我在 k8s 中部署了 keycloak bitnami 图表和 krakend。我还有一个测试 api,我希望在访问它之前进行身份验证。我能够从 keycloak 获取有效的 jwt 令牌,但是当我尝试通过 krakend 访问我的 api 时,它返回 401 错误 非常感谢任何帮助。
软件版本: 钥匙斗篷:16.1.1 克拉肯德:2.0.4
{
"$schema": "https://www.krakend.io/schema/v3.json",
"version": 3,
"timeout": "3000ms",
"cache_ttl": "300s",
"output_encoding": "json",
"port": 8080,
"endpoints": [
{
"endpoint": "/mock/parents/{id}",
"method": "GET",
"input_headers": [
"Authorization"
],
"extra_config": {
"auth/validator": {
"alg": "RS256",
"jwk-url": "http://keycloak-headless:8080/auth/realms/master/protocol/openid-connect/certs",
"disable_jwk_security": true,
"roles_key_is_nested": true,
"roles_key": "realm_access.roles",
"roles": ["test-app-parent"],
"operation_debug": true
}
},
"output_encoding": "json",
"concurrent_calls": 1,
"backend": [
{
"url_pattern": "/parents/{id}",
"encoding": "json",
"sd": "static",
"extra_config": {},
"host": [
"http://testapp-service:8400"
],
"disable_host_sanitize": false,
"blacklist": [
"super_secret_field"
]
},
{
"url_pattern": "/siblings/{id}",
"encoding": "json",
"sd": "static",
"extra_config": {},
"host": [
"http://testapp-service:8400"
],
"blacklist": [
"sibling_id"
],
"group": "extra_info",
"disable_host_sanitize": false
},
{
"url_pattern": "/parents/{id}/children",
"encoding": "json",
"sd": "static",
"extra_config": {},
"host": [
"http://testapp-service:8400"
],
"disable_host_sanitize": false,
"mapping": {
"content": "cars"
},
"whitelist": [
"content"
]
}
]
},
{
"endpoint": "/mock/bogus-new-api/{path}",
"method": "GET",
"extra_config": {
"auth/validator": {
"alg": "RS256",
"jwk-url": "http://keycloak-headless:8080/auth/realms/master/protocol/openid-connect/certs",
"disable_jwk_security": true
},
"github.com/devopsfaith/krakend/proxy": {
"static": {
"data": {
"new_field_a": 123,
"new_field_b": [
"arr1",
"arr2"
],
"new_field_c": {
"obj": "obj1"
}
},
"strategy": "always"
}
}
},
"output_encoding": "json",
"concurrent_calls": 1,
"backend": [
{
"url_pattern": "/not-finished-yet",
"encoding": "json",
"sd": "static",
"extra_config": {},
"host": [
"nothing-here"
],
"disable_host_sanitize": false
}
]
}
]
}
天哪,这让我发疯了。
在最后一个版本更新中,他们将 jwk-url 更改为 jwk_url。
https://github.com/krakendio/krakend-ce/issues/495#issuecomment-1138397005
我修复后它对我有用。
我改变后它对我有用
"jwk_url": "http://KEYCLOAK-SERVICE-NAME:8080/auth/realms/master/protocol/openid-connect/certs""jwk_url": "http://host.docker.internal:8080/auth/realms/master/protocol/openid-connect/certs"创建新的领域角色“test-app-parent”并且
转到用户部分并将该角色分配给该用户。 您可以从 https://jwt.io/ 检查 is_your 令牌在“realm_access.roles”中包含“test-app-parent”此角色。就像下面的示例
“realm_access”:{ “角色”:[ “默认角色-krakend”, “离线访问”, “测试应用程序父级”, “uma_授权” ] }