security - Keycloak 支持一个域名上的一个领域，同时服务于多个域

问题描述

我正在使用 keycloak 作为身份验证/授权提供者在 kubernetes 上构建应用程序生态系统。我正在（或可能正在）计划通过 OpenId(OAuth2) 将所有内容与其集成，并且用户凭据和其他私人信息永远不要以未加密的形式离开 keycloak 实例。

我试图在考虑以下配置的情况下实现整个身份验证方案。

领域

myservice: Realm containing the public and back-office users of my application. 
           All microservices that I have are authenticating users against this realm.

master:    Contains admins, keycloak administrators and other resources which 
           should not be ever exposed to the public or intranet users. No microservice 
           ever performs authentication on this realm.

域

 1. domain: account.myservice.com
    access: public
    cors: allow requests from app.myservice.com
    config: kubernetes-ingress
    exposes: configured themes to support login, registration, etc.. Endpoints 
        for public front-end application token validation
    description: Only exposes access to a realm called "myservice" in keycloak. 
        No users from other realms can login or interact.

2.  domain: account.internal.myservice.com
    access: intranet/admins
    cors: allow requests from back-office.internal.myservice.com
    config: kubernetes-ingress
    exposes: configured themes to support login, registration, etc.. Endpoints 
        for back-end front-end application token validation
    description: Exposes all the realms and provides access to keycloak 
        administrative UI.

3.  domain: keycloak (keycloak.default.svc.cluster.local)
    access: cluster-internal
    cors: none
    config: kubernetes service, visible only inside the cluster
    exposes: endpoints for back-end application token validation
    description: Only exposes realm "myservice" and is used for other services to 
        validate user tokens and similar stuff.

在尝试实现上述配置方案时，我确实遇到了许多问题。如果我在 Keycloak 中进行 SSL 终止，我将无法通过反向代理或类似方法配置不同的域，这反过来意味着 Keycloak 应该提供一种功能来监听单独的 SSL 加密端口并且只创建一个域在那里可用。它没有。所以我想要一些奇怪的东西吗？最佳实践与我想要的不同吗？

标签： securityopenidkeycloak