Zuul reverse proxy with Keycloak server


Problem description

I'm configuring a Spring Cloud (Angel.SR6) application using the Zuul reverse proxy utility, in order to hide the internal service ports. My zuul (edge) service is published on port 8765 and my organizations service on port 8083. Everything goes smoothly when I access the application with no security: http://localhost:8765/organization/organizations returns the JSON with all the organizations.

However, now I want to integrate a Keycloak SSO (OAuth2) server for authorization purposes. I have added the Spring Security adapter in my organization service and configured it to authenticate at http://localhost:8080/auth. Everything goes well, except that zuul performs a redirection instead of proxying. So when authentication is successful, I get redirected to http://localhost:8083/organizations instead of http://localhost:8765/organization/organizations. Here are my browser requests:

That's because the keycloak adapter creates a token verification endpoint at http://localhost:8083/sso/login, from which it performs a redirection to the authorization server in order to validate the token. When the authorization server acknowledges it, a redirection is sent to the organization service, with the /organization path, so the end URL being loaded is http://localhost:8083/organizations. But I would like the first requested URL to be loaded instead.

Which options do I have?

Recommended answer

(Migrated from a comment to an answer)

I ended up making a Github project in order to explain my problem to the keycloak team, and got a pull request from one of the development team members trying to help me out. Following their recommendations, I came to the conclusion that zuul is good for hiding stateless services (bearer-only ones), but not the ones that the user directly interacts with. Here is the whole thread in the mailing list.
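A check for the symptom described in the question, as an added example that is not part of the original post: it walks a captured redirect chain and reports every `Location` that sends the browser to an origin other than the edge proxy or the authorization server. The function names and both sample chains are constructed for illustration; only the three localhost origins come from the question.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_CODES = (301, 302, 303, 307, 308)

def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)

def leaked_redirects(hops, allowed):
    """hops: list of (request_url, status, location_header_or_None).
    Returns (request_url, resolved_target) for every redirect that sends
    the browser to an origin outside `allowed`."""
    allowed_origins = {origin(u) for u in allowed}
    leaks = []
    for request_url, status, location in hops:
        if status not in REDIRECT_CODES or not location:
            continue
        target = urljoin(request_url, location)  # Location may be relative
        if origin(target) not in allowed_origins:
            leaks.append((request_url, target))
    return leaks

# Origins the browser is meant to see (both taken from the question).
EDGE = "http://localhost:8765"
AUTH_SERVER = "http://localhost:8080"

# Constructed chain for the interactive-login flow in the question
# (auth-server path and query strings are made up for the example).
INTERACTIVE_LOGIN = [
    ("http://localhost:8765/organization/organizations", 302,
     "http://localhost:8083/sso/login"),
    ("http://localhost:8083/sso/login", 302,
     "http://localhost:8080/auth/constructed-login?state=x"),
    ("http://localhost:8080/auth/constructed-login?state=x", 302,
     "http://localhost:8083/sso/login?code=constructed"),
    ("http://localhost:8083/sso/login?code=constructed", 302,
     "/organizations"),
]

# Constructed chain for a bearer-only backend: no login redirect at all,
# an unauthenticated call through the edge is simply rejected.
BEARER_ONLY = [
    ("http://localhost:8765/organization/organizations", 401, None),
]

if __name__ == "__main__":
    for source, target in leaked_redirects(INTERACTIVE_LOGIN, [EDGE, AUTH_SERVER]):
        print(f"internal origin exposed: {source} -> {target}")
```

Run against a chain exported from the browser's network tab, any reported hop means the port Zuul was supposed to hide is visible to the client.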
