keycloak - 应用策略执行器时连接被拒绝 Keycloak
问题描述
我在应用策略执行器 quarkus api 应用程序时遇到问题,它是一个机密类型的客户端。两个应用程序都应该在 nginx 代理后面运行。这是我的 nginx.conf 文件
nginx.conf
location /api/ {
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header Connection "";
proxy_pass http://my-api:8085/;
}
location /auth {
proxy_pass http://my-keycloak:8080;
proxy_http_version 1.1;
proxy_set_header X-Script-Name /keycloak;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
:80/api -> my-api:8085
:80/auth -> my-keycloak:8080
这是我的 quarkus application.yml 文件。
应用程序.yml
oidc:
enabled: true
auth-server-url: http://localhost/auth/realms/my-realm
client-id: my-api
credentials:
secret: secret
tls:
verification: none
tenant-enabled: false
# Enable Policy Enforcement
# keycloak:
# policy-enforcer:
# enable: true
# enforcement-mode: enforcing
码头工人-compose.yml
my-keycloak:
image: jboss/keycloak:12.0.4
container_name: my-keycloak
volumes:
- ./realm-export.json:/home/realm-export.json
environment:
DB_VENDOR: POSTGRES
DB_ADDR: my-db
DB_DATABASE: my_db
DB_USER: user
DB_PASSWORD: pass
KEYCLOAK_FRONTEND_URL: 'http://localhost/auth/'
PROXY_ADDRESS_FORWARDING: "true"
KEYCLOAK_USER: admin
KEYCLOAK_PASSWORD: admin
KEYCLOAK_IMPORT: /home/realm-export.json
command: [
-Dkeycloak.profile.feature.upload_scripts=enabled
]
networks:
- mynet
depends_on:
- db-postgres
当我启用keycloak-policy-enforcement(注释行application.yml)时发生错误说
应用程序日志
2021-06-22 04:54:22,552 ERROR [io.qua.run.Application] (Quarkus Main Thread) Failed to start application (with profile docker-compose): java.net.ConnectException: Connection refused
my-api | at java.base/sun.nio.ch.Net.connect0(Native Method)
my-api | at java.base/sun.nio.ch.Net.connect(Net.java:576)
my-api | at java.base/sun.nio.ch.Net.connect(Net.java:565)
my-api | at java.base/sun.nio.ch.NioSocketImpl.connect(NioSocketImpl.java:588)
my-api | at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:333)
my-api | at java.base/java.net.Socket.connect(Socket.java:645)
fc-api | at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(PlainSocketFactory.java:121)
my-api | at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
my-api | at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
my-api | at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134)
my-api | at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:605)
my-api | at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:440)
my-api | at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835)
my-api | at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
fc-api | at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
my-api | at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
my-api | at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:84)
my-api | at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
my-api | at org.keycloak.authorization.client.AuthzClient.<init>(AuthzClient.java:253)
my-api | at org.keycloak.authorization.client.AuthzClient.create(AuthzClient.java:99)
my-api | at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:65)
my-api | at io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerAuthorizer.init(KeycloakPolicyEnforcerAuthorizer.java:139)
my-api | at io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerAuthorizer_Subclass.init$$superaccessor1(KeycloakPolicyEnforcerAuthorizer_Subclass.zig:515)
my-api | at io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerAuthorizer_Subclass$$function$$1.apply(KeycloakPolicyEnforcerAuthorizer_Subclass$$function$$1.zig:53)
my-api | at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:54)
my-api | at io.quarkus.arc.runtime.devconsole.InvocationInterceptor.proceed(InvocationInterceptor.java:63)
my-api | at io.quarkus.arc.runtime.devconsole.InvocationInterceptor.monitor(InvocationInterceptor.java:51)
my-api | at io.quarkus.arc.runtime.devconsole.InvocationInterceptor_Bean.intercept(InvocationInterceptor_Bean.zig:521)
my-api | at io.quarkus.arc.impl.InterceptorInvocation.invoke(InterceptorInvocation.java:41)
my-api | at io.quarkus.arc.impl.AroundInvokeInvocationContext.perform(AroundInvokeInvocationContext.java:41)
my-api | at io.quarkus.arc.impl.InvocationContexts.performAroundInvoke(InvocationContexts.java:32)
my-api | at io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerAuthorizer_Subclass.init(KeycloakPolicyEnforcerAuthorizer_Subclass.zig:466)
my-api | at io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerRecorder.setup(KeycloakPolicyEnforcerRecorder.java:20)
my-api | at io.quarkus.deployment.steps.KeycloakPolicyEnforcerBuildStep$setup-429927437.deploy_0(KeycloakPolicyEnforcerBuildStep$setup-429927437.zig:126)
my-api | at io.quarkus.deployment.steps.KeycloakPolicyEnforcerBuildStep$setup-429927437.deploy(KeycloakPolicyEnforcerBuildStep$setup-429927437.zig:40)
my-api | at io.quarkus.runner.ApplicationImpl.doStart(ApplicationImpl.zig:861)
my-api | at io.quarkus.runtime.Application.start(Application.java:90)
my-api | at io.quarkus.runtime.ApplicationLifecycleManager.run(ApplicationLifecycleManager.java:100)
my-api | at io.quarkus.runtime.Quarkus.run(Quarkus.java:66)
my-api | at io.quarkus.runtime.Quarkus.run(Quarkus.java:42)
my-api | at io.quarkus.runtime.Quarkus.run(Quarkus.java:119)
my-api | at io.quarkus.runner.GeneratedMain.main(GeneratedMain.zig:29)
my-api | at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
my-api | at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:78)
my-api | at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
my-api | at java.base/java.lang.reflect.Method.invoke(Method.java:567)
my-api | at io.quarkus.runner.bootstrap.StartupActionImpl$3.run(StartupActionImpl.java:134)
my-api | at java.base/java.lang.Thread.run(Thread.java:831)
无法对 api 应用策略执行。我认为 api 应用程序无法连接到 keycloak。
{
"issuer": "http://localhost/auth/realms/my-realm",
"authorization_endpoint": "http://localhost/auth/realms/my-realm/protocol/openid-connect/auth",
"token_endpoint": "http://localhost/auth/realms/my-realm/protocol/openid-connect/token",
"introspection_endpoint": "http://localhost/auth/realms/my-realm/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "http://localhost/auth/realms/my-realm/protocol/openid-connect/userinfo",
"end_session_endpoint": "http://localhost/auth/realms/my-realm/protocol/openid-connect/logout",
"jwks_uri": "http://localhost/auth/realms/my-realm/protocol/openid-connect/certs",
"check_session_iframe": "http://localhost/auth/realms/my-realm/protocol/openid-connect/login-status-iframe.html",
"grant_types_supported": [
"authorization_code",
"implicit",
"refresh_token",
"password",
"client_credentials"
],
"response_types_supported": [
"code",
"none",
"id_token",
"token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"subject_types_supported": [
"public",
"pairwise"
],
...
此处提供示例应用程序
解决方案
推荐阅读
- sql-server - 如何将生产数据库模式同步到 SQL Server 中的 DEV 和 QC?
- ios - 错误:ReactNative 错误 ENOENT:没有这样的文件或目录,uv_cwd(null
- python - Apache Flume 从 python 脚本中获取数据
- java - Java/Kotlin Kafka Consumer 用于 Web 应用程序中的多个实例(容器)
- windows - 如何逐行遍历硬编码的键值对并将每一对解析为键和值?
- gremlin - 如何在 Tinkerpop 中替换、合并或插入新边
- algorithm - 任务队列并发
- javascript - 按钮禁用在表单内不起作用
- spring - spring-boot 双向关系或多重查询
- c# - 如何将 OneNote 的页面导出为 html 文件或文本?