堆栈内存溢出
  繁体   English   中英

Keycloak、oauth2-proxy 和 nginx.ingress.kubernetes

[英]Keycloak, oauth2-proxy and nginx.ingress.kubernetes

 原文  2021-03-16 11:37:11       nginx/ kubernetes/ proxy/ keycloak/ oauth2-proxy

问题描述

我在通过 oauth2-proxy/keycloak 验证 kubernetes webapp 时遇到问题。 你不知道怎么了

  • Webapp (test-app.domain.com)
  • oauth2-proxy (oauth2-proxy.domain.com)
  • 密钥斗篷(keycloak-test.domain.com)

这三个应用程序分别运行。

认证过程说明:

打开test.domain.com 后被重定向到https://keycloak-test.domain.com/auth/realms/local/protocol/openid-connect/auth?approval_prompt=force&client_id=k8%2%2%2%2https-3%2%F proxy.domain.com%2Foauth2%2Fcallback&response_type=code&scope=openid+profile+email+users&state=7a6504626c89d85dad9337f57072d7e4%3Ahttps%3A%2F%2Ftest-app%2F

Keycloak login page is displayed correctly but after user login I get: 500 Internal Server Error with URL https://oauth2-proxy.domain.com/oauth2/callback?state=753caa3a281921a02b97d3efeabe7adf%3Ahttps%3A%2F%2Ftest-app.domain .com%2F&session_state=f5d45a13-5383-4a79-aa7a-56bbaa16056f&code=5344ae72-a9ee-448f-95ef-45e413f69f4b.f5d45a13-5383-4a79-aa7a-56bbaa16056f.78732ee5-af48-c517-6

来自 oauth2-proxy 的日志

[2021/03/16 11:25:35] [stored_session.go:76] Error loading cookied session: cookie "_oauth2_proxy" not present, removing session
10.30.21.14:35382 - - [2021/03/16 11:25:35] oauth2-proxy.domain.com GET - "/oauth2/auth" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15" 401 13 0.000
10.96.5.198:35502 - - [2021/03/16 11:25:35] oauth2-proxy.domain.com GET - "/oauth2/start?rd=https://test-app.domain.com/" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15" 302 400 0.000
[2021/03/16 11:25:39] [oauthproxy.go:753] Error redeeming code during OAuth2 callback: email in id_token (user1@user.com) isn't verified
10.96.5.198:35502 - - [2021/03/16 11:25:39] oauth2-proxy.domain.com GET - "/oauth2/callback?state=1fe22deb33ce4dc7e316f23927b8d821%3Ahttps%3A%2F%2Ftest-app.domain.com%2F&session_state=c69d7a8f-32f2-4a84-a6af-41b7d2391561&code=4759cce8-1c1c-4da3-ba94-9987c2ce3e02.c69d7a8f-32f2-4a84-a6af-41b7d2391561.78732ee5-af17-43fc-9f52-856e06bfce04" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15" 500 345 0.030

测试应用入口

    apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "oauth2-proxy.domain.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "oauth2-proxy.domain.com/oauth2/start?rd=$scheme://$best_http_host$request_uri"
    nginx.ingress.kubernetes.io/auth-response-headers: "x-auth-request-user, x-auth-request-email, x-auth-request-access-token"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
  name: test-app
  namespace: its
spec:
  rules:
    - host: test-app.domain.com
      http:
        paths:
          - path: /
            backend:
              serviceName: test-app
              servicePort: http

  tls:
    - hosts:
      - test-app.domain.com
      secretName: cert-wild.test-proxy.domain.com

oauth2-proxy 配置和入口

 containers:
      - name: oauth2-proxy
        image: quay.io/oauth2-proxy/oauth2-proxy:latest
        ports:
        - containerPort: 8091
        args:
        - --provider=oidc
        - --client-id=k8s2
        - --client-secret=Sd28cf1-1e14-4db1-8ed1-5ba64e1cd421
        - --cookie-secret=x-1vrrMhC-886ITuz8ySNw==
        - --oidc-issuer-url=https://keycloak-test.domain.com/auth/realms/local
        - --email-domain=*
        - --scope=openid profile email users
        - --cookie-domain=.domain.com
        - --whitelist-domain=.domain.com
        - --pass-authorization-header=true
        - --pass-access-token=true
        - --pass-user-headers=true
        - --set-authorization-header=true
        - --set-xauthrequest=true
        - --cookie-refresh=1m
        - --cookie-expire=30m
        - --http-address=0.0.0.0:8091
---
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy
  labels:
    name: oauth2-proxy
spec:
  ports:
  - name: http
    port: 8091
    targetPort: 8091
  selector:
    name: oauth2-proxy
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
  name: oauth2-proxy
  namespace: its
spec:
  rules:
    - host: oauth2-proxy.domain.com
      http:
        paths:
          - path: /oauth2
            backend:
              serviceName: oauth2-proxy
              servicePort: 8091
  tls:
    - hosts:
      - oauth2-proxy.domain.com
      secretName: cert-wild.oauth2-proxy.domain.com

2 个解决方案

解决方案1
 0  2021-07-18 03:10:44

您可以尝试在 oauth2-proxy 配置中设置 --insecure-oidc-allow-unverified-email 。 或者,在 keycloak 中,标记用户 email 在用户设置中验证。

解决方案2
 0  2022-09-19 10:49:35

答案很简单,现在在 keycloak 中删除用户并重新创建同一个用户,这次检查 email 是否已验证切换为 true

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 oauth2-proxy 身份验证在 kubernetes 集群上调用缓慢,带有 nginx 入口的身份验证注释 使用 master - minion Nginx 入口和 oauth2-proxy 身份验证 尝试在 nginx + oauth2-proxy + docker 上使用不记名令牌进行身份验证时出现问题 Nginx Ingress OAuth注销(Kubernetes)? Nginx 和 Oauth2-proxy:使用 Google 登录后,重定向回 Oauth 登录页面 在Kubernetes入口之前的Nginx反向代理 can I use nginx ingress controller oauth2_proxy in kubernetes with azure active directory without cookies 使用 nginx 代理动态进入 Kubernetes 服务 Kube.netes Ingress 在 nginx 反向代理后面运行 Kubernetes nginx ingress代理传递给websocket
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM