How to configure Keycloak to work with Guacamole's OpenID plugin?


Problem description

I'm trying to set up Apache Guacamole with KeyCloak as the OpenID Connect Authorization Server.

Guacamole redirects me to KeyCloak, I can log in with the user I created on KeyCloak and I get redirected back to Guacamole, but there it says that my token is invalid:

08:08:11.477 [http-nio-4432-exec-7] INFO  o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"alg":"RS256","typ" : "JWT","kid" : "8ZNpgh_vnmG0HMMNYdOz1lw4ECoWxmsiUGte1mJfvyI"} due to an unexpected exception (javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty) while obtaining or using keys from JWKS endpoint at https://172.16.47.229:12345/auth/realms/Guacamole-test/protocol/openid-connect/certs): JsonWebSignature{"alg":"RS256","typ" : "JWT","kid" : "8ZNpgh_vnmG0HMMNYdOz1lw4ECoWxmsiUGte1mJfvyI"}->eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI4Wk5wZ2hfdm5tRzBITU1OWWRPejFsdzRFQ29XeG1zaVVHdGUxbUpmdnlJIn0.eyJleHAiOjE2MDIzOTczODgsImlhdCI6MTYwMjM5NjQ4OCwiYXV0aF90aW1lIjoxNjAyMzk2NDcwLCJqdGkiOiI5Y2RiZDVjZC01MDJhLTRjNmItYTM3Mi1jZDIxMTNjNTE1NTMiLCJpc3MiOiJodHRwczovLzE3Mi4xNi40Ny4yMjk6MTIzNDUvYXV0aC9yZWFsbXMvR3VhY2Ftb2xlLXRlc3QiLCJhdWQiOiJHdWFjYW1vbGUiLCJzdWIiOiI1YzQ3N2NiZC04ZjIzLTRlMjEtYmNhMi1kMzNlMTRhZGY0ZDYiLCJ0eXAiOiJJRCIsImF6cCI6Ikd1YWNhbW9sZSIsIm5vbmNlIjoiaTQyZDBpZTc4c2s0MjRjMHJzMmJvdTM4YnUiLCJzZXNzaW9uX3N0YXRlIjoiMjNlZjdhMTYtMDhhNS00YTNkLTgxYTItYTQ2ZmE1NmM1NjE3IiwiYWNyIjoiMCIsImlzX3N1cGVydXNlciI6IlRydWUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsIm5hbWUiOiJ0ZXN0IHRlc3QiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0dXNlciIsImdpdmVuX25hbWUiOiJ0ZXN0IiwiZmFtaWx5X25hbWUiOiJ0ZXN0IiwiZW1haWwiOiJ0ZXN0QHRlc3QuY29tIn0.eOhkDqcgfdJnO12PRDqLIHACRNVdVHoSDFjThHWc6Ug1gdoz9t_T2K7F_B6dJSbNygAJrGvc5BVRx9XCJH1fVFSYhpXVqCO0jrHm0XJKhw_kBce4x3ZluGAtktx614j9qFzUwZHXOkFAUGPtyPQKuRTfdzHqQUILLJhVdSRPmou40rX31-l7VwqWZk_Yp1JCdQsA61XvJcQrU_aiKivZFaDGiY5GrnpL8zcEwJcFemptVoGKrG63O_LjxDCxhLpO1C1fi8GjngMSfco9aAp4AaGpHWy8ofJAu-TWbLGf-UPLUhC3lf903-Q_BU3eehYxtMyN1eet0HeGm0x_gV_wvA

In KeyCloak I created a Client as follows:

(Will change the Valid Redirect URIs once I have it working)

And my guacamole.properties looks like this:

guacd-port: 4822
guacd-hostname: localhost

# OpenID Connect Properties
openid-authorization-endpoint: https://172.16.47.229:12345/auth/realms/Guacamole-test/protocol/openid-connect/auth
openid-jwks-endpoint: https://172.16.47.229:12345/auth/realms/Guacamole-test/protocol/openid-connect/certs
openid-issuer: https://172.16.47.229:12345/auth/realms/Guacamole-test
openid-client-id: Guacamole
openid-redirect-uri: http://172.16.47.229:4432/guacamole/

# Postgresql Properties
postgresql-hostname: 172.16.47.229
postgresql-port: 4444
postgresql-database: guacamoledb
postgresql-username: guacamoleuser
postgresql-password: test

What do I have to change for Guacamole to accept the token?

Update: I found the configuration to be working if I use KeyCloak with HTTP instead of HTTPS, but that is not desirable. I have now also configured Guacamole, or more precisely the Tomcat that's hosting Guacamole, to use HTTPS, but I still cannot get it to work (without having to use HTTP for KeyCloak).

Recommended answer

I've run into the same issue. Most probably you just have to provide a valid SSL certificate for your IdP (Keycloak).

A possible workaround was found here: How to configure Keycloak to work with Guacamole's OpenID plugin?

I've re-compiled the guacamole-auth-openid extension with this change:

diff --git a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java
index 5efb09dab..27d818ee5 100644
--- a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java
+++ b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java
@@ -79,6 +79,7 @@ public class TokenValidationService {
 
         // Create JWT consumer for validating received token
         JwtConsumer jwtConsumer = new JwtConsumerBuilder()
+               .setSkipSignatureVerification()
                 .setRequireExpirationTime()
                 .setMaxFutureValidityInMinutes(confService.getMaxTokenValidity())
                 .setAllowedClockSkewInSeconds(confService.getAllowedClockSkew())
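Review bot: `.setSkipSignatureVerification()` switches off JWS signature checking for every token this consumer processes, so the issuer, audience and user claims are no longer bound to Keycloak's signing key and any JWT carrying the expected claims and an unexpired `exp` would be accepted. The logged cause (`the trustAnchors parameter must be non-empty`) says the JVM running Guacamole has no usable truststore for the JWKS fetch from `.../protocol/openid-connect/certs`, so the change that keeps verification intact is to make Keycloak's certificate trusted by that JVM (for example importing it with `keytool -importcert` into the truststore Tomcat uses) and leave this added line out.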

And this solved the issue. I don't think it's applicable for production needs, but in production self-signed certificates should not be used anyway.
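As an added example, not code from the guacamole-auth-openid extension or from the answer above: the same jose4j consumer, but with Keycloak's self-signed certificate pinned as the trust anchor for the JWKS fetch, so signature verification stays enabled and the `trustAnchors parameter must be non-empty` error goes away. The issuer, JWKS URL and client id are the ones from the question's guacamole.properties; the PEM path is an assumption.

```java
import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import org.jose4j.http.Get;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;

public class PinnedJwksValidation {

    // Values taken from the question's guacamole.properties
    static final String ISSUER = "https://172.16.47.229:12345/auth/realms/Guacamole-test";
    static final String JWKS_URL = ISSUER + "/protocol/openid-connect/certs";
    static final String CLIENT_ID = "Guacamole";

    // Assumed path: Keycloak's (self-signed) server certificate exported as PEM
    static final String KEYCLOAK_CERT_PEM = "/etc/guacamole/keycloak.pem";

    static JwtConsumer buildConsumer() throws Exception {
        // Load the Keycloak certificate and make it the only trust anchor for
        // the JWKS download; the JVM default truststore is not consulted.
        X509Certificate keycloakCert;
        try (FileInputStream in = new FileInputStream(KEYCLOAK_CERT_PEM)) {
            keycloakCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        Get httpGet = new Get();
        httpGet.setTrustedCertificates(keycloakCert);

        HttpsJwks httpsJwks = new HttpsJwks(JWKS_URL);
        httpsJwks.setSimpleHttpGet(httpGet);

        // Signature verification stays on: keys come from the pinned JWKS endpoint,
        // only RS256 is permitted, and issuer/audience/expiry are all enforced.
        return new JwtConsumerBuilder()
                .setVerificationKeyResolver(new HttpsJwksVerificationKeyResolver(httpsJwks))
                .setJwsAlgorithmConstraints(ConstraintType.PERMIT, AlgorithmIdentifiers.RSA_USING_SHA256)
                .setExpectedIssuer(ISSUER)
                .setExpectedAudience(CLIENT_ID)
                .setRequireExpirationTime()
                .setRequireSubject()
                .build();
    }

    public static void main(String[] args) throws Exception {
        JwtClaims claims = buildConsumer().process(args[0]).getJwtClaims(); // args[0]: raw id_token
        System.out.println("verified user: " + claims.getStringClaimValue("preferred_username"));
    }
}
```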

