keycloak-nodejs-反向代理后面连接express.js应用

Question

我已经用Keycloak中间件为Express创建了一个node.js应用程序，众所周知，它“在我的电脑上工作”。

const Keycloak = require('keycloak-connect')
const express = require('express')
const session = require('express-session')
const app = express()

const LOGIN_PATH = '/login'
const LOGOUT_PATH = '/logout'
const SESSION_STORE_PASS = '123456789012345678901234567890!!!'

const server = app.listen(3000, function () {
    const host = server.address().address
    const port = server.address().port
    console.log('Example app listening at http://%s:%s', host, port)
})

app.get('/', function (req, res) {
    res.redirect(LOGIN_PATH)
})

// Create a session-store to be used by both the express-session
// middleware and the keycloak middleware.
const memoryStore = new session.MemoryStore()
app.use(session({
    secret: SESSION_STORE_PASS,
    resave: false,
    saveUninitialized: true,
    store: memoryStore
}))

const kcOptions = {
    "realm": "nodejs-example",
    "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB",
    "auth-server-url": "http://localhost:8080/auth",
    "ssl-required": "external",
    "resource": "nodejs-connect",
    "public-client": true
}
console.log("Starting Keycloak connector with options: ", kcOptions)
const keycloak = new Keycloak({store: memoryStore}, kcOptions)

app.use(keycloak.middleware({
    logout: LOGOUT_PATH, // <-- this is supposed to delete the session and log you out from KC as well
    admin: '/'
}))

app.get('/login', keycloak.protect(), async function (req, res) {
    let token
    try {
        const grant = await keycloak.getGrant(req, res)
        token = grant.access_token
        console.log(`Found token ${token}`)
    } catch (e) {
        console.log("Unable to find the token in KC response ", req.session)
        throw new Error(e)
    }
    const userProfile = await keycloak.grantManager.userInfo(token)
    console.log("Found user profile:", userProfile)

    res.header("Content-Type", 'application/json')
    return res.send(JSON.stringify(userProfile, null, 4))
})

此应用程序侦听端口3000，但问题是浏览器将通过反向代理(端口80)到达该端口。而且我也没有办法让中间件向Keycloak发送正确的"redirect_uri“查询参数。它总是将具有相同端口3000的URL放在本地服务器正在侦听的位置。

我发现redirection-url设置了in the documentation，但我在Github存储库中找不到该字符串的证据。

Answer 1

根据keycloak-nodejs-connect存储库中的一些代码分析，假设应用程序可以直接访问，则redirect_uri查询参数为merely assembled from the incoming request。

这个问题会影响到登录和注销阶段。因此--不假思索地--在实际情况下(涉及反向代理或负载均衡器)无法使用该库。

更不用说文档中描述的功能和实际实现的功能之间奇怪的脱节了。