我的负载均衡服务中的Keycloak重定向次数太多

Question

我正在尝试在Nginx的负载均衡服务中使用keycloak。

但是当我调用服务API时，我在浏览器中收到了错误"Too Many“。

我想这个过程应该是：

1. Request load-balanced to service A 
2. Keycloak in service A redirect to login page
3. Login with password & username
----------------The above is correct----------------------------------
4. Keycloak redirect to the original page but **load-balance to service B**
5. Keycloak in service B redirect to login page
6. Auto login without password
7. Keycloak redirect to the original page but load-balance to service A
8. Keycloak in service A redirect to login page
9. Auto login without password
10. Then loop forever...

bug

我应该如何改变我的keycloak配置并修复这个bug？

nginx.conf：

    http {
      upstream backend{
          server 127.0.0.1:8001 weight=1;
          server 127.0.0.1:8002 weight=1;
      }
      
      ...
      ...
      
      server {
          listen       80;
          server_name  localhost;

          location / {
              proxy_pass http://backend;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          }
          
          ...
          ...

      }
     }

和application.properties中的Springboot密钥罩配置：

server.port=8002 # modify by command line

keycloak.auth-server-url=http://172.20.51.25:8080/auth
keycloak.realm=autocv
keycloak.public-client=true
keycloak.resource=oauthtest

keycloak.securityConstraints[0].authRoles[0]=aps
keycloak.securityConstraints[0].securityCollections[0].name= common
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/*

keycloak client config

Answer 1

你应该遵循官方的Keycloak指南Setting Up a Load Balancer or Proxy。另外，也不要忘记添加官方文档中提到的以下配置。

• proxy-address-forwarding
• Also为configurations.

启用反向代理配置

配置反向代理或负载均衡器以正确设置X-Forwarded-For和X-Forwarded-Proto HTTP头。配置反向代理或负载均衡器以保留原始Host HTTP头。将身份验证服务器配置为从X-Forwarded-For报头读取客户端的IP地址。-来自Keycloak Documentation - Identifying Client IP Addresses