Keycloak 凭证后的密钥斗篷网守404_Keycloak_Keycloak Gatekeeper

Keycloak 凭证后的密钥斗篷网守404

keycloak

Keycloak 凭证后的密钥斗篷网守404,keycloak,keycloak-gatekeeper,Keycloak,Keycloak Gatekeeper,我有一个后端hello world应用程序，使用以下ACL match-claims: aud: appserver iss: http://192.168.1.132/auth/realms/master resources: - uri: /app methods: - GET roles: - user require-any-role: true 登录后立即导致404，日志如下 gatekeeper_1 | 1.

我有一个后端hello world应用程序，使用以下ACL

match-claims:
  aud: appserver
  iss: http://192.168.1.132/auth/realms/master

resources:
  - uri: /app
    methods:
      - GET
    roles:
      - user
    require-any-role: true

登录后立即导致404，日志如下


gatekeeper_1      | 1.5576708594647906e+09      error   keycloak-gatekeeper/middleware.go:108   no session found in request, redirecting for authorization   {"error": "authentication session not found"} 
nginx_1           | 172.23.0.1 - - [12/May/2019:22:20:59 +0800] "GET /app HTTP/1.1" 307 95 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131
Safari/537.36"
gatekeeper_1      | 1.5576708594775462e+09      debug   keycloak-gatekeeper/handlers.go:88      incoming authorization request from client address   {"access_type": "", "auth_url": "http://192.168.1.132/auth/realms/master/protocol/openid-connect/auth?client_id=appserver&redirect_uri=http%3A%2F%2Flocalhost%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=9e9edff9-b532-45e8-8b57-ed30783b38d6", "client_ip": "172.23.0.6:42310"}
nginx_1           | 172.23.0.1 - - [12/May/2019:22:20:59 +0800] "GET /oauth/authorize?state=9e9edff9-b532-45e8-8b57-ed30783b38d6 HTTP/1.1" 307 284 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36"
nginx_1           | 172.23.0.1 - - [12/May/2019:22:20:59 +0800] "GET /auth/realms/master/protocol/openid-connect/auth?client_id=appserver&redirect_uri=http%3A%2F%2Flocalhost%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=9e9edff9-b532-45e8-8b57-ed30783b38d6 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36"
nginx_1           | 172.23.0.1 - appserver [12/May/2019:22:20:59 +0800] "POST /auth/realms/master/protocol/openid-connect/token HTTP/1.1" 200 3507 "-" "Go-http-client/1.1"                                
gatekeeper_1      | 1.557670859584654e+09       info    keycloak-gatekeeper/handlers.go:167     issuing access token for user        {"email": "benjamin.hon@biomind.ai", "expires": "2019-05-12T14:21:59Z", "duration": "59.4153639s"}
nginx_1           | 172.23.0.1 - - [12/May/2019:22:20:59 +0800] "GET /oauth/callback?state=9e9edff9-b532-45e8-8b57-ed30783b38d6&session_state=bea8afff-1137-4a60-beb5-cf05a9974b34&code=ce737cdb-f3b2-4c8f-9198-5f5e0d80e2f4.bea8afff-1137-4a60-beb5-cf05a9974b34.10d7e9eb-226b-4ac8-890e-6c640ab53059 HTTP/1.1" 307 37 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36"
nginx_1           | 172.23.0.1 - - [12/May/2019:22:20:59 +0800] "GET / HTTP/1.1" 404 555 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36"
nginx_1           | 172.23.0.1 - - [12/May/2019:22:20:59 +0800] "GET /auth/realms/master/protocol/openid-connect/auth?client_id=appserver&redirect_uri=http%3A%2F%2Flocalhost%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=9e9edff9-b532-45e8-8b57-ed30783b38d6 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36"
nginx_1           | 172.23.0.1 - appserver [12/May/2019:22:20:59 +0800] "POST /auth/realms/master/protocol/openid-connect/token HTTP/1.1" 200 3507 "-" "Go-http-client/1.1"                                
gatekeeper_1      | 1.5576708598920956e+09      info    keycloak-gatekeeper/handlers.go:167     issuing access token for user        {"email": "benjamin.hon@biomind.ai", "expires": "2019-05-12T14:21:59Z", "duration": "59.107928s"}
nginx_1           | 172.23.0.1 - - [12/May/2019:22:20:59 +0800] "GET /oauth/callback?state=9e9edff9-b532-45e8-8b57-ed30783b38d6&session_state=bea8afff-1137-4a60-beb5-cf05a9974b34&code=fc79909a-3b36-4140-ac6a-cc340b621398.bea8afff-1137-4a60-beb5-cf05a9974b34.10d7e9eb-226b-4ac8-890e-6c640ab53059 HTTP/1.1" 307 37 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36"

但是，如果我使用以下ACL，它就可以工作

resources:
  - uri: /app
    methods:
      - GET
    white-listed: true

我已经检查了一切，角色已经分配和创建

这是我登录后得到的JWT

{
  "jti": "04de181a-bf9a-4db3-bfcc-006a12d00892",
  "exp": 1557672962,
  "nbf": 0,
  "iat": 1557672902,
  "iss": "http://192.168.1.132/auth/realms/master",
  "aud": [
    "account",
    "appserver"
  ],
  "sub": "d7a580b3-7987-40fa-905d-5be1662392ee",
  "typ": "Bearer",
  "azp": "appserver",
  "auth_time": 1557672902,
  "session_state": "71353c04-3e7c-4cf4-9203-fea485990fe9",
  "acr": "1",
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization",
      "user"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid profile email",
  "email_verified": true,
  "name": "john doe",
  "preferred_username": "john",
  "given_name": "john",
  "family_name": "doe",
  "email": "xxx"
}

在我看来，身份验证正在工作，但在授权之后，它似乎没有将其重定向到后端应用程序的内部代理，而是重定向到

我真的不知道如何调试这个虽然，任何帮助将不胜感激

啊，我让它工作了有两件事需要安排

secure-cookie: false
redirect-url: <gatekeeper url>

securecookie:false
重定向url:

我没有看到来自gatekeeper的404响应，只有一些nginx的响应。请提供更多关于您的设置和详细的网守日志的详细信息。您好@JanGaraj，刚刚在/oauth/callback之后，我会发布我的设置，谢谢您完成了复杂的设置。从简单的gatekeeper/app开始，然后添加更复杂的配置。@JanGaraj我不能，这是将其用作api网关的最简单方法