Kubernetes Keycloak token verification fails: invalid token issuer, expected http but was https

pgky5nke, posted 2022-11-02 in Kubernetes

I am having a problem deploying Keycloak 19.0.1 in Kubernetes as a custom Docker image (built by me) together with a Spring Boot client application. In the application log I see:

o.k.adapters.OAuthRequestAuthenticator   : failed verification of token: Invalid token issuer. Expected 'http://auth.example.com/realms/MyRealm', but was 'https://auth.example.com/realms/MyRealm'

My application is reachable at https://example.com and Keycloak at https://auth.example.com. All pods sit behind Ingress Nginx. I set up the ingress to detect the correct client IP (by setting controller.service.externalTrafficPolicy=Local). If I try to log in to the admin console with wrong credentials, I see my public IP in the Keycloak log:

WARN  [org.keycloak.events] (executor-thread-68) type=LOGIN_ERROR, realmId=dbb1ee57-XXXX, clientId=security-admin-console, userId=null, ipAddress=165.225.XX.XX, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=https://auth.example.com/admin/master/console/#/MyRealm/realm-settings/general, code_id=d905f971-5638-40e0-8460-73df72e68398, username=xxxx, authSessionParentId=d905f971-XXXX, authSessionTabId=2VFrXXXXXX

Also, https://auth.example.com/realms/master/.well-known/openid-configuration returns the whole configuration, and every URI uses https:// rather than http://.
Configuration of the Keycloak pod (other ENV entries, such as the DB connection, omitted):

env:
  - name: KC_HOSTNAME
    value: "auth.example.com"    # to override the default for local development; without it something else didn't work
  - name: KC_HOSTNAME_URL
    value: "https://auth.example.com"
  - name: KC_PROXY
    value: edge

Start arguments passed to the Keycloak container: start-dev --http-port 8080 --http-enabled true --hostname-strict false
Spring Boot configuration (in-cluster communication between the Spring backend and Keycloak):

env:
  - name: KEYCLOAK_AUTHSERVERURL
    value: http://gap-got-chart-keycloak-svc:8080

Defaults in application.yaml:

keycloak:
  auth-server-url: http://localhost:8081
  realm: MyRealm
  resource: my-app-id
  public-client: true
  principal-attribute: preferred_username

Any idea what is misconfigured?

jexiocij, answer #1

You are running Keycloak behind a proxy (Nginx), so make sure your Keycloak knows about it (and the proxy must pass the correct X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Host HTTP headers to Keycloak):

KC_PROXY=edge

See the docs: https://www.keycloak.org/server/reverseproxy
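To make the failure in the question and the fix in the answer concrete, here is an added example (not code from the question, the answer, or Keycloak itself). It models two things in simplified form: how a Keycloak adapter builds the issuer it expects (`<auth-server-url>/realms/<realm>`) and compares it with the `iss` claim of a token, and how the scheme of the issuer Keycloak mints depends on whether it trusts `X-Forwarded-Proto` (`KC_PROXY=edge`) or a fixed `KC_HOSTNAME_URL`. The model of Keycloak's hostname logic is an assumption for illustration, not Keycloak's actual code, and the token built here is unsigned and exists only to carry a payload.

```python
import base64
import json
from typing import Optional, Tuple

# Constructed sample values (not taken from the original question).
REALM = "MyRealm"
FRONTEND_HOST = "auth.example.com"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_token(issuer: str) -> str:
    """Build a JWT-shaped string (header.payload.signature) for the demo.
    The signature is a placeholder; nothing here verifies signatures."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": issuer, "sub": "demo-user"}).encode())
    return f"{header}.{payload}.placeholder-signature"


def token_issuer(token: str) -> str:
    """Read the 'iss' claim from the payload segment (no signature check)."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))["iss"]


def expected_issuer(auth_server_url: str, realm: str) -> str:
    """What the adapter expects: <auth-server-url>/realms/<realm>."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}"


def keycloak_issuer(realm: str,
                    hostname_url: Optional[str] = None,
                    frontend_host: str = FRONTEND_HOST,
                    request_scheme: str = "http",
                    x_forwarded_proto: Optional[str] = None,
                    proxy_mode: str = "none") -> str:
    """Simplified model (assumption, not Keycloak's code) of the issuer base URL:
    - a fixed hostname URL (KC_HOSTNAME_URL) wins when set;
    - otherwise, with proxy mode 'edge' the scheme comes from X-Forwarded-Proto;
    - otherwise the scheme of the connection Keycloak actually received is used
      (plain http on port 8080 in the question)."""
    if hostname_url:
        base = hostname_url.rstrip("/")
    else:
        trust_proxy = proxy_mode == "edge" and x_forwarded_proto
        scheme = x_forwarded_proto if trust_proxy else request_scheme
        base = f"{scheme}://{frontend_host}"
    return f"{base}/realms/{realm}"


def check_token(token: str, expected: str) -> Tuple[bool, str]:
    """The issuer comparison the adapter performs; returns (ok, message)."""
    actual = token_issuer(token)
    if actual != expected:
        return False, f"Invalid token issuer. Expected '{expected}', but was '{actual}'"
    return True, "issuer ok"


if __name__ == "__main__":
    # Keycloak reached over plain http by the proxy, but X-Forwarded-Proto says https.
    minted = keycloak_issuer(REALM, x_forwarded_proto="https", proxy_mode="edge")
    print(check_token(make_demo_token(minted),
                      expected_issuer("http://auth.example.com", REALM)))
    print(check_token(make_demo_token(minted),
                      expected_issuer("https://auth.example.com/", REALM)))
```

The first call reproduces the message from the question's log: the token carries the https issuer, while an adapter configured with an http auth-server-url expects http. The second shows that the scheme, host and trailing slash all have to agree between what Keycloak mints and what the adapter is configured with.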
