在将Springboot Webapp部署到Docker时,Keycloak适配器无法验证令牌

时间:2019-12-09 03:13:51

标签: docker keycloak

我正在开发运行在Tomcat上的Springboot应用程序和React前端,以及Hasura Graphql和Keycloak。所有3个项目都在具有以下stack.yml的一个Docker堆栈中运行:

version: '3.7'

services:
  timescale-primary:
    image: timescale-replication:latest
    env_file:
      - primary.env
    networks:
      - public-network
    ports:
      - 5432:5432
    volumes:
      - timescale-primary-storage:/var/lib/postgresql/data
    deploy:
      placement:
        constraints:
          - node.labels.type == primary

  timescale-replica:
    image: timescale-replication:latest
    env_file:
      - replica.env
    networks:
      - public-network
    volumes:
      - timescale-replica-storage:/var/lib/postgresql/data
    deploy:
      placement:
        constraints:
          - node.labels.type != primary

  hasura:
    image: hasura/graphql-engine
    networks:
      - public-network
    ports:
      - 6080:8080
    env_file:
      - hasura.env
    volumes:
      - hasura-storage:/var/lib/hasura
    depends_on:
      - timescale-primary

  keycloak:
    image: keycloak
    networks:
      - public-network
    ports:
      - 9080:8080
    env_file:
      - keycloak.env
    volumes:
      - keycloak-storage:/opt/jboss/keycloak/themes
    depends_on:
      - timescale-primary

  tomcat:
    image: tomcat:v1
    networks:
      - public-network
    ports:
      - 8086:8080
    volumes:
      - tomcat-storage:/usr/local/tomcat/webapps:Z
      - tomcat-log-storage:/var/log/tomcat:Y

networks:
  public-network:

volumes:
  timescale-primary-storage:
  timescale-replica-storage:
  hasura-storage:
  keycloak-storage:
  tomcat-storage:
  tomcat-log-storage:

SpringBoot Web应用程序是在http://tomcat:8080/backend下运行的graphql服务器,而React应用程序则在http://tomcat:8080/ui下部署。

在Hasura内部,我设置了一个远程模式以指向该服务器http://tomcat:8080/backend/graphql,并转发了所有客户端标头。

基本上,React应用通过Hasura间接访问“后端”。

在Keycloak中,我为“ ui”应用程序设置了公共客户端,为“后端”应用程序设置了机密客户端。

然后,我将获得如下身份验证流程:

  1. 在Docker的主机上,致电http://localhost:8086/ui
  2. 已转发到localhost:9080 / auth / ...(Keycloak的登录屏幕)
  3. 成功登录后,重定向到“ ui”应用
  4. React应用调用Hasura
  5. Hasura调用“后端”并获得“无法验证令牌”,“无效的授权标头,有关详细信息,请参见WWW-Authenticate标头” 
2019-12-09 02:47:59.163 DEBUG 1 --- [io-8080-exec-30] o.k.adapters.PreAuthActionsHandler       : adminRequest http://tomcat:8080/backend/graphql
2019-12-09 02:47:59.164 DEBUG 1 --- [io-8080-exec-30] f.KeycloakAuthenticationProcessingFilter : Request is to process authentication
2019-12-09 02:47:59.164 DEBUG 1 --- [io-8080-exec-30] f.KeycloakAuthenticationProcessingFilter : Attempting Keycloak authentication
2019-12-09 02:47:59.165 TRACE 1 --- [io-8080-exec-30] o.k.adapters.RequestAuthenticator        : --> authenticate()
2019-12-09 02:47:59.165 TRACE 1 --- [io-8080-exec-30] o.k.adapters.RequestAuthenticator        : try bearer
2019-12-09 02:47:59.165 DEBUG 1 --- [io-8080-exec-30] o.k.a.BearerTokenRequestAuthenticator    : Found [1] values in authorization header, selecting the first value for Bearer.
2019-12-09 02:47:59.165 DEBUG 1 --- [io-8080-exec-30] o.k.a.BearerTokenRequestAuthenticator    : Verifying access_token
2019-12-09 02:47:59.165 TRACE 1 --- [io-8080-exec-30] o.k.a.BearerTokenRequestAuthenticator    :        access_token: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJyb1NzQ2I1VWJPeDYyZHltWThzUm9qR2lGMHpINDJXQWdOU0JFd0Q2TEFFIn0.eyJqdGkiOiIyOWJlZmQ4MC04NGU3LTQ5NzMtOGQyMS0zOWE3ZTZiZjZiMjMiLCJleHAiOjE1NzU4NTk5NzksIm5iZiI6MCwiaWF0IjoxNTc1ODU5Njc5LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjkwODAvYXV0aC9yZWFsbXMvdGQyMSIsInN1YiI6ImRlNWM2NjRhLWY0NTQtNDI0NC05OTY4LWJmYzAwZDg2YjA2ZSIsInR5cCI6IkJlYXJlciIsImF6cCI6InRkMjEtd2ViLXVpIiwibm9uY2UiOiJmZWE1NjE4My1kNDE2LTQ3NTktOWI0Yi1kNzI1NTVjZTA5OTAiLCJhdXRoX3RpbWUiOjE1NzU4NTg5NDksInNlc3Npb25fc3RhdGUiOiJiMmY2MjBhMC00MDRjLTRiYTctOGNlYy04OGQ2Y2Y3MDZmZmUiLCJhY3IiOiIwIiwiYWxsb3dlZC1vcmlnaW5zIjpbIioiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIkFETUlOIl19LCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiJ9.signature
2019-12-09 02:47:59.167 DEBUG 1 --- [io-8080-exec-30] o.k.a.BearerTokenRequestAuthenticator    : Failed to verify token
2019-12-09 02:47:59.167 DEBUG 1 --- [io-8080-exec-30] o.k.adapters.RequestAuthenticator        : Bearer FAILED
2019-12-09 02:47:59.167 DEBUG 1 --- [io-8080-exec-30] f.KeycloakAuthenticationProcessingFilter : Auth outcome: FAILED
2019-12-09 02:47:59.167 DEBUG 1 --- [io-8080-exec-30] f.KeycloakAuthenticationProcessingFilter : Authentication request failed: org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details

org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details
        at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:158) ~[keycloak-spring-security-adapter-7.0.0.jar:7.0.0]

如果我将React和Springboot应用程序直接安装在Docker主机上的Tomcat中,则对后端的身份验证很好。仅在将所有内容都部署到Docker中时,才会发生此问题。

我是Keycloak和Docker的新手,感谢您的帮助。

1 个答案:

答案 0 :(得分:0)

为了使身份验证有效,React应用程序和springboot应用程序的Keycloak URL必须相同。即您不能将localhost用于另一个,而将Docker容器名称用于另一个。

就我而言,可以使用公共IP或实际域名。

相关问题
最新问题