我想为连接到 keycloak 服务器的 springboot 后端创建一个 docker-compose 配置。
启动服务时出现以下错误:
Caused by: java.lang.IllegalStateException: The Issuer "http://localhost:8080/realms/RepitRealm" provided in the configuration metadata did not match the requested issuer "http://keycloak:8080/realms/RepitRealm"
这是我的 docker-compose.yml 中的相关行:
networks:
local-keycloak:
volumes:
[...]
services:
keycloak-db:
[...]
keycloak:
build: ./keycloak/
container_name: repit-keycloak
ports:
- "8881:8080"
- "8443:8443"
volumes:
- ./keycloak/data:/opt/keycloak/data/import
environment:
KEYCLOAK_ADMIN: "admin"
KEYCLOAK_ADMIN_PASSWORD: "admin"
# KC_HOSTNAME: "keycloak"
networks:
- local-keycloak
depends_on:
- keycloak-db
restart: unless-stopped
command:
- start-dev
- --import-realm
backend:
image: [...]
container_name: repit-backend
environment:
spring_profiles_active: "external"
KEYCLOAK_URL: "http://keycloak:8080/realms/RepitRealm"
APPLICATION_PORT: "8880"
ports:
- "8880:8880"
networks:
- local-keycloak
depends_on:
- keycloak
restart: unless-stopped
这里是用于构建keycloak服务的dockerfile
FROM quay.io/keycloak/keycloak:latest as builder
# Enable health and metrics support
ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true
# Configure a database vendor
ENV KC_DB=postgres
WORKDIR /opt/keycloak
# for demonstration purposes only, please make sure to use proper certificates in production instead
RUN keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=server" -alias server -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -keystore conf/server.keystore
RUN /opt/keycloak/bin/kc.sh build
FROM quay.io/keycloak/keycloak:latest
COPY --from=builder /opt/keycloak/ /opt/keycloak/
# change these values to point to a running postgres instance
ENV KC_DB=postgres
ENV KC_DB_URL=jdbc:postgresql://keycloak-db:5432/keycloak
ENV KC_DB_USERNAME=keycloak
ENV KC_DB_PASSWORD=password
ENV KC_HOSTNAME=localhost
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
这是我的 springboot 后端的“外部”配置文件的相关行
spring.security.oauth2.client.registration.keycloak.client-id=repit
spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.keycloak.scope=openid
spring.security.oauth2.client.provider.keycloak.issuer-uri=${KEYCLOAK_URL}
spring.security.oauth2.client.provider.keycloak.user-name-attribute=preferred_username
spring.security.oauth2.resourceserver.jwt.issuer-uri=${KEYCLOAK_URL}
注意:如果我从 docker-compose 中删除后端服务并直接从 IDE 启动后端应用程序,它就像一个魅力。
我尝试将 keycloak 服务中的
KC_HOSTNAME
更改为 keycloak
而不是 localhost
,它确实启动了,但是当我从前端应用程序在浏览器中进行身份验证时,我被重定向到 http://keycloak:8881/realms/RepitRealm
。
您是否尝试从 docker-compose.yml 中删除 KC_HOSTNAME?该参数用于管理控制台的主机名。如果不存在,keycloak 应该从请求标头中解析主机。 此外,Keycloak 的端口转发效果不太好。所以我会改变顺序:
ports:
- "8881:8080"
致:
command:
- start-dev
- --http-port=8881
ports:
- "8881:8881"