我目前正在尝试让 Keycloak 在 ALB 后面的 EKS 中运行,但无论如何,我都无法让它工作。我被重定向到登录屏幕,登录后,我立即收到 401 需要授权的信息。
基础设施如下:浏览器(HTTPS)→ALB(带有 OIDC 配置的 Pod 之间的 HTTP)→目标组→EKS 中的应用程序
启用调试日志的 Keycloak 根本没有给我任何错误:
我登录后,另一端的 ALB 给出了 AuthInvalidIdToken 错误,并尝试重定向到原始 URI:
2022-07-27T13:20:12.184736Z app/k8s-ingr-35696e2f02/3e62855cad3d2877 ip_address:53578 - -1 -1 -1 302 - 384 554 "GET https://application.domain.com:443/favicon.ico HTTP/2.0" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:769668795579:targetgroup/k8s-application-367cc81867/9fbca3b5630aecf1 "Root=1-62e13b8c-14d1e5670bc7d8d86056ddef" "application.domain.com" "arn:aws:acm:eu-west-1:769668795579:certificate/83bd567a-a624-4ff8-86e7-744ebff68575" 6 2022-07-27T13:20:12.184000Z "authenticate" "-" "-" "-" "-" "-" "-"
2022-07-27T13:20:12.314098Z app/k8s-ingr-35696e2f02/3e62855cad3d2877 ip_address:53578 10.0.2.19:8080 0.000 0.010 0.000 302 302 1509 3271 "GET https://keycloak.domain.com:443/realms/master/protocol/openid-connect/auth?client_id=oauth2-proxy&redirect_uri=https%3A%2F%2Fapplication.domain.com%2Foauth2%2Fidpresponse&response_type=code&scope=email%20openid&state=Giz6L1tOQP4KTWIT%2BvrEvnRV3tnHFhCmswD%2B2tattLy8%2FRThp1hYyCrNLQQdG%2FIWq2JjO1p8rjDMHawgK0JW3S%2BszvY6JrZ9%2BeMzBmp05iTDXRre2IWaYnYxlH86i1FVCYrkIONZ0bdxu0UydsLuXEhx57FGsu6fbjKMNxAKO2cKPvDn7xZYLzCQuJWKKx3NZXUSEVNGgQLtCLMTM9YRBA%3D%3D HTTP/2.0" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:769668795579:targetgroup/k8s-keycloak-1f3317ccac/0ac746adee6d293e "Root=1-62e13b8c-73b50ba974b867b243093ce4" "application.domain.com" "arn:aws:acm:eu-west-1:769668795579:certificate/83bd567a-a624-4ff8-86e7-744ebff68575" 11 2022-07-27T13:20:12.303000Z "authenticate,forward" "-" "-" "10.0.2.19:8080" "302" "-" "-"
2022-07-27T13:20:12.479301Z app/k8s-ingr-35696e2f02/3e62855cad3d2877 ip_address:53578 - -1 -1 -1 401 - 674 616 "GET https://application.domain.com:443/oauth2/idpresponse?state=Giz6L1tOQP4KTWIT%2BvrEvnRV3tnHFhCmswD%2B2tattLy8%2FRThp1hYyCrNLQQdG%2FIWq2JjO1p8rjDMHawgK0JW3S%2BszvY6JrZ9%2BeMzBmp05iTDXRre2IWaYnYxlH86i1FVCYrkIONZ0bdxu0UydsLuXEhx57FGsu6fbjKMNxAKO2cKPvDn7xZYLzCQuJWKKx3NZXUSEVNGgQLtCLMTM9YRBA%3D%3D&session_state=f0c7b40f-df70-40a4-a4ec-ae674eddf704&code=5e30afcf-2121-4c3f-a2c5-6be9ccce569e.f0c7b40f-df70-40a4-a4ec-ae674eddf704.398968b2-cc51-4f41-8680-92e32051d6b0 HTTP/2.0" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 - "Root=1-62e13b8c-466c6d524d1bd9a745476851" "application.domain.com" "arn:aws:acm:eu-west-1:769668795579:certificate/83bd567a-a624-4ff8-86e7-744ebff68575" -1 2022-07-27T13:20:12.459000Z "authenticate" "-" "AuthInvalidIdToken" "-" "-" "-" "-"
OIDC 身份验证(Keycloak)的 ALB 注释并不花哨和/或自定义:
auth_path = f"https://{self.keycloak_domain}/realms/{self.keycloak.realm}"
auth_annotations = base_annotations | {
"alb.ingress.kubernetes.io/auth-type": "oidc",
"alb.ingress.kubernetes.io/auth-idp-oidc": (
f'{{"issuer":"https://{self.keycloak_domain}/",'
f'"authorizationEndpoint":"{auth_path}/protocol/openid-connect/auth",'
f'"tokenEndpoint":"{auth_path}/protocol/openid-connect/token",'
f'"userInfoEndpoint":"{auth_path}/protocol/openid-connect/userinfo",'
f'"secretName":"{self.keycloak.secrets_name}"}}'
),
"alb.ingress.kubernetes.io/auth-on-unauthenticated-request": "authenticate",
}
Keycloak配置:
fullnameOverride: "{{ full_name }}"
extraStartupArgs: "--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true"
service:
type: "ClusterIP"
auth:
createAdminUser: true
adminUser: "{{ admin_username }}"
adminPassword: "{{ admin_password }}"
postgresql:
enabled: false
externalDatabase:
host: "{{ postgresql_host }}"
database: "{{ postgresql_db }}"
user: "{{ postgresql_user }}"
password: "{{ postgresql_password }}"
extraEnvVars:
- name: KEYCLOAK_HOSTNAME
value: "{{ hostname }}"
- name: PROXY_ADDRESS_FORWARDING
value: "true"
我尝试过的:
- KEYCLOAK_FRONTEND_URL
- 在 URI 后面添加 /
- 设置 ALB 会话 cookie 名称(例如 KEYCLOAK_SESSION)
- 为 ALB 内部路由强制实施 HTTPS(alb_backend_protocol 注释)
- 在 Keycloak 中使用 redirect_uri 运行所有内容作为 *
- 项目清单
我在尝试调试这个问题时想到了一些选项:
AWS ALB 解析 keycloak 身份验证响应时出现错误?是我这边配置错误吗?(即使 keycloak 对一切都很满意?)
版本:
Keycloak(bitnami)Helm Chart:9.2.2 chart w/ 18.0.0 Keycloak
AWS ALB Helm Chart:1.4.2 chart w/ 2.4.2 ALB
答案1
事实证明,openid connect
您必须authorization_code
按照以下步骤进行验证:https://openid.net/specs/openid-connect-basic-1_0.html#IDTokenValidation
我的问题是issuer
我的 OIDC 配置 != 来自 id_token 的 iss 声明。基本上改变:
f'{{“发行人”:“https://{self.keycloak_domain} /”,'-> f'{{“发行人”:“https://{self.keycloak_domain}/领域/大师“”,
问题已解决!
事实证明,oauth2-proxy 不会验证来自 id_token 的用户声明