Access token validity when using an AWS load balancer with OIDC and Keycloak
We run the following setup:
- AWS Load Balancer (ALB) with a listener configured to authenticate requests via OIDC. Our OIDC server is Keycloak.
- When authentication has completed, the request is forwarded to our nginx, acting as a reverse proxy.
- Frontends are stored in AWS S3 and proxied through the nginx.
This works as expected (fine).
Our problem occurs when calling our backend services from the web browser.
For example:
// Poll the backend through the reverse proxy once per second; the ALB session
// cookie is sent automatically, so no token handling happens in the browser.
setInterval(() => {
  var xhr = new XMLHttpRequest();
  xhr.open('GET', 'https://our-backend-api-via.reverse.proxy.com');
  xhr.send();
}, 1000);
This works fine until the access token expires (60 s). Then our backend sees that the token is expired and returns HTTP 401 multiple times. After a while (20 seconds) a new access token is received and the backends respond fine.
The process of getting a new access token via the AWS ALB seems to be a black box to us; we cannot explain why expired access tokens are sent to our backends. Shouldn't the AWS ALB renew the token in time?
It was an implementation error. We had used the original JWT provided by Keycloak to verify the expiration time.
The correct way is to use the token provided by the ALB via the x-oidc-amazon-data header.
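What the accepted answer amounts to on the backend, as an added example that is not code from the thread: the request is authorised from the JWT the ALB forwards in its own header, not from the Keycloak token the browser obtained earlier. The header the ALB actually sets is x-amzn-oidc-data (the answer spells it x-oidc-amazon-data). The ALB signs that JWT with ES256 and the key is selected by the "kid" header; that signature check is assumed to happen in a separate step before this one and is not shown. The header layout, clock value, leeway and the constructed test token are assumptions made for the example.

```javascript
// Added example, not code from the thread: a backend-side expiry check of the
// JWT that an AWS ALB forwards in the x-amzn-oidc-data header after OIDC
// authentication. Signature verification against the ALB public key chosen by
// the "kid" header is assumed to run before this check and is not shown here.

const ALB_DATA_HEADER = 'x-amzn-oidc-data';

// The ALB emits its JWT segments as padded base64 rather than strict base64url,
// so normalise both alphabets and drop any padding before decoding.
function b64urlDecode(segment) {
  const s = segment.replace(/-/g, '+').replace(/_/g, '/').replace(/=+$/, '');
  return Buffer.from(s, 'base64').toString('utf8');
}

function parseJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Decide whether the request carries a still-valid ALB-issued identity.
// nowSeconds is injectable so the decision is deterministic in tests;
// leewaySeconds absorbs small clock skew between the ALB and the backend.
function checkAlbIdentity(headers, nowSeconds = Math.floor(Date.now() / 1000), leewaySeconds = 30) {
  const raw = headers[ALB_DATA_HEADER];
  if (!raw) return { status: 401, reason: `missing ${ALB_DATA_HEADER} header` };

  let claims;
  try {
    claims = parseJwtPayload(raw);
  } catch (err) {
    return { status: 401, reason: 'malformed token' };
  }

  if (typeof claims.exp !== 'number') return { status: 401, reason: 'no exp claim' };
  if (nowSeconds > claims.exp + leewaySeconds) return { status: 401, reason: 'token expired' };
  return { status: 200, claims };
}

// Builds a constructed test token: realistic header and payload, placeholder
// signature, encoded with padded base64 to mimic the ALB quirk handled above.
function makeTestToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64');
  return `${enc({ alg: 'ES256', kid: 'constructed-kid' })}.${enc(claims)}.placeholder-signature`;
}
```

Call checkAlbIdentity(req.headers) from the request handler and answer 401 when status is 401; because the ALB refreshes its own session independently of the Keycloak token the browser saw, the exp in this header is the one the backend has to agree with.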
You have the wrong infra for your use case. ALB OIDC auth is intended for web apps. Your case looks like a SPA: the frontend in the browser is responsible for managing auth state, i.e. it watches token validity and triggers a token refresh before the token expires, ...
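The client-side pattern this answer describes, as an added example that is not code from the thread: a fetch wrapper for a SPA that reads the exp claim of its own access token, refreshes shortly before expiry instead of waiting for a 401, collapses the concurrent refreshes a one-second polling loop would otherwise cause, and retries once if the backend still rejects the token. The refresh() callback is assumed (it would be something like keycloak-js updateToken or a refresh_token grant); getToken, fetchImpl and now are injected so the behaviour can be exercised offline.

```javascript
// Added example, not code from the thread: a SPA keeping its own access token
// fresh, as the answer above suggests, instead of relying on the ALB session.
// refresh() is an assumed callback; getToken, fetchImpl and now are injected.

// Read the exp claim (seconds since epoch) from a compact JWT; 0 if absent.
// atob is used in the browser, Buffer when run under Node.
function jwtExpSeconds(token) {
  const payload = (token.split('.')[1] || '').replace(/-/g, '+').replace(/_/g, '/').replace(/=+$/, '');
  const json = typeof atob === 'function' ? atob(payload) : Buffer.from(payload, 'base64').toString('binary');
  const claims = JSON.parse(json);
  return typeof claims.exp === 'number' ? claims.exp : 0;
}

function createAuthedFetch({ getToken, refresh, fetchImpl, now = () => Math.floor(Date.now() / 1000), refreshAheadSeconds = 10 }) {
  let inflight = null; // one refresh at a time, shared by all concurrent callers

  function refreshOnce() {
    if (!inflight) inflight = refresh().finally(() => { inflight = null; });
    return inflight;
  }

  // Return the current token, refreshing first if it is within
  // refreshAheadSeconds of expiry (or missing / undecodable).
  async function freshToken() {
    const token = getToken();
    if (token && jwtExpSeconds(token) - refreshAheadSeconds > now()) return token;
    await refreshOnce();
    return getToken();
  }

  return async function authedFetch(url, init = {}) {
    const send = (token) => fetchImpl(url, {
      ...init,
      headers: { ...(init.headers || {}), Authorization: `Bearer ${token}` },
    });
    let res = await send(await freshToken());
    if (res.status === 401) {
      // The backend disagreed about validity (clock skew, revoked session):
      // refresh once and retry, then surface whatever the backend says.
      await refreshOnce();
      res = await send(getToken());
    }
    return res;
  };
}
```

Replace the bare XMLHttpRequest in the question's setInterval loop with a call to the returned authedFetch; the refresh happens before the token's exp is reached, so the backend never sees the burst of 401s described in the question.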