
Keycloak, OAuth2-proxy and nginx.ingress.kubernetes

Stack Overflow user
Asked on 2021-03-16 11:37:11
2 answers, 4.4K views, 0 followers, 5 votes

I have a problem authenticating a Kubernetes application with oauth2-proxy/keycloak. I don't know what is going on.

  • Webapp (test-app.domain.com)

  • oauth2-proxy (oauth2-proxy.domain.com)

  • keycloak (keycloak-test.domain.com)

These three applications run separately.

Description of the authentication process:

After opening test.domain.com, I am redirected to https://keycloak-test.domain.com/auth/realms/local/protocol/openid-connect/auth?approval_prompt=force&client_id=k8s2&redirect_uri=https%3A%2F%2Foauth2-proxy.domain.com%2Foauth2%2Fcallback&response_type=code&scope=openid+profile+email+users&state=7a6504626c89d85dad9337f57072d7e4%3Ahttps%3A%2F%2Ftest-app%2F

The Keycloak login page is displayed correctly, but after the user logs in I get a 500 Internal Server Error at the URL https://oauth2-proxy.domain.com/oauth2/callback?state=753caa3a281921a02b97d3efeabe7adf%3Ahttps%3A%2F%2Ftest-app.domain.com%2F&session_state=f5d45a13-5383-4a79-aa7a-56bbaa16056f&code=5344ae72-a9ee-448f-95ef-45e413f69f4b.f5d45a13-5383-4a79-aa7a-56bbaa16056f.78732ee5-af17-43fc-9f52-856e06bfce04

Logs from oauth2-proxy:

[2021/03/16 11:25:35] [stored_session.go:76] Error loading cookied session: cookie "_oauth2_proxy" not present, removing session
10.30.21.14:35382 - - [2021/03/16 11:25:35] oauth2-proxy.domain.com GET - "/oauth2/auth" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15" 401 13 0.000
10.96.5.198:35502 - - [2021/03/16 11:25:35] oauth2-proxy.domain.com GET - "/oauth2/start?rd=https://test-app.domain.com/" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15" 302 400 0.000
[2021/03/16 11:25:39] [oauthproxy.go:753] Error redeeming code during OAuth2 callback: email in id_token (user1@user.com) isn't verified
10.96.5.198:35502 - - [2021/03/16 11:25:39] oauth2-proxy.domain.com GET - "/oauth2/callback?state=1fe22deb33ce4dc7e316f23927b8d821%3Ahttps%3A%2F%2Ftest-app.domain.com%2F&session_state=c69d7a8f-32f2-4a84-a6af-41b7d2391561&code=4759cce8-1c1c-4da3-ba94-9987c2ce3e02.c69d7a8f-32f2-4a84-a6af-41b7d2391561.78732ee5-af17-43fc-9f52-856e06bfce04" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15" 500 345 0.030

test-app Ingress:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "oauth2-proxy.domain.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "oauth2-proxy.domain.com/oauth2/start?rd=$scheme://$best_http_host$request_uri"
    nginx.ingress.kubernetes.io/auth-response-headers: "x-auth-request-user, x-auth-request-email, x-auth-request-access-token"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
  name: test-app
  namespace: its
spec:
  rules:
    - host: test-app.domain.com
      http:
        paths:
          - path: /
            backend:
              serviceName: test-app
              servicePort: http

  tls:
    - hosts:
      - test-app.domain.com
      secretName: cert-wild.test-proxy.domain.com

oauth2-proxy configuration and Ingress:

containers:
      - name: oauth2-proxy
        image: quay.io/oauth2-proxy/oauth2-proxy:latest
        ports:
        - containerPort: 8091
        args:
        - --provider=oidc
        - --client-id=k8s2
        - --client-secret=Sd28cf1-1e14-4db1-8ed1-5ba64e1cd421
        - --cookie-secret=x-1vrrMhC-886ITuz8ySNw==
        - --oidc-issuer-url=https://keycloak-test.domain.com/auth/realms/local
        - --email-domain=*
        - --scope=openid profile email users
        - --cookie-domain=.domain.com
        - --whitelist-domain=.domain.com
        - --pass-authorization-header=true
        - --pass-access-token=true
        - --pass-user-headers=true
        - --set-authorization-header=true
        - --set-xauthrequest=true
        - --cookie-refresh=1m
        - --cookie-expire=30m
        - --http-address=0.0.0.0:8091
---
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy
  labels:
    name: oauth2-proxy
spec:
  ports:
  - name: http
    port: 8091
    targetPort: 8091
  selector:
    name: oauth2-proxy
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
  name: oauth2-proxy
  namespace: its
spec:
  rules:
    - host: oauth2-proxy.domain.com
      http:
        paths:
          - path: /oauth2
            backend:
              serviceName: oauth2-proxy
              servicePort: 8091
  tls:
    - hosts:
      - oauth2-proxy.domain.com
      secretName: cert-wild.oauth2-proxy.domain.com

2 Answers

Stack Overflow user

Posted on 2021-07-18 03:10:44

You can try setting --insecure-oidc-allow-unverified-email in the OAuth2 Proxy configuration. Alternatively, in Keycloak, mark the user's email as verified in the user settings.

Votes: 2
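The line `Error redeeming code during OAuth2 callback: email in id_token (user1@user.com) isn't verified` in the question's logs comes from the relying party refusing an ID token whose `email_verified` claim is not `true`. The answer offers two ways out: loosen the check at the consumer (`--insecure-oidc-allow-unverified-email`) or fix the claim at the source (mark the email verified in Keycloak). The Go program below is an added example, not oauth2-proxy's code or anything from the question; it implements the same decision over a constructed, unsigned ID token so the two options can be compared offline. Signature verification is intentionally out of scope here, and the claim values and the `CheckEmailClaim`/`buildUnsignedToken` names are constructed for this illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// idTokenClaims is the subset of OIDC ID token claims this check cares about.
type idTokenClaims struct {
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
}

// decodePayload returns the JSON payload of a compact JWS (header.payload.signature).
// It does NOT verify the signature: a real relying party must validate the token
// against the issuer's JWKS before trusting any claim. Omitted here for brevity.
func decodePayload(idToken string) ([]byte, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return nil, errors.New("id_token is not a compact JWS (expected 3 segments)")
	}
	return base64.RawURLEncoding.DecodeString(parts[1])
}

// CheckEmailClaim mirrors the callback decision behind the logged error: unless
// allowUnverified is set (the equivalent of --insecure-oidc-allow-unverified-email),
// a token whose email_verified claim is missing or false is rejected.
// On success it returns the email that downstream headers would carry.
func CheckEmailClaim(idToken string, allowUnverified bool) (string, error) {
	payload, err := decodePayload(idToken)
	if err != nil {
		return "", err
	}
	var claims idTokenClaims
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", fmt.Errorf("decoding id_token claims: %w", err)
	}
	if claims.Email == "" {
		return "", errors.New("id_token has no email claim")
	}
	if !claims.EmailVerified && !allowUnverified {
		return "", fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
	}
	return claims.Email, nil
}

// buildUnsignedToken assembles a constructed, unsigned ID token from the given
// claims so the example runs offline. Real Keycloak tokens are signed (RS256).
func buildUnsignedToken(claims map[string]interface{}) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

func main() {
	issuer := "https://keycloak-test.domain.com/auth/realms/local"
	// Constructed tokens: what Keycloak emits before and after the user's
	// "Email verified" switch is turned on.
	unverified := buildUnsignedToken(map[string]interface{}{
		"iss": issuer, "email": "user1@user.com", "email_verified": false,
	})
	verified := buildUnsignedToken(map[string]interface{}{
		"iss": issuer, "email": "user1@user.com", "email_verified": true,
	})
	cases := []struct {
		name  string
		token string
		allow bool
	}{
		{"unverified, strict", unverified, false},
		{"unverified, allowed", unverified, true},
		{"verified, strict", verified, false},
	}
	for _, tc := range cases {
		email, err := CheckEmailClaim(tc.token, tc.allow)
		fmt.Printf("%-20s -> email=%q err=%v\n", tc.name, email, err)
	}
}
```

Running it shows the first case failing with exactly the message from the logs, the second passing only because the check was disabled, and the third passing because the issuer now asserts the address is verified. The third path is the one to prefer: the flag makes the proxy trust an email address the identity provider has not confirmed, which matters when downstream services key authorization on the `x-auth-request-email` header the Ingress forwards.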

Stack Overflow user

Posted on 2022-09-19 10:49:35

The answer is simple: delete the user in Keycloak and register the same user again, this time with Email Verified set to true.

Votes: 0

Original content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/66654485