问题描述
我在通过 oauth2-proxy/keycloak 验证 kubernetes webapp 时遇到问题。你不知道怎么回事
- Web 应用程序 (test-app.domain.com)
- oauth2-proxy (oauth2-proxy.domain.com)
- keycloak (keycloak-test.domain.com)
这三个应用分别运行。
身份验证程序说明:
打开后 test.domain.com 被重定向到 https://keycloak-test.domain.com/auth/realms/local/protocol/openid-connect/auth?approval_prompt=force&client_id=k8s2&redirect_uri=https%3A%2F%2Foauth2-proxy.domain.com%2Foauth2%2Fcallback&response_type=code&scope=openid+profile+email+users&state=7a6504626c89d85dad9337f57072d7e4%3Ahttps%3A%2F%2Ftest-app%2F
Keycloak 登录页面显示正确,但在用户登录后我得到:500 Internal Server Error with URL https://oauth2-proxy.domain.com/oauth2/callback?state=753caa3a281921a02b97d3efeabe7adf%3Ahttps%3A%2F%2Ftest-app.domain.com%2F&session_state=f5d45a13-5383-4a79-aa7a-56bbaa16056f&code=5344ae72-a9ee-448f-95ef-45e413f69f4b.f5d45a13-5383-4a79-aa7a-56bbaa16056f.78732ee5-af17-43fc-9f52-856e06bfce04
来自 oauth2-proxy 的日志
[2021/03/16 11:25:35] [stored_session.go:76] Error loading cookied session: cookie "_oauth2_proxy" not present,removing session
10.30.21.14:35382 - - [2021/03/16 11:25:35] oauth2-proxy.domain.com GET - "/oauth2/auth" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML,like Gecko) Version/14.0.3 Safari/605.1.15" 401 13 0.000
10.96.5.198:35502 - - [2021/03/16 11:25:35] oauth2-proxy.domain.com GET - "/oauth2/start?rd=https://test-app.domain.com/" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML,like Gecko) Version/14.0.3 Safari/605.1.15" 302 400 0.000
[2021/03/16 11:25:39] [oauthproxy.go:753] Error redeeming code during OAuth2 callback: email in id_token (user1@user.com) isn't verified
10.96.5.198:35502 - - [2021/03/16 11:25:39] oauth2-proxy.domain.com GET - "/oauth2/callback?state=1fe22deb33ce4dc7e316f23927b8d821%3Ahttps%3A%2F%2Ftest-app.domain.com%2F&session_state=c69d7a8f-32f2-4a84-a6af-41b7d2391561&code=4759cce8-1c1c-4da3-ba94-9987c2ce3e02.c69d7a8f-32f2-4a84-a6af-41b7d2391561.78732ee5-af17-43fc-9f52-856e06bfce04" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML,like Gecko) Version/14.0.3 Safari/605.1.15" 500 345 0.030
测试应用入口
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
Metadata:
annotations:
Nginx.ingress.kubernetes.io/auth-url: "oauth2-proxy.domain.com/oauth2/auth"
Nginx.ingress.kubernetes.io/auth-signin: "oauth2-proxy.domain.com/oauth2/start?rd=$scheme://$best_http_host$request_uri"
Nginx.ingress.kubernetes.io/auth-response-headers: "x-auth-request-user,x-auth-request-email,x-auth-request-access-token"
Nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
name: test-app
namespace: its
spec:
rules:
- host: test-app.domain.com
http:
paths:
- path: /
backend:
serviceName: test-app
servicePort: http
tls:
- hosts:
- test-app.domain.com
secretName: cert-wild.test-proxy.domain.com
oauth2-proxy 配置和入口
containers:
- name: oauth2-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:latest
ports:
- containerPort: 8091
args:
- --provider=oidc
- --client-id=k8s2
- --client-secret=Sd28cf1-1e14-4db1-8ed1-5ba64e1cd421
- --cookie-secret=x-1vrrMhC-886ITuz8ySNw==
- --oidc-issuer-url=https://keycloak-test.domain.com/auth/realms/local
- --email-domain=*
- --scope=openid profile email users
- --cookie-domain=.domain.com
- --whitelist-domain=.domain.com
- --pass-authorization-header=true
- --pass-access-token=true
- --pass-user-headers=true
- --set-authorization-header=true
- --set-xauthrequest=true
- --cookie-refresh=1m
- --cookie-expire=30m
- --http-address=0.0.0.0:8091
---
apiVersion: v1
kind: Service
Metadata:
name: oauth2-proxy
labels:
name: oauth2-proxy
spec:
ports:
- name: http
port: 8091
targetPort: 8091
selector:
name: oauth2-proxy
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
Metadata:
annotations:
Nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
name: oauth2-proxy
namespace: its
spec:
rules:
- host: oauth2-proxy.domain.com
http:
paths:
- path: /oauth2
backend:
serviceName: oauth2-proxy
servicePort: 8091
tls:
- hosts:
- oauth2-proxy.domain.com
secretName: cert-wild.oauth2-proxy.domain.com
解决方法
您可以尝试在 oauth2-proxy 配置中设置 --insecure-oidc-allow-unverified-email。 或者,在 keycloak 中,标记在用户设置中验证的用户电子邮件..