我正在使用keycloak来保护我的休息服务,并且能够获得令牌,但是当我使用此令牌来获取我的休息服务响应时,出现以下错误:
server {
listen 443 default ssl;
server_name www.erp.mysite.hr;
ssl on;
ssl_certificate /etc/ssl/eco/erp_mysite_hr/erp_mysite_hr.crt;
ssl_certificate_key /etc/ssl/eco/erp_mysite_hr/erp_mysite_hr.key;
ssl_session_timeout 30m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
location / {
#do whatever you need here
}
}
server {
listen 80;
server_name www.erp.mysite.hr;
location / {
return 301 https://$host$request_uri$is_args$args;
}
}
我关注了以下链接,但没有任何输出来解决此问题。
keycloak bearer token error - Didn't find publicKey for specified kid
Didn't find publicKey for kid ,Keycloak?
编辑1-
根据详细令牌,可以使用以下命令正确生成
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, must-revalidate, private
X-Powered-By: Undertow/1
X-XSS-Protection: 1; mode=block
Server: WildFly/11
X-Frame-Options: SAMEORIGIN
Date: Wed, 30 Jan 2019 07:42:45 GMT
Connection: keep-alive
WWW-Authenticate: Bearer realm="demorealm", error="invalid_token", error_description="Didn't find publicKey for specified kid"
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=UTF-8
Content-Length: 71
<html><head><title>Error</title></head><body>Unauthorized</body></html>
但是当使用此令牌击中rest-api时,上面的声明异常就要来了
curl -X POST -k -H 'Content-Type: application/x-www-form-urlencoded' -i 'https://<IP-ADDRESS>/auth/realms/apirealm/protocol/openid-connect/token' --data 'username=cwlcadmin&password=password@123&client_id=api-client-id&grant_type=password&client_secret=a682049d-587c-4c38-a594-814f08b0ca76'a@123&client_id=api-client-id
FYI-使用Wildfly和Wildfly提供的负载均衡器
答案 0 :(得分:1)
经过几天的苦苦挣扎,我们终于能够解决问题,并且将问题添加到Wildfly服务器中的子系统中,应该是这样
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
<secure-deployment name="sure-admin-web.war">
<realm>Realm_Name</realm>
<resource>CLIENT_APP</resource>
<use-resource-role-mappings>true</use-resource-role-mappings>
<auth-server-url>https://<KEYCLOAK-IP>:8666/auth/</auth-server-url>
<ssl-required>NONE</ssl-required>
<credential name="secret">7df18c0d-d4c7-47b1-b959-af972684dab0</credential>
</secure-deployment>
</subsystem>
在我们的情况下,我们错过了<ssl-required>NONE</ssl-required>
,在<auth-server-url>
中,我们添加了错误的负载均衡器URL,而它应该是Keycloak URL。
FYI - 负载平衡器在上工作的HTTPS
而keycloak上运行http