Spring 网关(webflux) - oauth 安全 - 问题
[英]Spring gateway(webflux) - oauth security - issue
问题描述
Spring 2.2.5.RELEASE Spring Gateway - spring-cloud-starter-gateway - spring-cloud-security - spring-boot-starter-oauth2-resource-server 
Spring 2.2.5.RELEASE Spring 网关-spring-cloud-starter-gateway-spring-cloud-security-spring-boot-starter-oauth2-resource-server
SSO: keycloak 8.0.2 (docker) SSO:keycloak 8.0.2(码头工人)
I've an issue with spring gateway security configuration.我对 spring 网关安全配置有疑问。 In my system there are a Spring gateway and Keycloak instance behind a proxy and firewall and I would like them to communicate inside the private network.在我的系统中,代理和防火墙后面有一个 Spring 网关和 Keycloak 实例,我希望它们在专用网络内进行通信。 See the following image for the architecture structure.有关架构结构,请参见下图。
In fact in my private network I have not access to the internet because of the firewall rules.事实上,在我的私人网络中,由于防火墙规则,我无法访问互联网。
I tried to configure spring provider using for the authorization-uri the public address of keycloak and for token-uri/jwk-set-uri/user-info-uri the private address of keycloak: this configuration doesn't work because seems that authorization-uri and user-info-uri must have the same base url.我尝试配置 spring 提供程序,使用授权 uri keycloak 的公共地址和 token-uri/jwk-set-uri/user-info-uri keycloak 的私有地址:此配置不起作用,因为似乎授权-uri 和 user-info-uri 必须具有相同的基数 url。
security:
oauth2:
client:
...
provider:
myprovider:
authorization-uri: http://sso.domain.it/auth/realms/myrealm/protocol/openid-connect/auth
token-uri:http://sso.private.name/auth/realms/myrealm/protocol/openid-connect/token
jwk-set-uri: http://sso.private.name/auth/realms/myrealm/protocol/openid-connect/certs
user-info-uri: http://sso.private.name/auth/realms/myrealm/protocol/openid-connect/userinfo
user-name-attribute: preferred_username
I get 401 and Keycloak logs this error:我得到 401 并且 Keycloak 记录了这个错误:
21:33:20,636 WARN [org.keycloak.events] (default task-14) type=USER_INFO_REQUEST_ERROR, realmId=myrealm, clientId=null, userId=null, ipAddress=x.x.x.x, error=invalid_token, auth_method=validate_access_token
If I try to set the user-info-uri with keycloak public address the authentication flow works correctly (obviously removing firewall rules).如果我尝试使用 keycloak 公共地址设置 user-info-uri,则身份验证流程可以正常工作(显然删除了防火墙规则)。
WORKS BUT NOT OK工作但不行
security:
oauth2:
client:
...
provider:
myprovider:
authorization-uri: http://sso.domain.it/auth/realms/myrealm/protocol/openid-connect/auth
token-uri: http://sso.private.name/auth/realms/myrealm/protocol/openid-connect/token
jwk-set-uri: http://sso.private.name/auth/realms/myrealm/protocol/openid-connect/certs
user-info-uri: http://sso.domain.it/auth/realms/myrealm/protocol/openid-connect/userinfo
user-name-attribute: preferred_username
1 个解决方案
解决方案1
1 2021-01-22 16:10:22
The problem is that when Keycloak generates JWT, it records issuer in it, in your case - accoring to authorization-uri hostname: sso.domain.it .问题是,当 Keycloak 生成 JWT 时,它会在其中记录颁发者,在您的情况下 - 根据authorization-uri主机名: sso.domain.it 。 When you later access it with sso.private.name , mentioned in the user-info-uri field - there will be no match, which in turn causes 401 Unauthorized .当您稍后使用user-info-uri字段中提到的sso.private.name访问它时 - 将不匹配,这反过来会导致401 Unauthorized 。 To fix the issue, you need to set up environment variable for Keyloak要解决此问题,您需要为 Keyloak 设置环境变量
KEYCLOAK_FRONTEND_URL: http://sso.domain.it/auth
in the way you prefer - via Docker/Kubernetes environment, Keycloak startup command line etc以您喜欢的方式 - 通过 Docker/Kubernetes 环境、Keycloak 启动命令行等
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.