Keycloak, oauth2-proxy and nginx.ingress.kubernetes


Published: 2021-06-13 16:38:01

Question:

I'm having a problem authenticating a Kubernetes webapp through oauth2-proxy/Keycloak. Do you know what's wrong?

Webapp (test-app.domain.com)
oauth2-proxy (oauth2-proxy.domain.com)
keycloak (keycloak-test.domain.com)

These three applications run separately.

Description of the authentication process:

After opening test.domain.com, I am redirected to https://keycloak-test.domain.com/auth/realms/local/protocol/openid-connect/auth?approval_prompt=force&client_id=k8s2&redirect_uri=https%3A%2F%2Foauth2-proxy.domain.com%2Foauth2%2Fcallback&response_type=code&scope=openid+profile+email+users&state=7a6504626c89d85dad9337f57072d7e4%3Ahttps%3A%2F%2Ftest-app%2F

The Keycloak login page is displayed correctly, but after the user logs in I get: 500 Internal Server Error with URL https://oauth2-proxy.domain.com/oauth2/callback?state=753caa3a281921a02b97d3efeabe7adf%3Ahttps%3A%2F%2Ftest-app.domain.com%2F&session_state=f5d45a13-5383-4a79-aa7a-56bbaa16056f&code=5344ae72-a9ee-448f-95ef-45e413f69f4b.f5d45a13-5383-4a79-aa7a-56bbaa16056f.78732ee5-af17-43fc-9f52-856e06bfce04

Logs from oauth2-proxy

[2021/03/16 11:25:35] [stored_session.go:76] Error loading cookied session: cookie "_oauth2_proxy" not present, removing session
10.30.21.14:35382 - - [2021/03/16 11:25:35] oauth2-proxy.domain.com GET - "/oauth2/auth" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (Khtml, like Gecko) Version/14.0.3 Safari/605.1.15" 401 13 0.000
10.96.5.198:35502 - - [2021/03/16 11:25:35] oauth2-proxy.domain.com GET - "/oauth2/start?rd=https://test-app.domain.com/" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15" 302 400 0.000
[2021/03/16 11:25:39] [oauthproxy.go:753] Error redeeming code during OAuth2 callback: email in id_token (user1@user.com) isn't verified
10.96.5.198:35502 - - [2021/03/16 11:25:39] oauth2-proxy.domain.com GET - "/oauth2/callback?state=1fe22deb33ce4dc7e316f23927b8d821%3Ahttps%3A%2F%2Ftest-app.domain.com%2F&session_state=c69d7a8f-32f2-4a84-a6af-41b7d2391561&code=4759cce8-1c1c-4da3-ba94-9987c2ce3e02.c69d7a8f-32f2-4a84-a6af-41b7d2391561.78732ee5-af17-43fc-9f52-856e06bfce04" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15" 500 345 0.030

Test app Ingress

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    # auth-url and auth-signin must be absolute URLs, scheme included
    nginx.ingress.kubernetes.io/auth-url: "https://oauth2-proxy.domain.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://oauth2-proxy.domain.com/oauth2/start?rd=$scheme://$best_http_host$request_uri"
    nginx.ingress.kubernetes.io/auth-response-headers: "x-auth-request-user, x-auth-request-email, x-auth-request-access-token"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
  name: test-app
  namespace: its
spec:
  rules:
    - host: test-app.domain.com
      http:
        paths:
          - path: /
            backend:
              serviceName: test-app
              servicePort: http

  tls:
    - hosts:
      - test-app.domain.com
      secretName: cert-wild.test-proxy.domain.com

oauth2-proxy configuration and Ingress

# Deployment fragment: container section of the oauth2-proxy pod spec
containers:
  - name: oauth2-proxy
    image: quay.io/oauth2-proxy/oauth2-proxy:latest
    ports:
      - containerPort: 8091
    args:
      - --provider=oidc
      - --client-id=k8s2
      - --client-secret=Sd28cf1-1e14-4db1-8ed1-5ba64e1cd421
      - --cookie-secret=x-1vrrMhC-886ITuz8ySNw==
      - --oidc-issuer-url=https://keycloak-test.domain.com/auth/realms/local
      - --email-domain=*
      - --scope=openid profile email users
      - --cookie-domain=.domain.com
      - --whitelist-domain=.domain.com
      - --pass-authorization-header=true
      - --pass-access-token=true
      - --pass-user-headers=true
      - --set-authorization-header=true
      - --set-xauthrequest=true
      - --cookie-refresh=1m
      - --cookie-expire=30m
      - --http-address=0.0.0.0:8091
---
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy
  labels:
    name: oauth2-proxy
spec:
  ports:
  - name: http
    port: 8091
    targetPort: 8091
  selector:
    name: oauth2-proxy
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
  name: oauth2-proxy
  namespace: its
spec:
  rules:
    - host: oauth2-proxy.domain.com
      http:
        paths:
          - path: /oauth2
            backend:
              serviceName: oauth2-proxy
              servicePort: 8091
  tls:
    - hosts:
      - oauth2-proxy.domain.com
      secretName: cert-wild.oauth2-proxy.domain.com


Answer 1:

You can try setting --insecure-oidc-allow-unverified-email in your oauth2-proxy configuration. Alternatively, in Keycloak, mark the user's email as verified in the user settings.
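To see which of the two fixes applies, it helps to look at the `email_verified` claim that the log line in the question complains about. The following is an added diagnostic example, not part of the original answer and not oauth2-proxy's own code: the function names, the constructed sample token and the rule "reject only when `email_verified` is present and false" are assumptions made for illustration.

```python
import base64
import json


def decode_id_token_claims(id_token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def email_check(claims, allow_unverified=False):
    """Assumed model of the proxy's check; returns (accepted, reason).

    allow_unverified mirrors --insecure-oidc-allow-unverified-email.
    """
    email = claims.get("email")
    if not email:
        return False, "id_token carries no email claim"
    verified = claims.get("email_verified")  # assumption: an absent claim is not a failure
    if verified is False and not allow_unverified:
        return False, f"email in id_token ({email}) isn't verified"
    if verified is False:
        return True, f"accepted UNVERIFIED email {email} (insecure override on)"
    return True, f"accepted email {email}"


def make_sample_token(claims):
    """Build a constructed, unsigned sample token (placeholder signature)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


# Constructed sample: claims for a user whose email is not marked verified in Keycloak.
SAMPLE_TOKEN = make_sample_token({
    "iss": "https://keycloak-test.domain.com/auth/realms/local",
    "aud": "k8s2", "email": "user1@user.com", "email_verified": False,
})

if __name__ == "__main__":
    for allow in (False, True):
        print(allow, email_check(decode_id_token_claims(SAMPLE_TOKEN), allow))
```

With `--set-xauthrequest=true` and `--email-domain=*` as in the question, turning on the override forwards an address Keycloak has not confirmed to the upstream app in `X-Auth-Request-Email`, so marking the email verified in Keycloak is the narrower of the two fixes.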
