For the keycloak-19.0.3-legacy docker image, how do I enable the redirect_uri legacy functionality



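I need to set the flags that enable the default redirect_uri behavior for keycloak 19.0.3-legacy.
However, nothing I have tried so far has worked. We are using the standalone-ha.xml config file. (Not sure if this is the right place to configure this.)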

I need to set the following flags:

spi-login-protocol-openid-connect-suppress-logout-confirmation-screen=true
spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true

https://www.keycloak.org/docs/19.0.3/upgrading/openid-connect-logout-prompt
https://www.keycloak.org/docs/latest/upgrading/openid-connect-logout

However, I run a standalone instance and do not start it with kc.sh.

I tried setting environment variables, without success:

KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_LEGACY_LOGOUT_REDIRECT_URI=true
KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_SUPPRESS_LOGOUT_CONFIRMATION_SCREEN=true
and
KEYCLOAK_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_LEGACY_LOGOUT_REDIRECT_URI=true
KEYCLOAK_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_SUPPRESS_LOGOUT_CONFIRMATION_SCREEN=true
and
SPI_LOGIN_PROTOCOL_OPENID_CONNECT_LEGACY_LOGOUT_REDIRECT_URI=true
SPI_LOGIN_PROTOCOL_OPENID_CONNECT_SUPPRESS_LOGOUT_CONFIRMATION_SCREEN=true
and
LEGACY_LOGOUT_REDIRECT_URI=true
SUPPRESS_LOGOUT_CONFIRMATION_SCREEN=true

I also tried adding it to a config file, but it doesn't seem to be picked up from where the Dockerfile places it.

Dockerfile:

COPY conf.d/keycloak.conf /opt/jboss/keycloak/conf/keycloak.conf
and
COPY conf.d/keycloak.conf /opt/keycloak/conf/keycloak.conf

keycloak.conf

spi-login-protocol-openid-connect-suppress-logout-confirmation-screen=true
spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true
and
suppress-logout-confirmation-screen=true
legacy-logout-redirect-uri=true

I also tried adding it to the docker-entrypoint.sh arguments:

exec /opt/jboss/tools/docker-entrypoint.sh $@ -Dspi-login-protocol-openid-connect-suppress-logout-confirmation-screen=true -Dspi-login-protocol-openid-connect-legacy-logout-redirect-uri=true
and
--This one won't even start up. It fails stating that the parameters are invalid.
exec /opt/jboss/tools/docker-entrypoint.sh $@ --spi-login-protocol-openid-connect-suppress-logout-confirmation-screen=true --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true

Update 1/24/23

Tried updating standalone-ha.xml, but it seems to be ignored:

<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
    <web-context>auth</web-context>
    <providers>
        <provider>
            classpath:${jboss.home.dir}/providers/*
        </provider>
        <provider>
            module:org.keycloak.storage.ldap.LDAPSyncOnly
        </provider>
    </providers>
    <master-realm-name>master</master-realm-name>
    <scheduled-task-interval>900</scheduled-task-interval>
    <theme>
        <staticMaxAge>2592000</staticMaxAge>
        <cacheThemes>false</cacheThemes>
        <cacheTemplates>false</cacheTemplates>
        <welcomeTheme>${env.KEYCLOAK_WELCOME_THEME:keycloak}</welcomeTheme>
        <default>${env.KEYCLOAK_DEFAULT_THEME:keycloak}</default>
        <dir>${jboss.home.dir}/themes</dir>
    </theme>
    ... Bunch of other spi tags. ...
    <spi name="login-protocol">
        <provider name="openid-connect" enabled="true">
            <properties>
                <property name="suppress-logout-confirmation-screen" value="true"/>
                <property name="legacy-logout-redirect-uri" value="true"/>
            </properties>
        </provider>
    </spi>
</subsystem>

Useful links:

  • https://github.com/keycloak/keycloak/blob/10b7475b0431ed380d45b840578bc666ecb3263a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocolFactory.java L106-L121
    • Shows the warning messages that will be printed to the log if this is set correctly.
  • https://www.keycloak.org/server/configuration _example_configuring_the_db_url_host_parameter
    • Shows alternative ways to configure keycloak.
  • https://github.com/keycloak/keycloak-containers/tree/19.0.3
  • https://quay.io/repository/keycloak/keycloak?tab=tags

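We figured it out.
By adding the following CLI commands, we were able to correctly update the high-availability config file to enable the legacy flags.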

embed-server --server-config=standalone-ha.xml --std-out=echo
/subsystem=keycloak-server/spi=login-protocol:add
/subsystem=keycloak-server/spi=login-protocol/provider=openid-connect:add(enabled=true)
/subsystem=keycloak-server/spi=login-protocol/provider=openid-connect:write-attribute(name=properties.legacy-logout-redirect-uri,value=true)
/subsystem=keycloak-server/spi=login-protocol/provider=openid-connect:write-attribute(name=properties.suppress-logout-confirmation-screen,value=true)
stop-embedded-server

I don't know why this works, but manually editing the standalone-ha.xml config did not.
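
A way to confirm what actually ended up in standalone-ha.xml after the CLI script has run, or to audit which deployments carry the two logout compatibility flags. This is an added example, not code from the post or from the Keycloak project; `logout_compat_flags` and `SAMPLE` are hypothetical names, and the sample XML is constructed from the structure shown in the question.

```python
import sys
import xml.etree.ElementTree as ET

# Both flags belong to the openid-connect provider of the login-protocol SPI.
FLAGS = ("legacy-logout-redirect-uri", "suppress-logout-confirmation-screen")

# Constructed sample, trimmed from the structure shown in the question.
SAMPLE = """<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
  <spi name="login-protocol">
    <provider name="openid-connect" enabled="true">
      <properties>
        <property name="suppress-logout-confirmation-screen" value="true"/>
        <property name="legacy-logout-redirect-uri" value="true"/>
      </properties>
    </provider>
  </spi>
</subsystem>"""


def local(tag):
    """Drop the '{namespace}' prefix so any subsystem schema version matches."""
    return tag.rsplit("}", 1)[-1]


def children(parent, tag, name=None):
    """Direct children with the given local tag and, optionally, name attribute."""
    return [c for c in parent if local(c.tag) == tag
            and (name is None or c.get("name") == name)]


def logout_compat_flags(xml_text):
    """Return {flag: value or None} as stored for the openid-connect provider."""
    found = dict.fromkeys(FLAGS)
    for sub in ET.fromstring(xml_text).iter():
        if local(sub.tag) != "subsystem" or "keycloak-server" not in sub.tag:
            continue
        for spi in children(sub, "spi", "login-protocol"):
            for prov in children(spi, "provider", "openid-connect"):
                for props in children(prov, "properties"):
                    for prop in children(props, "property"):
                        if prop.get("name") in found:
                            found[prop.get("name")] = prop.get("value")
    return found


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for flag, value in logout_compat_flags(text).items():
        print(f"{flag}: {value if value is not None else 'not set'}")
```

Run it with the path to the config file as the only argument; a flag placed under a different SPI or provider is reported as not set.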
