1

使用 kyecloak 的身份验证没有按预期工作,它被用于 Istio vs Keycloak。配置的 Istio 组件:Gateway、Virtualservice、AuthorizationPolicy、RequestAuthentication

使用有效令牌:401 Jwt 发行者未配置

在此处输入图像描述

ISTIO 安全配置:

---  
 kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "http://localhost:30080/auth/realms/master"
    jwksUri: "http://localhost:30080/auth/realms/master/protocol/openid-connect/certs"
    forwardOriginalToken: true
    outputPayloadToHeader: x-jwt-payload
    EOF
---
 kubectl apply -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "frontend-ingress"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
  principalBinding: USE_ORIGIN
    EOF
---

一旦没有授权 Bearer

在此处输入图像描述

为了仔细检查,我使用了 istio 的示例并工作:

 kubectl apply -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/jwks.json"
EOF
kubectl apply -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "frontend-ingress"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
EOF

ISTIO GTW 和 VS:

apiVersion: networking.istio.io/v1alpha3    
kind: Gateway                               
metadata:                                   
  name: keycloak-gateway
  namespace: default
spec:                                       
  selector:                                 
    istio: ingressgateway                   
  servers:                                  
  - hosts:                                  
    - '*'                                   
    port:                                   
      name: http                            
      number: 80                            
      protocol: HTTP

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: enterprise-vs
spec:
  hosts:
    - '*'
  gateways:
    - default/keycloak-gateway
  http:
    - match:
        - uri:
            prefix: '/enterprise/'
      rewrite:
        uri: /
      fault:
        delay:
          fixedDelay: 1s
      route:
        - destination:
            host: enterprise
            port:
              number: 8080
            subset: enterprise-s1
          weight: 90
        - destination:
            host: enterprise
            port:
              number: 8080
            subset: enterprise-s2
          weight: 10
4

2 回答 2

2

我遇到了类似的问题。

JWT 令牌对颁发者具有以下值:“iss”:“http://localhost:8080/auth/realms/dev”

我在我的 JwtRules 即 localhost 中匹配了相同的值。但是我将 jwksUri 更改为 Keycloak 的集群 IP 地址。这似乎奏效了。

jwt规则:

- issuer: 'http://localhost:8080/auth/realms/dev'

  jwksUri: 'http://10.105.250.41:8080/auth/realms/dev/protocol/openid-connect/certs'
于 2021-11-15T09:28:55.240 回答
0

您可以检查 ingressgateway 是否可以实际访问您的 jwks_uri。我猜你会得到 404,因为它在不同的集群上或在本地 docker 上旋转,等等。人。

kubectl exec -i -t -n istio-system YOUR_ISTIOINGRESS_GATEWAY_POD -c istio-proxy -- sh -c "clear; (bash || ash || sh)"

> curl -i http://YOUR_DOMAIN:YOUR_PORT/auth/realms/master/protocol/openid-connect/certs

HTTP/1.1 404 Not Found
date: Thu, 23 Dec 2021 16:11:17 GMT
server: istio-envoy
content-length: 0

我的本地测试解决方法是运行 ngrok 以公开在端口 8080 上运行的 keycloak。

npm install -g ngrok
ngrok http 8080

将 localhost 替换为您的资源中为我工作jwksUri的生成的 ngrok 域。RequestAuthentication

于 2021-12-23T16:17:54.393 回答