OpenID configuration JSON contains a host that internal clients cannot recognize

Question (votes: 0, answers: 1)

I am using Keycloak hosted together with Portal.local/auth. I have verified that my setup works when I use a Spring Boot application hosted on localhost. That is, the localhost:8080 application can connect to the portal.local/auth/realms/myshop issuer and can perform auth code flow authentication.

The problem appears when the application is deployed into the same Kubernetes cluster as keycloak. The application is configured with the internal keycloak name keycloak.svc, so the issuer address is keycloak.svc/auth/realms/myshop. The configuration JSON for that issuer still shows Portal.local instead of keycloak.svc, so the application does not recognize it.

What is the correct way to configure the application or keycloak in this case? This is my Helm configuration when installing oci://registry-1.docker.io/bitnamicharts/keycloak

auth:
  adminUser: admin
  adminPassword: admin

extraEnvVars:
  - name: KEYCLOAK_LOG_LEVEL
    value: DEBUG

  - name: PROXY_ADDRESS_FORWARDING
    value: "true"

postgresql:
  postgresqlPassword: postgresPwd

volumes:
  # To import *.json
  - ./import:/opt/bitnami/keycloak/data/import
  # To export, go inside container then run `kc.sh export --dir /export/ --users realm_file`
  - ./export:/export


httpRelativePath: /auth/

ingress:
  enabled: true
  hostname: portal.local

resources:
  requests:
    memory: "512Mi"
    cpu: "500m"

  limits:
    memory: "1Gi"
    cpu: "1"
Tags: keycloak kubernetes-ingress

1 answer

0 votes

The most important thing is the following configuration in the client application deployed inside k8s:

#  # This CAN'T be used when internal connection to Keycloak is also required e.g. in K8s
#- name: SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_MYSHOP_ISSUERURI
#  value: http://auth-keycloak/auth/realms/myshop

  # 1) The URI to redirect to for login (done at browser)
- name: SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_MYSHOP_AUTHORIZATIONURI
  value: http://portal.local/auth/realms/myshop/protocol/openid-connect/auth

  # 2) Needed
- name: SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_MYSHOP_TOKENURI
  value: http://auth-keycloak/auth/realms/myshop/protocol/openid-connect/token

  # Required for confidential client
- name: SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MYSHOP_CLIENTSECRET
  value: O2Cv7BzzkllEySdxFrpJO6ydxNIEJ9BF

  # 3) The URI to redirect to on auth result (done at browser)
- name: SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MYSHOP_REDIRECTURI
  value: http://portal.local/login/oauth2/code/classic-app

  # 4) Required in post successful login
- name: SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_MYSHOP_JWKSETURI
  value: http://auth-keycloak/auth/realms/myshop/protocol/openid-connect/certs
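Why the single issuer-uri setting fails inside the cluster, and why the split-endpoint configuration in the answer still keeps issuer validation intact, as an added Python example (not code from the question, the answer, Keycloak or Spring). The discovery document and the hostnames portal.local / keycloak.svc are constructed to mirror the question; the helper names are my own.

```python
"""Added example: discovery-based issuer validation vs. split endpoints.
Hostnames and the discovery document are constructed for this page."""
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed discovery document as Keycloak would serve it at
# http://keycloak.svc/auth/realms/myshop/.well-known/openid-configuration.
# Keycloak derives every URL from its frontend (ingress) hostname, so the
# document carries portal.local even when fetched through keycloak.svc.
DISCOVERY_JSON = json.dumps({
    "issuer": "http://portal.local/auth/realms/myshop",
    "authorization_endpoint": "http://portal.local/auth/realms/myshop/protocol/openid-connect/auth",
    "token_endpoint": "http://portal.local/auth/realms/myshop/protocol/openid-connect/token",
    "jwks_uri": "http://portal.local/auth/realms/myshop/protocol/openid-connect/certs",
})


def validate_issuer(discovery_json: str, configured_issuer: str) -> bool:
    """The check a discovery-based client (e.g. Spring's issuer-uri lookup)
    performs: the metadata 'issuer' must equal the configured issuer URL,
    byte for byte apart from a trailing slash. keycloak.svc therefore fails."""
    meta = json.loads(discovery_json)
    return meta["issuer"].rstrip("/") == configured_issuer.rstrip("/")


def split_endpoints(discovery_json: str, internal_host: str) -> dict:
    """Build the per-endpoint provider config used in the answer: browser-facing
    URLs keep the public host, backchannel URLs (token, jwks) are rewritten to
    the in-cluster service host. The issuer itself is never rewritten, so the
    'iss' claim of ID tokens still matches what the client expects."""
    meta = json.loads(discovery_json)

    def to_internal(url: str) -> str:
        p = urlsplit(url)
        return urlunsplit((p.scheme, internal_host, p.path, p.query, p.fragment))

    return {
        "issuer": meta["issuer"],
        "authorization_uri": meta["authorization_endpoint"],
        "token_uri": to_internal(meta["token_endpoint"]),
        "jwk_set_uri": to_internal(meta["jwks_uri"]),
    }


def id_token_issuer_ok(id_token_claims: dict, provider: dict) -> bool:
    """'iss' must equal the provider issuer no matter which host the token
    endpoint was reached through; a token minted for another issuer is rejected."""
    return id_token_claims.get("iss") == provider["issuer"]
```

The split keeps the public hostname as the only trusted issuer, so the in-cluster shortcut never widens which tokens the client accepts.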