Keycloak 带 EKS + ALB(身份验证后出现 401)

tag-icon tag-icon amazon-web-services amazon-alb amazon-eks helm keycloak
Keycloak 带 EKS + ALB(身份验证后出现 401)

我目前正在尝试让 Keycloak 在 ALB 后面的 EKS 中运行,但无论如何,我都无法让它工作。我被重定向到登录屏幕,登录后,我立即收到 401 需要授权的信息。

基础设施如下:浏览器(HTTPS)→ALB(带有 OIDC 配置的 Pod 之间的 HTTP)→目标组→EKS 中的应用程序

启用调试日志的 Keycloak 根本没有给我任何错误:

keycloak 日志

我登录后,另一端的 ALB 给出了 AuthInvalidIdToken 错误,并尝试重定向到原始 URI:

2022-07-27T13:20:12.184736Z app/k8s-ingr-35696e2f02/3e62855cad3d2877 ip_address:53578 - -1 -1 -1 302 - 384 554 "GET https://application.domain.com:443/favicon.ico HTTP/2.0" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:769668795579:targetgroup/k8s-application-367cc81867/9fbca3b5630aecf1 "Root=1-62e13b8c-14d1e5670bc7d8d86056ddef" "application.domain.com" "arn:aws:acm:eu-west-1:769668795579:certificate/83bd567a-a624-4ff8-86e7-744ebff68575" 6 2022-07-27T13:20:12.184000Z "authenticate" "-" "-" "-" "-" "-" "-"
2022-07-27T13:20:12.314098Z app/k8s-ingr-35696e2f02/3e62855cad3d2877 ip_address:53578 10.0.2.19:8080 0.000 0.010 0.000 302 302 1509 3271 "GET https://keycloak.domain.com:443/realms/master/protocol/openid-connect/auth?client_id=oauth2-proxy&redirect_uri=https%3A%2F%2Fapplication.domain.com%2Foauth2%2Fidpresponse&response_type=code&scope=email%20openid&state=Giz6L1tOQP4KTWIT%2BvrEvnRV3tnHFhCmswD%2B2tattLy8%2FRThp1hYyCrNLQQdG%2FIWq2JjO1p8rjDMHawgK0JW3S%2BszvY6JrZ9%2BeMzBmp05iTDXRre2IWaYnYxlH86i1FVCYrkIONZ0bdxu0UydsLuXEhx57FGsu6fbjKMNxAKO2cKPvDn7xZYLzCQuJWKKx3NZXUSEVNGgQLtCLMTM9YRBA%3D%3D HTTP/2.0" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:769668795579:targetgroup/k8s-keycloak-1f3317ccac/0ac746adee6d293e "Root=1-62e13b8c-73b50ba974b867b243093ce4" "application.domain.com" "arn:aws:acm:eu-west-1:769668795579:certificate/83bd567a-a624-4ff8-86e7-744ebff68575" 11 2022-07-27T13:20:12.303000Z "authenticate,forward" "-" "-" "10.0.2.19:8080" "302" "-" "-"
2022-07-27T13:20:12.479301Z app/k8s-ingr-35696e2f02/3e62855cad3d2877 ip_address:53578 - -1 -1 -1 401 - 674 616 "GET https://application.domain.com:443/oauth2/idpresponse?state=Giz6L1tOQP4KTWIT%2BvrEvnRV3tnHFhCmswD%2B2tattLy8%2FRThp1hYyCrNLQQdG%2FIWq2JjO1p8rjDMHawgK0JW3S%2BszvY6JrZ9%2BeMzBmp05iTDXRre2IWaYnYxlH86i1FVCYrkIONZ0bdxu0UydsLuXEhx57FGsu6fbjKMNxAKO2cKPvDn7xZYLzCQuJWKKx3NZXUSEVNGgQLtCLMTM9YRBA%3D%3D&session_state=f0c7b40f-df70-40a4-a4ec-ae674eddf704&code=5e30afcf-2121-4c3f-a2c5-6be9ccce569e.f0c7b40f-df70-40a4-a4ec-ae674eddf704.398968b2-cc51-4f41-8680-92e32051d6b0 HTTP/2.0" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 - "Root=1-62e13b8c-466c6d524d1bd9a745476851" "application.domain.com" "arn:aws:acm:eu-west-1:769668795579:certificate/83bd567a-a624-4ff8-86e7-744ebff68575" -1 2022-07-27T13:20:12.459000Z "authenticate" "-" "AuthInvalidIdToken" "-" "-" "-" "-"

OIDC 身份验证(Keycloak)的 ALB 注释并不花哨和/或自定义:

auth_path = f"https://{self.keycloak_domain}/realms/{self.keycloak.realm}"
auth_annotations = base_annotations | {
    "alb.ingress.kubernetes.io/auth-type": "oidc",
    "alb.ingress.kubernetes.io/auth-idp-oidc": (
        f'{{"issuer":"https://{self.keycloak_domain}/",'
        f'"authorizationEndpoint":"{auth_path}/protocol/openid-connect/auth",'
        f'"tokenEndpoint":"{auth_path}/protocol/openid-connect/token",'
        f'"userInfoEndpoint":"{auth_path}/protocol/openid-connect/userinfo",'
        f'"secretName":"{self.keycloak.secrets_name}"}}'
    ),
    "alb.ingress.kubernetes.io/auth-on-unauthenticated-request": "authenticate",
}

AWS 中的 ALB 路由

Keycloak配置:

fullnameOverride: "{{ full_name }}"
extraStartupArgs: "--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true"

service:
  type: "ClusterIP"

auth:
  createAdminUser: true
  adminUser: "{{ admin_username }}"
  adminPassword: "{{ admin_password }}"

postgresql:
  enabled: false

externalDatabase:
  host: "{{ postgresql_host }}"
  database: "{{ postgresql_db }}"
  user: "{{ postgresql_user }}"
  password: "{{ postgresql_password }}"

extraEnvVars:
  - name: KEYCLOAK_HOSTNAME
    value: "{{ hostname }}"
  - name: PROXY_ADDRESS_FORWARDING
    value: "true"

我尝试过的:

  1. KEYCLOAK_FRONTEND_URL
  2. 在 URI 后面添加 /
  3. 设置 ALB 会话 cookie 名称(例如 KEYCLOAK_SESSION)
  4. 为 ALB 内部路由强制实施 HTTPS(alb_backend_protocol 注释)
  5. 在 Keycloak 中使用 redirect_uri 运行所有内容作为 *
  6. 项目清单

我在尝试调试这个问题时想到了一些选项:

AWS ALB 解析 keycloak 身份验证响应时出现错误?是我这边配置错误吗?(即使 keycloak 对一切都很满意?)

版本:

Keycloak(bitnami)Helm Chart:9.2.2 chart w/ 18.0.0 Keycloak

AWS ALB Helm Chart:1.4.2 chart w/ 2.4.2 ALB

答案1

事实证明,openid connect您必须authorization_code按照以下步骤进行验证:https://openid.net/specs/openid-connect-basic-1_0.html#IDTokenValidation

我的问题是issuer我的 OIDC 配置 != 来自 id_token 的 iss 声明。基本上改变:

f'{{“发行人”:“https://{self.keycloak_domain} /”,'-> f'{{“发行人”:“https://{self.keycloak_domain}/领域/大师“”,

问题已解决!

事实证明,oauth2-proxy 不会验证来自 id_token 的用户声明

相关内容