如何解决从DNS解析到Docker容器名称的FastApi Keycloak令牌URL?

huangapple go评论65阅读模式
英文:

How to solve FastApi Keycloak token url resolved from DNS to Docker Container Name?

问题

我正在尝试在我的FastApi服务中设置身份验证流程。我已经为Keycloak、FastApi和Nginx创建了一个工作的Docker容器。在Nginx中,我将连接重定向到服务器的IP,同时重定向到Keycloak和FastApi(我有两个域名,让我们称它们为keycloakdomain.com和fastapidomain.com)。

我正在使用FastApiKeycloak库来在Keycloak中进行身份验证。我想通过Swagger文档中的"Authorize"按钮进行授权,以便在我的fastapi服务中获取访问令牌,从我的Keycloak实例中获取。

以下是我的FastApi配置代码:

keycloak = FastAPIKeycloak(
   server_url="https://keycloakdomain.com/auth",
   client_id="mykeycloakclient",
   client_secret="secret",
   admin_client_secret="secret",
   realm="realmname",
   callback_uri="https://fastapidomain.com/docs",
)
keycloak.add_swagger_config(app)

然后,我保护一个端点以显示"Authorize"按钮。当我点击它时,我看到的是:

如何解决从DNS解析到Docker容器名称的FastApi Keycloak令牌URL?

在TOKEN URL中,我有容器名称和端口,而不是在配置对象中写的URL域名(协议是HTTP,而不是HTTPS)。

我期望看到"https://keycloakdomain.com/auth/realms ..."。我在这里做错了什么吗?我可以在哪里设置baseUrl?

附注:
如果我使用Postman向我期望的端点(带有域名的端点)发出POST请求,我会得到访问令牌和实际需要的数据。

英文:

i'm trying to set up an auth flow in my FastApi service. I have a working docker container for Keycloak, FastApi and Nginx. In nginx i redirect the connection to server's ip, to both keycloak and fastapi (i have 2 domains, lets call them keycloakdomain.com and fastapidomain.com).

I'm using the FastApiKeycloak library to authenticate in Keycloak. I want to authorize via the "Authorize" button, in the swagger docs of my fastapi service so i can get the access token for subsequent requests, from my keycloak instance.

Here's my configuration code in FastApi:

keycloak = FastAPIKeycloak(
   server_url="https://keycloakdomain.com/auth",
   client_id="mykeycloakclient",
   client_secret="secret",
   admin_client_secret="secret",
   realm="realmname",
   callback_uri="https://fastapidomain.com/docs",
 )
 keycloak.add_swagger_config(app)

Then i protect an endpoint so the Authorize button is shown. When i click on it, here's what i see:

如何解决从DNS解析到Docker容器名称的FastApi Keycloak令牌URL?

In the TOKEN URL i have the container name and port, not the url domain that i wrote in the configuration object (the protocol is HTTP, not HTTPS).

I'm expecting to see "https://keycloakdomain.com/auth/realms ...".

Am I doing something wrong here? Can i set the baseUrl somewhere?

P.S:
If I make a POST request with postman to the endpoint im expecting (the one with domain name), i get the access token and the data i actually need.

答案1

得分: 1

我找到了解决这个问题的方法。问题出在Keycloak的nginx配置上。我没有设置头部,所以反向代理没有正确地转发主机头。

请参考Jan的这个答案:https://stackoverflow.com/questions/66176321/keycloak-behind-reverse-proxy-mixes-internal-and-external-addresses

希望这能帮助其他人。

英文:

I found a solution to the problem. The issue was with the nginx configuration of Keycloak. I didn't set the headers and so the reverse proxy wasn't forwarding host headers properly.

See this answer from Jan: https://stackoverflow.com/questions/66176321/keycloak-behind-reverse-proxy-mixes-internal-and-external-addresses

Hope this could help someone else.

huangapple
  • 本文由 发表于 2023年6月27日 21:59:14
  • 转载请务必保留本文链接:https://go.coder-hub.com/76565637.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定