Authorization fails when APIcast is configured as a proxy for RH-SSO on OpenShift

Solution Verified - Updated -


Issue

  • Authorization fails in APIcast with status code 403 Forbidden when a Product is configured with Authentication method = OpenID Connect, the OCP router and RH-SSO are configured as described in the Environment section, and APIcast is used as a proxy for generating JWTs on RH-SSO.


Environment

  • Red Hat 3scale API Management Platform (3scale)

    • 2
  • Red Hat Single Sign On (RH-SSO)

    • 7.4
      • proxy-address-forwarding="true"
      • frontendUrl=""
  • Red Hat OpenShift Container Platform (OCP)

    • 4
      • ROUTER_SET_FORWARDED_HEADERS={append|replace|IfNone}
