英文:
How to solve FastApi Keycloak token url resolved from DNS to Docker Container Name?
问题
我正在尝试在我的FastApi服务中设置身份验证流程。我已经为Keycloak、FastApi和Nginx创建了一个工作的Docker容器。在Nginx中,我将连接重定向到服务器的IP,同时重定向到Keycloak和FastApi(我有两个域名,让我们称它们为keycloakdomain.com和fastapidomain.com)。
我正在使用FastApiKeycloak库来在Keycloak中进行身份验证。我想通过Swagger文档中的"Authorize"按钮进行授权,以便在我的fastapi服务中获取访问令牌,从我的Keycloak实例中获取。
以下是我的FastApi配置代码:
keycloak = FastAPIKeycloak(
server_url="https://keycloakdomain.com/auth",
client_id="mykeycloakclient",
client_secret="secret",
admin_client_secret="secret",
realm="realmname",
callback_uri="https://fastapidomain.com/docs",
)
keycloak.add_swagger_config(app)
然后,我保护一个端点以显示"Authorize"按钮。当我点击它时,我看到的是:
在TOKEN URL中,我有容器名称和端口,而不是在配置对象中写的URL域名(协议是HTTP,而不是HTTPS)。
我期望看到"https://keycloakdomain.com/auth/realms ..."。我在这里做错了什么吗?我可以在哪里设置baseUrl?
附注:
如果我使用Postman向我期望的端点(带有域名的端点)发出POST请求,我会得到访问令牌和实际需要的数据。
英文:
i'm trying to set up an auth flow in my FastApi service. I have a working docker container for Keycloak, FastApi and Nginx. In nginx i redirect the connection to server's ip, to both keycloak and fastapi (i have 2 domains, lets call them keycloakdomain.com and fastapidomain.com).
I'm using the FastApiKeycloak library to authenticate in Keycloak. I want to authorize via the "Authorize" button, in the swagger docs of my fastapi service so i can get the access token for subsequent requests, from my keycloak instance.
Here's my configuration code in FastApi:
keycloak = FastAPIKeycloak(
server_url="https://keycloakdomain.com/auth",
client_id="mykeycloakclient",
client_secret="secret",
admin_client_secret="secret",
realm="realmname",
callback_uri="https://fastapidomain.com/docs",
)
keycloak.add_swagger_config(app)
Then i protect an endpoint so the Authorize button is shown. When i click on it, here's what i see:
In the TOKEN URL i have the container name and port, not the url domain that i wrote in the configuration object (the protocol is HTTP, not HTTPS).
I'm expecting to see "https://keycloakdomain.com/auth/realms ...".
Am I doing something wrong here? Can i set the baseUrl somewhere?
P.S:
If I make a POST request with postman to the endpoint im expecting (the one with domain name), i get the access token and the data i actually need.
答案1
得分: 1
我找到了解决这个问题的方法。问题出在Keycloak的nginx配置上。我没有设置头部,所以反向代理没有正确地转发主机头。
请参考Jan的这个答案:https://stackoverflow.com/questions/66176321/keycloak-behind-reverse-proxy-mixes-internal-and-external-addresses
希望这能帮助其他人。
英文:
I found a solution to the problem. The issue was with the nginx configuration of Keycloak. I didn't set the headers and so the reverse proxy wasn't forwarding host headers properly.
See this answer from Jan: https://stackoverflow.com/questions/66176321/keycloak-behind-reverse-proxy-mixes-internal-and-external-addresses
Hope this could help someone else.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论