
How to implement Istio authorization with OAuth2 and Keycloak

Stack Overflow user
Asked 2022-08-18 12:26:48
1 answer · 447 views · 0 followers · 0 votes

I have been trying to implement Istio authorization using OAuth2 and Keycloak. I followed a few articles on this: API Authentication: Configure Istio IngressGateway, OAuth2-Proxy and Keycloak, and Authorization Policy.

Expected output: my idea is to implement OAuth2 in the ingress gateway as an external auth provider backed by Keycloak authentication. When a user tries to access my application at <ingress host>/app, it should automatically redirect to the Keycloak login page.

How do I correctly redirect the page to the Keycloak login screen for authentication?

Problem: when I try to access <ingress host>/app, the page takes 10 seconds to load and then denies access with status 403. If I delete the authorization policy within those 10 seconds (kubectl delete -f authorization-policy.yaml), it redirects to the login screen (Keycloak).

oauth2.yaml

```yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: oauth-proxy
  name: oauth-proxy
spec:
  type: NodePort
  selector:
    app: oauth-proxy
  ports:
  - name: http-oauthproxy
    port: 4180
    nodePort: 31023
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: oauth-proxy
  name: oauth-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: "oauth-proxy"
  template:
    metadata:
      labels:
        app: oauth-proxy
    spec:
      containers:
      - name: oauth-proxy
        image: "quay.io/oauth2-proxy/oauth2-proxy:v7.2.0"
        ports:
        - containerPort: 4180
        args:
          - --http-address=0.0.0.0:4180
          - --upstream=http://test-web-app:3000
          - --set-xauthrequest=true
          - --pass-host-header=true
          - --pass-access-token=true
        env:
          # OIDC Config
          - name: "OAUTH2_PROXY_PROVIDER"
            value: "keycloak-oidc"
          - name: "OAUTH2_PROXY_OIDC_ISSUER_URL"
            value: "http://192.168.1.2:31020/realms/my_login_realm"
          - name: "OAUTH2_PROXY_CLIENT_ID"
            value: "my_nodejs_client"
          - name: "OAUTH2_PROXY_CLIENT_SECRET"
            value: "JGEQtkrdIc6kRSkrs89BydnfsEv3VoWO"
          # Cookie Config
          - name: "OAUTH2_PROXY_COOKIE_SECURE"
            value: "false"
          - name: "OAUTH2_PROXY_COOKIE_SECRET"
            value: "ZzBkN000Wm0pQkVkKUhzMk5YPntQRUw_ME1oMTZZTy0="
          - name: "OAUTH2_PROXY_COOKIE_DOMAINS"
            value: "*"
          # Proxy config
          - name: "OAUTH2_PROXY_EMAIL_DOMAINS"
            value: "*"
          - name: "OAUTH2_PROXY_WHITELIST_DOMAINS"
            value: "*"
          - name: "OAUTH2_PROXY_HTTP_ADDRESS"
            value: "0.0.0.0:4180"
          - name: "OAUTH2_PROXY_SET_XAUTHREQUEST"
            value: "true"
          - name: OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER
            value: "true"
          - name: OAUTH2_PROXY_SSL_UPSTREAM_INSECURE_SKIP_VERIFY
            value: "true"
          - name: OAUTH2_PROXY_SKIP_PROVIDER_BUTTON
            value: "true"
          - name: OAUTH2_PROXY_SET_AUTHORIZATION_HEADER
            value: "true"
```

keycloak.yaml

```yaml
apiVersion: v1
kind: Service
metadata:
  name: keycloak
spec:
  type: NodePort
  selector:
    app: keycloak
  ports:
  - name: http-keycloak
    port: 8080
    nodePort: 31020
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
spec:
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
      - name: keycloak
        image: quay.io/keycloak/keycloak:17.0.0
        ports:
        - containerPort: 8080
        args: ["start-dev"]
        env:
        - name: KEYCLOAK_ADMIN
          value: "admin"
        - name: KEYCLOAK_ADMIN_PASSWORD
          value: "admin"
```

istio-operator.yaml

```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    accessLogFile: /dev/stdout
    extensionProviders:
    - name: "oauth2-proxy"
      envoyExtAuthzHttp:
        service: "oauth-proxy.default.svc.cluster.local"
        port: "4180" # The default port used by oauth2-proxy.
        includeHeadersInCheck: ["authorization", "cookie","x-forwarded-access-token","x-forwarded-user","x-forwarded-email","x-forwarded-proto","proxy-authorization","user-agent","x-forwarded-host","from","x-forwarded-for","accept","x-auth-request-redirect"] # headers sent to the oauth2-proxy in the check request.
        headersToUpstreamOnAllow: ["authorization", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token","x-forwarded-access-token"] # headers sent to backend application when request is allowed.
        headersToDownstreamOnDeny: ["content-type", "set-cookie"] # headers sent back to the client when request is denied.
```

gateway.yaml

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: test-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - '*'
```

virtual-service.yaml

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: gateway-vs
spec:
  hosts:
    - '*'
  gateways:
    - istio-system/test-gateway
  http:
    - match:
      - uri:
          prefix: /oauth2
      route:
      - destination:
          host: oauth-proxy.default.svc.cluster.local
          port:
            number: 4180
    - match:
      - uri:
          prefix: /app
      route:
      - destination:
          host: test-web-app.default.svc.cluster.local
          port:
            number: 3000
```

authorization-policy.yaml

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example-auth-policy
spec:
  action: CUSTOM
  provider:
    name: "oauth2-proxy"
  rules:
  - to:
    - operation:
        paths: ["/app"]
        notPaths: ["/oauth2/*"]
```
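
As an added example (not code from the question, from oauth2-proxy or from Istio), the following audit walks the oauth2-proxy env block from oauth2.yaml above and flags the settings a defender would revisit before exposing the gateway: secrets as literal env values, a cleartext issuer URL, an insecure session cookie, wildcard redirect and email allow-lists, and disabled upstream TLS verification. The variable names are oauth2-proxy's own; the rule set, the severities, and the hardened variant's hostname and Secret name are assumptions of mine, and the real secret values are replaced by placeholders.

```python
"""Audit an oauth2-proxy container's env list (Kubernetes style) for settings
a defender would revisit.  Added example: not from the question, oauth2-proxy
or Istio.  Variable names are oauth2-proxy's; rules and severities are mine."""

# The question's oauth2.yaml env block, constructed here as Kubernetes-style
# env entries; the page's secret values are replaced by placeholders.
QUESTION_ENV = [
    {"name": "OAUTH2_PROXY_PROVIDER", "value": "keycloak-oidc"},
    {"name": "OAUTH2_PROXY_OIDC_ISSUER_URL", "value": "http://192.168.1.2:31020/realms/my_login_realm"},
    {"name": "OAUTH2_PROXY_CLIENT_ID", "value": "my_nodejs_client"},
    {"name": "OAUTH2_PROXY_CLIENT_SECRET", "value": "<client-secret-placeholder>"},
    {"name": "OAUTH2_PROXY_COOKIE_SECURE", "value": "false"},
    {"name": "OAUTH2_PROXY_COOKIE_SECRET", "value": "<cookie-secret-placeholder>"},
    {"name": "OAUTH2_PROXY_COOKIE_DOMAINS", "value": "*"},
    {"name": "OAUTH2_PROXY_EMAIL_DOMAINS", "value": "*"},
    {"name": "OAUTH2_PROXY_WHITELIST_DOMAINS", "value": "*"},
    {"name": "OAUTH2_PROXY_SSL_UPSTREAM_INSECURE_SKIP_VERIFY", "value": "true"},
    {"name": "OAUTH2_PROXY_SET_AUTHORIZATION_HEADER", "value": "true"},
]

# A hardened variant; the hostname and Secret name are assumed, not from the page.
HARDENED_ENV = [
    {"name": "OAUTH2_PROXY_PROVIDER", "value": "keycloak-oidc"},
    {"name": "OAUTH2_PROXY_OIDC_ISSUER_URL", "value": "https://keycloak.example.internal/realms/my_login_realm"},
    {"name": "OAUTH2_PROXY_CLIENT_ID", "value": "my_nodejs_client"},
    {"name": "OAUTH2_PROXY_CLIENT_SECRET",
     "valueFrom": {"secretKeyRef": {"name": "oauth2-proxy-secrets", "key": "client-secret"}}},
    {"name": "OAUTH2_PROXY_COOKIE_SECRET",
     "valueFrom": {"secretKeyRef": {"name": "oauth2-proxy-secrets", "key": "cookie-secret"}}},
    {"name": "OAUTH2_PROXY_COOKIE_SECURE", "value": "true"},
    {"name": "OAUTH2_PROXY_EMAIL_DOMAINS", "value": "example.internal"},
    {"name": "OAUTH2_PROXY_WHITELIST_DOMAINS", "value": "app.example.internal"},
]

SECRET_VARS = ("OAUTH2_PROXY_CLIENT_SECRET", "OAUTH2_PROXY_COOKIE_SECRET")


def env_to_dict(env):
    """Map each env name to its literal value, or to None when the entry uses
    valueFrom (a Secret/ConfigMap reference), so the two cases stay distinct."""
    return {e["name"]: (None if "valueFrom" in e else e.get("value", "")) for e in env}


def audit_oauth2_proxy_env(env):
    """Return a list of (severity, variable, message) findings."""
    cfg = env_to_dict(env)
    findings = []
    for var in SECRET_VARS:
        if cfg.get(var) is not None:  # present and literal, not a secretKeyRef
            findings.append(("high", var,
                             "secret is a literal env value; move it to a Secret and use valueFrom.secretKeyRef"))
    if (cfg.get("OAUTH2_PROXY_COOKIE_SECURE") or "true").lower() == "false":
        findings.append(("high", "OAUTH2_PROXY_COOKIE_SECURE",
                         "session cookie is set without the Secure flag and will travel over plain HTTP"))
    if (cfg.get("OAUTH2_PROXY_OIDC_ISSUER_URL") or "").startswith("http://"):
        findings.append(("high", "OAUTH2_PROXY_OIDC_ISSUER_URL",
                         "issuer is reached over cleartext HTTP; the client secret and tokens are exposed in transit"))
    if cfg.get("OAUTH2_PROXY_WHITELIST_DOMAINS") == "*":
        findings.append(("medium", "OAUTH2_PROXY_WHITELIST_DOMAINS",
                         "post-login redirect allow-list is a bare wildcard; list the ingress host explicitly"))
    if (cfg.get("OAUTH2_PROXY_SSL_UPSTREAM_INSECURE_SKIP_VERIFY") or "").lower() == "true":
        findings.append(("medium", "OAUTH2_PROXY_SSL_UPSTREAM_INSECURE_SKIP_VERIFY",
                         "upstream TLS certificate verification is disabled"))
    if cfg.get("OAUTH2_PROXY_EMAIL_DOMAINS") == "*":
        findings.append(("info", "OAUTH2_PROXY_EMAIL_DOMAINS",
                         "any account the realm authenticates is authorized; narrow it if only some users should reach /app"))
    return findings


def high_findings(env):
    """Only the findings that should block a rollout."""
    return [f for f in audit_oauth2_proxy_env(env) if f[0] == "high"]


if __name__ == "__main__":
    for label, env in (("question", QUESTION_ENV), ("hardened", HARDENED_ENV)):
        print(f"== {label} ==")
        for sev, var, msg in audit_oauth2_proxy_env(env):
            print(f"[{sev}] {var}: {msg}")
```

Run against the question's env this reports four high findings (both secrets, the insecure cookie, the cleartext issuer) plus two medium and one informational; the hardened variant reports none. The checks only inspect the manifest, so they are cheap to run as a pre-apply gate in CI.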

1 Answer

Stack Overflow user

Accepted answer

Posted 2022-08-18 15:54:36

Solved the redirect issue by updating the authorization policy

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example-auth-policy
  namespace: istio-system
spec:
  action: CUSTOM
  provider:
    name: "oauth2-proxy"
  rules:
  - to:
    - operation:
        paths: ["/app"]
        notPaths: ["/oauth2/*"]
  selector:
    matchLabels:
      app: istio-ingressgateway
```

  • Added the istio-system namespace instead of the workload namespace (default in my case)
  • Forgot to add matchLabels
0 votes
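
The two fixes in the answer come down to where an AuthorizationPolicy attaches. As an added example (not Istio's code and not from the answer), the check below takes the question's original policy and the accepted answer's version, both constructed here as dicts, and reports whether each one actually selects the ingress gateway. It assumes the gateway runs in istio-system with the label app=istio-ingressgateway, that the mesh root namespace is the Istio default istio-system, and that a policy without metadata.namespace is applied to default, as in the question.

```python
"""Check whether a CUSTOM AuthorizationPolicy attaches to the ingress gateway it
is meant to protect.  Added example; not Istio's code and not from the answer.
Assumed: gateway in istio-system labelled app=istio-ingressgateway, root namespace
istio-system, and 'default' as the namespace for a policy that names none."""

# The question's authorization-policy.yaml, constructed as a dict.
ORIGINAL_POLICY = {
    "apiVersion": "security.istio.io/v1beta1",
    "kind": "AuthorizationPolicy",
    "metadata": {"name": "example-auth-policy"},
    "spec": {
        "action": "CUSTOM",
        "provider": {"name": "oauth2-proxy"},
        "rules": [{"to": [{"operation": {"paths": ["/app"], "notPaths": ["/oauth2/*"]}}]}],
    },
}

# The accepted answer's version: same rules, now in istio-system with a selector.
FIXED_POLICY = {
    "apiVersion": "security.istio.io/v1beta1",
    "kind": "AuthorizationPolicy",
    "metadata": {"name": "example-auth-policy", "namespace": "istio-system"},
    "spec": {
        "action": "CUSTOM",
        "provider": {"name": "oauth2-proxy"},
        "rules": [{"to": [{"operation": {"paths": ["/app"], "notPaths": ["/oauth2/*"]}}]}],
        "selector": {"matchLabels": {"app": "istio-ingressgateway"}},
    },
}

GATEWAY_NAMESPACE = "istio-system"                 # assumed, matches the page
GATEWAY_LABELS = {"app": "istio-ingressgateway"}   # assumed, matches the answer
ROOT_NAMESPACE = "istio-system"                    # Istio's default meshConfig.rootNamespace


def check_gateway_policy(policy, default_namespace="default"):
    """Return (level, message) findings.  'error': the policy will not guard the
    gateway as intended.  'warn': it guards less of the URL space than expected."""
    ns = policy["metadata"].get("namespace", default_namespace)
    spec = policy["spec"]
    selector = spec.get("selector", {}).get("matchLabels", {})
    findings = []

    # A policy only selects workloads in its own namespace.
    if ns != GATEWAY_NAMESPACE:
        findings.append(("error", f"policy is in '{ns}' but the ingress gateway runs in "
                                  f"'{GATEWAY_NAMESPACE}'; it never attaches to the gateway"))
    # Without a selector it applies to every workload in the namespace, and in the
    # root namespace to the whole mesh.
    if not selector:
        scope = "every workload in the mesh" if ns == ROOT_NAMESPACE else f"every workload in '{ns}'"
        findings.append(("error", f"no spec.selector: the policy applies to {scope} instead of the gateway pods"))
    elif any(GATEWAY_LABELS.get(k) != v for k, v in selector.items()):
        findings.append(("error", f"selector {selector} does not match the gateway labels {GATEWAY_LABELS}"))

    # Istio path matching: a bare path is an exact match; a prefix needs a trailing '*'.
    for rule in spec.get("rules", []):
        for to in rule.get("to", []):
            for path in to.get("operation", {}).get("paths", []):
                if "*" not in path:
                    findings.append(("warn", f"path '{path}' is an exact match; requests to '{path}/...' "
                                             f"skip the provider unless you write '{path}*'"))
    return findings


def blocking_findings(policy):
    """Messages that mean the gateway is not protected at all."""
    return [m for lvl, m in check_gateway_policy(policy) if lvl == "error"]


if __name__ == "__main__":
    for label, pol in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        print(f"== {label} ==")
        for lvl, msg in check_gateway_policy(pol):
            print(f"[{lvl}] {msg}")
```

The original policy produces two errors (wrong namespace, no selector), which is why deleting it changed the behaviour of the workloads in default but never the gateway. The fixed policy produces no errors; the remaining warning is that paths: ["/app"] matches only that exact path, so anything under /app/ routed by the VirtualService's prefix match is not sent to oauth2-proxy unless the path is written as /app*.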
Original page content provided by Stack Overflow. Translation supported by Tencent Cloud Xiaowei's IT-domain engine.
Original link:

https://stackoverflow.com/questions/73403065
