Problem description
Components:
- Keycloak: 11
- hawkbit-mysql
Runtime:
- Docker (docker-compose)
Hi, I am using Keycloak 11 to integrate OpenID into hawkBit. This works for the Management API, but not for the Management UI.
I added the application.properties as described in the docs.
The flow used is authorization_code, which is what hawkBit expects.
DOCKER-COMPOSE
This is my environment. The variables from my compose file:
- spring.security.oauth2.client.registration.oidc.client-id=hawkbit-client
- spring.security.oauth2.client.registration.oidc.client-secret= XXX
- spring.security.oauth2.client.registration.oidc.scope=openid,profile
- spring.security.oauth2.client.provider.oidc.issuer-uri=http://keycloak:8080/auth/realms/master
- spring.security.oauth2.client.provider.oidc.authorization-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/auth
- spring.security.oauth2.client.provider.oidc.token-uri=http://keycloak:8080/auth/realms/master/protocol/openid-connect/token
- spring.security.oauth2.client.provider.oidc.user-info-uri=http://keycloak:8080/auth/realms/master/protocol/openid-connect/userinfo
- spring.security.oauth2.client.provider.oidc.jwk-set-uri=http://keycloak:8080/auth/realms/master/protocol/openid-connect/certs
- spring.security.oauth2.client.registration.oidc.authorization-grant-type=authorization_code
Also, I changed hawkBit's port in the compose file:
ports:
- 8081:8080
KEYCLOAK:
My client uses direct access grant and standard flow. My user has the client roles READ_TARGET and SYSTEM_ADMIN.
LOGS:
I enabled finer-grained logging, and there is communication between Keycloak and hawkBit. But when I perform a login through the Management UI, it fails.
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@ff9b1cf2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 10.0.2.2; SessionId: node01o0pnlb0ekeez180l4o6axsvmt0; Granted Authorities: ROLE_ANONYMOUS'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy : /UI/UIDL/?v-uiId=0 at position 13 of 16 in additional filter chain; firing Filter: 'OAuth2AuthorizationCodeGrantFilter'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy : /UI/UIDL/?v-uiId=0 at position 14 of 16 in additional filter chain; firing Filter: 'SessionManagementFilter'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy : /UI/UIDL/?v-uiId=0 at position 15 of 16 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy : /UI/UIDL/?v-uiId=0 at position 16 of 16 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/UI/UIDL/'; against '/UI/login/**'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/UI/UIDL/'; against '/UI/UIDL/**'
2021-01-15 09:18:09.608 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.i.FilterSecurityInterceptor : Secure object: FilterInvocation: URL: /UI/UIDL/?v-uiId=0; Attributes: [permitAll]
2021-01-15 09:18:09.608 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.i.FilterSecurityInterceptor : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@ff9b1cf2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 10.0.2.2; SessionId: node01o0pnlb0ekeez180l4o6axsvmt0; Granted Authorities: ROLE_ANONYMOUS
2021-01-15 09:18:09.611 DEBUG 1 --- [tp1234905692-18] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@6de64288, returned: 1
2021-01-15 09:18:09.611 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.i.FilterSecurityInterceptor : Authorization successful
2021-01-15 09:18:09.611 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.i.FilterSecurityInterceptor : RunAsManager did not change Authentication object
2021-01-15 09:18:09.611 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy : /UI/UIDL/?v-uiId=0 reached end of additional filter chain; proceeding with original chain
2021-01-15 09:18:09.719 DEBUG 1 --- [tp1234905692-18] o.s.s.authentication.ProviderManager : Authentication attempt using org.eclipse.hawkbit.autoconfigure.security.InMemoryUserManagementAutoConfiguration$TenantDaoAuthenticationProvider
2021-01-15 09:18:10.076 DEBUG 1 --- [tp1234905692-18] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@694b6660
2021-01-15 09:18:10.078 DEBUG 1 --- [tp1234905692-18] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2021-01-15 09:18:10.081 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.ExceptionTranslationFilter : Chain processed normally
2021-01-15 09:18:10.082 DEBUG 1 --- [tp1234905692-18] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] s.a.i.a.AspectJMethodSecurityInterceptor : Secure object: ReflectiveMethodInvocation: public void org.eclipse.hawkbit.repository.jpa.JpaSystemManagement.forEachTenant(java.util.function.Consumer); target is of class [org.eclipse.hawkbit.repository.jpa.JpaSystemManagement]; Attributes: [[authorize: 'hasAuthority('ROLE_SYSTEM_CODE')', filter: 'null', filterTarget: 'null']]
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] s.a.i.a.AspectJMethodSecurityInterceptor : Previously Authenticated: org.eclipse.hawkbit.security.SystemSecurityContext$SystemCodeAuthentication@2233a89d
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@3e6c0950, returned: 1
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] s.a.i.a.AspectJMethodSecurityInterceptor : Authorization successful
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] s.a.i.a.AspectJMethodSecurityInterceptor : RunAsManager did not change Authentication object
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] s.a.i.a.AspectJMethodSecurityInterceptor : Secure object: ReflectiveMethodInvocation: public void org.eclipse.hawkbit.repository.jpa.JpaSystemManagement.forEachTenant(java.util.function.Consumer); target is of class [org.eclipse.hawkbit.repository.jpa.JpaSystemManagement]; Attributes: [[authorize: 'hasAuthority('ROLE_SYSTEM_CODE')', filterTarget: 'null']]
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] s.a.i.a.AspectJMethodSecurityInterceptor : Previously Authenticated: org.eclipse.hawkbit.security.SystemSecurityContext$SystemCodeAuthentication@73f49ea6
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] o.s.s.access.vote.AffirmativeBased : Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@3e6c0950, returned: 1
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] s.a.i.a.AspectJMethodSecurityInterceptor : Authorization successful
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] s.a.i.a.AspectJMethodSecurityInterceptor : RunAsManager did not change Authentication object
My thoughts:
I am very confused about what is happening, because no exception is thrown in either hawkBit or Keycloak. Keycloak, which also has fine-grained logging enabled, does not even log an authentication request.
Also confusing is that, even with oauth enabled, I can still log in with the standard user admin/admin. I do not think Keycloak is the problem, because according to the logs the connection is established and the configuration obtained via the well-known endpoint is used.
Questions:
- Do I need to configure something else in Keycloak?
- Are there other environment variables I should be using?
- I have seen that the hawkbit project uses Spring boot 2.1.4.RELEASE as its parent (although there is a pull request today that updates it to 2.4). Is there a known problem with that version?
Solution
This works for the Management API, but not for the Management UI
It sounds like the login to the hawkBit UI technically works, but you do not see any menu items in the navigation bar. If so, try adding 'READ_REPOSITORY' to your user's client roles.
Do I need to configure something else in Keycloak?
No, as you explained, everything should be in place: the client (access type 'confidential', so you can obtain a secret), the client's roles, and last but not least the assignment of the client roles to your user - done.
Edit: make sure you have also set the correct redirect URL for your client (e.g. http://localhost:8081/*)
Are there other environment variables I should be using?
No, my working setup is similar to yours. I set the following props for hawkBit:
spring.security.oauth2.client.registration.oidc.client-id=hawkbit
spring.security.oauth2.client.registration.oidc.client-secret=cd161bd1-1e4f-448a-a257-2394615f4e98
spring.security.oauth2.client.provider.oidc.issuer-uri=http://localhost:8080/auth/realms/master
spring.security.oauth2.client.provider.oidc.authorization-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/auth
spring.security.oauth2.client.provider.oidc.token-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/token
spring.security.oauth2.client.provider.oidc.user-info-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/userinfo
spring.security.oauth2.client.provider.oidc.jwk-set-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/certs
I have seen that the hawkbit project uses Spring boot 2.1.4.RELEASE as its parent
Both Spring Boot versions work fine with OAuth2. The Boot upgrade mentioned above is needed because Boot 2.1.x is about to reach end of life.
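The answer boils the problem down to three things to verify: the client roles, the redirect URL registered on the Keycloak client, and the spring.security.oauth2.client.* properties. The script below is an added example (not code from the question, the answer, hawkBit or Keycloak) that checks the property side offline. It parses the properties posted in the question and a second set modelled on the answer's working setup (both reproduced as constructed samples; the secret, scope and grant type in the second set are dummies), flags endpoint URIs that do not sit under the configured issuer-uri (as authorization-uri does in the question, where it points at localhost while the issuer is the compose hostname keycloak), flags a placeholder client secret, and derives the redirect URI Spring Security will use from hawkBit's published port, which Spring builds from the template {baseUrl}/login/oauth2/code/{registrationId}.

```python
"""Offline sanity checks for a Spring Security OAuth2 client registration (hawkBit + Keycloak).

Added example, not part of the question or the answer. Parses spring.security.oauth2.client.*
properties and reports the points that usually go wrong when hawkBit runs under docker-compose.
"""
from urllib.parse import urlparse

REG = "spring.security.oauth2.client.registration."
PROV = "spring.security.oauth2.client.provider."
ENDPOINT_KEYS = ("authorization-uri", "token-uri", "user-info-uri", "jwk-set-uri")

# Constructed sample: the compose environment from the question, verbatim.
QUESTION_PROPS = """
spring.security.oauth2.client.registration.oidc.client-id=hawkbit-client
spring.security.oauth2.client.registration.oidc.client-secret= XXX
spring.security.oauth2.client.registration.oidc.scope=openid,profile
spring.security.oauth2.client.provider.oidc.issuer-uri=http://keycloak:8080/auth/realms/master
spring.security.oauth2.client.provider.oidc.authorization-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/auth
spring.security.oauth2.client.provider.oidc.token-uri=http://keycloak:8080/auth/realms/master/protocol/openid-connect/token
spring.security.oauth2.client.provider.oidc.user-info-uri=http://keycloak:8080/auth/realms/master/protocol/openid-connect/userinfo
spring.security.oauth2.client.provider.oidc.jwk-set-uri=http://keycloak:8080/auth/realms/master/protocol/openid-connect/certs
spring.security.oauth2.client.registration.oidc.authorization-grant-type=authorization_code
"""

# Constructed sample modelled on the answer's working setup: every endpoint sits under the
# issuer. The secret, scope and grant type are dummies added for this example.
ANSWER_PROPS = """
spring.security.oauth2.client.registration.oidc.client-id=hawkbit
spring.security.oauth2.client.registration.oidc.client-secret=dummy-secret-for-example
spring.security.oauth2.client.registration.oidc.scope=openid,profile
spring.security.oauth2.client.registration.oidc.authorization-grant-type=authorization_code
spring.security.oauth2.client.provider.oidc.issuer-uri=http://localhost:8080/auth/realms/master
spring.security.oauth2.client.provider.oidc.authorization-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/auth
spring.security.oauth2.client.provider.oidc.token-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/token
spring.security.oauth2.client.provider.oidc.user-info-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/userinfo
spring.security.oauth2.client.provider.oidc.jwk-set-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/certs
"""


def parse_properties(text):
    """Parse key=value lines (the .properties subset used in compose env blocks)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def expected_redirect_uri(hawkbit_base_url, registration_id="oidc"):
    """Spring Security's default redirect template is {baseUrl}/login/oauth2/code/{registrationId};
    the Keycloak client must allow this URI (the answer's http://localhost:8081/* covers it)."""
    return f"{hawkbit_base_url.rstrip('/')}/login/oauth2/code/{registration_id}"


def check_registration(props, registration_id="oidc"):
    """Return (code, message) findings for one registration; [] means nothing looked off."""
    def reg(key):
        return props.get(f"{REG}{registration_id}.{key}", "")

    def prov(key):
        return props.get(f"{PROV}{registration_id}.{key}", "")

    findings = []
    grant = reg("authorization-grant-type")
    if grant != "authorization_code":
        findings.append(("GRANT_TYPE", f"browser login needs authorization_code, got {grant or '<unset>'}"))

    scopes = {s.strip() for s in reg("scope").split(",") if s.strip()}
    if "openid" not in scopes:
        findings.append(("SCOPE_OPENID", "scope lacks 'openid', so no ID token: plain OAuth2 login, not OIDC"))

    secret = reg("client-secret")
    if not secret or secret.upper() in {"XXX", "CHANGEME"} or secret.startswith(("<", "${")):
        findings.append(("SECRET_PLACEHOLDER", f"client-secret looks like a placeholder: {secret!r}"))

    issuer = prov("issuer-uri").rstrip("/")
    if not issuer:
        findings.append(("ISSUER_MISSING", "issuer-uri is not set"))
        return findings
    issuer_host = urlparse(issuer).netloc
    for key in ENDPOINT_KEYS:
        uri = prov(key)
        if not uri:
            continue  # Spring fills it from the issuer's discovery document
        if not uri.startswith(issuer + "/"):
            findings.append(("ENDPOINT_OUTSIDE_ISSUER",
                             f"{key} host {urlparse(uri).netloc!r} differs from issuer host {issuer_host!r}; "
                             "a browser-facing URL is normal inside compose, but the ID token's 'iss' "
                             "claim must still equal issuer-uri or Spring's decoder rejects it"))
    return findings


if __name__ == "__main__":
    for name, text in (("question", QUESTION_PROPS), ("answer", ANSWER_PROPS)):
        print(f"[{name}]")
        for code, msg in check_registration(parse_properties(text)) or [("OK", "no findings")]:
            print(f"  {code}: {msg}")
    # hawkBit is published as 8081:8080 in the question's compose file
    print("redirect URI to allow on the Keycloak client:", expected_redirect_uri("http://localhost:8081"))
```

Run it as a plain script; it needs no network. For the question's properties it reports the split between the container-facing issuer and the browser-facing authorization-uri and the placeholder secret, and nothing for the answer's set. The 'iss' caveat is the assumption to keep in mind when Keycloak is reached under two hostnames: Spring validates the ID token's issuer against issuer-uri, so the realm must issue tokens with the same issuer string hawkBit is configured with.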