Keycloak issuer validation and multi-tenancy approach


Problem description


Let's say we have several micro-services. Each of them uses Keycloak authentication. We also have a load balancer based on, for example, nginx, which has external URLs and different routes to Keycloak (for example, in OpenShift it can be https://keycloak.rhel-cdk.10.1.2.2.xip.io). But internally this address can be inaccessible. Also, having the micro-service configuration depend on the load balancer URL is a bit weird. What would be more appropriate is to use the internal Keycloak auth URL inside the micro-services, or even a short URI. But in this case the token will not be validated because of the issuer validation problem. How to configure this in a good and flexible manner? Can I simply override realmInfoUrl in order to change the validation? Can I define what issuer will be used for a client-based token?


Another problem is how to better handle a multi-tenant scenario. First, on the client side I guess we don't have any specific support for multi-tenancy. I should handle this manually by switching between different URLs/headers and using a proper Config Resolver. On the server side I need to dynamically provide a proper KeycloakDeployment instance for each case. Any other recommendations?

Recommended answer


Unfortunately Keycloak is too restrictive with its token validation according to the issuer ("iss") field in the token. It requires that the URL used to validate the token matches the URL in the "iss" field.


A while ago I opened a JIRA ticket for that problem (vote for it!): https://issues.jboss.org/browse/KEYCLOAK-5045
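To make the answer's point concrete, here is an added Python example (not from the question, the answer, or Keycloak itself) that mirrors the adapter's issuer comparison: the expected issuer is derived from the configured auth-server URL and realm, so a token issued through the external URL fails the check when a service is configured with an internal URL, and a per-host tenant table stands in for the Config Resolver choosing a deployment per request. The tenant table, the internal host name and the unsigned sample token are constructed assumptions.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(issuer: str) -> str:
    # Constructed sample token: only the payload matters here. The signature
    # is a placeholder because this example covers the issuer check only;
    # signature verification is assumed to happen separately.
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": issuer, "sub": "user-1"}).encode())
    return f"{header}.{payload}.signature-placeholder"


def token_issuer(token: str) -> str:
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))["iss"]


def realm_url(auth_server_url: str, realm: str) -> str:
    # Keycloak issues tokens with iss = <auth-server-url>/realms/<realm>;
    # the adapter compares that string with the realm URL it is configured with.
    return f"{auth_server_url.rstrip('/')}/realms/{realm}"


def issuer_matches(token: str, auth_server_url: str, realm: str) -> bool:
    return token_issuer(token) == realm_url(auth_server_url, realm)


# Hypothetical tenant table: request Host header -> (auth-server URL, realm).
# This plays the role of the Config Resolver picking a KeycloakDeployment.
TENANTS = {
    "tenant-a.example.test": ("https://keycloak.example.test", "tenant-a"),
    "tenant-b.example.test": ("https://keycloak.example.test", "tenant-b"),
}


def resolve_and_check(host: str, token: str) -> bool:
    if host not in TENANTS:
        return False  # unknown tenant: reject rather than guess a deployment
    auth_url, realm = TENANTS[host]
    return issuer_matches(token, auth_url, realm)


EXTERNAL = "https://keycloak.rhel-cdk.10.1.2.2.xip.io"  # URL from the question
INTERNAL = "http://keycloak.svc:8080"  # assumed internal service address

if __name__ == "__main__":
    tok = make_unsigned_token(realm_url(EXTERNAL, "demo"))
    print(issuer_matches(tok, EXTERNAL, "demo"))  # True
    print(issuer_matches(tok, INTERNAL, "demo"))  # False: internal URL != iss
```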

