Keycloak - 授权验证失败。 原因:无效的令牌(错误的 ISS)
[英]Keycloak - Grant validation failed. Reason: invalid token (wrong ISS)
问题描述
So I'm having some issues with getting my Keycloak-Connect sample to work.
所以我在让 Keycloak-Connect 示例工作时遇到了一些问题。
Basically I have a simple check with Keycloak on an express route On my VM基本上,我在我的 VM 上的快速路线上使用 Keycloak 进行了简单检查
(10.10.10.54:8081) as follows. (10.10.10.54:8081) 如下。
app.get('/api*', keycloak.protect(), (req, res) => res.status(200).send({
message: 'Hit API Backend!',
}));
My Keycloak Server is on a separate VM (for this example http://keycloak.myexternaldomain.ca/auth/ )我的 Keycloak 服务器在一个单独的虚拟机上(对于这个例子http://keycloak.myexternaldomain.ca/auth/ )
the calls I've been making to test this out are.我一直在打电话来测试这一点。
RESULT=`curl --data "grant_type=password&client_secret=mysecret&client_id=account&username=myusername&password=mypassword" http://keycloak.myexternaldomain.ca/auth/realms/TEST/protocol/openid-connect/token`
This returns the proper access token everytime,这每次都会返回正确的访问令牌,
TOKEN=`echo $RESULT | sed 's/.*access_token":"//g' | sed 's/".*//g'`
To parse token into a variable.将令牌解析为变量。
curl http://10.10.10.54:8081/api -H "Authorization: bearer $TOKEN"
Which still constantly returns Access Denied, I tried this in a similar example with the Keycloak-Quickstart Node Service to see if there was a more verbose error in that.它仍然不断返回拒绝访问,我在Keycloak-Quickstart 节点服务的一个类似示例中尝试了这个,看看是否有更详细的错误。 What i'd receive back was我收到的是
Validate grant failed
Grant validation failed. Reason: invalid token (wrong ISS)
Though if I waited a little bit it'd give me an Expired Token error so I feel like i'm on the right track.虽然如果我稍等一下,它会给我一个过期令牌错误,所以我觉得我在正确的轨道上。
so obviously there is something wrong from where i'm issuing the token from not matching where it's expecting?所以很明显,我发出令牌的地方与预期的地方不匹配有什么问题吗? I can make a call to get the Users credentials from the keycloak server itself by cURLing to我可以通过 cURLing 调用从 keycloak 服务器本身获取用户凭据
curl --data "grant_type=password&token=$TOKEN&client_secret=secret&client_id=account&username=myaccount&password=mypassword" http://keycloak.myexternaldomain.ca/auth/realms/TEST/protocol/openid-connect/token/introspect
am I misinterpreting how I am supposed to be using Keycloak, or is this a settings issue?我是否误解了我应该如何使用 Keycloak,或者这是一个设置问题?
Thanks in advance提前致谢
3 个解决方案
解决方案1
4 已采纳 2017-09-07 18:04:16
My Issue was in my keycloak.json ... I had a different realm vs the one I was authenticating for.我的问题在我的 keycloak.json 中......我有一个与我正在验证的领域不同的领域。
If you're ever having this issue I suggest modifying keycloak-auth-utils to give you more verbose error logging on the grant-manager.如果您遇到过这个问题,我建议修改keycloak-auth-utils以在授权管理器上为您提供更详细的错误日志记录。
Specifically changing具体变化
else if (token.content.iss !== this.realmUrl) {
reject(new Error('invalid token (wrong ISS)'));
}
to到
else if (token.content.iss !== this.realmUrl) {
reject(new Error('invalid token (wrong ISS) Expecting: '+this.realmUrl+' Got: '+token.content.iss);
}
helped me track down this issue myself.帮助我自己追踪这个问题。
解决方案2
0 2020-08-12 20:16:21
如果您在 localhost 中工作并遇到同样的问题,我的问题是我在 localhost 中使用 https,即realmUrl: "https://localhost:8080/auth/realms/master"而不是realmUrl: "http://localhost:8080/auth/realms/master"
解决方案3
0 2021-12-02 04:48:02
I have also faced with same issue .我也遇到过同样的问题。 i used following checks to solve this我使用以下检查来解决这个问题
1.check the configuration in your project 1.检查项目中的配置
- is serverurl exact (127.0.0.1 , localhost, 0.0.0.0 are different urls ..mention same as keycloak url) serverurl 是精确的(127.0.0.1,localhost,0.0.0.0 是不同的 urls ..mention 与 keycloak url 相同)
- is realm in small case在小情况下是领域
- is client id and secret is correct客户端 ID 和密码是否正确
if still you are facing a problem try to use single quote instead of double quote ex-如果您仍然遇到问题,请尝试使用单引号而不是双引号ex-
realm_name:"demo-realm" --> realm_name:'demo-realm'
it is working for me它对我有用
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.