Question:

Configuration of Quarkus and Keycloak on Docker

子车俊材
2023-03-14

I have the following setup:

  • Keycloak running in Docker, public interface mapped to 127.0.0.1:8180, internal keycloak-n:8080
  • Quarkus running in Docker, public interface mapped to 127.0.0.1:8080
  • Both run in the same Docker network and can communicate.
  • External AuthzClient (not in Docker) that talks to Quarkus using a token

If the client and Quarkus are outside Docker and talk to Keycloak via the same interface, everything works. As soon as Quarkus goes into Docker, I cannot get it to work.

So far I have tried many changes. On Keycloak I set the frontendUrl with:

/subsystem=keycloak-server/spi=hostname/provider=default:write-attribute(name=properties.frontendUrl,value="http://127.0.0.1:8180/auth")

My current Quarkus config (OIDC section) looks like this:

# OIDC Configuration
quarkus.oidc.auth-server-url=http://keycloak-n:8080/auth/realms/quarkus
quarkus.oidc.client-id=backend-service
quarkus.oidc.credentials.secret=85174256-b231-4385-9fa9-257dd0d27bf0
quarkus.oidc.token.lifespan-grace=20
quarkus.oidc.introspection-path=.well-known/openid-configuration
quarkus.oidc.jwks-path=.well-known/jwks.json
quarkus.oidc.token.issuer=http://127.0.0.1:8180/auth/realms/quarkus
# Enable Policy Enforcement
quarkus.keycloak.policy-enforcer.enable=true

If I remove the token issuer, I get an issuer validation failure from Vert.x. With the current config the initial authentication works, but afterwards I get Connection refused (Connection refused) from the PolicyEnforcer because it tries to talk to 127.0.0.1. The stack trace is:

2020-08-03 05:43:27,933 DEBUG [org.apa.htt.imp.con.tsc.ConnPoolByRoute] (executor-thread-1) Releasing connection [{}->http://keycloak-n:8080][null]
2020-08-03 05:43:27,933 DEBUG [org.apa.htt.imp.con.tsc.ConnPoolByRoute] (executor-thread-1) Pooling connection [{}->http://keycloak-n:8080][null]; keep alive indefinitely
2020-08-03 05:43:27,933 DEBUG [org.apa.htt.imp.con.tsc.ConnPoolByRoute] (executor-thread-1) Notifying no-one, there are no waiting threads
2020-08-03 05:43:27,944 DEBUG [org.apa.htt.imp.con.tsc.ThreadSafeClientConnManager] (executor-thread-1) Get connection: {}->http://127.0.0.1:8180, timeout = 0
2020-08-03 05:43:27,944 DEBUG [org.apa.htt.imp.con.tsc.ConnPoolByRoute] (executor-thread-1) [{}->http://127.0.0.1:8180] total kept alive: 1, total issued: 0, total allocated: 1 out of 20
2020-08-03 05:43:27,944 DEBUG [org.apa.htt.imp.con.tsc.ConnPoolByRoute] (executor-thread-1) No free connections [{}->http://127.0.0.1:8180][null]
2020-08-03 05:43:27,944 DEBUG [org.apa.htt.imp.con.tsc.ConnPoolByRoute] (executor-thread-1) Available capacity: 20 out of 20 [{}->http://127.0.0.1:8180][null]
2020-08-03 05:43:27,944 DEBUG [org.apa.htt.imp.con.tsc.ConnPoolByRoute] (executor-thread-1) Creating new connection [{}->http://127.0.0.1:8180]
2020-08-03 05:43:27,944 DEBUG [org.apa.htt.imp.con.DefaultClientConnectionOperator] (executor-thread-1) Connecting to 127.0.0.1:8180
2020-08-03 05:43:27,945 DEBUG [org.apa.htt.imp.con.DefaultClientConnection] (executor-thread-1) Connection org.apache.http.impl.conn.DefaultClientConnection@6ba49b73 closed
2020-08-03 05:43:27,946 DEBUG [org.apa.htt.imp.con.DefaultClientConnection] (executor-thread-1) Connection org.apache.http.impl.conn.DefaultClientConnection@6ba49b73 shut down
2020-08-03 05:43:27,946 DEBUG [org.apa.htt.imp.con.tsc.ThreadSafeClientConnManager] (executor-thread-1) Released connection is not reusable.
2020-08-03 05:43:27,946 DEBUG [org.apa.htt.imp.con.tsc.ConnPoolByRoute] (executor-thread-1) Releasing connection [{}->http://127.0.0.1:8180][null]
2020-08-03 05:43:27,946 DEBUG [org.apa.htt.imp.con.DefaultClientConnection] (executor-thread-1) Connection org.apache.http.impl.conn.DefaultClientConnection@6ba49b73 closed
2020-08-03 05:43:27,946 DEBUG [org.apa.htt.imp.con.tsc.ConnPoolByRoute] (executor-thread-1) Notifying no-one, there are no waiting threads
2020-08-03 05:43:27,947 ERROR [org.key.ada.aut.PolicyEnforcer] (executor-thread-1) Could not lazy load resource with path [/hello/find/1] from server: java.lang.RuntimeException: Could not find resource
        at org.keycloak.authorization.client.util.Throwables.retryAndWrapExceptionIfNecessary(Throwables.java:91)
        at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:232)
        at org.keycloak.authorization.client.resource.ProtectedResource.findByMatchingUri(ProtectedResource.java:291)
        at org.keycloak.adapters.authorization.PolicyEnforcer$PathConfigMatcher.matches(PolicyEnforcer.java:268)
        at org.keycloak.adapters.authorization.AbstractPolicyEnforcer.getPathConfig(AbstractPolicyEnforcer.java:351)
        at org.keycloak.adapters.authorization.AbstractPolicyEnforcer.authorize(AbstractPolicyEnforcer.java:72)
        at io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerAuthorizer.apply(KeycloakPolicyEnforcerAuthorizer.java:45)
        at io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerAuthorizer.apply(KeycloakPolicyEnforcerAuthorizer.java:29)
        at io.quarkus.vertx.http.runtime.security.HttpAuthorizer$1$1$1.run(HttpAuthorizer.java:68)
        at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
        at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:2046)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1578)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1452)
        at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
        at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
        at java.base/java.lang.Thread.run(Thread.java:834)
        at org.jboss.threads.JBossThread.run(JBossThread.java:479)
Caused by: java.lang.RuntimeException: Error executing http method [GET]. Response : null
        at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:106)
        at org.keycloak.authorization.client.util.HttpMethodResponse$3.execute(HttpMethodResponse.java:68)
        at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:226)
        at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:222)
        at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:230)
        ... 15 more
Caused by: java.net.ConnectException: Connection refused (Connection refused)
        at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.base/java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:399)
        at java.base/java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:242)
        at java.base/java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:224)
        at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:403)
        at java.base/java.net.Socket.connect(Socket.java:609)
        at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(PlainSocketFactory.java:121)
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
        at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
        at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134)
        at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:605)
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:440)
        at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
        at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:84)
        ... 19 more

2020-08-03 05:43:27,951 DEBUG [org.key.ada.aut.AbstractPolicyEnforcer] (executor-thread-1) Checking permissions for path [http://127.0.0.1:8080/hello/find/1] with config [null].
2020-08-03 05:43:27,951 DEBUG [org.key.ada.aut.AbstractPolicyEnforcer] (executor-thread-1) Could not find a configuration for path [/hello/find/1]

Are there any real examples of how to configure such a scenario? I have tried setting frontendUrl to the internal address, which actually works at runtime, but then the web frontend is no longer reachable.

Update:

From the frontend code (abbreviated):

        java.io.InputStream stream = Thread.currentThread().getContextClassLoader()
                .getResourceAsStream("META-INF/keycloak.json");
        auth=AuthzClient.create(stream);
        response = auth.obtainAccessToken(user, password);
        final String accessToken = response.getToken();
...
        requestContext.getHeaders().add(HttpHeaders.AUTHORIZATION, AUTH_HEADER_PREFIX + accessToken);
...

and the config in keycloak.json is

{
  "realm": "quarkus",
  "auth-server-url": "http://localhost:8180/auth/",
  "ssl-required": "external",
  "resource": "backend-service",
  "verify-token-audience": true,
  "credentials": {
    "secret": "85174256-b231-4385-9fa9-257dd0d27bf0"
  },
  "confidential-port": 0,
  "policy-enforcer": {}
}

Thanks a lot

1 Answer

俞学
2023-03-14

So, the following settings worked for me:

frontendUrl: external-docker-ip --> NOT localhost!
set in jboss cli by e.g.:
/subsystem=keycloak-server/spi=hostname/provider=default:write-attribute(name=properties.frontendUrl,value="http://172.20.48.1:8180/auth")

##quarkus config
quarkus.oidc.auth-server-url=http://internal_keycloak_docker_IP:8080/auth/realms/quarkus
quarkus.oidc.token.issuer=http://external-docker-ip:8180/auth/realms/quarkus

##client json file
  "auth-server-url": "http://external-docker-ip:8180/auth/"
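As an added illustration (not part of the answer above), here is a small Python check of the two conditions this fix satisfies: the issuer Keycloak advertises must equal quarkus.oidc.token.issuer, and none of the endpoints in Keycloak's discovery document (which, like the issuer, are derived from frontendUrl) may be a loopback address, since loopback inside the Quarkus container is the container itself, which is the "Connection refused" to 127.0.0.1:8180 in the stack trace. The discovery documents are constructed from the thread's values; the 172.20.48.1 host IP is the one from the answer.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery document mirroring the question's failing setup: frontendUrl is a
# loopback address, so the issuer and every advertised endpoint use it.
DISCOVERY_BEFORE = json.dumps({
    "issuer": "http://127.0.0.1:8180/auth/realms/quarkus",
    "token_endpoint": "http://127.0.0.1:8180/auth/realms/quarkus/protocol/openid-connect/token",
    "jwks_uri": "http://127.0.0.1:8180/auth/realms/quarkus/protocol/openid-connect/certs",
    "resource_registration_endpoint": "http://127.0.0.1:8180/auth/realms/quarkus/authz/protection/resource_set",
})
# The same document after the answer's fix (frontendUrl set to the Docker host IP).
DISCOVERY_AFTER = DISCOVERY_BEFORE.replace("127.0.0.1", "172.20.48.1")

# Quarkus OIDC properties from the question, and the answer's corrected pair.
QUARKUS_PROPS_BEFORE = {
    "quarkus.oidc.auth-server-url": "http://keycloak-n:8080/auth/realms/quarkus",
    "quarkus.oidc.token.issuer": "http://127.0.0.1:8180/auth/realms/quarkus",
}
QUARKUS_PROPS_AFTER = dict(QUARKUS_PROPS_BEFORE,
                           **{"quarkus.oidc.token.issuer": "http://172.20.48.1:8180/auth/realms/quarkus"})

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def check_discovery(discovery_json, props):
    """Return findings for a Quarkus container that consumes this discovery document.

    Without quarkus.oidc.token.issuer, Quarkus expects the issuer to be auth-server-url,
    which is why the question saw an issuer validation failure when it was removed."""
    doc = json.loads(discovery_json)
    findings = []
    expected_issuer = props.get("quarkus.oidc.token.issuer", props["quarkus.oidc.auth-server-url"])
    if doc["issuer"] != expected_issuer:
        findings.append(f"issuer mismatch: Keycloak advertises {doc['issuer']!r}, "
                        f"Quarkus expects {expected_issuer!r}")
    for key, url in doc.items():
        host = urlsplit(url).hostname
        if key.endswith(("_endpoint", "_uri")) and host in LOOPBACK:
            findings.append(f"{key} points at loopback ({host}); unreachable from a container")
    return findings


if __name__ == "__main__":
    for label, doc, props in (("before", DISCOVERY_BEFORE, QUARKUS_PROPS_BEFORE),
                              ("after, old issuer", DISCOVERY_AFTER, QUARKUS_PROPS_BEFORE),
                              ("after", DISCOVERY_AFTER, QUARKUS_PROPS_AFTER)):
        print(label, check_discovery(doc, props) or ["ok"])
```

The middle case shows why the answer changes quarkus.oidc.token.issuer together with frontendUrl: moving frontendUrl alone fixes reachability but then breaks issuer validation.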