- necessarily) a table
+      local errmsg = r[1]
+
+      local status = 500
+      local message
+      local headers
+      if type(errmsg) == 'table' and errmsg['_KONG_JWT_KEYCLOAK_EXIT'] then
+        -- we get the status so we can update the metric accordingly
+        status = errmsg.smh[1]
+        message = errmsg.smh[2] or nil
+        headers = errmsg.smh[3] or nil
+      end
+      metrics.requests:inc(1, {status})
+      if type(errmsg) == 'table' and errmsg['_KONG_JWT_KEYCLOAK_EXIT'] then
+        return kong.response.exit(status, message, headers)
+      else
+        -- propagate
+        return error(errmsg)
+      end
+    else
+      metrics.requests:inc(1, {200})
+      return unpack(r)
+    end
+  end
+  return wrapper
+end
+
+local function decorate_latency(name, func)
+  local function wrapper(...)
+    local start = socket.gettime()
+
+    local r = {pcall(func, ...)}
+    local success = r[1]
+    table.remove(r, 1)
+
+    metrics.latency:observe(socket.gettime() - start, {name})
+
+    if not success then
+      -- we logged the metric, propagate the error
+      error(r[1])
+    else
+      return unpack(r)
+    end
+  end
+  return wrapper
+end
+
 -------------------------------------------------------------------------------
 -- custom helper function of the extended plugin "jwt-keycloak"
 -- --> this is not contained in the official "jwt" pluging
@@ -65,7 +142,7 @@ end
 -------------------------------------------------------------------------------
 local function custom_helper_issuer_get_keys(well_known_endpoint, cafile)
   kong.log.debug('Getting public keys from token issuer')
-  local keys, err = keycloak_keys.get_issuer_keys(well_known_endpoint, cafile)
+  local keys, err = decorate_latency('get_issuer_keys', keycloak_keys.get_issuer_keys)(well_known_endpoint, cafile)
   if err then
       return nil, err
   end
@@ -90,18 +167,19 @@ end
 -- issued by this instance. The URL from inside the token from the "iss"
 -- information is taken to connect with the token issuer instance.
 -------------------------------------------------------------------------------
-local function custom_validate_token_signature(conf, jwt, second_call)
+local custom_validate_token_signature
+custom_validate_token_signature = decorate_latency('custom_validate_token_signature', function (conf, jwt, second_call)
   local issuer_cache_key = 'issuer_keys_' .. jwt.claims.iss
 
-  local well_known_endpoint = keycloak_keys.get_wellknown_endpoint(conf.well_known_template, jwt.claims.iss)
+  local well_known_endpoint = decorate_latency('get_wellknown_endpoint', keycloak_keys.get_wellknown_endpoint)(conf.well_known_template, jwt.claims.iss)
   -- Retrieve public keys
   local public_keys, err = kong.cache:get(issuer_cache_key, nil, custom_helper_issuer_get_keys, well_known_endpoint, conf.cafile)
 
   if not public_keys then
       if err then
           kong.log.err(err)
       end
-      return kong.response.exit(403, { message = "Unable to get public key for issuer" })
+      return exit(403, { message = "Unable to get public key for issuer" })
   end
 
   -- Verify signatures
@@ -123,8 +201,8 @@ local function custom_validate_token_signature(conf, jwt, second_call)
       return custom_validate_token_signature(conf, jwt, true)
   end
 
-  return kong.response.exit(401, { message = "Invalid token signature" })
-end
+  return exit(401, { message = "Invalid token signature" })
+end)
 
 -------------------------------------------------------------------------------
 -- custom keycloak specific extension for the plugin "jwt-keycloak"
@@ -154,6 +232,14 @@ end
 -- register at startup for events to be able to receive invalidate request needs
 function JwtKeycloakHandler:init_worker()
   kong.worker_events.register(invalidate_customer, "crud", "consumers")
+  prometheus = exporter.get_prometheus()
+  kong.log.debug("Registering prometheus metrics")
+  metrics.latency = prometheus:histogram("plugin_jwt_keycloak_duration_seconds", "Total time spent in the request handler (i.e. plugin overhead)", {"method"}, {0.0001, 0.0005, 0.001, 0.005, 0.01, 0.05, 0.1})
+  metrics.requests = prometheus:counter("plugin_jwt_keycloak_requests", "Total requests per status", {"status"})
+
+  if metrics.latency == nil or metrics.requests == nil then
+    kong.log.err("Failed to register prometheus metrics")
+  end
 end
 
 
@@ -319,7 +405,7 @@ local function custom_load_consumer_by_custom_id(custom_id)
   return result
 end
 
-local function custom_match_consumer(conf, jwt)
+local custom_match_consumer = decorate_latency('custom_match_consumer', function (conf, jwt)
   local consumer, err
   local consumer_id = jwt.claims[conf.consumer_match_claim]
 
@@ -345,17 +431,17 @@ local function custom_match_consumer(conf, jwt)
   end
 
   return true
-end
+end)
 
 -------------------------------------------------------------------------------
 -- Now again module names which also exist in original "jwt" kong OSS plugin
 -------------------------------------------------------------------------------
 
-local function do_authentication(conf)
+local do_authentication = decorate_latency('do_authentication', function (conf)
   local token, err = retrieve_tokens(conf)
   if err then
     kong.log.err(err)
-    return kong.response.exit(500, { message = "An unexpected error occurred" })
+    return exit(500, { message = "An unexpected error occurred" })
   end
 
   local token_type = type(token)
@@ -442,10 +528,9 @@ local function do_authentication(conf)
   end
 
   return false, { status = 403, message = "Access token does not have the required scope/role: " .. err }
-end
-
+end)
 
-function JwtKeycloakHandler:access(conf)
+local _access = decorate_handler(decorate_latency("access", function (conf)
   -- check if preflight request and whether it should be authenticated
   if not conf.run_on_preflight and kong.request.get_method() == "OPTIONS" then
     return
@@ -468,15 +553,19 @@ function JwtKeycloakHandler:access(conf)
                                                 conf.anonymous, true)
       if err then
         kong.log.err(err)
-        return kong.response.exit(500, { message = "An unexpected error occurred during authentication" })
+        return exit(500, { message = "An unexpected error occurred during authentication" })
       end
 
       set_consumer(consumer)
 
     else
-      return kong.response.exit(err.status, err.errors or { message = err.message })
+      return exit(err.status, err.errors or { message = err.message })
     end
   end
+end))
+
+function JwtKeycloakHandler:access(conf)
+  return _access(conf)
 end
 
 

tests/integration_tests/tests/TestBasics.py

@@ -1,18 +1,22 @@
 from tests.utils import *
 
 
-# Tokendetails: "iss": "http://localhost:8080/auth/realms/master", "alg": "RS256" --> Already expired !!
-STANDARD_JWT = 'eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJObjlsNXctQ1lORHUwUGh6MTFoWUNqQ050MGJmb2ZMQjZMcGMtWk5hUkFFIn0.eyJqdGkiOiIwZDBlODEyMy1mNjIxLTQzZWQtOTBjZS0yNWNhZDZhOGQ0MGQiLCJleHAiOjE1MzY1NzgxOTQsIm5iZiI6MCwiaWF0IjoxNTM2NTc4MTM0LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjoidGVzdCIsInN1YiI6ImIzY2RjZjcwLTljMDMtNDgwZi1hZGQwLTY4MWNkMzQyYWU1OCIsInR5cCI6IkJlYXJlciIsImF6cCI6InRlc3QiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiIxMGMzZWFjNC1kNzlmLTQyOGYtYmVlMC1mNDk3MTEwNTY0NDgiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsidGVzdCI6eyJyb2xlcyI6WyJ1bWFfcHJvdGVjdGlvbiJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwiY2xpZW50SG9zdCI6IjE3Mi4xNy4wLjEiLCJjbGllbnRJZCI6InRlc3QiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzZXJ2aWNlLWFjY291bnQtdGVzdCIsImNsaWVudEFkZHJlc3MiOiIxNzIuMTcuMC4xIiwiZW1haWwiOiJzZXJ2aWNlLWFjY291bnQtdGVzdEBwbGFjZWhvbGRlci5vcmcifQ.cFOVC_tLfyTHXB0T8MMJHizVXhDfh36ZwA6BNA3Jhjm-s-_Kt4_acZtbC-jLoch2Q-A4LPGURpG48RgWfALNaRvv6R5rWwOJ3O94bsCVbsAcY7rw-UMEyWz8sO-VObJnHayybVsnfvLzKZaWCsWIRZaMsE9OtiFfRoWgqHOCqMxFl0YX_ugZGGKKfMDjO0-ie-zzRQeUKjKfNdeJSk7OcrlZp8rpP0J616AocWd_NZTiB6RIuP4zy6z28dYY4Pgw5o-_GyoGI7NyDZxTVQ17XzTl_MFV7pTD9pvYzSpGZevcSfMGh00NHdagq9qr7jF65NYuGmZuCn0jUs9TmtLezQ'
-# Tokendetails: "iss": "http://localhost:8080/auth/realms/master", "alg": "RS256",
-BAD_SIGNATURE = 'eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJObjlsNXctQ1lORHUwUGh6MTFoWUNqQ050MGJmb2ZMQjZMcGMtWk5hUkFFIn0.eyJqdGkiOiI0NTQwMGZiNi01MTE0LTRkNWUtOTNkOC1jYjgzYjM0MDFjMjMiLCJleHAiOjE2MjI5ODI4NjAsIm5iZiI6MCwiaWF0IjoxNTM2NTgyODYwLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjoidGVzdCIsInN1YiI6ImIzY2RjZjcwLTljMDMtNDgwZi1hZGQwLTY4MWNkMzQyYWU1OCIsInR5cCI6IkJlYXJlciIsImF6cCI6InRlc3QiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiJiNTNjNmZhZC0xYWJjLTRmMjYtOGUzNi01MDhkOTdjMTI4NmEiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsidGVzdCI6eyJyb2xlcyI6WyJ1bWFfcHJvdGVjdGlvbiJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwiY2xpZW50SG9zdCI6IjE3Mi4xNy4wLjEiLCJjbGllbnRJZCI6InRlc3QiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzZXJ2aWNlLWFjY291bnQtdGVzdCIsImNsaWVudEFkZHJlc3MiOiIxNzIuMTcuMC4xIiwiZW1haWwiOiJzZXJ2aWNlLWFjY291bnQtdGVzdEBwbGFjZWhvbGRlci5vcmcifQ.PtpAE8sCkSWuosm7chw_TH2qAQuRIugP-1688WtZ9ZpkrulZ1OxxfAtnJY1eCYk0C4LQd14eI5d-1srim96FGdgG0BKq4T0TknG5JgQsPignMy2JnJWz-ZozO8a6FMLfpGT0hUQyiDbLRs3VES8RV3N_2uxl0ihy_tJ_wvCU0GrBF5-e2z4R-99zWuOpPbDvnDlP6YfCxLsp77ng4HYB1rBSG9100mpkTBsL8Q48HBZk_qAVdHhGRxqTXDEMYPd3gsKNu184DAsE0I1Ea9D0QXijvH7SVoUJvmZwQ0hOtg1bzWxIeIW1sVDqshkaG58kkiomG7G-9RzKrWOxg3lyQ'
+# Tokendetails: "iss": "http://keycloak:8080/auth/realms/master", "alg": "RS256" --> Already expired !!
+# curl --connect-to keycloak:8080:localhost:8080 -X POST http://keycloak:8080/auth/realms/master/protocol/openid-connect/token --data-urlencode grant_type=client_credentials --data-urlencode client_id=<client id> --data-urlencode client_secret=<client secret>
+STANDARD_JWT = 'eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJVeXZ6LXZTRzN3SU9hLWFick50RFVtd0c1SElpY0lsMjJxMG4tSTRQQk13In0.eyJleHAiOjE3MTU3MDAxNTMsImlhdCI6MTcxNTY5ODk1MywianRpIjoiZGFlMjI3MTEtNGFhZi00MWY1LThhZjMtMzAxZDhmNDdlMzAzIiwiaXNzIjoiaHR0cDovL2tleWNsb2FrOjgwODAvYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6IjAwMTA3Njg2LWI2NTEtNDg3YS04ZmE0LTQ2NWY2NzI2MWUxOCIsInR5cCI6IkJlYXJlciIsImF6cCI6IjAzZmRkMTQwLTU0ZGEtNGY1Ny05NTY5LWJlMjE5MmM2YTJkMiIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiZGVmYXVsdC1yb2xlcy1tYXN0ZXIiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwiY2xpZW50SG9zdCI6IjE3Mi4yMi4wLjEiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImNsaWVudElkIjoiMDNmZGQxNDAtNTRkYS00ZjU3LTk1NjktYmUyMTkyYzZhMmQyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoic2VydmljZS1hY2NvdW50LTAzZmRkMTQwLTU0ZGEtNGY1Ny05NTY5LWJlMjE5MmM2YTJkMiIsImNsaWVudEFkZHJlc3MiOiIxNzIuMjIuMC4xIn0.hKSg6WH3z9QA_QCyLThL8wymqAeDuzdp8Ss8gvfvhG30Ts4nvfkuIxxN0Gz3AGxhGTyDiXYoi8Gxo5tZ-PwyYEU2sVNPxXKsG2wbltZxGEg-VsMLfSErOIgOsryccGHDj8ZOlDRP4Qp1yOG52ukks9BUpX8RawEgii1xDwI_f0opOjOKYoyr125zhNhkaJyflLUh2lBIIs7-RFn27I4OlhcL8MmcrBLBuN50K68JIonucBpwVH4krf2YvVPLqsnmuqVihfnWhVIukeTMVpqQNBkm7lxViP-VUYN8Oz5D72aOrkGlRaz_xdKZoyOAamfGOa2Acmu3JqW17e4_FxKp4A'
+# Tokendetails: "iss": "http://keycloak:8080/auth/realms/master", "alg": "RS256",
+# override realm -> tokens "SSO Session max" and "Access Token lifespan" to 3650 Days
+# curl --connect-to keycloak:8080:localhost:8080 -X POST http://keycloak:8080/auth/realms/master/protocol/openid-connect/token --data-urlencode grant_type=client_credentials --data-urlencode client_id=<client id> --data-urlencode client_secret=<client secret>
+# last char replaced with '!' to make the base64 encoding invalid
+BAD_SIGNATURE = 'eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxQ181TWtuRzVPZXFtQTdJMXU2Qk9uT2ZieUNtcVotX3JWQUJ4RFRBaFZJIn0.eyJleHAiOjE3MTY0ODMzOTQsImlhdCI6MTcxNjQ4MjE5NCwianRpIjoiZTY1YTY5YTctYzZhMC00NzYzLWJjZjQtYjAzMTI3NzM2Y2Q5IiwiaXNzIjoiaHR0cDovL2tleWNsb2FrOjgwODAvYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6IjNmMmQzYzk3LTNhYmUtNDBiZS1hOWNjLTM3ZGJiYTMxOGQ2ZCIsInR5cCI6IkJlYXJlciIsImF6cCI6IjAwMDEyNzM3LTY3OTYtNDIxYy04OWY5LWNlZmVjN2RmNjBkNCIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiZGVmYXVsdC1yb2xlcy1tYXN0ZXIiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwiY2xpZW50SWQiOiIwMDAxMjczNy02Nzk2LTQyMWMtODlmOS1jZWZlYzdkZjYwZDQiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImNsaWVudEhvc3QiOiIxNzIuMjYuMC4xIiwicHJlZmVycmVkX3VzZXJuYW1lIjoic2VydmljZS1hY2NvdW50LTAwMDEyNzM3LTY3OTYtNDIxYy04OWY5LWNlZmVjN2RmNjBkNCIsImNsaWVudEFkZHJlc3MiOiIxNzIuMjYuMC4xIn0.SA8xD2SzwzMAA60kpvw-0eU-3BvrxgL_cHDLgCGeGCNvaefUMRloATbDhdtBfZr-8aIDIFPRt5oG1c-_4ilbaaDpnpNo_m36ySV8Xb3uRjwyMGep9N27TSWuN00IdVkSxTOG3w3Wzekv8FTn2cbbvPx7Q2yD1i9pO9KMHksMxc8hTeN_2ygfqgXm80s38Npi1rFhEcTr-QlhZHKUDbdazLJtZTpgUeqHWqywsueDFyWs3dcBv3mhCbhdW9GqNkZpY5M8Zc4-xVKd_iz0adMtwS9jYFtYEgyc5kG9k736wyuoBrODo8ZuFWpKXkCFIOEHFTMHCEGcaYR0rds4z4eWu!'
 
 class TestBasics(unittest.TestCase):
 
     ############################################################################
     # Test if plugin denies requests if completely no token is send to the 
     # kong instance .. it needs to fail
     @create_api({
-        'allowed_iss': ['http://localhost:8080/auth/realms/master']
+        'allowed_iss': ['http://keycloak:8080/auth/realms/master']
     })
     @call_api()
     def test_no_auth(self, status, body):
@@ -24,7 +28,7 @@ def test_no_auth(self, status, body):
     # ... request is without any authentication contained
     @create_api({
         'run_on_preflight': False,
-        'allowed_iss': ['http://localhost:8080/auth/realms/master']
+        'allowed_iss': ['http://keycloak:8080/auth/realms/master']
     })
     @call_api(method='options')
     def test_preflight_success(self, status, body):
@@ -34,7 +38,7 @@ def test_preflight_success(self, status, body):
     # Test if plugin denies by default preflight requests in a unauthenticated
     # way ... It needs to fail
     @create_api({
-        'allowed_iss': ['http://localhost:8080/auth/realms/master']
+        'allowed_iss': ['http://keycloak:8080/auth/realms/master']
     })
     @call_api()
     def test_preflight_failure(self, status, body):
@@ -45,7 +49,7 @@ def test_preflight_failure(self, status, body):
     # Test if plugin denies a request param "jwt" which contains no valid token
     # --> It needs to be denied
     @create_api({
-        'allowed_iss': ['http://localhost:8080/auth/realms/master']
+        'allowed_iss': ['http://keycloak:8080/auth/realms/master']
     })
     @call_api(params={"jwt": "SomeNonSenseJwtTokenValue.1234"})
     def test_bad_token_as_param(self, status, body):
@@ -55,7 +59,7 @@ def test_bad_token_as_param(self, status, body):
     # Test if plugin accepts a request param "jwt" a valid token
     # --> It needs to be allowed
     @create_api({
-        'allowed_iss': ['http://localhost:8080/auth/realms/master']
+        'allowed_iss': ['http://keycloak:8080/auth/realms/master']
     })
     @authenticate() # Get current requested token
     @call_api(authentication_type={"queryparam":"jwt"})
@@ -68,7 +72,7 @@ def test_good_token_as_param(self, status, body):
     # Test-Token "STANDARD_JWT" contains 'algorithm': 'RS256'
     @create_api({
         'algorithm': 'HS256',
-        'allowed_iss': ['http://localhost:8080/auth/realms/master']
+        'allowed_iss': ['http://keycloak:8080/auth/realms/master']
     })
     @call_api(token=STANDARD_JWT)
     def test_invalid_algorithm(self, status, body):
@@ -80,7 +84,7 @@ def test_invalid_algorithm(self, status, body):
     # Test if plugin denies requests if token is issued by a different "iss"
     # Token is only valid for "master" realm
     @create_api({
-        'allowed_iss': ['http://localhost:8080/auth/realms/somethingElseThenMaster']
+        'allowed_iss': ['http://keycloak:8080/auth/realms/somethingElseThenMaster']
     })
     @authenticate() # Use current requested token
     @call_api()
@@ -93,7 +97,7 @@ def test_invalid_iss(self, status, body):
     # Test if plugin denies requests if token is more then 10 minutes valid
     # (in this setup here all fresh requested tokens are 20 minutes valid)
     @create_api({
-        'allowed_iss': ['http://localhost:8080/auth/realms/master'],
+        'allowed_iss': ['http://keycloak:8080/auth/realms/master'],
         'maximum_expiration': 600
     })
     @authenticate() # Use current requested token
@@ -105,7 +109,7 @@ def test_max_exp(self, status, body):
     ############################################################################
     # Test if plugin denies requests if token contains a bad signature
     @create_api({
-        'allowed_iss': ['http://localhost:8080/auth/realms/master']
+        'allowed_iss': ['http://keycloak:8080/auth/realms/master']
     })
     @call_api(token=BAD_SIGNATURE)
     def test_bad_signature(self, status, body):
@@ -118,7 +122,7 @@ def test_bad_signature(self, status, body):
     # !! Execute this as last test .. it uses a short living token which
     #    was at the beginning of this test cases requested.
     @create_api({
-        'allowed_iss': ['http://localhost:8080/auth/realms/master']
+        'allowed_iss': ['http://keycloak:8080/auth/realms/master']
     })
     @call_api(token=TD_TOKEN_EXPIRED)
     def test_invalid_exp(self, status, body):