azure - 504 网关超时错误 Keycloak 与 Microsoft SSO
问题描述
我正在运行一个使用 Keycloak 进行身份验证的节点应用程序。我将 Microsoft 添加为我的身份提供者。身份验证流程有时有效,但有时也会给我一个504 Gateway Time-out错误。我无法在这里查明问题,而且它似乎以一种不确定的方式表现出来,这使得调试它非常痛苦。也许有人可以对这个问题有所了解。以下是有关我在 Keycloak 中的设置的一些信息:
我正在使用 docker 映像在 Openshift pod 中部署 Keycloak jboss/keycloak:12.0.4。我将身份提供者配置为一个OpenID Connect v1.0而不是Microsoft列出的选项。原因是该Microsoft选项给了我一个错误,因为我的应用程序不支持多个租户。我注意到我Authorization URL和我Token URL使用的 oauth2 v2.0 和 Keycloak 支持的 OpenID 协议是 v1.0,这可能是罪魁祸首吗?
以下是我在OpenID Connect v1.0身份提供者中使用的设置:
| 环境 | 价值 |
|---|---|
| 重定向 URI | https://{myURL}/auth/realms/{myRealm}/broker/microsoft/endpoint |
| 显示名称 | 微软 SSO |
| 启用 | 真的 |
| 存储令牌 | 错误的 |
| 存储令牌可读 | 错误的 |
| 信任电子邮件 | 真的 |
| 仅帐户关联 | 错误的 |
| 在登录页面隐藏 | 错误的 |
| GUI订单页面 | |
| 首次登录流程 | 首次经纪人登录 |
| 登录后流程 | |
| 同步模式 | 进口 |
| 授权网址 | https://login.microsoftonline.com/{myTenantId}/oauth2/v2.0/authorize |
| 通过 login_hint | 错误的 |
| 通过当前语言环境 | 错误的 |
| 令牌网址 | https://login.microsoftonline.com/{myTenantId}/oauth2/v2.0/token |
| 注销网址 | |
| 反向通道注销 | 错误的 |
| 禁用用户信息 | 错误的 |
| 用户信息网址 | |
| 客户端认证 | 客户端密码作为邮件发送 |
| 客户编号 | {myClientId} |
| 客户秘密 | **** |
| 发行人 | |
| 默认范围 | 个人资料电子邮件 |
| 迅速的 | 未指定 |
| 接受提示=无从客户端转发 | 错误的 |
| 验证签名 | 错误的 |
| 允许的时钟偏差 | 30 |
| 转发查询参数 |
当我尝试登录 Keycloak 站点时,出现如下超时错误:
有时我在单击“使用 Microsoft 登录”按钮后直接在 Kecloak 登录站点中获取它。其他时候,我确实被重定向到 login.microsoftonline.com 网页,在那里我使用我的凭据登录,并在询问我是否要保持登录状态后卡在最后一个屏幕上。有时流程有效,我最终在内部进行了身份验证我的申请...
这是我在等待一段时间后得到的错误响应:
Request URL: https://{myURL}/auth/realms/{myRealm}/broker/microsoft/endpoint?code=0.AXMA7rFZoACDkkmxG1e0i4BPEZ2cuYMZnDRNtktAE1vudc9zAAA.AQABAAIAAAD--DLA3VO7QrddgJg7WevrbG5Onmk6dlEN-ouVhfpouPkxBHIMaTipydQjf5IPHzHiiF047jqUMeFyZsK2MS_SFivrQzEHsLKCwb1cxoqNflANN5M61kRmWAPl3aMaS-Ss2UyBjRWvDa6uWHm91RYglSSu5KYle1iuuGQy6lbCDylPxGvYuvg0-JYX607C416_BCPWv54T2OseM1FouKs9ZjWTtshbfMphilE7xoY6ELTOza12SitW3-d0XzTpQxBBI4hJYVq1SWMa6LlOPqrFnofmTdQxbzLJrzWgbvXPXD_Mq-y2MABWv1Vp4cC-BWQp7LAvgt5YM4qODrO16hhbRsIoVpGx8Fo4hdGHfz5gzYJSZ7l1JKVm0mPN3EUB36Bxu6nU5H_WEzQKnPgEuWM_XwF1FF3zCEC_T7OCFk8eclh_Ltkj4_6bbvIzq4fkhQHi5ip95JVZCf363JufQfpMwwXuEkBpoA7r_sJZf7eovktt_yF_TY2n6eg2Buhss86fRNplj6lJarUk1wfPg8UtQfIM03Q6ibOdFUbdXKlTNTzBtEXPE09Oq-k58lY54WEuc-6CoI0TVacj5uPAMchIiT9W5zh6Hngrch_JO3_AFY2y4AyZ5z4ztPdmNbI-H5SrTgL6su0B3AW-1ZaSbbtvt5IjuE_BsgDCyUcleELMoScxVTu209iqv1PSJGHm6zX0JLT314nNhv_vft-11mVzn5PnEUvMjnq-SIblkVBFJNo_aHuHZ6YKA5bkTJzRmJsgAA&state=bkT6WkO40z5T_nZmjgWjyr0Yrig9aubRO4tIWzw6FyE.XNF2CybyXuc.express-server&session_state=1406bf80-2d5a-4e76-a526-a68c92369bfd
Request Method: GET
Status Code: 504 Gateway Time-out
Remote Address: **.***.***.***:443
Referrer Policy: no-referrer
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: keep-alive
Cookie: AUTH_SESSION_ID=0adf14f3-e2e7-45ad-81f0-41ba2ef14b00.fv-keycloak-dbs-7-zjzrr; AUTH_SESSION_ID_LEGACY=0adf14f3-e2e7-45ad-81f0-41ba2ef14b00.fv-keycloak-dbs-7-zjzrr; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJmYzk5ZmY2Yy01ZTYzLTRhZDYtOGQ1MS0zNjUzODc4ZTI3NWEifQ.eyJjaWQiOiJleHByZXNzLXNlcnZlciIsInB0eSI6Im9wZW5pZC1jb25uZWN0IiwicnVyaSI6Imh0dHA6Ly9kYnMtc2VydmVyLWZpbGV2ZXJpZmljYXRvci5iZXJsaW4uZGJjcy5kYi5kZS9sb2dpbj9zaGFyZXBvaW50T249ZmFsc2UmYXV0aF9jYWxsYmFjaz0xIiwiYWN0IjoiQVVUSEVOVElDQVRFIiwibm90ZXMiOnsic2NvcGUiOiJvcGVuaWQiLCJpc3MiOiJodHRwczovL2Ricy1mdi1rZXljbG9hay1maWxldmVyaWZpY2F0b3IuYmVybGluLmRiY3MuZGIuZGUvYXV0aC9yZWFsbXMvZmlsZXZlcmlmaWNhdG9yIiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vZGJzLXNlcnZlci1maWxldmVyaWZpY2F0b3IuYmVybGluLmRiY3MuZGIuZGUvbG9naW4_c2hhcmVwb2ludE9uPWZhbHNlJmF1dGhfY2FsbGJhY2s9MSIsInN0YXRlIjoiYzE5MTZkNDMtNTRkYi00NjdiLWFkOTEtYTk1YThiZTkzYjA5In19.SUlsPCDZ3cOdhWYxGlyjw_5fE97VtVQ3m4JICGwEadE; f7ab773005f1250ab8c4988c6f4d7351=e1353a733014b755be89489617967322
Host: {myKeycloakHost}
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
code: 0.AXMA7rFZoACDkkmxG1e0i4BPEZ2cuYMZnDRNtktAE1vudc9zAAA.AQABAAIAAAD--DLA3VO7QrddgJg7WevrbG5Onmk6dlEN-ouVhfpouPkxBHIMaTipydQjf5IPHzHiiF047jqUMeFyZsK2MS_SFivrQzEHsLKCwb1cxoqNflANN5M61kRmWAPl3aMaS-Ss2UyBjRWvDa6uWHm91RYglSSu5KYle1iuuGQy6lbCDylPxGvYuvg0-JYX607C416_BCPWv54T2OseM1FouKs9ZjWTtshbfMphilE7xoY6ELTOza12SitW3-d0XzTpQxBBI4hJYVq1SWMa6LlOPqrFnofmTdQxbzLJrzWgbvXPXD_Mq-y2MABWv1Vp4cC-BWQp7LAvgt5YM4qODrO16hhbRsIoVpGx8Fo4hdGHfz5gzYJSZ7l1JKVm0mPN3EUB36Bxu6nU5H_WEzQKnPgEuWM_XwF1FF3zCEC_T7OCFk8eclh_Ltkj4_6bbvIzq4fkhQHi5ip95JVZCf363JufQfpMwwXuEkBpoA7r_sJZf7eovktt_yF_TY2n6eg2Buhss86fRNplj6lJarUk1wfPg8UtQfIM03Q6ibOdFUbdXKlTNTzBtEXPE09Oq-k58lY54WEuc-6CoI0TVacj5uPAMchIiT9W5zh6Hngrch_JO3_AFY2y4AyZ5z4ztPdmNbI-H5SrTgL6su0B3AW-1ZaSbbtvt5IjuE_BsgDCyUcleELMoScxVTu209iqv1PSJGHm6zX0JLT314nNhv_vft-11mVzn5PnEUvMjnq-SIblkVBFJNo_aHuHZ6YKA5bkTJzRmJsgAA
state: bkT6WkO40z5T_nZmjgWjyr0Yrig9aubRO4tIWzw6FyE.XNF2CybyXuc.express-server
session_state: 1406bf80-2d5a-4e76-a526-a68c92369bfd
当它成功并且我最终登录到我的应用程序时,这里是相同的响应:
Request URL: https://{myURL}/auth/realms/{myRealm}/broker/microsoft/endpoint?code=0.AXMA7rFZoACDkkmxG1e0i4BPEZ2cuYMZnDRNtktAE1vudc9zAAA.AQABAAIAAAD--DLA3VO7QrddgJg7Wevr54rmOYKEJxCvOnbTf08bIkW6-wYHMPW02S7p1GH83rt_I4HcFoQWc-UTr6E59PQtmKVvhJwPVOtCaloEntwSxyUOjU-ioLUqabuXrOgCK9z0YCAZfPt0i3en6yRq5_8cXTwb3mw_tdC4r72UhRy0-5lZtw0QK6nIBt5csBVe2aecbuUqSgujb342mI2yncyCtTzEDyHK68705BUc5CfZ_G1KrKY4XhOT2gJntasYNZ8W1cEaiRUINe3lJPChcdFSsK1_cXbt8cpcA-ATZII31pYDIj4naXf3TE03OazX_rbTAY9Wv9FemrDD81zoPpWvw-_0C10ZSyVKkiuDpijfLbXPds1PLXqO5_UHVi-L0PTo7Ol_mvy89wX7R7nzXcxQhFJ9N4tBk7_xsnJb84ra2FohF8Fc3nUQlpHKpyVOBF8ZiHmSDbKNFiYwPlO8eGwYl7bDKGezpBGNNyTHQgdh_sUr_JRxo3hAH-KBN5jQbarSPYVcju7DzGbEqdCEjyz2WbNwSw9-iSfFDloUNtiVG_67ZNJTFfuLR3_JkIZi3oOkFnAJXioaRLvijvPFsIcAAf8gvK1GTVyB4Hjqsh4UGFu3zEydKCAfBc-adK8Hh_OBa0_aqNe3vxGXmHdXxwUoK1CRCWXJKGWudyryfsgAZFSSCpoBgGRfVXezW03cHPW3OnLz_yxXZNgsDBY1RxY9v_FG0H1Y3WUXZswQGZ-EFRsLzYlbs1h-xscOc5a8mtAgAA&state=ZuSmElb8DZVi2RfJqty-GXjEI6JTHhgDYsQIj3iLnR0.tXmQN28xbw8.express-server&session_state=e2530203-3269-4f2a-b08c-27955bed47d2
Request Method: GET
Status Code: 302 Found
Remote Address: **.***.***.**:443
Referrer Policy: strict-origin-when-cross-origin
Connection: close
Content-Length: 0
Date: Tue, 06 Apr 2021 11:52:29 GMT
Location: http://{myURL}/login?auth_callback=1&state=143f770b-8de8-4083-8dab-3124bd097b98&session_state=ca4e579e-e22f-4b53-b33b-3bbc161c3ace&code=ca8be1ac-2bcf-420d-be27-9c830d7d6c31.ca4e579e-e22f-4b53-b33b-3bbc161c3ace.960c20e3-4c92-4bba-afea-785097c6fc69
P3P: CP="This is not a P3P policy!"
Referrer-Policy: no-referrer
Set-Cookie: KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/fileverificator/; HttpOnly
Set-Cookie: KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/fileverificator/; HttpOnly
Set-Cookie: KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJmYzk5ZmY2Yy01ZTYzLTRhZDYtOGQ1MS0zNjUzODc4ZTI3NWEifQ.eyJleHAiOjE2MTc3NDU5NDksImlhdCI6MTYxNzcwOTk0OSwianRpIjoiNTU0YmU1ZTEtZTA5My00ZWMzLTk0MjQtNDljMjhiMmIzYzlmIiwiaXNzIjoiaHR0cHM6Ly9kYnMtZnYta2V5Y2xvYWstZmlsZXZlcmlmaWNhdG9yLmJlcmxpbi5kYmNzLmRiLmRlL2F1dGgvcmVhbG1zL2ZpbGV2ZXJpZmljYXRvciIsInN1YiI6IjE2ZGZhN2UzLTQ1ZmMtNDNkZi05MjA1LTM5NTM4ZGRmY2M5MyIsInR5cCI6IlNlcmlhbGl6ZWQtSUQiLCJzZXNzaW9uX3N0YXRlIjoiY2E0ZTU3OWUtZTIyZi00YjUzLWIzM2ItM2JiYzE2MWMzYWNlIiwic3RhdGVfY2hlY2tlciI6IjlMZTV0Vy1WVVRGbUJOQ1B3TG1lN3NMWlMwd1piQnVKcEo0QXlGa1oyVVEifQ.d0cKuvmJcQp9dkyord6jzIIRqq9dHVoT5J-gOoOS3hU; Version=1; Path=/auth/realms/{myRealm}/; SameSite=None; Secure; HttpOnly
Set-Cookie: KEYCLOAK_IDENTITY_LEGACY=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJmYzk5ZmY2Yy01ZTYzLTRhZDYtOGQ1MS0zNjUzODc4ZTI3NWEifQ.eyJleHAiOjE2MTc3NDU5NDksImlhdCI6MTYxNzcwOTk0OSwianRpIjoiNTU0YmU1ZTEtZTA5My00ZWMzLTk0MjQtNDljMjhiMmIzYzlmIiwiaXNzIjoiaHR0cHM6Ly9kYnMtZnYta2V5Y2xvYWstZmlsZXZlcmlmaWNhdG9yLmJlcmxpbi5kYmNzLmRiLmRlL2F1dGgvcmVhbG1zL2ZpbGV2ZXJpZmljYXRvciIsInN1YiI6IjE2ZGZhN2UzLTQ1ZmMtNDNkZi05MjA1LTM5NTM4ZGRmY2M5MyIsInR5cCI6IlNlcmlhbGl6ZWQtSUQiLCJzZXNzaW9uX3N0YXRlIjoiY2E0ZTU3OWUtZTIyZi00YjUzLWIzM2ItM2JiYzE2MWMzYWNlIiwic3RhdGVfY2hlY2tlciI6IjlMZTV0Vy1WVVRGbUJOQ1B3TG1lN3NMWlMwd1piQnVKcEo0QXlGa1oyVVEifQ.d0cKuvmJcQp9dkyord6jzIIRqq9dHVoT5J-gOoOS3hU; Version=1; Path=/auth/realms/fileverificator/; HttpOnly
Set-Cookie: KEYCLOAK_SESSION=fileverificator/16dfa7e3-45fc-43df-9205-39538ddfcc93/ca4e579e-e22f-4b53-b33b-3bbc161c3ace; Version=1; Expires=Tue, 06-Apr-2021 21:52:29 GMT; Max-Age=36000; Path=/auth/realms/fileverificator/; SameSite=None; Secure
Set-Cookie: KEYCLOAK_SESSION_LEGACY=fileverificator/16dfa7e3-45fc-43df-9205-39538ddfcc93/ca4e579e-e22f-4b53-b33b-3bbc161c3ace; Version=1; Expires=Tue, 06-Apr-2021 21:52:29 GMT; Max-Age=36000; Path=/auth/realms/fileverificator/
Set-Cookie: KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/fileverificator/; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cache-Control: max-age=0
Connection: keep-alive
Cookie: AUTH_SESSION_ID=ca4e579e-e22f-4b53-b33b-3bbc161c3ace.fv-keycloak-dbs-7-zjzrr; AUTH_SESSION_ID_LEGACY=ca4e579e-e22f-4b53-b33b-3bbc161c3ace.fv-keycloak-dbs-7-zjzrr; KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJmYzk5ZmY2Yy01ZTYzLTRhZDYtOGQ1MS0zNjUzODc4ZTI3NWEifQ.eyJjaWQiOiJleHByZXNzLXNlcnZlciIsInB0eSI6Im9wZW5pZC1jb25uZWN0IiwicnVyaSI6Imh0dHA6Ly9kYnMtc2VydmVyLWZpbGV2ZXJpZmljYXRvci5iZXJsaW4uZGJjcy5kYi5kZS9sb2dpbj9zaGFyZXBvaW50T249ZmFsc2UmYXV0aF9jYWxsYmFjaz0xIiwiYWN0IjoiQVVUSEVOVElDQVRFIiwibm90ZXMiOnsic2NvcGUiOiJvcGVuaWQiLCJpc3MiOiJodHRwczovL2Ricy1mdi1rZXljbG9hay1maWxldmVyaWZpY2F0b3IuYmVybGluLmRiY3MuZGIuZGUvYXV0aC9yZWFsbXMvZmlsZXZlcmlmaWNhdG9yIiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vZGJzLXNlcnZlci1maWxldmVyaWZpY2F0b3IuYmVybGluLmRiY3MuZGIuZGUvbG9naW4_c2hhcmVwb2ludE9uPWZhbHNlJmF1dGhfY2FsbGJhY2s9MSIsInN0YXRlIjoiMTQzZjc3MGItOGRlOC00MDgzLThkYWItMzEyNGJkMDk3Yjk4In19.L7zIusN60YSeALEIPEUNdchas_9ey-ZDqtWXjgynC5Q; f7ab773005f1250ab8c4988c6f4d7351=e1353a733014b755be89489617967322
Host: {myKeycloakHost}
Referer: https://login.microsoftonline.com/
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
code: 0.AXMA7rFZoACDkkmxG1e0i4BPEZ2cuYMZnDRNtktAE1vudc9zAAA.AQABAAIAAAD--DLA3VO7QrddgJg7Wevr54rmOYKEJxCvOnbTf08bIkW6-wYHMPW02S7p1GH83rt_I4HcFoQWc-UTr6E59PQtmKVvhJwPVOtCaloEntwSxyUOjU-ioLUqabuXrOgCK9z0YCAZfPt0i3en6yRq5_8cXTwb3mw_tdC4r72UhRy0-5lZtw0QK6nIBt5csBVe2aecbuUqSgujb342mI2yncyCtTzEDyHK68705BUc5CfZ_G1KrKY4XhOT2gJntasYNZ8W1cEaiRUINe3lJPChcdFSsK1_cXbt8cpcA-ATZII31pYDIj4naXf3TE03OazX_rbTAY9Wv9FemrDD81zoPpWvw-_0C10ZSyVKkiuDpijfLbXPds1PLXqO5_UHVi-L0PTo7Ol_mvy89wX7R7nzXcxQhFJ9N4tBk7_xsnJb84ra2FohF8Fc3nUQlpHKpyVOBF8ZiHmSDbKNFiYwPlO8eGwYl7bDKGezpBGNNyTHQgdh_sUr_JRxo3hAH-KBN5jQbarSPYVcju7DzGbEqdCEjyz2WbNwSw9-iSfFDloUNtiVG_67ZNJTFfuLR3_JkIZi3oOkFnAJXioaRLvijvPFsIcAAf8gvK1GTVyB4Hjqsh4UGFu3zEydKCAfBc-adK8Hh_OBa0_aqNe3vxGXmHdXxwUoK1CRCWXJKGWudyryfsgAZFSSCpoBgGRfVXezW03cHPW3OnLz_yxXZNgsDBY1RxY9v_FG0H1Y3WUXZswQGZ-EFRsLzYlbs1h-xscOc5a8mtAgAA
state: ZuSmElb8DZVi2RfJqty-GXjEI6JTHhgDYsQIj3iLnR0.tXmQN28xbw8.express-server
session_state: e2530203-3269-4f2a-b08c-27955bed47d2
关于可能导致问题的任何想法?正如我所说,它有时确实有效,所以我真的很好奇为什么会发生这种行为。
解决方案
推荐阅读
- c++ - 当同一个命名空间中有两个具有相同签名的函数时会发生什么?
- javascript - 如何使用dom找出反应中的元素是否有onClick事件
- swift - 用强制展开来写这个 if 条件的更好方法?
- c++ - 编译包含字符串的代码时遇到问题
- python - Python 不断为列表抛出“TypeError”错误,我不知道如何修复它
- python - 生成器/产量的示例 python 实现
- excel - 更改带壳程序的窗口样式
- sql - 根据层次深度分配权重
- c# - ASP.NET Core 3.1,仅将特定消息记录到 Azure 日志流控制台
- linq - SQL 列级加密的 EF Core 解密