Eclipse: Unable to integrate OpenId for Management

Stack Overflow user
Asked on 2021-01-15 12:06:18
Answers 1 Views 259 Followers 0 Votes 0

Components:

  • Keycloak: 11
  • Hawkbit-mysql

Runtime:

  • Docker (docker-compose)

Hi, I integrated OpenId into Hawkbit using Keycloak 11. This works for Management, but not for Management.

I followed the setup from the documentation and added the application.properties. The flow used is authorization_code, which is what Hawkbit expects.

DOCKER-COMPOSE

These are the env vars from my compose file:

```yaml
      - spring.security.oauth2.client.registration.oidc.client-id=hawkbit-client
      - spring.security.oauth2.client.registration.oidc.client-secret= XXX
      - spring.security.oauth2.client.registration.oidc.scope=openid,profile
      - spring.security.oauth2.client.provider.oidc.issuer-uri=http://keycloak:8080/auth/realms/master
      - spring.security.oauth2.client.provider.oidc.authorization-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/auth
      - spring.security.oauth2.client.provider.oidc.token-uri=http://keycloak:8080/auth/realms/master/protocol/openid-connect/token
      - spring.security.oauth2.client.provider.oidc.user-info-uri=http://keycloak:8080/auth/realms/master/protocol/openid-connect/userinfo
      - spring.security.oauth2.client.provider.oidc.jwk-set-uri=http://keycloak:8080/auth/realms/master/protocol/openid-connect/certs
      - spring.security.oauth2.client.registration.oidc.authorization-grant-type=authorization_code
```

I also changed hawkbit's port in my compose file:

ports:

  • 8081:8080

KEYCLOAK:

My client uses direct access grant and standard flow. My user has the client roles READ_TARGET and SYSTEM_ADMIN.

LOGS:

I enabled finer-grained logging, and there is communication between Keycloak and Hawkbit. But when I perform the login using Management, it fails.

2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.AnonymousAuthenticationFilter  : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@ff9b1cf2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 10.0.2.2; SessionId: node01o0pnlb0ekeez180l4o6axsvmt0; Granted Authorities: ROLE_ANONYMOUS'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy        : /UI/UIDL/?v-uiId=0 at position 13 of 16 in additional filter chain; firing Filter: 'OAuth2AuthorizationCodeGrantFilter'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy        : /UI/UIDL/?v-uiId=0 at position 14 of 16 in additional filter chain; firing Filter: 'SessionManagementFilter'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy        : /UI/UIDL/?v-uiId=0 at position 15 of 16 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy        : /UI/UIDL/?v-uiId=0 at position 16 of 16 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/UI/UIDL/'; against '/UI/login/**'
2021-01-15 09:18:09.607 DEBUG 1 --- [tp1234905692-18] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/UI/UIDL/'; against '/UI/UIDL/**'
2021-01-15 09:18:09.608 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.i.FilterSecurityInterceptor    : Secure object: FilterInvocation: URL: /UI/UIDL/?v-uiId=0; Attributes: [permitAll]
2021-01-15 09:18:09.608 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.i.FilterSecurityInterceptor    : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@ff9b1cf2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 10.0.2.2; SessionId: node01o0pnlb0ekeez180l4o6axsvmt0; Granted Authorities: ROLE_ANONYMOUS
2021-01-15 09:18:09.611 DEBUG 1 --- [tp1234905692-18] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@6de64288, returned: 1
2021-01-15 09:18:09.611 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.i.FilterSecurityInterceptor    : Authorization successful
2021-01-15 09:18:09.611 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.i.FilterSecurityInterceptor    : RunAsManager did not change Authentication object
2021-01-15 09:18:09.611 DEBUG 1 --- [tp1234905692-18] o.s.security.web.FilterChainProxy        : /UI/UIDL/?v-uiId=0 reached end of additional filter chain; proceeding with original chain
2021-01-15 09:18:09.719 DEBUG 1 --- [tp1234905692-18] o.s.s.authentication.ProviderManager     : Authentication attempt using org.eclipse.hawkbit.autoconfigure.security.InMemoryUserManagementAutoConfiguration$TenantDaoAuthenticationProvider
2021-01-15 09:18:10.076 DEBUG 1 --- [tp1234905692-18] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@694b6660
2021-01-15 09:18:10.078 DEBUG 1 --- [tp1234905692-18] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2021-01-15 09:18:10.081 DEBUG 1 --- [tp1234905692-18] o.s.s.w.a.ExceptionTranslationFilter     : Chain processed normally
2021-01-15 09:18:10.082 DEBUG 1 --- [tp1234905692-18] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] s.a.i.a.AspectJMethodSecurityInterceptor : Secure object: ReflectiveMethodInvocation: public void org.eclipse.hawkbit.repository.jpa.JpaSystemManagement.forEachTenant(java.util.function.Consumer); target is of class [org.eclipse.hawkbit.repository.jpa.JpaSystemManagement]; Attributes: [[authorize: 'hasAuthority('ROLE_SYSTEM_CODE')', filter: 'null', filterTarget: 'null']]
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] s.a.i.a.AspectJMethodSecurityInterceptor : Previously Authenticated: org.eclipse.hawkbit.security.SystemSecurityContext$SystemCodeAuthentication@2233a89d
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@3e6c0950, returned: 1
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] s.a.i.a.AspectJMethodSecurityInterceptor : Authorization successful
2021-01-15 09:18:10.886 DEBUG 1 --- [executor-pool-1] s.a.i.a.AspectJMethodSecurityInterceptor : RunAsManager did not change Authentication object
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] s.a.i.a.AspectJMethodSecurityInterceptor : Secure object: ReflectiveMethodInvocation: public void org.eclipse.hawkbit.repository.jpa.JpaSystemManagement.forEachTenant(java.util.function.Consumer); target is of class [org.eclipse.hawkbit.repository.jpa.JpaSystemManagement]; Attributes: [[authorize: 'hasAuthority('ROLE_SYSTEM_CODE')', filter: 'null', filterTarget: 'null']]
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] s.a.i.a.AspectJMethodSecurityInterceptor : Previously Authenticated: org.eclipse.hawkbit.security.SystemSecurityContext$SystemCodeAuthentication@73f49ea6
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@3e6c0950, returned: 1
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] s.a.i.a.AspectJMethodSecurityInterceptor : Authorization successful
2021-01-15 09:18:10.890 DEBUG 1 --- [executor-pool-0] s.a.i.a.AspectJMethodSecurityInterceptor : RunAsManager did not change Authentication object

My thoughts:

I am very confused about what is happening, because no exception is thrown, neither in hawkbit nor in keycloak. With fine-grained logging enabled, Keycloak behaves the same way and does not even log the auth request. Also confusing is that even with oauth enabled I can still log in with the standard user admin admin. I don't think it is a Keycloak problem, because according to the logs the connection is created and the configuration obtained via the well-known endpoint is being used.

Questions:

  1. Is there anything else that needs to be configured in Keycloak?
  2. Are there other environment variables that should be used?
  3. I have seen that the hawkbit project uses Spring Boot 2.1.4.RELEASE as parent (although a pull request was opened today updating it to 2.4). Are there known issues with this version?

1 Answer

Stack Overflow user

Posted on 2021-01-29 16:33:17

This works for Management, but not for Management

It sounds like logging in to the hawkBit UI technically works, but you do not see any menu items in the navigation bar. If so, try adding "READ_REPOSITORY" to the user's client roles.

Is there anything else that needs to be configured in Keycloak?

No, as you explained, everything should be in place: the client (with access type = "confidential", hence the secret), the client's roles, and last but not least the assignment of the client roles to the user.

Edit: make sure you have set the correct redirect URL for the client (e.g. *).

Are there other environment variables that should be used?

No, my working setup looks similar to yours. I set the following props for hawkBit:

```properties
spring.security.oauth2.client.registration.oidc.client-id=hawkbit
spring.security.oauth2.client.registration.oidc.client-secret=cd161bd1-1e4f-448a-a257-2394615f4e98
spring.security.oauth2.client.provider.oidc.issuer-uri=http://localhost:8080/auth/realms/master
spring.security.oauth2.client.provider.oidc.authorization-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/auth
spring.security.oauth2.client.provider.oidc.token-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/token
spring.security.oauth2.client.provider.oidc.user-info-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/userinfo
spring.security.oauth2.client.provider.oidc.jwk-set-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/certs
```

I have seen that the hawkbit project uses Spring 2.1.4 as parent

Both Spring versions work fine with OAuth2. The Boot upgrade mentioned above was required because Boot 2.1.x will be end-of-life soon.

Votes 0
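As an added check that is not part of the question or the answer: a small Python lint over the two property sets posted above (both constructed inline from the page). It flags a provider endpoint whose host differs from issuer-uri, which matters because Spring's OIDC client validates the ID token's iss claim against issuer-uri exactly, and the question's config sends the browser to localhost:8080 while the issuer is keycloak:8080. Whether that split host is the cause here is an assumption to verify; the answer itself points at a missing client role.

```python
from urllib.parse import urlparse

PREFIX = "spring.security.oauth2.client."

# Constructed from the env vars in the question (compose "- KEY=VALUE" form).
QUESTION_ENV = [
    "- spring.security.oauth2.client.registration.oidc.client-id=hawkbit-client",
    "- spring.security.oauth2.client.registration.oidc.client-secret= XXX",
    "- spring.security.oauth2.client.registration.oidc.scope=openid,profile",
    "- spring.security.oauth2.client.provider.oidc.issuer-uri=http://keycloak:8080/auth/realms/master",
    "- spring.security.oauth2.client.provider.oidc.authorization-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/auth",
    "- spring.security.oauth2.client.provider.oidc.token-uri=http://keycloak:8080/auth/realms/master/protocol/openid-connect/token",
    "- spring.security.oauth2.client.registration.oidc.authorization-grant-type=authorization_code",
]
# Constructed from the answer's properties (every endpoint under one issuer).
ANSWER_PROPS = [
    "spring.security.oauth2.client.registration.oidc.client-id=hawkbit",
    "spring.security.oauth2.client.provider.oidc.issuer-uri=http://localhost:8080/auth/realms/master",
    "spring.security.oauth2.client.provider.oidc.authorization-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/auth",
    "spring.security.oauth2.client.provider.oidc.token-uri=http://localhost:8080/auth/realms/master/protocol/openid-connect/token",
]

def parse_props(lines):
    """Turn 'KEY=VALUE' lines, with or without a leading '- ', into a dict."""
    props = {}
    for raw in lines:
        line = raw.strip().lstrip("-").strip()
        if "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint(props, reg="oidc"):
    """Return findings; an empty list means the client config is consistent."""
    r, p = f"{PREFIX}registration.{reg}.", f"{PREFIX}provider.{reg}."
    findings = []
    grant = props.get(r + "authorization-grant-type", "authorization_code")
    if grant != "authorization_code":
        findings.append(f"grant type {grant!r}; hawkBit expects authorization_code")
    issuer = props.get(p + "issuer-uri", "").rstrip("/")
    if not issuer:
        return findings + ["issuer-uri is missing"]
    # OIDC requires the ID token's iss claim to equal issuer-uri exactly, so each
    # realm endpoint (the browser-facing authorization-uri too) should sit under it.
    for name in ("authorization-uri", "token-uri", "user-info-uri", "jwk-set-uri"):
        url = props.get(p + name)
        if url and not url.startswith(issuer + "/"):
            findings.append(f"{name} host differs from issuer-uri: {urlparse(url).netloc} vs {urlparse(issuer).netloc}")
    return findings
```

Run `lint(parse_props(QUESTION_ENV))` to see the split-host finding and `lint(parse_props(ANSWER_PROPS))` to see the answer's config pass clean.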
Original page content provided by Stack Overflow. Translation supported by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/65735815
