I am following this guide: https://www.baeldung.com/spring-boot-keycloak. I am trying to connect my BFF application to my reverse proxy, but I keep getting this error: The Issuer "http://localhost:8080/auth/realms/baeldung" provided in the configuration metadata did not match the requested issuer "http://localhost:7080/auth/realms/baeldung".
I believe my Keycloak configuration is set up incorrectly. How do I fix the proxy issue?
I tried changing my Keycloak configuration as well as the settings of my reverse proxy and BFF.
Here is my BFF YAML:
```yaml
# Custom properties to ease configuration overrides
# on command-line or IDE launch configurations
scheme: http
hostname: localhost
reverse-proxy-port: 7080
reverse-proxy-uri: ${scheme}://${hostname}:${reverse-proxy-port}
authorization-server-prefix: /auth
issuer: http://localhost:7080${authorization-server-prefix}/realms/baeldung
client-id: baeldung-confidential
client-secret: secret
username-claim-json-path: $.preferred_username
authorities-json-path: $.realm_access.roles
bff-port: 7081
bff-prefix: /bff
resource-server-port: 7084
audience:

server:
  port: ${bff-port}
  ssl:
    enabled: false

spring:
  cloud:
    gateway:
      routes:
      - id: bff
        uri: ${scheme}://${hostname}:${resource-server-port}
        predicates:
        - Path=/api/**
        filters:
        - DedupeResponseHeader=Access-Control-Allow-Credentials Access-Control-Allow-Origin
        - TokenRelay=
        - SaveSession
        - StripPrefix=1
  security:
    oauth2:
      client:
        provider:
          baeldung:
            issuer-uri: ${issuer}
        registration:
          baeldung:
            provider: baeldung
            authorization-grant-type: authorization_code
            client-id: ${client-id}
            client-secret: ${client-secret}
            scope: openid,profile,email,offline_access

com:
  c4-soft:
    springaddons:
      oidc:
        ops:
        - iss: ${issuer}
          authorities:
          - path: ${authorities-json-path}
          aud: ${audience}
        # SecurityFilterChain with oauth2Login() (sessions and CSRF protection enabled)
        client:
          client-uri: ${reverse-proxy-uri}${bff-prefix}
          security-matchers:
          - /api/**
          - /login/**
          - /oauth2/**
          - /logout/**
          permit-all:
          - /api/**
          - /login/**
          - /oauth2/**
          - /logout/connect/back-channel/baeldung
          post-logout-redirect-host: ${hostname}
          csrf: cookie-accessible-from-js
          oauth2-redirections:
            rp-initiated-logout: ACCEPTED
          back-channel-logout:
            enabled: true
            # internal-logout-uri: ${reverse-proxy-uri}${bff-prefix}/logout
            # should work too, but there is no reason to go through the reverse proxy for this internal call
            internal-logout-uri: ${scheme}://localhost:${bff-port}/logout
        # SecurityFilterChain with oauth2ResourceServer() (sessions and CSRF protection disabled)
        resourceserver:
          permit-all:
          - /login-options
          - /error
          - /v3/api-docs/**
          - /swagger-ui/**
          - /actuator/health/readiness
          - /actuator/health/liveness

management:
  endpoint:
    health:
      probes:
        enabled: true
  endpoints:
    web:
      exposure:
        include: '*'
  health:
    livenessstate:
      enabled: true
    readinessstate:
      enabled: true

logging:
  level:
    root: INFO
    org:
      springframework:
        boot: INFO
        security: TRACE
        web: INFO

---
spring:
  config:
    activate:
      on-profile: ssl
server:
  ssl:
    enabled: true
scheme: https

---
spring:
  config:
    activate:
      on-profile: cognito
issuer: https://cognito-idp.us-west-2.amazonaws.com/us-west-2_RzhmgLwjl
client-id: 12olioff63qklfe9nio746es9f
client-secret: change-me
username-claim-json-path: username
authorities-json-path: $.cognito:groups
com:
  c4-soft:
    springaddons:
      oidc:
        client:
          oauth2-logout:
            baeldung:
              uri: https://spring-addons.auth.us-west-2.amazoncognito.com/logout
              client-id-request-param: client_id
              post-logout-uri-request-param: logout_uri

---
spring:
  config:
    activate:
      on-profile: auth0
issuer: https://dev-ch4mpy.eu.auth0.com/
client-id: yWgZDRJLAksXta8BoudYfkF5kus2zv2Q
client-secret: change-me
username-claim-json-path: $['https://c4-soft.com/user']['name']
authorities-json-path: $['https://c4-soft.com/user']['roles']
audience: bff.baeldung.com
com:
  c4-soft:
    springaddons:
      oidc:
        client:
          authorization-params:
            baeldung:
              audience: ${audience}
          oauth2-logout:
            baeldung:
              uri: ${issuer}v2/logout
              client-id-request-param: client_id
              post-logout-uri-request-param: returnTo
```
Apparently, you chose to put everything behind the reverse proxy. This is optional, but it gives more flexibility for displaying the login form (the Keycloak UI can easily be included in an iframe of the page displaying the SPA if both share the same origin).

Even if it results in the same value, to make it more obvious in the conf, I would change:

```yaml
issuer: http://localhost:7080${authorization-server-prefix}/realms/baeldung
```

to:

```yaml
issuer: ${reverse-proxy-uri}${authorization-server-prefix}/realms/baeldung
```

Your question does not include the Keycloak configuration. My guess is that your problem comes from a misconfiguration there: when serving Keycloak through a reverse proxy, you must set the `hostname-url=http://localhost:7080/auth`, `hostname-admin-url=http://localhost:7080/auth` and `hostname-strict-backchannel=true` properties (note the values pointing at the reverse proxy). If using a Docker Compose file, it should contain:
```yaml
keycloak:
  container_name: baeldung-bff.auth
  image: quay.io/keycloak/keycloak:24.0.0
  command:
  - start-dev
  - --import-realm
  ports:
  - 8080:8080
  volumes:
  - ./keycloak/import/:/opt/keycloak/data/import/
  environment:
    KEYCLOAK_ADMIN: admin
    KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
    KC_HTTP_PORT: 8080
    KC_HOSTNAME_URL: http://localhost:7080/auth
    KC_HOSTNAME_ADMIN_URL: http://localhost:7080/auth
    KC_HOSTNAME_STRICT_BACKCHANNEL: true
    KC_HTTP_RELATIVE_PATH: /auth/
    KC_HTTP_ENABLED: true
    KC_HEALTH_ENABLED: true
    KC_METRICS_ENABLED: true
    #KC_LOG_LEVEL: DEBUG
  extra_hosts:
  - "host.docker.internal:host-gateway"
```
Note that there are some breaking changes to the hostname configuration in Keycloak 25. So, if using the latest image, refer to the Keycloak documentation to set `hostname`, `hostname-admin` and `hostname-strict` instead of the settings above. As a side note, the `build.sh` from the companion project replaces the default Compose file with one pointing at a reverse proxy that uses your hostname. So, if you run it as described in section 3.2 of the tutorial, you would not face this issue ;).
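The mismatch in the question can be reproduced offline and turned into a concrete fix hint: the script below (added example, not code from the post, the tutorial or spring-addons) applies the same equality check Spring Security performs between the configured `issuer-uri` and the `issuer` field of the discovery document, and, when only the host or port differs, derives the `KC_HOSTNAME_URL` that would make Keycloak advertise the reverse-proxy address. The function names and the sample discovery document are constructed for this example.

```python
# Reproduce Spring Security's issuer check on a discovery document and, when
# Keycloak answers with its own (non-proxied) base URL, derive the
# KC_HOSTNAME_URL that would make the two agree. Example code, not from the post.
import json
import sys
from urllib.parse import urlsplit
from urllib.request import urlopen

REALM_MARKER = "/realms/"


def keycloak_base(issuer: str) -> str:
    """Strip '/realms/<realm>' so '.../auth/realms/baeldung' -> '.../auth'."""
    idx = issuer.find(REALM_MARKER)
    return issuer[:idx] if idx >= 0 else issuer.rstrip("/")


def check_issuer(configured: str, metadata: dict) -> dict:
    """Spring rejects the provider unless metadata['issuer'] equals issuer-uri."""
    advertised = metadata.get("issuer", "")
    result = {"configured": configured, "advertised": advertised,
              "match": configured == advertised}
    if not result["match"] and REALM_MARKER in configured:
        c, a = urlsplit(configured), urlsplit(advertised)
        # Same path but a different scheme/host/port means Keycloak does not
        # know it is served through the reverse proxy: fix its hostname-url.
        result["proxy_mismatch"] = c.path == a.path and c.netloc != a.netloc
        result["suggested_kc_hostname_url"] = keycloak_base(configured)
    return result


def fetch_metadata(issuer: str) -> dict:
    """Download the discovery document the same way Spring Security does."""
    with urlopen(issuer.rstrip("/") + "/.well-known/openid-configuration") as r:
        return json.load(r)


# Constructed discovery document mirroring the error in the question:
# Keycloak advertises its own port 8080 while the BFF expects proxy port 7080.
SAMPLE_METADATA = {"issuer": "http://localhost:8080/auth/realms/baeldung"}
CONFIGURED_ISSUER = "http://localhost:7080/auth/realms/baeldung"

if __name__ == "__main__":
    # Pass a real issuer-uri as argv[1] to check a live provider instead.
    issuer = sys.argv[1] if len(sys.argv) > 1 else CONFIGURED_ISSUER
    meta = fetch_metadata(issuer) if len(sys.argv) > 1 else SAMPLE_METADATA
    print(json.dumps(check_issuer(issuer, meta), indent=2))
```

Running it with no arguments reports the constructed mismatch and suggests `http://localhost:7080/auth`, which is exactly the `KC_HOSTNAME_URL` value in the Compose snippet above.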