Keycloak redirect issue behind Kong
I'm trying to set up a Keycloak instance to handle the users of my webapp. This instance would be, like all other microservices, hidden behind a reverse proxy (Kong, it's an nginx-based proxy).

On my local setup, Kong listens on https://localhost, and Keycloak listens on http://localhost:8082/auth.

To achieve that, I used several environment variables on my Keycloak container:

ENV KC_HOSTNAME=localhost
ENV KC_HOSTNAME_PORT=8082
ENV KC_HOSTNAME_STRICT_HTTPS=false
ENV KC_PROXY=edge
ENV PROXY_ADDRESS_FORWARDING=true
ENV KC_HTTP_ENABLED=true
ENV KC_HTTP_PORT=8082
ENV KC_HTTP_RELATIVE_PATH=/auth

The setup of the Kong configuration looks fine, and the Keycloak endpoints that I need are exposed correctly through Kong (/realms, /js, /resources, /robots.txt, like the doc said). Kong handles the TLS connection, and then speaks to all microservices with HTTP only, thus KC_PROXY=edge. /admin is not exposed; I thought I could access this locally using localhost:8082 on the right machine.

If I go to https://localhost/auth/realms/master/.well-known/openid-configuration, I get the configuration. However, Keycloak does not know it's behind Kong, so all endpoints contain localhost:8082. That seems normal, since it's how I set it up in the first place.

I tried to add a new realm with a different Frontend URL, calling it https://myapp.com. Now, my openid configuration contains https://myapp.com:8082/... everywhere. All the workflows get wrong URLs.

What did I miss? I cannot remove this port that I put in the first place, otherwise I will not be able to access the admin console. I thought I could do something with KC_HOSTNAME_ADMIN, but unfortunately there is no KC_HOSTNAME_ADMIN_PORT.. or is there?

Thank you for reading :)
Comments (1)
In case it's of interest to someone, the solution was actually quite simple. I should not have set the HOSTNAME and HOSTNAME_PORT in the first place. ENV KC_HOSTNAME_STRICT_HTTPS=false is mandatory, and I also needed to add a plugin to Kong to tweak the headers. Otherwise, Keycloak would have the wrong redirect URI in some cases.