JHipster Keyclope docker生产配置
我的JHipster(v4.11.1)项目使用具有OAuth 2.0身份验证类型的单片体系结构。我在生产服务器上托管它时确实遇到了一些问题。目前这里还没有固定的: 单击“登录”链接后,我将重定向到以下url: https://my-domain-name/auth/realms/jhipster/protocol/openid-connect/auth?client_id=web_app&redirect_uri=http://我的docker服务名称/login&response\u type=code&scope=openid%20profile%20email&state=hO2NCQ 第一个问题是,这里我需要我的docker服务名作为我的域名(并使用https) 注意:在这里,我确实看到了带有以下错误消息的KeyClope登录页面:JHipster Keyclope docker生产配置,jhipster,keycloak,Jhipster,Keycloak,我的JHipster(v4.11.1)项目使用具有OAuth 2.0身份验证类型的单片体系结构。我在生产服务器上托管它时确实遇到了一些问题。目前这里还没有固定的: 单击“登录”链接后,我将重定向到以下url: https://my-domain-name/auth/realms/jhipster/protocol/openid-connect/auth?client_id=web_app&redirect_uri=http://我的docker服务名称/login&response\u type
无效参数:redirect\u uriredirect_uri无效参数:redirect\u uri/auth/nginx.confadd\u header严格的传输安全性…https://my-example.com/auth/realms/jhipster/.well-known/openid-configuration{
"issuer": "http://my-example.com/auth/realms/jhipster",
"authorization_endpoint": "http://my-example.com/auth/realms/jhipster/protocol/openid-connect/auth",
"token_endpoint": "http://my-example.com/auth/realms/jhipster/protocol/openid-connect/token",
"token_introspection_endpoint": "http://my-example.com/auth/realms/jhipster/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "http://my-example.com/auth/realms/jhipster/protocol/openid-connect/userinfo",
"end_session_endpoint": "http://my-example.com/auth/realms/jhipster/protocol/openid-connect/logout",
"jwks_uri": "http://my-example.com/auth/realms/jhipster/protocol/openid-connect/certs",
"check_session_iframe": "http://my-example.com/auth/realms/jhipster/protocol/openid-connect/login-status-iframe.html",
"grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials"],
"response_types_supported": ["code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"],
"subject_types_supported": ["public", "pairwise"],
"id_token_signing_alg_values_supported": ["RS256"],
"userinfo_signing_alg_values_supported": ["RS256"],
"request_object_signing_alg_values_supported": ["none", "RS256"],
"response_modes_supported": ["query", "fragment", "form_post"],
"registration_endpoint": "http://my-example.com/auth/realms/jhipster/clients-registrations/openid-connect",
"token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post"],
"token_endpoint_auth_signing_alg_values_supported": ["RS256"],
"claims_supported": ["sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email"],
"claim_types_supported": ["normal"],
"claims_parameter_supported": false,
"scopes_supported": ["openid", "offline_access"],
"request_parameter_supported": true,
"request_uri_parameter_supported": true
}
http://my-example.com/...显示的是https://my-example.com/...“sslRequired”:“外部”“sslRequired”:“无”,我不知道这是不是坏事?考虑到(1)当我测试登录工作流时,我的浏览器从不离开https;(2)我的KeyClope实例不可通过任何公共端口访问
我不会接受我自己的答案,因为正如我之前所说,我觉得事情可以做得更好,更安全。谢谢
更新
我对使用https协议做了以下更改:
Dockerfile
standalone.xml
jhipster-realm.json
嗯,谢谢 我发现以下问题:与此问题非常相似,并提供了解决方法:作为一种前进的方式。但正如该解决方案的作者所提到的,缺点是每个请求都必须通过web来查找KeyClope实例!而且,我们无法从本地网络中受益,无法与keydove实例进行通信。
{
"issuer": "http://my-example.com/auth/realms/jhipster",
"authorization_endpoint": "http://my-example.com/auth/realms/jhipster/protocol/openid-connect/auth",
"token_endpoint": "http://my-example.com/auth/realms/jhipster/protocol/openid-connect/token",
"token_introspection_endpoint": "http://my-example.com/auth/realms/jhipster/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "http://my-example.com/auth/realms/jhipster/protocol/openid-connect/userinfo",
"end_session_endpoint": "http://my-example.com/auth/realms/jhipster/protocol/openid-connect/logout",
"jwks_uri": "http://my-example.com/auth/realms/jhipster/protocol/openid-connect/certs",
"check_session_iframe": "http://my-example.com/auth/realms/jhipster/protocol/openid-connect/login-status-iframe.html",
"grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials"],
"response_types_supported": ["code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"],
"subject_types_supported": ["public", "pairwise"],
"id_token_signing_alg_values_supported": ["RS256"],
"userinfo_signing_alg_values_supported": ["RS256"],
"request_object_signing_alg_values_supported": ["none", "RS256"],
"response_modes_supported": ["query", "fragment", "form_post"],
"registration_endpoint": "http://my-example.com/auth/realms/jhipster/clients-registrations/openid-connect",
"token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post"],
"token_endpoint_auth_signing_alg_values_supported": ["RS256"],
"claims_supported": ["sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email"],
"claim_types_supported": ["normal"],
"claims_parameter_supported": false,
"scopes_supported": ["openid", "offline_access"],
"request_parameter_supported": true,
"request_uri_parameter_supported": true
}
FROM jboss/keycloak:3.4.1.Final
<server name="default-server">
...
<http-listener name="default" socket-binding="http" redirect-socket="proxy-https" proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING}" certificate-forwarding="true" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING}" certificate-forwarding="true" enable-http2="true"/>
...
<socket-binding-group ...
<socket-binding name="proxy-https" port="443"/>
...
upstream keycloak {
server keycloak:9443;
}
...
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
...
location /auth {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass https://keycloak;
}
...
...
"sslRequired": "external",