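I'm new to Directus, but after watching YouTube videos about Directus, I think Directus is what I need to support my backend development.
I have set up a self-hosted instance and logged in successfully with my admin credentials. Now I want to connect it to my Keycloak SSO server.
I used this article as my guide: Directus Keycloak guide
I have already set up the client ID (I named it "directus" in my Keycloak admin console). The Keycloak button is already there. However, when I try to log in with Keycloak, it always redirects to https://mydirectussite/admin/login?reason=INVALID_CREDENTIALS.
When I check the server, it has logs like this: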
[06:02:07] GET /auth/login/keycloak?redirect=https%3A%2F%2Fcoba2-directus.blablabla.host%2Fadmin%2Flogin%3Freason%3DSIGN_OUT%26continue%3D 302 25ms
[06:02:09.388] WARN: [OpenID] Unknown RP error
err: {
"type": "RPError",
"message": "unexpected JWT alg received, expected RS256, got: RS512",
"stack":
RPError: unexpected JWT alg received, expected RS256, got: RS512
at Client.validateJWT (/directus/node_modules/.pnpm/[email protected]/node_modules/openid-client/lib/client.js:911:13)
at Client.validateIdToken (/directus/node_modules/.pnpm/[email protected]/node_modules/openid-client/lib/client.js:766:60)
at Client.callback (/directus/node_modules/.pnpm/[email protected]/node_modules/openid-client/lib/client.js:505:18)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async OpenIDAuthDriver.getUserID (file:///directus/node_modules/.pnpm/@directus+api@file+api_@[email protected]_@[email protected][email protected][email protected]___e_m3k5vy5wr7txl4ii3ls7kgdvt4/node_modules/@directus/api/dist/auth/drivers/openid.js:114:24)
at async AuthenticationService.login (file:///directus/node_modules/.pnpm/@directus+api@file+api_@[email protected]_@[email protected][email protected][email protected]___e_m3k5vy5wr7txl4ii3ls7kgdvt4/node_modules/@directus/api/dist/services/authentication.js:46:22)
at async file:///directus/node_modules/.pnpm/@directus+api@file+api_@[email protected]_@[email protected][email protected][email protected]___e_m3k5vy5wr7txl4ii3ls7kgdvt4/node_modules/@directus/api/dist/auth/drivers/openid.js:291:28
"name": "RPError"
}
[06:02:09.405] WARN: Invalid user credentials.
err: {
"type": "",
"message": "Invalid user credentials.",
"stack":
DirectusError: Invalid user credentials.
at handleError (file:///directus/node_modules/.pnpm/@directus+api@file+api_@[email protected]_@[email protected][email protected][email protected]___e_m3k5vy5wr7txl4ii3ls7kgdvt4/node_modules/@directus/api/dist/auth/drivers/openid.js:234:16)
at OpenIDAuthDriver.getUserID (file:///directus/node_modules/.pnpm/@directus+api@file+api_@[email protected]_@[email protected][email protected][email protected]___e_m3k5vy5wr7txl4ii3ls7kgdvt4/node_modules/@directus/api/dist/auth/drivers/openid.js:124:19)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async AuthenticationService.login (file:///directus/node_modules/.pnpm/@directus+api@file+api_@[email protected]_@[email protected][email protected][email protected]___e_m3k5vy5wr7txl4ii3ls7kgdvt4/node_modules/@directus/api/dist/services/authentication.js:46:22)
at async file:///directus/node_modules/.pnpm/@directus+api@file+api_@[email protected]_@[email protected][email protected][email protected]___e_m3k5vy5wr7txl4ii3ls7kgdvt4/node_modules/@directus/api/dist/auth/drivers/openid.js:291:28
"name": "DirectusError",
"code": "INVALID_CREDENTIALS",
"status": 401
}
So I changed the default signature algorithm at /realm-setting/tokens, and then the error changed, so I assume the "alg RS512" issue is solved. But then I got a different error:
WARN: [OpenID] Couldn't verify OpenID cookie
12|npm | err: {
12|npm | "type": "JsonWebTokenError",
12|npm | "message": "jwt must be provided",
12|npm | "stack":
12|npm | JsonWebTokenError: jwt must be provided
12|npm | at module.exports [as verify] (/home/blabla/dir/node_modules/jsonwebtoken/verify.js:60:17)
12|npm | [13:48:00.479] WARN: [OpenID] User doesn't exist, and public registration not allowed for provider "keycloak"
12|npm | [13:48:00.481] WARN: Invalid user credentials.
12|npm | err: {
12|npm | "type": "",
12|npm | "message": "Invalid user credentials.",
12|npm | "stack":
12|npm | DirectusError: Invalid user credentials.
12|npm | at OpenIDAuthDriver.getUserID (file:///home/xxx/dir/node_modules/@directus/api/dist/auth/drivers/openid.js:164:19)
12|npm | at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
12|npm | at async AuthenticationService.login (file:///home/x/dir/node_modxxules/@directus/api/dist/services/authentication.js:46:22)
12|npm | at async file:///home/xxx/dir/node_modules/@directus/api/dist/auth/drivers/openid.js:291:28
12|npm | "name": "DirectusError",
12|npm | "code": "INVALID_CREDENTIALS",
12|npm | "status": 401
12|npm | }
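When I click the "Login with Keycloak" button and then check the cookies via Inspect Element, the Keycloak response is there, but it suddenly disappears when it redirects to /admin/login/?reason=INVALID_CREDENTIALS.
Directus version: 11.1.0. Keycloak version: 25.0.4.
Is there any solution?
Solved:
First problem: I changed the "Default Signature Algorithm" from RS512 to RS256 in Realm settings / Tokens. So basically, this was a Keycloak administration issue.
Second problem: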
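
The algorithm mismatch in the first log can be reproduced offline by reading an ID token's header before it reaches the relying party. The following is an added example, not part of the original post and not Directus or openid-client code; `decodeJwtHeader`, `checkIdTokenAlg` and the sample token are constructed for illustration.

```javascript
// Added diagnostic example (Node.js). It inspects the JWT header only and does
// NOT verify the signature, so it is for troubleshooting, not for authentication.

// Helper to build the constructed sample token below.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Decode the protected header of a compact JWS (header.payload.signature).
function decodeJwtHeader(token) {
  if (typeof token !== 'string' || token.length === 0) {
    // Same wording as the jsonwebtoken error in the second log: an empty
    // or missing cookie value ends up here.
    throw new Error('jwt must be provided');
  }
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWS: expected 3 dot-separated parts');
  }
  let header;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  } catch {
    throw new Error('JWT header is not valid base64url-encoded JSON');
  }
  if (header === null || typeof header !== 'object' || typeof header.alg !== 'string') {
    throw new Error('JWT header has no string "alg"');
  }
  return header;
}

// Compare the token's alg with the one the relying party expects
// (RS256 in the log above). The reason string mirrors the logged message.
function checkIdTokenAlg(token, expectedAlg = 'RS256') {
  const { alg, kid } = decodeJwtHeader(token);
  if (alg !== expectedAlg) {
    const reason = `unexpected JWT alg received, expected ${expectedAlg}, got: ${alg}`;
    return { ok: false, alg, kid, reason };
  }
  return { ok: true, alg, kid, reason: null };
}

// Constructed sample: header signed-alg RS512, dummy payload and signature.
const SAMPLE_TOKEN = [
  b64url({ alg: 'RS512', typ: 'JWT', kid: 'sample-kid' }),
  b64url({ iss: 'https://idp.example/realms/demo', sub: 'sample-user' }),
  'c2lnbmF0dXJl',
].join('.');

console.log(checkIdTokenAlg(SAMPLE_TOKEN));          // mismatch, as in the log
console.log(checkIdTokenAlg(SAMPLE_TOKEN, 'RS512')); // matches when the expectation is changed
```

Either side can be changed to make the two agree; the post resolves it on the Keycloak side by setting the realm's default signature algorithm to RS256.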