在WSO2 APIM中使用KeyCloak作为外部IDP,在注销上抛出了太多重定向
我已经使用KeyCloak 18.0.0配置了WSO2 APIM 4.1.0作为外部IDP,其中oIDC在WSO2控制台(发布者,管理员和Devportal)中用于SSO。
我已经关注这些指令来自wso2 apim(与Okta集成)以与KeyCloak配置相同的东西。
我设法在Defportal,Admin和Publisher Consoles上成功登录。
问题在于在任何这些控制台中登录时。
单击注销后,我收到了
err_too_many_redirects
在浏览器上。
在浏览器上,以下是发送的请求(抑制令牌以易于阅读)。
- https://api.mycompany.com:9443/oidc/logout?id_token_token_hint=yeyj4nxqio....。&&&post_logout_logout_logout_uri = /services/auth/callback/logout
- https%3a%3a%2f%2f%2f%2fpapi.mycompany.company.com3a944344444444444444443 fcommonato =“ https://api.mycompany.com:9443/commonauth?state=112132C3-ED35-4235-A451-A451-8C5EF3B8DCBF; ?状态= 112132C3-ED35-4235-A451-8C5EF3B8DCBF%2coidc
请求3和4一遍又一遍地发送。
keycloak上的配置
我已经创建了一个新领域,遵循此 url 。
我已经激活了:
- 标准流
- 隐含流启用启用
- 直接访问授予启用
- 服务帐户
- 启用授权
和配置的直接访问:
- 有效重定向URIS: *
- Web Origins: *
我创建了角色 subscriber 。 还添加了映射器:
- 用户客户端角色 - >角色(代币主张)
- 用户名 - >子(令牌索赔)。
WSO2碳控制台配置
添加了一个新的身份提供商。在此身份提供商中,配置了每个URL,以指向KeyCloak OpenID连接URL。在回调URL上: https://api.mycompany.com:94443/commonauth/commonauth
更新每个服务使用KeyCloak身份提供商的提供商。
在 deployment.toml 上,我已经配置:
[server]
hostname = "$env{API_GATEWAY_SERVER_HOSTNAME}"
where api_gateway_server_hostname = api.mycompany.com
I've configured WSO2 APIM 4.1.0 using Keycloak 18.0.0 as an External IDP with OIDC for SSO in WSO2 consoles (Publisher, Admin and Devportal).
I've followed these instructions from WSO2 APIM (that integrates with OKTA) to configure the same thing with Keycloak.
I've manage to login successfully on DevPortal, Admin and Publisher consoles.
The problem is when hitting logout in any of these consoles.
After clicking logout, I've receive the
ERR_TOO_MANY_REDIRECTS
on the browser.
On the browser the following are the requests sent (suppress token for easier reading).
- https://api.mycompany.com:9443/devportal/services/logout
- https://api.mycompany.com:9443/oidc/logout?id_token_hint=eyJ4NXQiO...&post_logout_redirect_uri=https://api.mycompany.com:9443/devportal/services/auth/callback/logout
- https://dev-apigw-2-pdun.northeurope.cloudapp.azure.com:8443/realms/apim/protocol/openid-connect/logout?id_token_hint=e...&post_logout_redirect_uri=https%3A%2F%2Fapi.mycompany.com%3A9443%2Fcommonauth
- https://api.mycompany.com:9443/commonauth?state=112132c3-ed35-4235-a451-8c5ef3b8dcbf%2COIDC
Requests 3 and 4 are then sent over and over again.
The configuration on Keycloak
I've create a new realm following this url.
I've activated:
- Standard Flow
- Implicit Flow Enabled
- Direct Access Grants Enabled
- Service Accounts Enabled
- Authorization Enabled
And configured:
- Valid Redirect URIs: *
- Web Origins: *
I've created role subscriber.
Also added a mappers:
- User Client Role -> role (token claim)
- username -> sub (token claim).
WSO2 Carbon Console configurations
Added a new Identity Provider. In this Identity Provider configured every URL to point to keycloak openid-connect URLs. On Callback URL: https://api.mycompany.com:9443/commonauth
Updated each Service Provider to use keycloak Identity Provider.
On deployment.toml, I've configured:
[server]
hostname = "$env{API_GATEWAY_SERVER_HOSTNAME}"
Where API_GATEWAY_SERVER_HOSTNAME = api.mycompany.com
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论