[Edit-1]在oauth2配置中增加作用域,添加grafana服务,删除oauth-keycloak-signin。配置是从这个链接引用的
(更新)我能够登录Keycloak页面,但它不能将我路由到Grafana服务。查看OAuth2日志,有些奇怪,Keycloak生成的访问令牌是Github验证的,而不是Keycloak:))) ->这是由于缺少oauth validate_url配置导致的。
Solution:
- 'traefik.http.middlewares.oauth-keycloak.forwardauth.address=http://oauth-keycloak:4185/oauth2/auth'
OAuth2 Proxy日志
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging | 123.28.110.207 - 411d7575-fb97-42ca-87ed-d57cad683b31 - - [2021/09/30 02:04:53] grafana.my-domain.com GET - "/oauth2/start?rd=https%3A%2F%2Fgrafana.my-domain.com%2F" HTTP/1.1 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" 302 419 0.000
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging | [2021/09/30 02:05:00] [internal_util.go:74] token validation request failed: status 400 - {"error":"invalid_request","error_description":"Token not provided"}
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging | [2021/09/30 02:05:00] [internal_util.go:69] 400 GET https://keycloak.my-domain.com/auth/realms/staging/protocol/openid-connect/userinfo?access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYa1NjbzduRjlaTUpiWDRXVU5mTlhJS2FwOG9ZMHZ1THVZZU1SUk9EQ1J3In0.eyJleHAiOjE2MzI5Njc4MDAsImlhdCI6MTYzMjk2NzUwMCwiYXV0aF90aW1lIjoxNjMyOTY3NDk5LCJqdGkiOiI4NGJjZjdiNC0yN2YzLTQ4NDktYjUzNi05OTNkNTczNzA5OWYiLCJpc3MiOiJodHRwczovL2tleWNsb2FrLnN0YWdpbmcucHJlY2lzaW9uYWcub3JnL2F1dGgvcmVhbG1zL3N0YWdpbmciLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNzk1NjE1YWUtN2VkNi00MWI3LWE5YWUtMjBkZmZhMTc1NjBhIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYXV0aGVudGljYXRpb24iLCJzZXNzaW9uX3N0YXRlIjoiZTVjM2FkMDMtNzhmNi00ZmE4LThhOTgtZTdkYjk1YjZiNmEzIiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsImRlZmF1bHQtcm9sZXMtc3RhZ2luZyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW5... {"error":"invalid_request","error_description":"Token not provided"}
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging | 123.28.110.207 - 39bea317-002b-4366-858c-01aa6f6901b6 - dathuynh@my-domain.com [2021/09/30 02:05:00] [AuthSuccess] Authenticated via OAuth2: Session{email:dathuynh@my-domain.com user: PreferredUsername: token:true groups:[/pader]}
我正在我的系统中设置keycloak和oauth2进行身份验证。系统运行在docker swarm模式下,使用trafik反向代理。我按照以下指南设置oauth2容器:https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider/#keycloak-auth-provider
我在"开发"领域创建了一个新的客户端,有效的重定向URL是https://oauth-keycloak.my-domain.com/oauth2/callback(它是Oauth URL),使用流量转发认证将请求路由到Keycloak,如果它是未经认证的。
我得到Invalid parameter: redirect_uri为2例:
- 我访问Grafana,请求被路由到Keycloak
- 我尝试在OAuth配置
https://oauth-keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/auth中访问此链接。
我已经搜索并尝试了一些建议,但他们不适合我。希望你们能帮忙。我真的很感激。
这是我的docker swarm配置:
keycloak:
image: quay.io/keycloak/keycloak:15.0.2
deploy:
labels:
- "traefik.enable=true"
- "traefik.http.routers.keycloak.rule=Host(`keycloak.my-domain.com`)"
- "traefik.http.routers.keycloak.entrypoints=websecure"
- "traefik.http.routers.keycloak.tls=true"
- "traefik.http.routers.keycloak.tls.certresolver=leresolver"
# Set up service
- "traefik.http.routers.keycloak.service=keycloak-svc"
- "traefik.http.services.keycloak-svc.loadbalancer.server.port=8080"
environment:
- "DB_VENDOR=POSTGRES"
- "DB_ADDR=postgis"
- "DB_DATABASE=${POSTGRES_DB}"
- "DB_USER=${POSTGRES_USER}"
- "DB_PASSWORD=${POSTGRES_PASSWORD}"
- "KEYCLOAK_USER="
- "KEYCLOAK_PASSWORD="
- "PROXY_ADDRESS_FORWARDING=true"
- "KEYCLOAK_LOGLEVEL=DEBUG" # DEBUG, ERROR, INFO
grafana:
image: grafana/grafana
deploy:
resources:
limits:
memory: 256M
labels:
- "traefik.enable=true"
- "traefik.http.routers.grafana.rule=Host(`grafana.my-domain.com`)"
- "traefik.http.routers.grafana.entrypoints=websecure"
- "traefik.http.routers.grafana.tls=true"
- "traefik.http.routers.grafana.tls.certresolver=leresolver"
# Basic HTTP authentication
- "traefik.http.routers.grafana.middlewares=oauth-keycloak"
# Set up service
- "traefik.http.services.grafana-svc.loadbalancer.server.port=3000"
- "traefik.http.routers.grafana.service=grafana-svc"
environment:
- GF_SECURITY_ADMIN_USER=my-username
- GF_SECURITY_ADMIN_PASSWORD=my-pasword
- GF_USERS_ALLOW_SIGN_UP=true
volumes:
- "/home/app/grafana:/var/lib/grafana"
oauth-keycloak:
image: quay.io/oauth2-proxy/oauth2-proxy
deploy:
labels:
- "traefik.enable=true"
- "traefik.http.routers.oauth-keycloak.rule=Host(`oauth-keycloak.my-domain.com`) || PathPrefix(`/oauth2`)"
- "traefik.http.routers.oauth-keycloak.entrypoints=websecure"
- "traefik.http.routers.oauth-keycloak.tls=true"
- "traefik.http.routers.oauth-keycloak.tls.certresolver=leresolver"
# Set up service
- "traefik.http.routers.oauth-keycloak.service=oauth-keycloak-svc"
- "traefik.http.services.oauth-keycloak-svc.loadbalancer.server.port=4185"
# Set up middlewares
- 'traefik.http.middlewares.oauth-keycloak.forwardauth.address=http://oauth-keycloak:4185'
- 'traefik.http.middlewares.oauth-keycloak.forwardauth.trustForwardHeader=true'
- 'traefik.http.middlewares.oauth-keycloak.forwardauth.authResponseHeaders=X-Forwarded-User'
# - "traefik.http.middlewares.oauth-keycloak-signin.errors.service=oauth-keycloak-svc"
# - "traefik.http.middlewares.oauth-keycloak-signin.errors.status=401-403"
# - "traefik.http.middlewares.oauth-keycloak-signin.errors.query=/oauth2/sign_in"
environment:
OAUTH2_PROXY_CLIENT_ID: 'development'
OAUTH2_PROXY_CLIENT_SECRET: ''
OAUTH2_PROXY_PROVIDER: 'keycloak'
OAUTH2_PROXY_SCOPE: 'profile email address phone'
OAUTH2_PROXY_LOGIN_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/auth'
OAUTH2_PROXY_REDEEM_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/token'
OAUTH2_PROXY_PROFILE_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/userinfo'
OAUTH2_PROXY_VALIDATE_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/userinfo'
OAUTH2_PROXY_COOKIE_DOMAINS: 'my-domain.com'
OAUTH2_PROXY_HTTP_ADDRESS: '0.0.0.0:4185'
OAUTH2_PROXY_COOKIE_REFRESH: '1h'
OAUTH2_PROXY_COOKIE_SECURE: 'false'
OAUTH2_PROXY_COOKIE_SECRET: '0Y18nYVtNLzKQroYQpi0jw=='
OAUTH2_PROXY_EMAIL_DOMAINS: 'my-domain.com'
OAUTH2_PROXY_REVERSE_PROXY: 'true'
OAUTH2_PROXY_WHITELIST_DOMAINS: 'my-domain.com'
OAUTH2_PROXY_SHOW_DEBUG_ON_ERROR: 'true'
您为https://oauth-keycloak.my-domain.com/oauth2/callback配置了一个有效的重定向URI。在访问grafana的情况下,你的重定向uri应该是https://grafana.my-domain.com/oauth2/callback。您还需要将其添加到有效的重定向uri列表中。