带有 NGINX 代理服务器的 Keycloak 不验证 rest api [英] Keycloak with NGINX proxy server not authenticating rest api

问题描述

我有一个示例应用程序，它可以在没有 nginx 的情况下在本地正确保护其余 api.现在，当我将它放在 nginx 代理后面的生产中时，它不起作用.没有错误.它允许所有请求.

I have a sample app which correctly secures the rest api locally without nginx. Now when I put this in production behind a nginx proxy it does not work. No errors. It allows all request.

带有 ssl 的前端服务器是 https://frontend.com

Front end serer with ssl is https://frontend.com

带有 ssl 的后端服务器是 https://backend.com

Back end server with ssl is https://backend.com

Keycloak 代理转发为真

Keycloak proxy forward is true

前端服务器(9000 上的节点服务器)<-> NGINX <-> Keycloak(在 8180 上运行)

Front end server(node server on 9000) <-> NGINX <-> Keycloak (running on 8180)

nginx 文件示例

upstream keycloak_server {
  server localhost:8180;
}

upstream node_server {
  server localhost:9000;
}

location /auth/ {
  proxy_pass http://keycloak_server;
  proxy_http_version 1.1;
  proxy_set_header Host              $host;
  proxy_set_header X-Real-IP         $remote_addr;
  proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
}  
location / {
  proxy_pass http://node_server;
  proxy_http_version 1.1;
  proxy_set_header Host              $host;
  proxy_set_header X-Real-IP         $remote_addr;
  proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
}

前端服务器使用 Angular 调用后端 api.REST api 调用看起来像 https://backend.com/callTest

Front end server calls a backend api using Angular. REST api calls looks like https://backend.com/callTest

后端服务器(在 tomcat 上运行)<-> NGINX <-> Spring Boot(带 keycloak)

Backend server(running on tomcat) <-> NGINX <-> Spring Boot(with keycloak)

nginx 示例

location / {
  proxy_pass http://127.0.0.1:8080/dt-1.0/;
  proxy_http_version 1.1;
  proxy_set_header Host               $host;
  proxy_set_header X-Real-IP          $remote_addr;
  proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto  $scheme;
}  

在 angular keycloak.json 中看起来像

in angular keycloak.json looks like

{
  "realm": "demo",
  "auth-server-url": "https://frontend.com/auth",
  "ssl-required": "none",
  "resource": "tutorial-frontend",
  "public-client": true
}

在 spring boot keycloak 属性看起来像

in spring boot keycloak properties look like

  keycloak.auth-server-url=https://frontend.com/auth
  keycloak.realm=demo
  keycloak.resource=tutorial-frontend
  keycloak.public-client=true
  keycloak.bearer-only = true
  keycloak.cors = true
  keycloak.security-constraints[0].authRoles[0]=user
  keycloak.security-constraints[0].securityCollections[0].patterns[0]=/*

请告诉我如何更正此问题.我真的很感激.

Please let me know how to correct this. I would really appreciate it.

推荐答案

三年后，我也遇到了同样的问题.也许你已经解决了，但我想还有很多人和我一样遇到过这个问题.我的解决方案是使用 openresty.你会发现很多 openresty 的教程或代码片段.这里就不多说了.

Three years later, I have encountered the same problem. Maybe you have solved it, but I guess there are still many people who have encountered this problem like me. My solution is to use openresty. You will find many tutorials or code fragments of openresty. I won't talk more about it here.

我只是在openresty认证通过后把access_token放在请求头中，就像这样

I just put access_token in the request header after the openresty authentication is passed, just like this

local opts = {
    redirect_uri_path = "/redirect_uri",
    discovery = "https://a.b.c.d:8093/auth/realms/xxx/.well-known/openid-configuration",
    client_id = "client_id",
    client_secret = "client_secret",
    redirect_uri_scheme = "https",
    logout_path = "/logout",
    redirect_after_logout_uri = "https://a.b.c.d:8093/auth/realms/xxx/protocol/openid-connect/logout?redirect_uri=https://a.b.c.d:8093/",
    scope = "openid email",
    access_token_expires_leeway = 0,
    accept_none_alg = false,
    accept_unsupported_alg = false,
    renew_access_token_on_expiry = true,
    session_contents = {access_token=true, id_token = true}
}
local res, err = require("resty.openidc").authenticate(opts)
if err then
    ngx.status = 403
    ngx.say(err)
    ngx.exit(ngx.HTTP_FORBIDDEN)
end
ngx.req.set_header("Authorization", "Bearer " .. res.access_token)

在nginx配置文件中，我是这样做的

In the nginx configuration file, I did this

    location /auth/ {
        proxy_pass http://keycloak:8080/auth/;
        proxy_set_header Host $host:$server_port;
    }

    location / {
        access_by_lua_block {
            require("oidc/acc")()
        }
        try_files $uri $uri/ /index.html;
        index  index.html;
    }

    location  /api/ {
        access_by_lua_block {
            require("oidc/acc")()
        }
        proxy_set_header  Host  $host:$server_port;
        proxy_pass http://gateway:8881/api/;
    }

这篇关于带有 NGINX 代理服务器的 Keycloak 不验证 rest api的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！