Token introspection considering token as not active


Question

I have Keycloak 4.0.0 installed on two Debian stretch machines. Those are configured in standalone clustered mode. Both share a MySQL cluster database instance and a load balancer is doing HA.

I have code which needs to validate tokens against the introspection endpoint, but it's not working half of the time. This is actually because the load balancer is doing its job, and it is consequently easy to reproduce:

  • Ask for a token on /auth/realms//protocol/openid-connect/token on server 1
  • Call the introspection endpoint /auth/realms//protocol/openid-connect/token/introspect on server 2 to check the access token given by server 1

If I call the introspection endpoint on server I've the json response I expect, but on server 2 I just have active: false.

This is quite strange because sessions are replicated on admin interface in "show sessions".

Any ideas?

Thanks!

Rémi

Recommended answer

I had the same problem.

For the introspect API, try setting the host header. For example: when hitting the /protocol/openid-connect/token API, pass the header "host: foo". Now, when hitting the protocol/openid-connect/token/introspect API, set the header "host: foo".
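
An added diagnostic for the behaviour discussed in this thread (not code from the question or the answer): it decodes an access token's `iss` claim and compares it with the scheme, host and port that the introspection request will present, with or without an explicit Host header. It assumes the `active: false` result comes from the token's issuer not matching the host seen on the introspect call; the hostnames, the realm `demo` and the sample token are constructed.

```python
import base64
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def origin(url):
    """Normalise a URL to (scheme, host, port) with default ports filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def issuer_check(token, introspect_url, host_header=None):
    """Compare the token's iss origin with the origin the introspect call presents.

    host_header, if given, overrides host and port of introspect_url, as an
    explicit Host header would. Returns (matches, issuer_origin, seen_origin).
    """
    issuer = origin(jwt_claims(token)["iss"])
    scheme, host, port = origin(introspect_url)
    if host_header:
        h = urlsplit("//" + host_header)
        host, port = (h.hostname or "").lower(), h.port or DEFAULT_PORTS.get(scheme)
    seen = (scheme, host, port)
    return issuer == seen, issuer, seen


def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample: hostnames, realm and token are made up for this example.
SAMPLE_TOKEN = ".".join([
    _b64({"alg": "RS256", "typ": "JWT"}),
    _b64({"iss": "http://kc1.example.internal:8080/auth/realms/demo", "sub": "u1"}),
    "constructed-signature",
])
INTROSPECT_URL = ("http://kc2.example.internal:8080/auth/realms/demo"
                  "/protocol/openid-connect/token/introspect")
```

Run against a real token, a `False` result with different issuer and seen origins points at the load balancer routing the two calls to nodes that see different hosts.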
