0

我正在尝试设置单点登录 (SSO) 以访问 apache 2.4 上的私有目录,并为 keycloak 登录用户分配弹性搜索 (opendistro) 中的角色。在 keycloak 中为用户分配角色没有真正的问题(并且也成功连接到 openldap 服务器)。如果我将 Bearer 令牌发送到 ES,它将角色链接到后端角色。一切都迎接。

问题是elasticsearch是无状态的,它似乎没有读取从keycloak和mod_auth_openidc获得的cookie(无法正确设置config.xml)。所以,我无法让 ES 使用 opendid 连接会话。

所以,我决定为 ES 选择 Bearer Authentication,我需要在对 ES 的每个 http 请求中添加 Bearer http 标头。

我通过添加以下内容从 mod_auth_openidc 获得 Bearer 令牌:

标头集授权“承载 %{OIDC_access_token}e” env=OIDC_access_token

到我在 apache conf 中受保护的位置(启用的标头模块)。但是当我尝试将该令牌与 curl (for testing) 一起使用时,它不会工作

 curl -i -k --noproxy '*' -H "Authorization: thebearerfromapache" https://es.*****.com:9200/protectedresources

我得到 401 未经授权。弹性搜索日志:

[2020-11-22T14:58:58,404][DEBUG][c.a.o.s.a.BackendRegistry] [node-1] Check authdomain for rest noop/0 or 2 in total
[2020-11-22T14:58:58,405][DEBUG][c.a.o.s.a.BackendRegistry] [node-1] 'java.lang.IllegalArgumentException: No enum constant org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm.R{"alg":"RS256","typ" : "JWT","kid" : "BHQ5Qu3GJKSAUYKPy3itq5oZLmmrAD_eFdZQa88oX8c' extracting credentials from jwt-key-by-oidc http authenticator
java.lang.IllegalArgumentException: No enum constant org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm.R{"alg":"RS256","typ" : "JWT","kid" : "BHQ5Qu3GJKSAUYKPy3itq5oZLmmrAD_eFdZQa88oX8c
        at java.lang.Enum.valueOf(Enum.java:273) ~[?:?]

编辑:我将 keycloak 中访问令牌的算法更改为 HS256,现在我得到了

[2020-11-22T15:27:31,195][INFO ][c.a.d.a.h.j.k.JwtVerifier] [node-1] Escaped Key ID from JWT Token
[2020-11-22T15:27:31,196][DEBUG][c.a.d.a.h.j.k.SelfRefreshingKeySet] [node-1] performRefresh(c3145a71-0a3c-4b99-86e0-a8bf30c33f23)
[2020-11-22T15:27:31,197][INFO ][c.a.d.a.h.j.k.SelfRefreshingKeySet] [node-1] Performing refresh 1
[2020-11-22T15:27:31,450][INFO ][c.a.d.a.h.j.k.SelfRefreshingKeySet] [node-1] KeySetProvider finished
[2020-11-22T15:27:31,452][INFO ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [node-1] Extracting JWT token from eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjMzE0NWE3MS0wYTNjLTRiOTktODZlMC1hOGJmMzBjMzNmMjMifQ.eyJleHAiOjE2MDYwNTkwMzEsImlhdCI6MTYwNjA1ODczMSwiYXV0aF90aW1lIjoxNjA2MDU4NzMxLCJqdGkiOiI2MzFjYmIyZS1hODhjLTQwZmItYjU1My1lYzM0YmI2NTQ5YzEiLCJpc3MiOiJodHRwczovL2F1dGguc2VhcmNoZXZvbHV0aW9uLmNvbTo4NDQzL2F1dGgvcmVhbG1zL3dlYiIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiJkNDgxNTE5OS0zZTExLTQyOTktYmY3My1jZGUzYmI3MDMwM2UiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhcGFjaGUtbm9kZTEiLCJub25jZSI6IjFwd3lQUUpOZlhFOTlTaTVNbjF2NGd2MXBtdkZQdWtqZEpYS3pnd3RiM0EiLCJzZXNzaW9uX3N0YXRlIjoiOGZjMTk0ZDQtMjY2Yy00ZTc0LWE0MGQtNmFjOGY0ZDU2NDEyIiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyIiLCJodHRwczovL25vZGUxLnNlYXJjaGV2b2x1dGlvbi5jb20vIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsImhyIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsImhyIiwidW1hX2F1dGhvcml6YXRpb24iXSwibmFtZSI6IkpvaG4gRG9lIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiamRvZSIsImdpdmVuX25hbWUiOiJKb2huIiwiZmFtaWx5X25hbWUiOiJEb2UifQ.dpX_F5r-KqSYr7atK7K9B3FzJ9VbDiIdqmhYBMsHyV0 failed
com.amazon.dlic.auth.http.jwt.keybyoidc.BadCredentialsException: Unknown kid c3145a71-0a3c-4b99-86e0-a8bf30c33f23

这个 shell 脚本有效:

RESULT=`curl -k --noproxy '*' -d 'client_id=apache-node1' -d 'username=jdoe' -d 'password=*****' -d 'grant_type=password' -d 'client_secret=6a7a0299-e420-4206-ae02-9e68bf7044ff' -d 'scope=openid' 
'https://auth.****.com:8443/auth/realms/web/protocol/openid-connect/token'`

TOKEN=`echo $RESULT | sed 's/.*access_token":"\([^"]*\).*/\1/'`

curl -i -k --noproxy '*' -H "Authorization: Bearer $TOKEN" https://es.****.com:9200/humanresources/_search

opendistro 安全插件配置:

 jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: openid
          challenge: false
          config:
            jwt_header: Authorization
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://auth.****.com:8443/auth/realms/web/.well-known/openid-configuration

            jwks_uri: https://auth.****.com:8443/auth/realms/web/protocol/openid-connect/certs
        authentication_backend:
          type: noop

任何想法如何设置弹性搜索来识别该令牌?

4

1 回答 1

1

最后,正确的 apache 配置是包含 ID 令牌(不是访问令牌)

所以,

 Header set Authorization "Bearer %{OIDC_id_token}e" env=OIDC_id_token

并在虚拟主机的全局配置中(否则 id 令牌未添加到 http 标头中)

OIDCPassIDTokenAs serialized

我在 keycloak 管理中使用了“ES256”:Fine Grain OpenID Connect Configuration ID Token Signature Algorithm

于 2020-11-22T19:04:42.610 回答