Keycloak返回'无效参数:redirect_uri' [英] Keycloak returns 'Invalid parameter: redirect_uri'

查看:34
本文介绍了Keycloak返回'无效参数:redirect_uri'的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

[编辑-1]在OAuth2配置中添加作用域,添加Grafana服务,删除。配置参考this link

[更新]我可以在Keyloak页面登录,但它无法将我路由到Grafana服务。查看OAuth2日志,有些奇怪,由Keyshaak生成的访问令牌验证的是Github,而不是Keyshaak:)->;这是由于缺少OAuth valify_url配置造成的。

Solution

- 'traefik.http.middlewares.oauth-keycloak.forwardauth.address=http://oauth-keycloak:4185/oauth2/auth'

OAuth2代理的日志

paddy_oauth-keycloak.1.nd9v50gfv9kc@staging    | 123.28.110.207 - 411d7575-fb97-42ca-87ed-d57cad683b31 - - [2021/09/30 02:04:53] grafana.my-domain.com GET - "/oauth2/start?rd=https%3A%2F%2Fgrafana.my-domain.com%2F" HTTP/1.1 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" 302 419 0.000
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging    | [2021/09/30 02:05:00] [internal_util.go:74] token validation request failed: status 400 - {"error":"invalid_request","error_description":"Token not provided"}
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging    | [2021/09/30 02:05:00] [internal_util.go:69] 400 GET https://keycloak.my-domain.com/auth/realms/staging/protocol/openid-connect/userinfo?access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYa1NjbzduRjlaTUpiWDRXVU5mTlhJS2FwOG9ZMHZ1THVZZU1SUk9EQ1J3In0.eyJleHAiOjE2MzI5Njc4MDAsImlhdCI6MTYzMjk2NzUwMCwiYXV0aF90aW1lIjoxNjMyOTY3NDk5LCJqdGkiOiI4NGJjZjdiNC0yN2YzLTQ4NDktYjUzNi05OTNkNTczNzA5OWYiLCJpc3MiOiJodHRwczovL2tleWNsb2FrLnN0YWdpbmcucHJlY2lzaW9uYWcub3JnL2F1dGgvcmVhbG1zL3N0YWdpbmciLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNzk1NjE1YWUtN2VkNi00MWI3LWE5YWUtMjBkZmZhMTc1NjBhIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYXV0aGVudGljYXRpb24iLCJzZXNzaW9uX3N0YXRlIjoiZTVjM2FkMDMtNzhmNi00ZmE4LThhOTgtZTdkYjk1YjZiNmEzIiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsImRlZmF1bHQtcm9sZXMtc3RhZ2luZyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW5... {"error":"invalid_request","error_description":"Token not provided"}
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging    | 123.28.110.207 - 39bea317-002b-4366-858c-01aa6f6901b6 - dathuynh@my-domain.com [2021/09/30 02:05:00] [AuthSuccess] Authenticated via OAuth2: Session{email:dathuynh@my-domain.com user: PreferredUsername: token:true groups:[/pader]}
我正在为我的系统中的身份验证设置KEYCLOAK和OAuth2。该系统运行在坞站群模式下,并使用Traefik反向代理。我按照以下指南设置OAuth2容器:https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider/#keycloak-auth-provider

我在‘Development’领域中创建了一个新客户端,其有效的重定向URL为https://oauth-keycloak.my-domain.com/oauth2/callback(它是OAuth URL),并使用traefik转发身份验证将请求路由到未经过身份验证的密钥遮盖。

我收到了2个案例的Invalid parameter: redirect_uri

  • 我访问Grafana,请求被路由到Keyloak
  • 我尝试访问OAuth配置中的此链接https://oauth-keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/auth

我搜索并尝试了一些建议,但它们对我不起作用。希望你们能帮忙。我真的很感激。

这是我的坞站群配置:

  keycloak:
    image: quay.io/keycloak/keycloak:15.0.2
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.keycloak.rule=Host(`keycloak.my-domain.com`)"
        - "traefik.http.routers.keycloak.entrypoints=websecure"
        - "traefik.http.routers.keycloak.tls=true"
        - "traefik.http.routers.keycloak.tls.certresolver=leresolver"
        # Set up service
        - "traefik.http.routers.keycloak.service=keycloak-svc"
        - "traefik.http.services.keycloak-svc.loadbalancer.server.port=8080"
    environment:
      - "DB_VENDOR=POSTGRES"
      - "DB_ADDR=postgis"
      - "DB_DATABASE=${POSTGRES_DB}"
      - "DB_USER=${POSTGRES_USER}"
      - "DB_PASSWORD=${POSTGRES_PASSWORD}"
      - "KEYCLOAK_USER="
      - "KEYCLOAK_PASSWORD="
      - "PROXY_ADDRESS_FORWARDING=true"
      - "KEYCLOAK_LOGLEVEL=DEBUG" # DEBUG, ERROR, INFO

  grafana:
    image: grafana/grafana
    deploy:
      resources:
        limits:
          memory: 256M
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.grafana.rule=Host(`grafana.my-domain.com`)"
        - "traefik.http.routers.grafana.entrypoints=websecure"
        - "traefik.http.routers.grafana.tls=true"
        - "traefik.http.routers.grafana.tls.certresolver=leresolver"
        # Basic HTTP authentication
        - "traefik.http.routers.grafana.middlewares=oauth-keycloak"
        # Set up service
        - "traefik.http.services.grafana-svc.loadbalancer.server.port=3000"
        - "traefik.http.routers.grafana.service=grafana-svc"
    environment:
      - GF_SECURITY_ADMIN_USER=my-username
      - GF_SECURITY_ADMIN_PASSWORD=my-pasword
      - GF_USERS_ALLOW_SIGN_UP=true
    volumes:
      - "/home/app/grafana:/var/lib/grafana"

  oauth-keycloak:
    image: quay.io/oauth2-proxy/oauth2-proxy
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.oauth-keycloak.rule=Host(`oauth-keycloak.my-domain.com`) || PathPrefix(`/oauth2`)"
        - "traefik.http.routers.oauth-keycloak.entrypoints=websecure"
        - "traefik.http.routers.oauth-keycloak.tls=true"
        - "traefik.http.routers.oauth-keycloak.tls.certresolver=leresolver"
        # Set up service
        - "traefik.http.routers.oauth-keycloak.service=oauth-keycloak-svc"
        - "traefik.http.services.oauth-keycloak-svc.loadbalancer.server.port=4185"
        # Set up middlewares
        - 'traefik.http.middlewares.oauth-keycloak.forwardauth.address=http://oauth-keycloak:4185'
        - 'traefik.http.middlewares.oauth-keycloak.forwardauth.trustForwardHeader=true'
        - 'traefik.http.middlewares.oauth-keycloak.forwardauth.authResponseHeaders=X-Forwarded-User'
        # - "traefik.http.middlewares.oauth-keycloak-signin.errors.service=oauth-keycloak-svc"
        # - "traefik.http.middlewares.oauth-keycloak-signin.errors.status=401-403"
        # - "traefik.http.middlewares.oauth-keycloak-signin.errors.query=/oauth2/sign_in"
    environment:
      OAUTH2_PROXY_CLIENT_ID: 'development'
      OAUTH2_PROXY_CLIENT_SECRET: '' 
      OAUTH2_PROXY_PROVIDER: 'keycloak'
      OAUTH2_PROXY_SCOPE: 'profile email address phone'
      OAUTH2_PROXY_LOGIN_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/auth'
      OAUTH2_PROXY_REDEEM_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/token'
      OAUTH2_PROXY_PROFILE_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/userinfo'
      OAUTH2_PROXY_VALIDATE_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/userinfo'
      
      OAUTH2_PROXY_COOKIE_DOMAINS: 'my-domain.com'
      OAUTH2_PROXY_HTTP_ADDRESS: '0.0.0.0:4185'
      OAUTH2_PROXY_COOKIE_REFRESH: '1h'
      OAUTH2_PROXY_COOKIE_SECURE: 'false'
      OAUTH2_PROXY_COOKIE_SECRET: '0Y18nYVtNLzKQroYQpi0jw=='
      OAUTH2_PROXY_EMAIL_DOMAINS: 'my-domain.com'
      OAUTH2_PROXY_REVERSE_PROXY: 'true'
      OAUTH2_PROXY_WHITELIST_DOMAINS: 'my-domain.com'
      OAUTH2_PROXY_SHOW_DEBUG_ON_ERROR: 'true'

推荐答案

如您所说,您为https://oauth-keycloak.my-domain.com/oauth2/callback配置了有效的重定向URI。在访问Grafana的情况下,您的重定向URI应该是https://grafana.my-domain.com/oauth2/callback。您还需要将其添加到有效重定向URI列表中。

这篇关于Keycloak返回'无效参数:redirect_uri'的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆