dockerized 环境中的 Keycloak 和 Spring Boot Web 应用程序 [英] Keycloak and Spring Boot web app in dockerized environment
问题描述
考虑以下环境:
- 一个 docker 容器是 keycloak
- 另一个 docker 容器是我们的 Web 应用程序,它使用 keycloak 进行身份验证
Web 应用程序是应用了keycloak-spring-boot-starter"的 Spring Boot 应用程序.在 application.properties 中:
The web app is a Spring Boot application with "keycloak-spring-boot-starter" applied. In application.properties:
keycloak.auth-server-url = http://localhost:8028/auth
keycloak.auth-server-url = http://localhost:8028/auth
访问我们的 Web 应用程序的用户将使用 keycloak docker 容器的公开端口的 URL 重定向到 keycloak.登录在 keycloak 中没有问题,并且用户(浏览器)再次重定向到我们的 Web 应用程序.现在,需要将授权代码交换为访问令牌.因此,我们的 Web 应用程序(keycloak 客户端)尝试连接到 keycloak.auth-server-url 中配置的相同主机和端口.但这是一个问题,因为 Web 应用程序驻留在 docker 容器中而不是主机上,因此它应该访问 http://keycloak:8080 或者 keycloak 是链接的 keycloak docker 容器.
A user accessing our web app will be redirected to keycloak using the URL for the exposed port of the keycloak docker container. Login is done without problems in keycloak and the user (browser) is redirected to our web app again. Now, the authorization code needs to be exchanged for an access token. Hence, our web app (keycloak client) tries to connect to the same host and port configured in keycloak.auth-server-url. But this is a problem because the web app resides in a docker container and not on the host machine, so it should rather access http://keycloak:8080 or something where keycloak is the linked keycloak docker container.
所以问题是:如何配置 keycloak 客户端来为浏览器重定向和访问令牌端点应用不同的 URL?
推荐答案
曾经有另一个属性 auth-server-url-for-backend-requests 但已被拉取请求 #2506 删除 作为 关于 Keycloak 的 JIRA 的问题 #2623.在此问题的描述中,您将找到原因和可能的解决方法:应该在 DNS 级别或通过向主机文件添加条目来解决此问题.
There used to be another property auth-server-url-for-backend-requests but was removed by pull request #2506 as a solution to issue #2623 on Keycloak's JIRA. In the description of this issue, you'll find the reasons why and possible workarounds: that should be solved at the DNS level or by adding entries to the host file.
因此,在客户端配置中您可以做的并不多,除非您更改代码并制作自己的适配器版本,但是您可以在 Docker 级别做一些事情.为了使其正常工作,首先我建议您使用完全限定的域名而不是 localhost 作为 public 主机名,就像在生产中一样,例如.keycloak.mydomain.com.如果您只是将它添加到主机的 /etc/hosts 文件(或 Windows 等效文件)作为 localhost.
So there is not much you can do in the client configuration, unless you change the code and make your own version of the adapter, but there is something you can do at the Docker level. For this to work properly, first I suggest you use a fully qualified domain name instead of localhost for the public hostname, as you would in production anyway, eg. keycloak.mydomain.com. You can use a fake one (not registered in DNS servers) if you just add it to the host's /etc/hosts file (or Windows equivalent) as an alias next to localhost.
然后,如果您使用的是 Docker Compose,则可以设置 aliases(替代主机名)用于容器连接到的 docker 网络上的 keycloak 服务(请参阅文档:撰写文件参考/服务配置参考/网络/别名).例如:
Then, if you are using Docker Compose, you can set aliases (alternative hostnames) for the keycloak service on the docker network to which the containers are connected (see doc: Compose File reference / Service configuration reference / networks / aliases). For example:
version: "3.7"
services:
keycloak:
image: jboss/keycloak
networks:
# Replace 'mynet' with whatever user-defined network you are using or want to use
mynet:
aliases:
- keycloak.mydomain.com
webapp:
image: "nginx:alpine"
networks:
- mynet
networks:
mynet:
如果你只是使用普通的 Docker,你可以执行 与--alias 标志的docker network connect 命令等效(请参阅文档:容器网络/IP 地址和主机名).
If you are just using plain Docker, you can do the equivalent with --alias flag of docker network connect command (see doc: Container networking / IP address and hostname).
这篇关于dockerized 环境中的 Keycloak 和 Spring Boot Web 应用程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
