Keycloak: supporting a single realm per domain while serving on multiple domains

Date: 2019-04-11 14:30:04

Tags: security openid keycloak

I am building an application ecosystem on Kubernetes, using Keycloak as the authentication/authorization provider. Everything I am (or may be) planning to integrate with it goes through OpenID (OAuth2), and user credentials and other private information should never leave the Keycloak instance in unencrypted form.

I am trying to think through the whole authentication scheme while implementing the following configuration.

Realms

myservice: Realm containing the public and back-office users of my application. 
           All microservices that I have are authenticating users against this realm.

master:    Contains admins, keycloak administrators and other resources which 
           should not be ever exposed to the public or intranet users. No microservice 
           ever performs authentication on this realm.

1.  domain: account.myservice.com
    access: public
    cors: allow requests from app.myservice.com
    config: kubernetes-ingress
    exposes: configured themes to support login, registration, etc.. Endpoints 
        for public front-end application token validation
    description: Only exposes access to a realm called "myservice" in keycloak. 
        No users from other realms can login or interact.

2.  domain: account.internal.myservice.com
    access: intranet/admins
    cors: allow requests from back-office.internal.myservice.com
    config: kubernetes-ingress
    exposes: configured themes to support login, registration, etc.. Endpoints 
        for back-end front-end application token validation
    description: Exposes all the realms and provides access to keycloak 
        administrative UI.

3.  domain: keycloak (keycloak.default.svc.cluster.local)
    access: cluster-internal
    cors: none
    config: kubernetes service, visible only inside the cluster
    exposes: endpoints for back-end application token validation
    description: Only exposes realm "myservice" and is used for other services to 
        validate user tokens and similar stuff.

I have indeed run into a number of problems while trying to implement the configuration above. If I do SSL termination inside Keycloak, I cannot configure the different domains through a reverse proxy or something similar, which in turn means Keycloak would have to provide a feature to listen on separate SSL-encrypted ports with only one realm available on each. It does not. So, am I thinking about this in a strange way? Is best practice different from what I want?
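The three-domain layout from the question can be approximated without any per-port realm feature in Keycloak by terminating TLS at the ingress and restricting the paths each host may reach. The following manifests are an added example, not part of the original post and not a Keycloak-project artifact. They assume the NGINX ingress controller, a Keycloak image of the jboss/keycloak line (2019 era) whose endpoints live under `/auth` (`/auth/realms/<realm>/...` for OIDC, login pages and the account console, `/auth/resources/...` for theme assets, `/auth/admin/...` for the admin UI), a Service named `keycloak` on port 8080 in namespace `default`, and TLS Secrets named `account-tls` and `account-internal-tls`. All of these names are illustrative.

```yaml
# Added example (not from the original post). Assumed: NGINX ingress controller,
# Keycloak under /auth, Service "keycloak":8080 in namespace "default",
# TLS secrets "account-tls" and "account-internal-tls". Names are illustrative.
---
# 1. Public host: only the "myservice" realm and the theme assets its pages load.
#    /auth/admin and /auth/realms/master are not routed here at all, so the
#    ingress controller answers them with its default 404.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-public
  namespace: default
  annotations:
    # CORS for the public SPA; the client's "Web Origins" in the realm must match too
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-origin: "https://app.myservice.com"
spec:
  tls:
    - hosts: [account.myservice.com]
      secretName: account-tls
  rules:
    - host: account.myservice.com
      http:
        paths:
          # OIDC endpoints, login/registration actions and account console of this realm only
          - path: /auth/realms/myservice/
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  number: 8080
          # static theme resources (css/js/images) referenced by the login pages
          - path: /auth/resources/
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  number: 8080
---
# 2. Intranet host: every realm plus the administrative UI. Reachability of this
#    host is what protects the master realm, so it must not be exposed publicly
#    (e.g. restrict it with an allow-list or keep it on an internal load balancer).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-internal
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-origin: "https://back-office.internal.myservice.com"
spec:
  tls:
    - hosts: [account.internal.myservice.com]
      secretName: account-internal-tls
  rules:
    - host: account.internal.myservice.com
      http:
        paths:
          - path: /auth/
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  number: 8080
---
# 3. Cluster-internal: no Ingress object. Back-end services talk to the ClusterIP
#    Service directly, e.g. for the realm's signing keys:
#    http://keycloak.default.svc.cluster.local:8080/auth/realms/myservice/protocol/openid-connect/certs
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  namespace: default
spec:
  type: ClusterIP
  selector:
    app: keycloak
  ports:
    - name: http
      port: 8080
      targetPort: 8080
```

Two caveats a practitioner would want to check. First, Keycloak must be told it sits behind a TLS-terminating proxy; on the jboss/keycloak image this is the `PROXY_ADDRESS_FORWARDING=true` environment variable, otherwise redirects and the `iss` claim are built from the plain-HTTP internal address. Second, because the same realm is reached through different hostnames, the issuer in tokens follows the request's Host header unless the realm's frontend URL is pinned; back-end services validating tokens via `keycloak.default.svc.cluster.local` therefore have to be configured with the public issuer (`https://account.myservice.com/auth/realms/myservice`) rather than deriving it from the internal URL they fetch keys from. The ingress rules only hide paths; which users may log in to which realm is still enforced by Keycloak's realm and client configuration.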

0 answers