我使用keycloak 11.0.2作为身份代理,并添加了几个带有OpenID Connect V1的身份提供程序。
当用户尝试在一个Identity提供程序中登录时,用户在UI中出现意外错误,并且这种行为并没有一直被观察到(1/10(。在检查密钥斗篷日志时,我发现userinfo端点中存在超时。
日志:
2022-01-20T08:32:53.013077386Z stdout F Caused by: java.net.SocketTimeoutException: Read timed out
......
org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
2022-01-20T08:32:53.012493482Z stdout F at org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:393)
2022-01-20T08:32:53.012485382Z stdout F at org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:432)
2022-01-20T08:32:53.012477382Z stdout F at org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:543)
2022-01-20T08:32:53.012467282Z stdout F at org.jboss.resteasy.resteasy-jaxrs@3.12.1.Final//org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
2022-01-20T08:32:53.012456182Z stdout F at java.base/java.lang.reflect.Method.invoke(Method.java:566)
2022-01-20T08:32:53.012432882Z stdout F at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
2022-01-20T08:32:53.011913079Z stdout F at jdk.internal.reflect.GeneratedMethodAccessor568.invoke(Unknown Source)
2022-01-20T08:32:53.011900478Z stdout F at org.keycloak.keycloak-services@11.0.2//org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:472)
2022-01-20T08:32:53.011880878Z stdout F at org.keycloak.keycloak-services@11.0.2//org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:386)
2022-01-20T08:32:53.011803978Z stdout F 08:32:53,010 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-21) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Could not fetch attributes from userinfo endpoint.
我的假设是userinfo端点在某个特定时间内没有响应。我说得对吗?
当密钥斗篷对IDP进行API调用时,读取时间是多少?
如何更改此超时?
在这里,我使用Docker镜像来运行带有mariaDB的keycloft。
我使用keycapture作为docker容器,并增加了套接字超时,如下所示,它对我有效:
FROM jboss/keycloak:15.0.2
ARG GIT_COMMIT_SHA=unspecified
LABEL GIT_COMMIT_SHA=$GIT_COMMIT_SHA
#Add socket timeout for outgoing http requests
RUN sed -i -e '/^ <spi name="connectionsHttpClient">/!b;n;c
<provider name="default" enabled="true">
<properties>
<property name="connection-pool-size" value="256"/>
<property name="socket-timeout-millis" value="120000"/>
</properties>
</provider>' $JBOSS_HOME/standalone/configuration/standalone.xml
RUN sed -i -e '/^ <spi name="connectionsHttpClient">/!b;n;c
<provider name="default" enabled="true">
<properties>
<property name="connection-pool-size" value="256"/>
<property name="socket-timeout-millis" value="120000"/>
</properties>
</provider>' $JBOSS_HOME/standalone/configuration/standalone-ha.xml
注意:根据上述更改,套接字超时将更新。但是,有时我还是会看到这个问题。https://github.com/keycloak/keycloak/discussions/13309(FYI(
sed命令中的上述空格是自组织的。如果有人知道如何在sed命令中提供选项卡空间,请提出建议。