Keycloak 和 Nginx：auth_request

Posted 2023-02-19

【中文标题】Keycloak 和 Nginx：auth_request

【英文标题】：Keycloak and Nginx: auth_request

【发布时间】：2019-02-08 12:58:18

【问题描述】：

我正在尝试使用 keycloak 代理设置 auth_request，但它不起作用（nginx 返回 500 状态代码）。

这是我的例子：

nginx.conf

upstream target_host 
    server prometheus:9090;


upstream oauth_host 
    server keycloak-proxy:8181;


server 

  listen 80;
  server_name myexample.com;


  location = /oauth2/ 
    proxy_pass       http://oauth_host/oauth2/;
    proxy_redirect              default;
    proxy_set_header   Host             $host;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_set_header   X-Original-URI $request_uri;
    proxy_set_header   Content-Length   "";
    proxy_pass_request_body           off;
  

  location / 
      auth_request /oauth2/; 
      proxy_pass http://target_host/;
  

proxy.json

    "target-url": "http://myexample.com/",
    "target-request-timeout": "60000",
    "send-access-token": true,
    "bind-address": "0.0.0.0",
    "http-port": "8181",
    "applications": [
        
            "base-path": "/oauth2/",
            "proxy-address-forwarding": true,
            "adapter-config": 
                "realm": "test",
                "disable-trust-manager": true,
                "resource": "account",
                "auth-server-url": "https://keycloak:8443/auth",
                "ssl-required" : "external",
                "credentials": 
                    "secret": "75ddbbd9-e98c-437e-9815-a8b66e9e58ec"
                
            
            ,
            "constraints": [
                
                    "pattern": "/*",
                    "roles-allowed": [
                        "custom_role"
                    ]
                
            ]
        
    ]

Nginx 日志：

172.19.0.1 - - [03/Sep/2018:14:50:14 +0200] "GET / HTTP/1.1" 500 193 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0" "-"
172.19.0.1 - - [03/Sep/2018:14:50:14 +0200] "GET / HTTP/1.1" 500 193 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0" "-"
2018/09/03 14:50:14 [error] 8#8: *21 auth request unexpected status: 302 while sending to client, client: 172.19.0.1, server: myexample.com, request: "GET / HTTP/1.1", host: "myexample.com"
2018/09/03 14:50:14 [error] 8#8: *23 auth request unexpected status: 302 while sending to client, client: 172.19.0.1, server: myexample.com, request: "GET / HTTP/1.1", host: "myexample.com"

http://keycloak-proxy:8181 -> Keycloak 代理 https://keycloak:443 -> 钥匙斗篷 http://prometheus:9090 -> 普罗米修斯 http://myexample.com -> Nginx

我想知道如何正确设置 auth_request。 任何人都可以帮忙吗？

谢谢

【问题讨论】：

你用 nginx 代理隐藏 keycloak 吗？如果是，您会错过那里的 KC 配置。

不，实际上在 /oauth2 位置有重定向到 keycloak 的工作，但我想知道它是否正确......我想我也应该对 keycloak 本身进行代理传递。 keycloak-proxy和keycloak生成的redirect uri可能有问题

您使用新的 keycloak 网守是否成功？

【参考方案1】：

您对 oAuth2 服务的请求正在使用302 HTTP 代码重定向，如果您遵循重定向，它可能会给您希望的响应。

location = /oauth2/ 
    # Other stuff..
    # You may need to comment out this:
    # proxy_redirect default;
    # Then, add this:
    proxy_intercept_errors on;
    error_page 302 = @handle_redirect;

location @handle_redirect 
    set $saved_redirect_location '$upstream_http_location';
    proxy_pass $saved_redirect_location;