Keycloak Redirect URI is adding port zero to the url


Problem description

Encountered a redirect_uri error in Keycloak. Found the same issue logged at JIRA KEYCLOAK-7237; just want to check whether there is any workaround? Can anyone help? Thank you in advance.

2018-06-30 11:34:13,996 WARN [org.keycloak.events] (default task-8) type=LOGIN_ERROR, realmId=Victz, clientId=portal, userId=null, ipAddress=, error=invalid_redirect_uri, redirect_uri=https://www.example.com:0/home

I am using an Apache HTTP reverse proxy running on CentOS 7, WildFly 10, Keycloak 3.4.3. I have also tried the environments below, but get the same error.

Tried WildFly 10, WildFly 11, JBoss 7.1, Keycloak 3.4.3 as well as Keycloak 4.0.

Also tried shutting down Apache HTTP and accessing http://www.example.org:8080/home directly, but the return_uri seems to be automatically converted to https with port 0.

Please see the standalone.xml below; I tried removing the proxy-peer and request-dumper config below, but no luck.

    <subsystem xmlns="urn:jboss:domain:undertow:4.0">
        <buffer-cache name="default"/>
        <server name="default-server">
            <http-listener name="default" socket-binding="http" proxy-address-forwarding="true" enable-http2="true"/>
            <https-listener name="https" socket-binding="https" proxy-address-forwarding="true" security-realm="ApplicationRealm" enable-http2="true"/>
            <host name="default-host" alias="localhost">
                <location name="/" handler="welcome-content"/>
                <location name="/drive" handler="drive"/>
                <access-log pattern="%h %l %u %t &quot;%r&quot; %s %b &quot;%{i,Referer}&quot; &quot;%{i,User-Agent}&quot; &quot;%{i,COOKIE}&quot; &quot;%{o,SET-COOKIE}&quot; %S &quot;%I %T&quot;" prefix="access."/>
                <filter-ref name="server-header"/>
                <filter-ref name="x-powered-by-header"/>
                <http-invoker security-realm="ApplicationRealm"/>
            </host>
            <host name="example1" alias="example.com1,www.example.com1" default-web-module="example1-0.1.war">
                <location name="/drive" handler="drive"/>
                <filter-ref name="proxy-peer"/>
                <filter-ref name="request-dumper" priority="30"/>
            </host>
            <host name="example2" alias="example.com2,www.example.com2" default-web-module="example2-0.1.war">
                <location name="/drive" handler="drive"/>
                <filter-ref name="proxy-peer"/>
                <filter-ref name="request-dumper" priority="30"/>
            </host>
            <host name="example3" alias="example.com3,www.example.com3" default-web-module="example3-0.1.war">
                <location name="/drive" handler="drive"/>
                <filter-ref name="proxy-peer"/>
                <filter-ref name="request-dumper" priority="30"/>
            </host>

        </server>
        <servlet-container name="default">
            <jsp-config/>
            <websockets/>
        </servlet-container>
        <handlers>
            <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
            <file name="drive" path="/app/drive"/>
        </handlers>
        <filters>
            <response-header name="server-header" header-name="Server" header-value="JBoss-EAP/7"/>
            <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
            <filter name="proxy-peer" class-name="io.undertow.server.handlers.ProxyPeerAddressHandler" module="io.undertow.core"/>
            <filter name="request-dumper" class-name="io.undertow.server.handlers.RequestDumpingHandler" module="io.undertow.core"/>
        </filters>
    </subsystem>

Answer

Context

When using Keycloak's Spring Boot client adapter behind a reverse proxy, the URL query parameter redirect_uri set by OAuthRequestAuthenticator.java may contain a port suffix :0 due to incomplete or incorrect configuration.

Basic problem

In order to construct the redirect_uri, the Spring Boot app needs to guess its public URL, including at least the protocol and hostname, and possibly also the IP port. Behind a reverse proxy, this requires cooperation with the proxy and/or explicit configuration.

Explanation of the :0

The :0, if present, was probably set by OAuthRequestAuthenticator.java (this loose handling may be considered a bug, but in the present case it stems from incomplete configuration): Keycloak recognized that the Spring Boot app is talking HTTPS, but it found no HTTPS port configuration, so it defaulted to zero.

Steps to solve

Assumptions:

  • this is about a Spring Boot app
  • running behind a reverse proxy
  • acting as a Keycloak client

You need to ensure the following things to solve the problem:

  1. configure the reverse proxy to add the following headers
    • x-forwarded-for telling the hostname
    • x-forwarded-proto telling whether the connection is secure or not
  2. just read the current Spring Boot "How-to" Guide on running behind a proxy server (one concise screen page)
  3. maybe you need to explicitly set the confidential-port to 443

Troubleshooting / cross-check

Only one point: assuming that this is about a Spring Boot app behind a reverse proxy, you should be able to use tcpdump or similar to monitor the unencrypted traffic (like -i lo -s0 -A) and see the HTTP headers. Any request sent to the Spring Boot app should carry the headers required by the Spring Boot Security How-to mentioned above (x-forwarded-for and x-forwarded-proto); otherwise the proxy is misconfigured.
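An added example, not code from the question, the answer, or Keycloak: a small Python script that applies the cross-check above to the plaintext of a request as the app sees it behind the proxy. It reports which forwarded headers the proxy failed to send and models, following the answer's explanation, how the public redirect_uri is derived from them. The two captures and the confidential_port parameter are constructed for illustration, and public_base_url is a simplified model of the reasoning in the answer, not the adapter's actual logic.

```python
"""Cross-check the forwarded headers a reverse proxy passes to a proxied app.

Added example (not the adapter's or the answer's code). Input is a plaintext
HTTP request as captured on the app side (e.g. tcpdump -i lo -s0 -A).
"""

REQUIRED_HEADERS = ("x-forwarded-for", "x-forwarded-proto")
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_request(raw):
    """Split a plaintext HTTP/1.1 request into (request line, header dict).

    Header names are lower-cased so lookups are case-insensitive; only the
    head (everything before the blank line) is inspected.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def request_path(request_line):
    """Return the path from a request line such as 'GET /home HTTP/1.1'."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else "/"


def public_base_url(headers, confidential_port=None):
    """Derive (scheme://host[:port], port) the way a proxied app must guess it.

    Simplified model, not the Keycloak adapter's code: the scheme comes from
    X-Forwarded-Proto, the host from X-Forwarded-Host or Host, the port from an
    explicit ':port' in that host value, otherwise from the configured
    confidential port for HTTPS. With nothing configured the HTTPS port ends
    up as 0, which is the ':0' in the question's log line.
    """
    scheme = headers.get("x-forwarded-proto", "http").lower()
    host = headers.get("x-forwarded-host") or headers.get("host", "")
    hostname, _, port_text = host.partition(":")
    if port_text.isdigit():
        port = int(port_text)
    elif scheme == "https":
        port = confidential_port or 0
    else:
        port = DEFAULT_PORTS["http"]
    if port == DEFAULT_PORTS.get(scheme):
        return "%s://%s" % (scheme, hostname), port
    return "%s://%s:%d" % (scheme, hostname, port), port


def diagnose(raw, confidential_port=None):
    """Return the redirect_uri the app would build plus a list of problems."""
    request_line, headers = parse_request(raw)
    missing = [h for h in REQUIRED_HEADERS if h not in headers]
    base, port = public_base_url(headers, confidential_port)
    problems = ["proxy did not send %s" % h for h in missing]
    if port == 0:
        problems.append("public port resolved to 0; set the confidential port (443 for HTTPS)")
    return {
        "redirect_uri": base + request_path(request_line),
        "missing": missing,
        "problems": problems,
    }


# Constructed sample captures of what the app sees behind the proxy.
CAPTURE_PROXIED = (
    "GET /home HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "X-Forwarded-Proto: https\r\n"
    "\r\n"
)
CAPTURE_NO_PROTO = (
    "GET /home HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw, port in (
        ("headers ok, no confidential port", CAPTURE_PROXIED, None),
        ("headers ok, confidential-port=443", CAPTURE_PROXIED, 443),
        ("X-Forwarded-Proto missing", CAPTURE_NO_PROTO, None),
    ):
        result = diagnose(raw, port)
        print(label, "->", result["redirect_uri"], result["problems"])
```

Run it on the text of a request taken from the tcpdump output (or paste one in): a result with x-forwarded-proto listed as missing means the proxy is not telling the app that the client connection is TLS, and a redirect_uri ending in :0 means the app knows it is behind HTTPS but has no port to use, which is what the question's log line shows. On the Apache side, mod_proxy adds X-Forwarded-For and X-Forwarded-Host itself, but X-Forwarded-Proto has to be set explicitly (for example with mod_headers' RequestHeader set X-Forwarded-Proto "https" in the TLS virtual host); on the Spring Boot side, the adapter's keycloak.confidential-port property is the setting the answer's third step refers to.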
