Dockerized环境中的Keycloak和Spring Boot Web应用程序 [英] Keycloak and Spring Boot web app in dockerized environment

问题描述

请考虑以下环境：

• 一个docker容器是keycloak


• 另一个docker容器是我们使用keycloak进行身份验证的Web应用程序

该Web应用程序是一个Spring Boot应用程序，其中应用了 keycloak-spring-boot-starter 。在application.properties中：

The web app is a Spring Boot application with "keycloak-spring-boot-starter" applied. In application.properties:

keycloak.auth-server-url = http：// localhost：8028 / auth

访问我们的网络应用程序的用户将使用keycloak docker容器公开端口的URL重定向到keycloak。登录完成后，密钥库中没有问题，并且用户（浏览器）再次重定向到我们的Web应用程序。现在，需要将授权代码交换为访问令牌。因此，我们的Web应用程序（keycloak客户端）尝试连接到 keycloak.auth-server-url 中配置的相同主机和端口。但这是一个问题，因为Web应用程序驻留在Docker容器中而不在主机上，因此它应该访问 http ：// keycloak：8080 或其中 keycloak 是链接的keycloak docker容器的东西。

A user accessing our web app will be redirected to keycloak using the URL for the exposed port of the keycloak docker container. Login is done without problems in keycloak and the user (browser) is redirected to our web app again. Now, the authorization code needs to be exchanged for an access token. Hence, our web app (keycloak client) tries to connect to the same host and port configured in keycloak.auth-server-url. But this is a problem because the web app resides in a docker container and not on the host machine, so it should rather access http://keycloak:8080 or something where keycloak is the linked keycloak docker container.

所以这个问题是：如何配置Keycloak客户端以为浏览器重定向和访问令牌端点应用不同的URL？

推荐答案

曾经有另一个属性 auth-server-url-for-backend-requests ，但是它是已被拉取请求＃2506 删除，作为在Keycloak的JIRA上发出第2623号问题。在此问题的说明中，您将找到原因和可能的解决方法的原因：应在DNS级别或通过将条目添加到主机文件来解决。

There used to be another property auth-server-url-for-backend-requests but was removed by pull request #2506 as a solution to issue #2623 on Keycloak's JIRA. In the description of this issue, you'll find the reasons why and possible workarounds: that should be solved at the DNS level or by adding entries to the host file.

因此，除非更改代码并创建自己的适配器版本，否则在客户端配置中您无能为力，但是您可以在Docker级别。为了使它正常工作，首先我建议您使用完全限定的域名，而不是 public 主机名，使用 localhost ，例如。 keycloak.mydomain.com 。如果您只是将伪造的（而不是在DNS服务器中注册的）伪造文件添加到主机的 / etc / hosts 文件（或Windows等效文件）中，作为 localhost 。

So there is not much you can do in the client configuration, unless you change the code and make your own version of the adapter, but there is something you can do at the Docker level. For this to work properly, first I suggest you use a fully qualified domain name instead of localhost for the public hostname, as you would in production anyway, eg. keycloak.mydomain.com. You can use a fake one (not registered in DNS servers) if you just add it to the host's /etc/hosts file (or Windows equivalent) as an alias next to localhost.

然后，如果您使用的是Docker Compose，则可以设置 别名 （替代主机名），用于连接容器的docker网络上的密钥库服务（请参阅doc：撰写文件参考/服务配置参考/网络/别名）。例如：

Then, if you are using Docker Compose, you can set aliases (alternative hostnames) for the keycloak service on the docker network to which the containers are connected (see doc: Compose File reference / Service configuration reference / networks / aliases). For example:

version: "3.7"

services:
  keycloak:
    image: jboss/keycloak
    networks:
      # Replace 'mynet' with whatever user-defined network you are using or want to use
      mynet:
        aliases:
          - keycloak.mydomain.com

  webapp:
    image: "nginx:alpine"
    networks:
      - mynet

networks:
  mynet:

如果您仅使用普通Docker，则可以等价，其中<$ c $ docker network connect 命令的c>-alias 标志（请参阅文档：容器网络/ IP地址和主机名）。

If you are just using plain Docker, you can do the equivalent with --alias flag of docker network connect command (see doc: Container networking / IP address and hostname).

这篇关于Dockerized环境中的Keycloak和Spring Boot Web应用程序的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！