Java.net.ConnectException:Keycloak 的客户端在 Auth 路由时在 Docker 上被拒绝连接

Java.net.ConnectException: Keycloak's Client gets Connection refused on Docker while Auth routing

如果我有一个 Keycloak 服务器 运行ning 在本地 docker 桌面和一个客户端应用程序 运行ning 在本地(非 dockerized 场景), 效果很好。

如果我在本地 docker 桌面上有 Keycloak 服务器和客户端应用程序 运行ning,它会抛出

Caused by: java.net.ConnectException: Connection refused (Connection refused)
        at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.base/java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:399)
        at java.base/java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:242)
        at java.base/java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:224)
        at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
        at java.base/java.net.Socket.connect(Socket.java:609)
        at com.mysql.jdbc@8.0.22//com.mysql.cj.protocol.StandardSocketFactory.connect(StandardSocketFactory.java:155)
        at com.mysql.jdbc@8.0.22//com.mysql.cj.protocol.a.NativeSocketConnection.connect(NativeSocketConnection.java:63)
        ... 64 more

如果我 运行 我的客户端应用程序在本地(非 docker 化)环境中并指向云实例的 docker 化 keycloak 服务器,我得到以下信息错误。

2022-02-18 12:59:55.039  WARN 1192 --- [nio-8080-exec-7] o.keycloak.adapters.KeycloakDeployment   : Failed to load URLs from http://XXXX.CLOUD.XXXX:8180/auth/realms/SampleKeycloakApp/.well-known/openid-configuration


java.lang.Exception: Forbidden
        at org.keycloak.adapters.KeycloakDeployment.getOidcConfiguration(KeycloakDeployment.java:233) ~[keycloak-adapter-core-16.1.1.jar!/:16.1.1]
        at org.keycloak.adapters.KeycloakDeployment.resolveUrls(KeycloakDeployment.java:182) ~[keycloak-adapter-core-16.1.1.jar!/:16.1.1]
        at org.keycloak.adapters.KeycloakDeployment.getAuthUrl(KeycloakDeployment.java:251) ~[keycloak-adapter-core-16.1.1.jar!/:16.1.1]
        at org.keycloak.adapters.OAuthRequestAuthenticator.getRedirectUri(OAuthRequestAuthenticator.java:175) ~[keycloak-adapter-core-16.1.1.jar!/:16.1.1]
        at org.keycloak.adapters.OAuthRequestAuthenticator.loginRedirect(OAuthRequestAuthenticator.java:213) ~[keycloak-adapter-core-16.1.1.jar!/:16.1.1]
        at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:275) ~[keycloak-adapter-core-16.1.1.jar!/:16.1.1]
        at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:138) ~[keycloak-adapter-core-16.1.1.jar!/:16.1.1]
        at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:154) ~[keycloak-spring-security-adapter-16.1.1.jar!/:16.1.1]
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
        at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:96) ~[keycloak-spring-security-adapter-16.1.1.jar!/:16.1.1]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
        at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.1.10.RELEASE.jar!/:5.1.10.RELEASE]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
        at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:74) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.1.10.RELEASE.jar!/:5.1.10.RELEASE]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) ~[spring-security-web-5.1.6.RELEASE.jar!/:5.1.6.RELEASE]

分享 docker-compose 文件以供参考,当我 运行 docker 中的两个服务时。

version: "3"

services:   springboot:
    build: .
    container_name: springboot
    ports:
      - 8081:8081
    restart: always
    depends_on:
      - db
      - keycloak
    environment:
      SPRING_DATASOURCE_URL: jdbc:mysql://db:3306/todolist
      SPRING_DATASOURCE_USERNAME: admin
      SPRING_DATASOURCE_PASSWORD: admin
      KEYCLOAK_URI: https://keycloak:8443/auth
      REALM: SpringBootKeycloakApp
    networks:
      - common-network    keycloak:
    image: jboss/keycloak:14.0.0
    container_name: keycloak
    ports:
      - "8180:8180"
      - "8443:8443"
    command: ["-Djboss.socket.binding.port-offset=100"]
    environment:
      DB_VENDOR: POSTGRES
      DB_ADDR: postgres
      DB_DATABASE: keycloak
      DB_USER: keycloak
      DB_PASSWORD: password
      DB_SCHEMA: public
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: admin
    depends_on:
      - postgres
    networks:
      - common-network   db:
    image: mysql:5.7
    ports:
      - "3307:3306"
    restart: always
    environment:
      MYSQL_DATABASE: todolist
      MYSQL_USER: admin
      MYSQL_PASSWORD: admin
      MYSQL_ROOT_PASSWORD: root
    volumes:
      - db-data:/var/lib/mysql
    networks:
      - common-network   postgres:
    image: postgres
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: password
    networks:
      - common-network networks:   common-network:
    driver: bridge 
    volumes:   
      db-data:
        driver: local   
      postgres_data:
        driver: local

并且当我 运行 客户端应用程序在非 docker 环境中分开时,我 运行 它与 java -jar ClientApp.jar

当我在 docker 环境中单独 运行 客户端应用程序时,我使用以下 Dockerfile

FROM adoptopenjdk/openjdk11:latest
ARG JAR_FILE=./build/libs/*.jar
COPY ${JAR_FILE} ClientApp.jar
EXPOSE 8081
ENTRYPOINT ["java", "-jar", "ClientApp.jar"]

我很乐意了解这背后的真正根本原因,运行 docker 化云实例中的 keycloak 服务器和客户端应用程序没有任何问题。谢谢

如果你在云端同时使用keycloak服务器和客户端,使用ssl-required=none

  keycloak.ssl-required=none

如果您在本地主机中同时使用 keycloak 服务器和客户端,请使用 ssl-required=external

keycloak.ssl-required=external