配置元数据中提供的颁发者与请求的颁发者不匹配,在 DockerCompose 中使用 Keycloak 和 Springboot

问题描述 投票:0回答:1

我想为连接到 keycloak 服务器的 springboot 后端创建一个 docker-compose 配置。

启动服务时出现以下错误:

Caused by: java.lang.IllegalStateException: The Issuer "http://localhost:8080/realms/RepitRealm" provided in the configuration metadata did not match the requested issuer "http://keycloak:8080/realms/RepitRealm"

这是我的 docker-compose.yml 中的相关行:

networks:
  local-keycloak:

volumes:
[...]

services:

  keycloak-db:
[...]

  keycloak:
    build: ./keycloak/
    container_name: repit-keycloak
    ports:
      - "8881:8080"
      - "8443:8443"
    volumes:
      - ./keycloak/data:/opt/keycloak/data/import
    environment:
      KEYCLOAK_ADMIN: "admin"
      KEYCLOAK_ADMIN_PASSWORD: "admin"
#      KC_HOSTNAME: "keycloak"
    networks:
      - local-keycloak
    depends_on:
      - keycloak-db
    restart: unless-stopped
    command:
      - start-dev
      - --import-realm

  backend:
    image: [...]
    container_name: repit-backend
    environment:
      spring_profiles_active: "external"
      KEYCLOAK_URL: "http://keycloak:8080/realms/RepitRealm"
      APPLICATION_PORT: "8880"
    ports:
      - "8880:8880"
    networks:
      - local-keycloak
    depends_on:
      - keycloak
    restart: unless-stopped

这里是用于构建keycloak服务的dockerfile

FROM quay.io/keycloak/keycloak:latest as builder

# Enable health and metrics support
ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true

# Configure a database vendor
ENV KC_DB=postgres

WORKDIR /opt/keycloak
# for demonstration purposes only, please make sure to use proper certificates in production instead
RUN keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=server" -alias server -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -keystore conf/server.keystore
RUN /opt/keycloak/bin/kc.sh build

FROM quay.io/keycloak/keycloak:latest
COPY --from=builder /opt/keycloak/ /opt/keycloak/

# change these values to point to a running postgres instance
ENV KC_DB=postgres
ENV KC_DB_URL=jdbc:postgresql://keycloak-db:5432/keycloak
ENV KC_DB_USERNAME=keycloak
ENV KC_DB_PASSWORD=password
ENV KC_HOSTNAME=localhost
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]

这是我的 springboot 后端的“外部”配置文件的相关行

spring.security.oauth2.client.registration.keycloak.client-id=repit
spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.keycloak.scope=openid
spring.security.oauth2.client.provider.keycloak.issuer-uri=${KEYCLOAK_URL}
spring.security.oauth2.client.provider.keycloak.user-name-attribute=preferred_username
spring.security.oauth2.resourceserver.jwt.issuer-uri=${KEYCLOAK_URL}

注意:如果我从 docker-compose 中删除后端服务并直接从 IDE 启动后端应用程序,它就像一个魅力。

我尝试将 keycloak 服务中的 

KC_HOSTNAME
更改为 
keycloak
而不是 
localhost
,它确实启动了,但是当我从前端应用程序在浏览器中进行身份验证时,我被重定向到 
http://keycloak:8881/realms/RepitRealm

spring-boot docker-compose keycloak spring-boot-security
1个回答
0
投票

您是否尝试从 docker-compose.yml 中删除 KC_HOSTNAME?该参数用于管理控制台的主机名。如果不存在,keycloak 应该从请求标头中解析主机。 此外,Keycloak 的端口转发效果不太好。所以我会改变顺序:

ports:
  - "8881:8080"

致:

command: 
  - start-dev
  - --http-port=8881
ports:
  - "8881:8881"
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.