
Keycloak, Apache, mod_auth_openidc, elasticsearch opendistro


I'm trying to set up single sign-on (SSO) on Apache 2.4 to access a private directory, and to assign roles in elasticsearch (opendistro) to users logged in through Keycloak. Assigning roles to users in Keycloak is no real problem (and it connects successfully to the openldap server). If I send a bearer token to ES, it links the roles to backend roles. All good.

The problem is that elasticsearch is stateless and it does not seem able to read the cookie obtained from Keycloak and mod_auth_openidc (I could not manage to set config.xml up properly). So I can't get ES to use the openid connect session.

So I decided to go with bearer authentication for ES, which means I need to add the bearer http header to every http request to ES.

I get a bearer token from mod_auth_openidc by adding the following:

 Header set Authorization "Bearer %{OIDC_access_token}e" env=OIDC_access_token

to my protected location in the apache conf (headers module enabled). But when I try to use that token with curl (for testing), it does not work:

 curl -i -k --noproxy '*' -H "Authorization: thebearerfromapache" https://es.*****.com:9200/protectedresources 
I get unauthorized. Elasticsearch log:

[2020-11-22T14:58:58,404][DEBUG][c.a.o.s.a.BackendRegistry] [node-1] Check authdomain for rest noop/0 or 2 in total
[2020-11-22T14:58:58,405][DEBUG][c.a.o.s.a.BackendRegistry] [node-1] 'java.lang.IllegalArgumentException: No enum constant org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm.R{"alg":"RS256","typ" : "JWT","kid" : "BHQ5Qu3GJKSAUYKPy3itq5oZLmmrAD_eFdZQa88oX8c' extracting credentials from jwt-key-by-oidc http authenticator
java.lang.IllegalArgumentException: No enum constant org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm.R{"alg":"RS256","typ" : "JWT","kid" : "BHQ5Qu3GJKSAUYKPy3itq5oZLmmrAD_eFdZQa88oX8c
        at java.lang.Enum.valueOf(Enum.java:273) ~[?:?]
EDIT: I changed the access token algorithm in Keycloak to HS256 and now I get

[2020-11-22T15:27:31,195][INFO ][c.a.d.a.h.j.k.JwtVerifier] [node-1] Escaped Key ID from JWT Token
[2020-11-22T15:27:31,196][DEBUG][c.a.d.a.h.j.k.SelfRefreshingKeySet] [node-1] performRefresh(c3145a71-0a3c-4b99-86e0-a8bf30c33f23)
[2020-11-22T15:27:31,197][INFO ][c.a.d.a.h.j.k.SelfRefreshingKeySet] [node-1] Performing refresh 1
[2020-11-22T15:27:31,450][INFO ][c.a.d.a.h.j.k.SelfRefreshingKeySet] [node-1] KeySetProvider finished
[2020-11-22T15:27:31,452][INFO ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [node-1] Extracting JWT token from eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjMzE0NWE3MS0wYTNjLTRiOTktODZlMC1hOGJmMzBjMzNmMjMifQ.….dpX_F5r-KqSYr7atK7K9B3FzJ9VbDiIdqmhYBMsHyV0 failed
com.amazon.dlic.auth.http.jwt.keybyoidc.BadCredentialsException: Unknown kid c3145a71-0a3c-4b99-86e0-a8bf30c33f23
This shell script works:

#!/bin/sh
# Resource Owner Password Credentials grant against Keycloak (testing only), then call ES with the access token
RESULT=$(curl -s -k --noproxy '*' \
  -d 'client_id=apache-node1' -d 'username=jdoe' -d 'password=*****' \
  -d 'grant_type=password' -d 'client_secret=6a7a0299-e420-4206-ae02-9e68bf7044ff' -d 'scope=openid' \
  'https://auth.****.com:8443/auth/realms/web/protocol/openid-connect/token')

# Pull access_token out of the JSON response
TOKEN=$(echo "$RESULT" | sed 's/.*access_token":"\([^"]*\).*/\1/')

curl -i -k --noproxy '*' -H "Authorization: Bearer $TOKEN" https://es.****.com:9200/humanresources/_search
opendistro security plugin configuration:

 jwt_auth_domain:
   description: "Authenticate via Json Web Token"
   http_enabled: true
   transport_enabled: true
   order: 0
   http_authenticator:
     type: openid
     challenge: false
     config:
       jwt_header: Authorization
       subject_key: preferred_username
       roles_key: roles
       openid_connect_url: https://auth.****.com:8443/auth/realms/web/.well-known/openid-configuration
       jwks_uri: https://auth.****.com:8443/auth/realms/web/protocol/openid-connect/certs
   authentication_backend:
     type: noop

Do you know how to set up elasticsearch so that it recognizes that token?

In the end, the correct apache configuration is to include the ID token (and not the access token)

so

 Header set Authorization "Bearer %{OIDC_id_token}e" env=OIDC_id_token

and in the global configuration of the virtualhost (otherwise the id token is not added to the http header)

 OIDCPassIDTokenAs serialized

I used "ES256" in the Keycloak admin console: Fine Grain OpenID Connect Configuration > ID Token Signature Algorithm
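As an added example (not the post's own configuration, and not from the mod_auth_openidc or OpenDistro projects), here is how the pieces from the answer fit into one Apache 2.4 virtual host that logs the user in with mod_auth_openidc and forwards the ID token to Elasticsearch. It assumes Apache sits in front of ES as a reverse proxy, which the post does not state; web.example.com, auth.example.com, es.example.com, the certificate paths, the client secret and the passphrase are placeholders. It needs mod_ssl, mod_headers, mod_proxy, mod_proxy_http and mod_auth_openidc loaded.

```apache
# Added example, not the post's own configuration. Assumes Apache is a reverse proxy in
# front of Elasticsearch; the hostnames, certificate paths, client secret and passphrase
# are placeholders.
<VirtualHost *:443>
    ServerName web.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/web.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/web.example.com.key
    SSLProxyEngine on

    # mod_auth_openidc client settings for the Keycloak realm "web"
    OIDCProviderMetadataURL https://auth.example.com:8443/auth/realms/web/.well-known/openid-configuration
    OIDCClientID            apache-node1
    OIDCClientSecret        REPLACE_WITH_CLIENT_SECRET
    OIDCRedirectURI         https://web.example.com/protected/redirect_uri
    OIDCCryptoPassphrase    REPLACE_WITH_RANDOM_PASSPHRASE
    OIDCScope               "openid"

    # Vhost level, not inside <Location>: this is what makes the OIDC_id_token
    # environment variable available to mod_headers.
    OIDCPassIDTokenAs serialized

    <Location /protected>
        AuthType openid-connect
        Require valid-user

        # Send the ID token (the one whose signature algorithm is set under
        # "Fine Grain OpenID Connect Configuration") rather than the access token.
        # RequestHeader, not Header: Header sets the response header the browser sees,
        # RequestHeader sets the header forwarded to the proxied backend.
        # The post's access-token variant, for comparison:
        #   Header set Authorization "Bearer %{OIDC_access_token}e" env=OIDC_access_token
        RequestHeader set Authorization "Bearer %{OIDC_id_token}e" env=OIDC_id_token

        ProxyPass        https://es.example.com:9200/
        ProxyPassReverse https://es.example.com:9200/
    </Location>
</VirtualHost>
```

The redirect URI deliberately lives under the protected location; mod_auth_openidc intercepts it before the request reaches the proxy. If the browser talks to ES directly instead of through Apache, the header directive alone does nothing for ES and the token has to be carried by the client.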
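The two log errors above come down to how a JWKS-backed verifier treats the token header: it reads `alg` and `kid`, looks the `kid` up in the realm's JWKS, and only then checks the signature. The following Go program is an added example, not part of the post and not the OpenDistro plugin's code; it reproduces that logic with constructed keys, signing a token the way the IdP would and verifying it the way the `openid` authenticator does. The kid values, the claims and the `client-secret` are made up, the JWKS is simplified to an in-memory map, and ES256 is left out (an EC key in the JWKS would be handled the same way as the RSA one).

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// KeySet is a simplified JWKS (kid -> public key) standing in for Keycloak's certs endpoint;
// only asymmetric keys are published there, an HS256 client secret never appears in a JWKS.
type KeySet map[string]crypto.PublicKey

type jwsHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

var b64 = base64.RawURLEncoding

// NewKeys generates a constructed RSA key pair and the JWKS that publishes it as kid "rsa-2020".
func NewKeys() (KeySet, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return KeySet{"rsa-2020": &key.PublicKey}, key, nil
}

// Sign builds a compact JWS (header.payload.signature) the way the IdP would; key is a
// *rsa.PrivateKey for alg RS256 or a []byte client secret for alg HS256.
func Sign(alg, kid string, claims map[string]any, key any) (string, error) {
	h, _ := json.Marshal(jwsHeader{Alg: alg, Kid: kid})
	p, _ := json.Marshal(claims)
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	d := sha256.Sum256([]byte(input))
	switch k := key.(type) {
	case *rsa.PrivateKey:
		sig, err := rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, d[:])
		if err != nil {
			return "", err
		}
		return input + "." + b64.EncodeToString(sig), nil
	case []byte:
		mac := hmac.New(sha256.New, k)
		mac.Write([]byte(input))
		return input + "." + b64.EncodeToString(mac.Sum(nil)), nil
	}
	return "", fmt.Errorf("unsupported key type %T", key)
}

func decodeJSON(part string, v any) error {
	raw, err := b64.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// Verify does what a JWKS-backed authenticator (OpenDistro's "openid" type) does with a bearer
// token: read alg and kid, look the kid up in the JWKS, then check the signature with the key
// type actually found there, never trusting the header's alg on its own.
func Verify(token string, jwks KeySet) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	var h jwsHeader
	if err := decodeJSON(parts[0], &h); err != nil {
		return nil, fmt.Errorf("bad JWS header: %w", err)
	}
	pub, ok := jwks[h.Kid]
	if !ok { // the post's HS256 failure: the kid is not in the realm's JWKS
		return nil, fmt.Errorf("unknown kid %q (alg %s)", h.Kid, h.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	rsaPub, isRSA := pub.(*rsa.PublicKey)
	if err != nil || !isRSA || h.Alg != "RS256" || rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, d[:], sig) != nil {
		return nil, fmt.Errorf("signature check failed for kid %s (alg %s)", h.Kid, h.Alg)
	}
	var claims map[string]any
	return claims, decodeJSON(parts[1], &claims)
}

func main() {
	jwks, key, _ := NewKeys() // constructed keys; the JWKS only knows kid "rsa-2020"
	claims := map[string]any{"preferred_username": "jdoe", "roles": []string{"humanresources"}}
	rs, _ := Sign("RS256", "rsa-2020", claims, key)
	hs, _ := Sign("HS256", "c3145a71", claims, []byte("client-secret")) // kid made up
	_, rsErr := Verify(rs, jwks)
	_, hsErr := Verify(hs, jwks)
	fmt.Println("RS256:", rsErr, "| HS256:", hsErr)
}
```

The RS256 token verifies because its kid is published; the HS256 token fails at the kid lookup, which is the same situation as the `Unknown kid c3145a71-...` line in the log: an HMAC-signed token is validated with the client secret, which a JWKS never contains, so switching the algorithm to HS256 cannot work with a JWKS-based authenticator, whereas RS256 or ES256 with a key the realm publishes does. Binding the check to the key type found in the JWKS, rather than to the header's `alg`, also blocks a token that claims HS256 against a published RSA kid.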