Keycloak invalid_token Didn't find publicKey for specified kid

Time: 2019-01-30 09:33:55

Tags: load-balancing access-token keycloak keycloak-services wildfly-12

I am using keycloak to secure my rest service and am able to get a token, but when I use this token to get the response from my rest service I get the following error:

server {
    listen   443 default ssl;
    server_name www.erp.mysite.hr;
    ssl on;
    ssl_certificate /etc/ssl/eco/erp_mysite_hr/erp_mysite_hr.crt;
    ssl_certificate_key /etc/ssl/eco/erp_mysite_hr/erp_mysite_hr.key;
    ssl_session_timeout 30m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        #do whatever you need here
    }
}

server {
    listen  80;
    server_name www.erp.mysite.hr;
    location / {
        return 301 https://$host$request_uri$is_args$args;
    }
}

I followed the links below, but nothing came out of them that resolved this issue.

keycloak bearer token error - Didn't find publicKey for specified kid

Didn't find publicKey for kid ,Keycloak?

Edit 1 -

As per the token details, it is generated correctly using the following command

HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, must-revalidate, private
X-Powered-By: Undertow/1
X-XSS-Protection: 1; mode=block
Server: WildFly/11
X-Frame-Options: SAMEORIGIN
Date: Wed, 30 Jan 2019 07:42:45 GMT
Connection: keep-alive
WWW-Authenticate: Bearer realm="demorealm", error="invalid_token", error_description="Didn't find publicKey for specified kid"
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=UTF-8
Content-Length: 71
<html><head><title>Error</title></head><body>Unauthorized</body></html>

But when hitting the rest-api with this token, the above-mentioned exception comes up

curl -X POST -k -H 'Content-Type: application/x-www-form-urlencoded' -i 'https://<IP-ADDRESS>/auth/realms/apirealm/protocol/openid-connect/token' --data 'username=cwlcadmin&password=password@123&client_id=api-client-id&grant_type=password&client_secret=a682049d-587c-4c38-a594-814f08b0ca76'

FYI - using Wildfly and the load balancer provided by Wildfly

1 answer:

Answer 0: (score: 1)

After several days of struggling we were finally able to resolve the problem; the issue was with the subsystem added in the Wildfly server, which should be like this

<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <secure-deployment name="sure-admin-web.war">
        <realm>Realm_Name</realm>
        <resource>CLIENT_APP</resource>
        <use-resource-role-mappings>true</use-resource-role-mappings>
        <auth-server-url>https://<KEYCLOAK-IP>:8666/auth/</auth-server-url>
        <ssl-required>NONE</ssl-required>
        <credential name="secret">7df18c0d-d4c7-47b1-b959-af972684dab0</credential>
    </secure-deployment>
</subsystem>

In our case we had missed <ssl-required>NONE</ssl-required>, and in <auth-server-url> we had added the wrong load-balancer URL, whereas it should be the Keycloak URL.

FYI - the load balancer runs on HTTPS while keycloak runs on http
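Added diagnostic, not part of the original answer: a Keycloak adapter resolves the bearer token's `kid` against the JWKS it fetches from `<auth-server-url>/realms/<realm>/protocol/openid-connect/certs`, and every realm has its own signing keys, so an auth-server-url pointing at the wrong server (the load balancer instead of Keycloak) or a realm mismatch (the question's curl requests a token from apirealm while the 401 names demorealm) produces exactly this error; `ssl-required` only governs whether the adapter insists on HTTPS and does not affect key lookup. The Python below uses constructed sample data (token header, claims, two JWKS documents, placeholder hosts) to show the check; it reads the token but performs no signature verification.

```python
import base64
import json

# Constructed sample data (not from the page): a token header carrying a kid, its claims,
# and two JWKS documents as a realm's /protocol/openid-connect/certs endpoint would serve them.
TOKEN_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "apirealm-key-1"}
TOKEN_PAYLOAD = {"iss": "http://KEYCLOAK-IP:8666/auth/realms/apirealm", "sub": "cwlcadmin"}
APIREALM_JWKS = {"keys": [{"kid": "apirealm-key-1", "kty": "RSA", "alg": "RS256", "use": "sig"}]}
DEMOREALM_JWKS = {"keys": [{"kid": "demorealm-key-1", "kty": "RSA", "alg": "RS256", "use": "sig"}]}


def b64url_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token():
    # Dummy signature: this script only reads the header and claims, it never verifies.
    return f"{b64url_json(TOKEN_HEADER)}.{b64url_json(TOKEN_PAYLOAD)}.dummysig"


def decode_segment(segment):
    segment += "=" * (-len(segment) % 4)  # restore the base64 padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(segment))


def certs_url(auth_server_url, realm):
    # Where the adapter fetches signing keys for the realm under its configured auth-server-url.
    return f"{auth_server_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/certs"


def diagnose(token, auth_server_url, realm, jwks):
    """Report whether an adapter configured with auth_server_url/realm could find the token's key."""
    header, claims = (decode_segment(s) for s in token.split(".")[:2])
    kid = header.get("kid")
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)
    realm_url = f"{auth_server_url.rstrip('/')}/realms/{realm}"
    return {
        "kid": kid,
        "key_found": key is not None,  # False is what surfaces as "Didn't find publicKey for specified kid"
        "issuer_matches_adapter": claims.get("iss") == realm_url,  # Keycloak puts the realm URL in iss
        "expected_certs_url": certs_url(auth_server_url, realm),
    }


if __name__ == "__main__":
    token = make_sample_token()
    # Adapter pointed at the issuing realm on the Keycloak host: the kid resolves.
    print(diagnose(token, "http://KEYCLOAK-IP:8666/auth/", "apirealm", APIREALM_JWKS))
    # Adapter pointed at the load balancer and a different realm: kid missing, issuer mismatch.
    print(diagnose(token, "https://LB-IP/auth/", "demorealm", DEMOREALM_JWKS))
```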