nginx - Keycloak, oauth2-proxy and nginx.ingress.kubernetes

Tags: nginx kubernetes proxy keycloak oauth2-proxy

I am having a problem authenticating a Kubernetes webapp via oauth2-proxy/keycloak and cannot figure out what is wrong.

  • Webapp (test-app.domain.com)
  • oauth2-proxy (oauth2-proxy.domain.com)
  • keycloak (keycloak-test.domain.com)

    All three applications run separately.
    Description of the authentication process:
    After opening test.domain.com I am redirected to https://keycloak-test.domain.com/auth/realms/local/protocol/openid-connect/auth?approval_prompt=force&client_id=k8s2&redirect_uri=https%3A%2F%2Foauth2-proxy.domain.com%2Foauth2%2Fcallback&response_type=code&scope=openid+profile+email+users&state=7a6504626c89d85dad9337f57072d7e4%3Ahttps%3A%2F%2Ftest-app%2F
    The Keycloak login page is displayed correctly, but after the user logs in I get: 500 Internal Server Error with URL https://oauth2-proxy.domain.com/oauth2/callback?state=753caa3a281921a02b97d3efeabe7adf%3Ahttps%3A%2F%2Ftest-app.domain.com%2F&session_state=f5d45a13-5383-4a79-aa7a-56bbaa16056f&code=5344ae72-a9ee-448f-95ef-45e413f69f4b.f5d45a13-5383-4a79-aa7a-56bbaa16056f.78732ee5-af17-43fc-9f52-856e06bfce04
    Logs from oauth2-proxy
    [2021/03/16 11:25:35] [stored_session.go:76] Error loading cookied session: cookie "_oauth2_proxy" not present, removing session
    10.30.21.14:35382 - - [2021/03/16 11:25:35] oauth2-proxy.domain.com GET - "/oauth2/auth" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15" 401 13 0.000
    10.96.5.198:35502 - - [2021/03/16 11:25:35] oauth2-proxy.domain.com GET - "/oauth2/start?rd=https://test-app.domain.com/" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15" 302 400 0.000
    [2021/03/16 11:25:39] [oauthproxy.go:753] Error redeeming code during OAuth2 callback: email in id_token (user1@user.com) isn't verified
    10.96.5.198:35502 - - [2021/03/16 11:25:39] oauth2-proxy.domain.com GET - "/oauth2/callback?state=1fe22deb33ce4dc7e316f23927b8d821%3Ahttps%3A%2F%2Ftest-app.domain.com%2F&session_state=c69d7a8f-32f2-4a84-a6af-41b7d2391561&code=4759cce8-1c1c-4da3-ba94-9987c2ce3e02.c69d7a8f-32f2-4a84-a6af-41b7d2391561.78732ee5-af17-43fc-9f52-856e06bfce04" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15" 500 345 0.030
    
    Test app ingress
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      annotations:
        nginx.ingress.kubernetes.io/auth-url: "oauth2-proxy.domain.com/oauth2/auth"
        nginx.ingress.kubernetes.io/auth-signin: "oauth2-proxy.domain.com/oauth2/start?rd=$scheme://$best_http_host$request_uri"
        nginx.ingress.kubernetes.io/auth-response-headers: "x-auth-request-user, x-auth-request-email, x-auth-request-access-token"
        nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
      name: test-app
      namespace: its
    spec:
      rules:
        - host: test-app.domain.com
          http:
            paths:
              - path: /
                backend:
                  serviceName: test-app
                  servicePort: http
    
      tls:
        - hosts:
          - test-app.domain.com
          secretName: cert-wild.test-proxy.domain.com
    
    oauth2-proxy config and ingress
    containers:
    - name: oauth2-proxy
      image: quay.io/oauth2-proxy/oauth2-proxy:latest
      ports:
      - containerPort: 8091
      args:
      - --provider=oidc
      - --client-id=k8s2
      - --client-secret=Sd28cf1-1e14-4db1-8ed1-5ba64e1cd421
      - --cookie-secret=x-1vrrMhC-886ITuz8ySNw==
      - --oidc-issuer-url=https://keycloak-test.domain.com/auth/realms/local
      - --email-domain=*
      - --scope=openid profile email users
      - --cookie-domain=.domain.com
      - --whitelist-domain=.domain.com
      - --pass-authorization-header=true
      - --pass-access-token=true
      - --pass-user-headers=true
      - --set-authorization-header=true
      - --set-xauthrequest=true
      - --cookie-refresh=1m
      - --cookie-expire=30m
      - --http-address=0.0.0.0:8091
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: oauth2-proxy
      labels:
        name: oauth2-proxy
    spec:
      ports:
      - name: http
        port: 8091
        targetPort: 8091
      selector:
        name: oauth2-proxy
    ---
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      annotations:
        nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
      name: oauth2-proxy
      namespace: its
    spec:
      rules:
        - host: oauth2-proxy.domain.com
          http:
            paths:
              - path: /oauth2
                backend:
                  serviceName: oauth2-proxy
                  servicePort: 8091
      tls:
        - hosts:
          - oauth2-proxy.domain.com
          secretName: cert-wild.oauth2-proxy.domain.com
    

    Best answer

    You can try setting --insecure-oidc-allow-unverified-email in the oauth2-proxy configuration.
    Alternatively, in Keycloak, mark the user's email as verified in the user settings.
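As an added illustration (written for this page; not oauth2-proxy's own code and not part of the original answer), here is a simplified Python model of the two checks behind the 500 in the question's log, and how each of the two fixes from the answer changes the outcome. The flag names and the log message come from the page; the args list, the id_token and its claims are constructed sample data, the third JWT segment is a placeholder rather than a signature, and `--email-domain` matching is reduced to exact domain matches. The model assumes the token's signature and issuer have already been validated before the claims are inspected.

```python
"""Model of oauth2-proxy's email checks on an OIDC id_token.

Added example: a simplified re-implementation for this page, not
oauth2-proxy's own code. It reads the relevant flags from a
Deployment-style args list and applies the two decisions that produced
the 500 in the question: is the email claim verified, and is its domain
allowed. Signature verification is assumed to have happened already.
"""
import base64
import json
from typing import Dict, List, Tuple

# Constructed sample args: a subset of the question's oauth2-proxy Deployment.
DEPLOYMENT_ARGS: List[str] = [
    "--provider=oidc",
    "--client-id=k8s2",
    "--oidc-issuer-url=https://keycloak-test.domain.com/auth/realms/local",
    "--email-domain=*",
    "--scope=openid profile email users",
]

# Constructed sample claims; "user1@user.com" is the address from the log line.
UNVERIFIED_CLAIMS: Dict = {
    "iss": "https://keycloak-test.domain.com/auth/realms/local",
    "sub": "constructed-subject-id",
    "email": "user1@user.com",
    "email_verified": False,
}
VERIFIED_CLAIMS: Dict = dict(UNVERIFIED_CLAIMS, email_verified=True)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_id_token(claims: Dict) -> str:
    """Build a JWT-shaped sample token. The third segment is a placeholder,
    not a real signature; it only gives the parser below a realistic input."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return ".".join([
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
        "PLACEHOLDER-SIGNATURE",
    ])


def id_token_claims(id_token: str) -> Dict:
    """Return the payload claims of a three-part JWT (no signature check here)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


def settings_from_args(args: List[str]) -> Dict:
    """Extract the two flags this model cares about from the container args."""
    domains = [a.split("=", 1)[1] for a in args if a.startswith("--email-domain=")]
    return {
        "email_domains": domains,
        "allow_unverified": "--insecure-oidc-allow-unverified-email" in args,
    }


def check_email(claims: Dict, email_domains: List[str],
                allow_unverified: bool) -> Tuple[bool, str]:
    """Decide whether the login is accepted. The reason for the unverified
    case mirrors the oauth2-proxy log line quoted in the question."""
    email = claims.get("email")
    if not email:
        return False, "no email claim in id_token"
    if not claims.get("email_verified", False) and not allow_unverified:
        return False, f"email in id_token ({email}) isn't verified"
    if "*" in email_domains:
        return True, "accepted: any email domain allowed"
    domain = email.rsplit("@", 1)[-1].lower()
    if domain in (d.lower() for d in email_domains):
        return True, f"accepted: domain {domain} is allowed"
    return False, f"email domain {domain} is not in --email-domain"


def decide(args: List[str], id_token: str) -> Tuple[bool, str]:
    """End-to-end: flags from the Deployment plus claims from the token."""
    s = settings_from_args(args)
    return check_email(id_token_claims(id_token), s["email_domains"],
                       s["allow_unverified"])


if __name__ == "__main__":
    scenarios = {
        "as in the question (unverified email)":
            (DEPLOYMENT_ARGS, UNVERIFIED_CLAIMS),
        "fix 1: --insecure-oidc-allow-unverified-email":
            (DEPLOYMENT_ARGS + ["--insecure-oidc-allow-unverified-email"], UNVERIFIED_CLAIMS),
        "fix 2: email marked verified in Keycloak":
            (DEPLOYMENT_ARGS, VERIFIED_CLAIMS),
    }
    for name, (args, claims) in scenarios.items():
        ok, reason = decide(args, make_sample_id_token(claims))
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

The two fixes are not equivalent from a defender's point of view: the Keycloak-side fix keeps the `email_verified` guarantee for every user, while the flag removes that check for all logins, which matters whenever the email claim is later used for authorization (for example a non-wildcard `--email-domain` allow-list, as the restricted-domain case in the model shows).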

    Regarding "nginx - Keycloak, oauth2-proxy and nginx.ingress.kubernetes", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/66654485/
