我在另一个无法自己提供 A&A 的应用程序前面设置oauth2-proxy ( https://github.com/oauth2-proxy/oauth2-proxy )。
- Keycloak-OIDC 提供者被配置用于身份管理,
- 在最终状态下,应用程序将作为 pod sidecar 在 K8s 上运行,它应该向 pod 中的应用程序容器添加身份验证。但我认为这在此刻无关紧要,
- 目前,如果它被配置为在 localhost 上运行。
“实验”在 docker-compose 文件之上运行:
version: "3.7"
services:
oauth2-proxy:
image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.0
ports:
- 4180:4180
environment:
OAUTH2_PROXY_PROVIDER: keycloak-oidc
OAUTH2_PROXY_CLIENT_ID: changeme
OAUTH2_PROXY_CLIENT_SECRET: changeme
OAUTH2_PROXY_OIDC_ISSUER_URL: https://<keycloak-host>/auth/realms/operations
OAUTH2_PROXY_UPSTREAMS: "http://localhost:4440"
OAUTH2_PROXY_COOKIE_SECRET: q_6A1CtSYFi-GK9crHCKszRxQ2g9op7-DZ6ShUbzoyc=
OAUTH2_PROXY_COOKIE_DOMAINN: "http://localhost:4180"
OAUTH2_PROXY_EMAIL_DOMAINS: "*"
OAUTH2_PROXY_SSL_UPSTREAM_INSECURE_SKIP_VERIFY: "true"
OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY: "true"
OAUTH2_PROXY_ERRORS_TO_INFO_LOG: "true"
OAUTH2_PROXY_REDIRECT_URL: "http://localhost:4180/oauth2/callback"
OAUTH2_PROXY_HTTP_ADDRESS: http://:4180
whoami:
image: containous/whoami
ports:
- 4440:80
每当我向 发出呼叫时http://localhost:4180/
,我都可以在 Keycloak IDP 上对自己进行身份验证。不幸的是,oauth2-proxy之后无法将流量转发到我配置的上游应用程序,说明Connection refused
. 不涉及 TLS 设置。
日志:
Docker Compose is now in the Docker CLI, try `docker compose up`
Starting oauth2-proxy_whoami_1 ... done
Starting oauth2-proxy_oauth2-proxy_1 ... done
Attaching to oauth2-proxy_whoami_1, oauth2-proxy_oauth2-proxy_1
whoami_1 | Starting up on port 80
oauth2-proxy_1 | [2021/10/29 12:36:08] [proxy.go:89] mapping path "/" => upstream "http://localhost:4440"
oauth2-proxy_1 | [2021/10/29 12:36:08] [oauthproxy.go:148] OAuthProxy configured for Keycloak OIDC Client ID: changeme
oauth2-proxy_1 | [2021/10/29 12:36:08] [oauthproxy.go:154] Cookie settings: name:_oauth2_proxy secure(https):false httponly:true expiry:168h0m0s domains: path:/ samesite: refresh:disabled
oauth2-proxy_1 | [2021/10/29 12:36:13] [error_page.go:93] Error proxying to upstream server: dial tcp 127.0.0.1:4440: connect: connection refused
oauth2-proxy_1 | 172.22.0.1 - ae2cb8ba-e1d5-4664-8ba7-6c42e1795235 - <mymail> [2021/10/29 12:36:13] localhost:4180 GET / "/" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36" 502 2303 0.011
当我直接访问“http://localhost:4440”时,一切正常。
感谢您的帮助/评论。