使用Keycloak的Spring Boot应用程序的Oauth2登录失败 [英] Oauth2 login fails for Spring boot application using Keycloak

问题描述

我有一个简单的Spring引导应用程序(使用jhipster 5.7.2生成).没有发现服务.只是一个简单的整体.它正在使用Keycloak进行身份验证.

I have a simple Spring boot application (generated using jhipster 5.7.2). No service discovery. Just a simple monolith. It is using Keycloak for auth.

这是我为我的应用选择的配置:

Here is the configuration I selected for my application:

{
  "generator-jhipster": {
    "promptValues": {
      "packageName": "com.mycompany.myapp",
      "nativeLanguage": "en"
    },
    "jhipsterVersion": "5.7.2",
    "applicationType": "monolith",
    "baseName": "test",
    "packageName": "com.mycompany.myapp",
    "packageFolder": "com/mycompany/myapp",
    "serverPort": "8080",
    "authenticationType": "oauth2",
    "cacheProvider": "no",
    "websocket": false,
    "databaseType": "sql",
    "devDatabaseType": "postgresql",
    "prodDatabaseType": "postgresql",
    "searchEngine": false,
    "messageBroker": false,
    "serviceDiscoveryType": false,
    "buildTool": "maven",
    "enableSwaggerCodegen": false,
    "clientFramework": "angularX",
    "useSass": false,
    "clientPackageManager": "npm",
    "testFrameworks": [],
    "jhiPrefix": "jhi",
    "otherModules": [],
    "enableTranslation": true,
    "nativeLanguage": "en",
    "languages": [
      "en"
    ]
  }
}

我正在使用Keycloak 4.5

I am using Keycloak 4.5

我已按照此文档进行启用我的身份验证服务器上的HTTPS. 现在，我的身份验证服务器可从外部访问.

I have followed this documention to enable HTTPS on my Auth Server. Now, my auth server is externally accessible.

我的应用程序正在localhost中运行.当我尝试执行登录时，登录失败并显示以下消息:未经授权

My application is running in localhost. When I try to perform login, the login fails with a message : Unauthorized

应用程序日志中显示以下内容:(BadCredentialsException)

Application logs say the following: (BadCredentialsException)

2018-12-24 19:31:27.579 DEBUG 43877 --- [ XNIO-2 task-13] c.m.myapp.aop.logging.LoggingAspect      : Enter: com.mycompany.myapp.repository.CustomAuditEventRepository.add() with argument[s] = [AuditEvent [timestamp=2018-12-24T14:01:27.579Z, principal=UNKNOWN, type=AUTHENTICATION_FAILURE, data={type=org.springframework.security.authentication.BadCredentialsException, message=Could not obtain access token}]]
Hibernate: select nextval ('hibernate_sequence')

Keycloak端无日志.如果我删除了我的身份验证服务器上与HTTPS相关的配置，则登录有效.不知道到底是什么问题.

No logs on the Keycloak end. If I remove HTTPS related configuration on my auth server, login works. Not sure what exactly is the issue.

推荐答案

我发现了此问题的原因.

I found out the reason for this issue.

就我而言，问题出在密钥库(JKS)创建过程中. 我们只给了我们cert.crt和privkey.crt. 创建密钥库时不包括根证书. docs 显然是告诉要包括根证书.

In my case, the problem lies in the keystore(JKS) creation process. We had only cert.crt and privkey.crt given to us. Root certificate was not included while creating the keystore. The docs clearly tell to include root certificate.

可以从证书提供者那里下载根证书. 此链接有助于包含根目录证书.

Root certificate can be downloaded from the certificate provider. This link was helpful in including the root certificate.

使用 Letsencrypt 颁发的证书时，我们要做的就是使用privkey.pem和fullchain. pem.在这里，我们不必担心将根证书包含在fullchain中.pem已经包含了它.

When playing around with certificates given by Letsencrypt all we need to do is use the privkey.pem and fullchain.pem. Here we don't need to worry about including the root certificate as the fullchain.pem already contains it.

# convert certificate chain + private key to the PKCS#12 file format
openssl pkcs12 -export -out keystore.pkcs12 -in fullchain.pem -inkey privkey.pem

# convert PKCS#12 file into Java keystore format
keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks

这篇关于使用Keycloak的Spring Boot应用程序的Oauth2登录失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！