钥匙斗篷 returns 'Invalid parameter: redirect_uri'
Keycloak returns 'Invalid parameter: redirect_uri'
[Edit-1] 在 oauth2 配置中添加范围,添加 grafana 服务,删除 oauth-keycloak-signin。配置参考自this link
[更新] 我可以在 Keycloak 页面登录,但它无法将我路由到 Grafana 服务。查看 OAuth2 日志,有些奇怪,Keycloak 生成的访问令牌已通过 Github 验证,而不是 Keycloak :))) -> 这是由于缺少 oauth validate_url配置
Solution:
- 'traefik.http.middlewares.oauth-keycloak.forwardauth.address=http://oauth-keycloak:4185/oauth2/auth'
OAuth2 代理日志
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging | 123.28.110.207 - 411d7575-fb97-42ca-87ed-d57cad683b31 - - [2021/09/30 02:04:53] grafana.my-domain.com GET - "/oauth2/start?rd=https%3A%2F%2Fgrafana.my-domain.com%2F" HTTP/1.1 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" 302 419 0.000
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging | [2021/09/30 02:05:00] [internal_util.go:74] token validation request failed: status 400 - {"error":"invalid_request","error_description":"Token not provided"}
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging | [2021/09/30 02:05:00] [internal_util.go:69] 400 GET https://keycloak.my-domain.com/auth/realms/staging/protocol/openid-connect/userinfo?access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYa1NjbzduRjlaTUpiWDRXVU5mTlhJS2FwOG9ZMHZ1THVZZU1SUk9EQ1J3In0.eyJleHAiOjE2MzI5Njc4MDAsImlhdCI6MTYzMjk2NzUwMCwiYXV0aF90aW1lIjoxNjMyOTY3NDk5LCJqdGkiOiI4NGJjZjdiNC0yN2YzLTQ4NDktYjUzNi05OTNkNTczNzA5OWYiLCJpc3MiOiJodHRwczovL2tleWNsb2FrLnN0YWdpbmcucHJlY2lzaW9uYWcub3JnL2F1dGgvcmVhbG1zL3N0YWdpbmciLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNzk1NjE1YWUtN2VkNi00MWI3LWE5YWUtMjBkZmZhMTc1NjBhIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYXV0aGVudGljYXRpb24iLCJzZXNzaW9uX3N0YXRlIjoiZTVjM2FkMDMtNzhmNi00ZmE4LThhOTgtZTdkYjk1YjZiNmEzIiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsImRlZmF1bHQtcm9sZXMtc3RhZ2luZyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW5... {"error":"invalid_request","error_description":"Token not provided"}
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging | 123.28.110.207 - 39bea317-002b-4366-858c-01aa6f6901b6 - dathuynh@my-domain.com [2021/09/30 02:05:00] [AuthSuccess] Authenticated via OAuth2: Session{email:dathuynh@my-domain.com user: PreferredUsername: token:true groups:[/pader]}
我正在设置 keycloak 和 oauth2 以在我的系统中进行身份验证。系统在 docker 群模式下 运行 并使用 traefik 反向代理。我按照本指南设置了 oauth2 容器:https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider/#keycloak-auth-provider
我在 'development' 领域创建了一个新客户端,有效重定向 URL 是 https://oauth-keycloak.my-domain.com/oauth2/callback (它是 Oauth URL),使用 traefik forward auth如果未经身份验证,则将请求路由到 Keycloak。
我得到 Invalid parameter: redirect_uri 2 个案例:
- 我访问 Grafana,请求被路由到 Keycloak
- 我尝试在 OAuth 配置
https://oauth-keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/auth 中访问这个 link。
我已经搜索并尝试了一些建议,但它们对我不起作用。希望你们能帮忙。非常感谢。
这是我的 docker 集群配置:
keycloak:
image: quay.io/keycloak/keycloak:15.0.2
deploy:
labels:
- "traefik.enable=true"
- "traefik.http.routers.keycloak.rule=Host(`keycloak.my-domain.com`)"
- "traefik.http.routers.keycloak.entrypoints=websecure"
- "traefik.http.routers.keycloak.tls=true"
- "traefik.http.routers.keycloak.tls.certresolver=leresolver"
# Set up service
- "traefik.http.routers.keycloak.service=keycloak-svc"
- "traefik.http.services.keycloak-svc.loadbalancer.server.port=8080"
environment:
- "DB_VENDOR=POSTGRES"
- "DB_ADDR=postgis"
- "DB_DATABASE=${POSTGRES_DB}"
- "DB_USER=${POSTGRES_USER}"
- "DB_PASSWORD=${POSTGRES_PASSWORD}"
- "KEYCLOAK_USER="
- "KEYCLOAK_PASSWORD="
- "PROXY_ADDRESS_FORWARDING=true"
- "KEYCLOAK_LOGLEVEL=DEBUG" # DEBUG, ERROR, INFO
grafana:
image: grafana/grafana
deploy:
resources:
limits:
memory: 256M
labels:
- "traefik.enable=true"
- "traefik.http.routers.grafana.rule=Host(`grafana.my-domain.com`)"
- "traefik.http.routers.grafana.entrypoints=websecure"
- "traefik.http.routers.grafana.tls=true"
- "traefik.http.routers.grafana.tls.certresolver=leresolver"
# Basic HTTP authentication
- "traefik.http.routers.grafana.middlewares=oauth-keycloak"
# Set up service
- "traefik.http.services.grafana-svc.loadbalancer.server.port=3000"
- "traefik.http.routers.grafana.service=grafana-svc"
environment:
- GF_SECURITY_ADMIN_USER=my-username
- GF_SECURITY_ADMIN_PASSWORD=my-pasword
- GF_USERS_ALLOW_SIGN_UP=true
volumes:
- "/home/app/grafana:/var/lib/grafana"
oauth-keycloak:
image: quay.io/oauth2-proxy/oauth2-proxy
deploy:
labels:
- "traefik.enable=true"
- "traefik.http.routers.oauth-keycloak.rule=Host(`oauth-keycloak.my-domain.com`) || PathPrefix(`/oauth2`)"
- "traefik.http.routers.oauth-keycloak.entrypoints=websecure"
- "traefik.http.routers.oauth-keycloak.tls=true"
- "traefik.http.routers.oauth-keycloak.tls.certresolver=leresolver"
# Set up service
- "traefik.http.routers.oauth-keycloak.service=oauth-keycloak-svc"
- "traefik.http.services.oauth-keycloak-svc.loadbalancer.server.port=4185"
# Set up middlewares
- 'traefik.http.middlewares.oauth-keycloak.forwardauth.address=http://oauth-keycloak:4185'
- 'traefik.http.middlewares.oauth-keycloak.forwardauth.trustForwardHeader=true'
- 'traefik.http.middlewares.oauth-keycloak.forwardauth.authResponseHeaders=X-Forwarded-User'
# - "traefik.http.middlewares.oauth-keycloak-signin.errors.service=oauth-keycloak-svc"
# - "traefik.http.middlewares.oauth-keycloak-signin.errors.status=401-403"
# - "traefik.http.middlewares.oauth-keycloak-signin.errors.query=/oauth2/sign_in"
environment:
OAUTH2_PROXY_CLIENT_ID: 'development'
OAUTH2_PROXY_CLIENT_SECRET: ''
OAUTH2_PROXY_PROVIDER: 'keycloak'
OAUTH2_PROXY_SCOPE: 'profile email address phone'
OAUTH2_PROXY_LOGIN_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/auth'
OAUTH2_PROXY_REDEEM_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/token'
OAUTH2_PROXY_PROFILE_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/userinfo'
OAUTH2_PROXY_VALIDATE_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/userinfo'
OAUTH2_PROXY_COOKIE_DOMAINS: 'my-domain.com'
OAUTH2_PROXY_HTTP_ADDRESS: '0.0.0.0:4185'
OAUTH2_PROXY_COOKIE_REFRESH: '1h'
OAUTH2_PROXY_COOKIE_SECURE: 'false'
OAUTH2_PROXY_COOKIE_SECRET: '0Y18nYVtNLzKQroYQpi0jw=='
OAUTH2_PROXY_EMAIL_DOMAINS: 'my-domain.com'
OAUTH2_PROXY_REVERSE_PROXY: 'true'
OAUTH2_PROXY_WHITELIST_DOMAINS: 'my-domain.com'
OAUTH2_PROXY_SHOW_DEBUG_ON_ERROR: 'true'
您如前所述为 https://oauth-keycloak.my-domain.com/oauth2/callback 配置了一个有效的重定向 URI。在访问 grafana 的情况下,您的重定向 uri 应该是 https://grafana.my-domain.com/oauth2/callback。您还需要将其添加到有效重定向 URI 列表中。
[Edit-1] 在 oauth2 配置中添加范围,添加 grafana 服务,删除 oauth-keycloak-signin。配置参考自this link
[更新] 我可以在 Keycloak 页面登录,但它无法将我路由到 Grafana 服务。查看 OAuth2 日志,有些奇怪,Keycloak 生成的访问令牌已通过 Github 验证,而不是 Keycloak :))) -> 这是由于缺少 oauth validate_url配置
Solution:
- 'traefik.http.middlewares.oauth-keycloak.forwardauth.address=http://oauth-keycloak:4185/oauth2/auth'
OAuth2 代理日志
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging | 123.28.110.207 - 411d7575-fb97-42ca-87ed-d57cad683b31 - - [2021/09/30 02:04:53] grafana.my-domain.com GET - "/oauth2/start?rd=https%3A%2F%2Fgrafana.my-domain.com%2F" HTTP/1.1 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36" 302 419 0.000
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging | [2021/09/30 02:05:00] [internal_util.go:74] token validation request failed: status 400 - {"error":"invalid_request","error_description":"Token not provided"}
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging | [2021/09/30 02:05:00] [internal_util.go:69] 400 GET https://keycloak.my-domain.com/auth/realms/staging/protocol/openid-connect/userinfo?access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYa1NjbzduRjlaTUpiWDRXVU5mTlhJS2FwOG9ZMHZ1THVZZU1SUk9EQ1J3In0.eyJleHAiOjE2MzI5Njc4MDAsImlhdCI6MTYzMjk2NzUwMCwiYXV0aF90aW1lIjoxNjMyOTY3NDk5LCJqdGkiOiI4NGJjZjdiNC0yN2YzLTQ4NDktYjUzNi05OTNkNTczNzA5OWYiLCJpc3MiOiJodHRwczovL2tleWNsb2FrLnN0YWdpbmcucHJlY2lzaW9uYWcub3JnL2F1dGgvcmVhbG1zL3N0YWdpbmciLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNzk1NjE1YWUtN2VkNi00MWI3LWE5YWUtMjBkZmZhMTc1NjBhIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiYXV0aGVudGljYXRpb24iLCJzZXNzaW9uX3N0YXRlIjoiZTVjM2FkMDMtNzhmNi00ZmE4LThhOTgtZTdkYjk1YjZiNmEzIiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsImRlZmF1bHQtcm9sZXMtc3RhZ2luZyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW5... {"error":"invalid_request","error_description":"Token not provided"}
paddy_oauth-keycloak.1.nd9v50gfv9kc@staging | 123.28.110.207 - 39bea317-002b-4366-858c-01aa6f6901b6 - dathuynh@my-domain.com [2021/09/30 02:05:00] [AuthSuccess] Authenticated via OAuth2: Session{email:dathuynh@my-domain.com user: PreferredUsername: token:true groups:[/pader]}
我正在设置 keycloak 和 oauth2 以在我的系统中进行身份验证。系统在 docker 群模式下 运行 并使用 traefik 反向代理。我按照本指南设置了 oauth2 容器:https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider/#keycloak-auth-provider
我在 'development' 领域创建了一个新客户端,有效重定向 URL 是 https://oauth-keycloak.my-domain.com/oauth2/callback (它是 Oauth URL),使用 traefik forward auth如果未经身份验证,则将请求路由到 Keycloak。
我得到 Invalid parameter: redirect_uri 2 个案例:
- 我访问 Grafana,请求被路由到 Keycloak
- 我尝试在 OAuth 配置
https://oauth-keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/auth中访问这个 link。
我已经搜索并尝试了一些建议,但它们对我不起作用。希望你们能帮忙。非常感谢。
这是我的 docker 集群配置:
keycloak:
image: quay.io/keycloak/keycloak:15.0.2
deploy:
labels:
- "traefik.enable=true"
- "traefik.http.routers.keycloak.rule=Host(`keycloak.my-domain.com`)"
- "traefik.http.routers.keycloak.entrypoints=websecure"
- "traefik.http.routers.keycloak.tls=true"
- "traefik.http.routers.keycloak.tls.certresolver=leresolver"
# Set up service
- "traefik.http.routers.keycloak.service=keycloak-svc"
- "traefik.http.services.keycloak-svc.loadbalancer.server.port=8080"
environment:
- "DB_VENDOR=POSTGRES"
- "DB_ADDR=postgis"
- "DB_DATABASE=${POSTGRES_DB}"
- "DB_USER=${POSTGRES_USER}"
- "DB_PASSWORD=${POSTGRES_PASSWORD}"
- "KEYCLOAK_USER="
- "KEYCLOAK_PASSWORD="
- "PROXY_ADDRESS_FORWARDING=true"
- "KEYCLOAK_LOGLEVEL=DEBUG" # DEBUG, ERROR, INFO
grafana:
image: grafana/grafana
deploy:
resources:
limits:
memory: 256M
labels:
- "traefik.enable=true"
- "traefik.http.routers.grafana.rule=Host(`grafana.my-domain.com`)"
- "traefik.http.routers.grafana.entrypoints=websecure"
- "traefik.http.routers.grafana.tls=true"
- "traefik.http.routers.grafana.tls.certresolver=leresolver"
# Basic HTTP authentication
- "traefik.http.routers.grafana.middlewares=oauth-keycloak"
# Set up service
- "traefik.http.services.grafana-svc.loadbalancer.server.port=3000"
- "traefik.http.routers.grafana.service=grafana-svc"
environment:
- GF_SECURITY_ADMIN_USER=my-username
- GF_SECURITY_ADMIN_PASSWORD=my-pasword
- GF_USERS_ALLOW_SIGN_UP=true
volumes:
- "/home/app/grafana:/var/lib/grafana"
oauth-keycloak:
image: quay.io/oauth2-proxy/oauth2-proxy
deploy:
labels:
- "traefik.enable=true"
- "traefik.http.routers.oauth-keycloak.rule=Host(`oauth-keycloak.my-domain.com`) || PathPrefix(`/oauth2`)"
- "traefik.http.routers.oauth-keycloak.entrypoints=websecure"
- "traefik.http.routers.oauth-keycloak.tls=true"
- "traefik.http.routers.oauth-keycloak.tls.certresolver=leresolver"
# Set up service
- "traefik.http.routers.oauth-keycloak.service=oauth-keycloak-svc"
- "traefik.http.services.oauth-keycloak-svc.loadbalancer.server.port=4185"
# Set up middlewares
- 'traefik.http.middlewares.oauth-keycloak.forwardauth.address=http://oauth-keycloak:4185'
- 'traefik.http.middlewares.oauth-keycloak.forwardauth.trustForwardHeader=true'
- 'traefik.http.middlewares.oauth-keycloak.forwardauth.authResponseHeaders=X-Forwarded-User'
# - "traefik.http.middlewares.oauth-keycloak-signin.errors.service=oauth-keycloak-svc"
# - "traefik.http.middlewares.oauth-keycloak-signin.errors.status=401-403"
# - "traefik.http.middlewares.oauth-keycloak-signin.errors.query=/oauth2/sign_in"
environment:
OAUTH2_PROXY_CLIENT_ID: 'development'
OAUTH2_PROXY_CLIENT_SECRET: ''
OAUTH2_PROXY_PROVIDER: 'keycloak'
OAUTH2_PROXY_SCOPE: 'profile email address phone'
OAUTH2_PROXY_LOGIN_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/auth'
OAUTH2_PROXY_REDEEM_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/token'
OAUTH2_PROXY_PROFILE_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/userinfo'
OAUTH2_PROXY_VALIDATE_URL: 'https://keycloak.my-domain.com/auth/realms/development/protocol/openid-connect/userinfo'
OAUTH2_PROXY_COOKIE_DOMAINS: 'my-domain.com'
OAUTH2_PROXY_HTTP_ADDRESS: '0.0.0.0:4185'
OAUTH2_PROXY_COOKIE_REFRESH: '1h'
OAUTH2_PROXY_COOKIE_SECURE: 'false'
OAUTH2_PROXY_COOKIE_SECRET: '0Y18nYVtNLzKQroYQpi0jw=='
OAUTH2_PROXY_EMAIL_DOMAINS: 'my-domain.com'
OAUTH2_PROXY_REVERSE_PROXY: 'true'
OAUTH2_PROXY_WHITELIST_DOMAINS: 'my-domain.com'
OAUTH2_PROXY_SHOW_DEBUG_ON_ERROR: 'true'
您如前所述为 https://oauth-keycloak.my-domain.com/oauth2/callback 配置了一个有效的重定向 URI。在访问 grafana 的情况下,您的重定向 uri 应该是 https://grafana.my-domain.com/oauth2/callback。您还需要将其添加到有效重定向 URI 列表中。