在authorized_code交换上被公司代理阻止的Keycloak身份代理(到Azure AD)
问题描述 投票:3回答:2
我有AzureAD作为在Keycloak注册的外部OIDC提供商。 Keycloak将客户授权请求重定向到AzureAD以提供授权。 Keycloak在公司代理后面的工作站上运行,相应的Azure AD托管在公共互联网上。我可以使用本地工作站上的Postman连接到Azure AD。
通过AzureAD的授权按预期工作(提示用户输入她/他的凭证并接受同意)。成功授权后,AzureAD会使用authorization_code响应已定义的Keycloak return-url:
http://localhost:5000/auth/realms/lsp-api/broker/ms-azure-ad/endpoint?code=AQABAAIAAADX8GCi6Js6SK82TsD2Pb7rL__pDRDcKAqDqyTeTdzmbC9n3kcz5flc0q7zDRbK-WVLUpcUU65tWSh9C-opFiwtMZOACwGLQDgh4y4ScLW-dUGN7g3Ad3_aBqK-uHPgS3uKM1OlAIeSw3NSl1DMTKhH7SGQRGITP6ARIrCL9snqNRDUbHvhfKVlLMxmJTUk0bKDIT3PzM4nBSd1NwdXc9VZ9cCFnRMjlKfpRUx3guo-58tgSL5Vsaf8TvKg8B5TSYbiDzS49epFsU0Eg_PBs1JU4Q-8vOrN_wlV1zs1IUDYbUv8EdlMdqJkaT-nBTv-4Ab2Jf3X39u4m666kvcWmezGJ-NkjPqaOSK6eglWJfjW_z9-vHFQl6F9JxdCIlGbolyZyUpo0-a0LlnVVg2gyl1wJEOSnv5RvhmTZOqa1qWxZNsyG15JeQBkcK-J0XzWmn8CaeqzsJwFlNwkpzK_XaZW-KIsWayZ0Rz2HdDYh3Mre2I4uRmDyoQLiP60lYDaYowZZ11jSBy_87vFL2alK-5sGyUajs6kODfsoSlEGHhWJeHMiC2-jYm0gMNTQIvUMYpLJRpgKX6v3n-E3Q7ZlYD_VAWOnDZBCR5iaTsUOxuXN6CiC4p01N47c4QG4Y8A9lTbVXDvVcxSBz8H7uM5DfawFGUKpSCobI9V1XKnyw1R8UXTObqmEq8gA4jBzaRZb89qAnlZ6X-w39LbLWE7MUlL0Ok8LP-7omQlVei6AdEMfrIaHNIBUFimHLgKjiqcG2ogAA&state=FevrPXHHXkICQjFEYJ_3ZyvfZ2Y9E6iM5foCcOvk5C8.jXAAgdz4mnA.lsp-api&session_state=8cb0539a-b775-4de6-b334-5cb24caeb685
此响应与状态代码qazxsw poi一起发送。此外,还会显示错误消息“使用Identity Provider进行身份验证时出现意外错误”。
我已经尝试将返回的502, Bad Gateway手动发送到authorization_code AzureAD端点,然后我收到了/token和access_token。所以问题似乎是id_token方面的响应处理。
预期的行为应该是:
Keycloak用AzureAD回应Keycloakauthorization_code能够将Keycloak换成authorization_code(mb。另外还有access_token)
什么行不通:
id_token无法为Keycloak交换authorization_code,但在使用Identity Provider进行身份验证时会抛出“意外错误”错误消息。
Keycloak设置:
Keycloak版本:4.1.0.Final
access_token
AzureAD将设置为Reply-URL。
编辑
我做了一些研究,发现这可能是一个公司代理问题。代理位于http://localhost:5000/auth/realms/lsp-api/broker/ms-azure-ad/endpoint(在我的机器localhost上运行)和Keycloak之间。那么如何设置AzureAD Identity Brokering的代理?相关的Keycloaks日志:
Keycloak2个回答
0
投票
投票
此异常表示没有服务侦听您尝试连接的IP /端口:
- 您正在尝试连接到错误的IP /端口。
- 您尚未启动服务器。
- 您的服务器没有侦听连接。
- 在Windows服务器上,侦听backlog队列已满。
您可以尝试使用您的IP地址替换localhost。还要确保没有防火墙阻止连接。
0
投票
投票
您应该可以为JVM设置代理
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-122) Failed to make identity provider oauth callback: org.apache.http.conn.HttpHostConnectException: Connect to login.microsoftonline.com:443 [login.microsoftonline.com/40.112.64.25, login.microsoftonline.com/104.41.216.18, login.microsoftonline.com/104.41.216.16] failed: Connection refused: connect
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:158)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
at org.keycloak.broker.provider.util.SimpleHttp.makeRequest(SimpleHttp.java:185)
at org.keycloak.broker.provider.util.SimpleHttp.asResponse(SimpleHttp.java:154)
at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:146)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:405)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.net.ConnectException: Connection refused: connect
at java.net.TwoStacksPlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:337)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
... 74 more
最新问题
- (Tauri)无法在云功能中刷新访问令牌-Invalid_grant
- 我有一个带2个单独的SQS队列的春季启动项目。每个SQS队列都在单独的AWS帐户中,带有单独的IAM用户。我有两个独立的配置类,其中我将每个帐户/IAM用户/queue的凭据配置SQSASYNCCLIENT。
- 圆形依赖性何时注射现场
- 使用行分组时将空行不可扩展在材料UI DataGrid Premium中
- NIXOS:安装一个包含pnpm
- ASP.NET核心微服务
- 带ASP.NET核心身份登录时400 我的应用程序已在Microsoft.aspnetcore.Identity和.Net Core 2.2上运行了4年。我进行了修改,并且已经取出了旧文件.zip。我做到了
- <code>rmarkdown</code>
- 我有:
- 如何在ASP.NET Core Web API中使用其他表单数据上传图像? 我正在尝试制作一种表格,该表格将采用必要的表单数据以及配置文件图片并将其存储在Web API中,因为我将稍后在MVC中使用此API。我有点困惑我应该如何
- 为什么Swift的三元操作员需要周围的空格?
- 如何在最新的Android通话中进行电话振动?
- 在二头肌模板和AzurePortal
- 是我可以忽略最后一列中任何选项卡的方法,或者我必须使用诸如Regex之类的内容来删除额外的选项卡?
- 使用XLSXWriter
- 如何将NUXT服务器中间件应用于页面? 我在项目中使用NUXT服务器中间件。每当页面目录中定义的页面或其他内容(静态资产等)中定义的页面时,他们会捕获所有请求。我想限制我的一些米德瓦...
- 如何判断当前使用哪种colorscheme colorsheme session
- 您如何在Delphi 12.2中调用请求Permissions,没有编译器错误? 我正在尝试编写以下代码块,无论我做什么,似乎都遇到了编译器类型的比较问题。 用途 fmx.types, 系统。 androidapi.helpers,// jstringtos ...
- 使用numpy和scipy special textime练习回归
- 如何使用SNMP4J(Java)中的私有MIB文件解决OID名称。 我在使用SNMP4J时会遇到问题:我有一些私人MIB库文件,当我将它们加载到MIB浏览器中时,我可以成功地从SNMP陷阱消息中解决OID并显示
© www.soinside.com 2019 - 2025. All rights reserved.