那些遇到过的问题

公司代理在授权代码交换时阻止了 Keycloak 身份代理(到 Azure AD)

git*_*flo 7 proxy oauth-2.0 azure-active-directory openid-connect keycloak

AzureAD作为外部 OIDC 提供商在Keycloak. Keycloak将客户端授权请求重定向到AzureAD提供授权。Keycloak在公司代理后面的工作站上运行,相应的 Azure AD 托管在公共 Internet 中。我可以Postman从本地工作站连接到 Azure AD 。

在此处输入图片说明

授权通过AzureAD按预期工作(提示用户输入她/他的凭据并接受同意)。授权成功后,以authorization_codeAzureAD响应定义的Keycloakreturn-url:

http://localhost:5000/auth/realms/lsp-api/broker/ms-azure-ad/endpoint?code=AQABAAIAAADX8GCi6Js6SK82TsD2Pb7rL__pDRDcKAqDqyTeTdzmbC9n3kcz5flc0q7zDRbK-WVLUpcUU65tWSh9C-opFiwtMZOACwGLQDgh4y4ScLW-dUGN7g3Ad3_aBqK-uHPgS3uKM1OlAIeSw3NSl1DMTKhH7SGQRGITP6ARIrCL9snqNRDUbHvhfKVlLMxmJTUk0bKDIT3PzM4nBSd1NwdXc9VZ9cCFnRMjlKfpRUx3guo-58tgSL5Vsaf8TvKg8B5TSYbiDzS49epFsU0Eg_PBs1JU4Q-8vOrN_wlV1zs1IUDYbUv8EdlMdqJkaT-nBTv-4Ab2Jf3X39u4m666kvcWmezGJ-NkjPqaOSK6eglWJfjW_z9-vHFQl6F9JxdCIlGbolyZyUpo0-a0LlnVVg2gyl1wJEOSnv5RvhmTZOqa1qWxZNsyG15JeQBkcK-J0XzWmn8CaeqzsJwFlNwkpzK_XaZW-KIsWayZ0Rz2HdDYh3Mre2I4uRmDyoQLiP60lYDaYowZZ11jSBy_87vFL2alK-5sGyUajs6kODfsoSlEGHhWJeHMiC2-jYm0gMNTQIvUMYpLJRpgKX6v3n-E3Q7ZlYD_VAWOnDZBCR5iaTsUOxuXN6CiC4p01N47c4QG4Y8A9lTbVXDvVcxSBz8H7uM5DfawFGUKpSCobI9V1XKnyw1R8UXTObqmEq8gA4jBzaRZb89qAnlZ6X-w39LbLWE7MUlL0Ok8LP-7omQlVei6AdEMfrIaHNIBUFimHLgKjiqcG2ogAA&state=FevrPXHHXkICQjFEYJ_3ZyvfZ2Y9E6iM5foCcOvk5C8.jXAAgdz4mnA.lsp-api&session_state=8cb0539a-b775-4de6-b334-5cb24caeb685
Run Code Online (Sandbox Code Playgroud)

在此处输入图片说明

此响应与状态代码一起发送502, Bad Gateway。此外,还会显示错误消息“使用身份提供程序进行身份验证时出现意外错误”。

我已经尝试将返回的authorization_code手动发送到AzureAD /token端点,并且收到了access_tokenid_token返回。所以问题似乎出在Keycloak-side的响应处理上。

预期行为是:

  1. AzureAD响应Keycloakauthorization_code
  2. Keycloak能够交换authorization_code一个access_token(mb。另外一个id_token

什么不起作用:

Keycloak无法将 authorization_code 交换为access_token,但会引发“与身份提供者进行身份验证时出现意外错误”错误消息。

钥匙斗篷设置:

Keycloak 版本:4.1.0.Final

在此处输入图片说明

AzureAD Reply-URL设置为HTTP://本地主机:5000 /认证/领域/ LSP-API /经纪人/ MS-Azure的广告/端点

编辑

我做了更多研究,发现这可能是公司代理问题。代理位于Keycloak(在我的机器本地主机上运行)和AzureAD. 那么如何设置Keycloaks身份代理的代理呢?相关Keycloak日志:

org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-122) Failed to make identity provider oauth callback: org.apache.http.conn.HttpHostConnectException: Connect to login.microsoftonline.com:443 [login.microsoftonline.com/40.112.64.25, login.microsoftonline.com/104.41.216.18, login.microsoftonline.com/104.41.216.16] failed: Connection refused: connect
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:158)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
    at org.keycloak.broker.provider.util.SimpleHttp.makeRequest(SimpleHttp.java:185)
    at org.keycloak.broker.provider.util.SimpleHttp.asResponse(SimpleHttp.java:154)
    at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:146)
    at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:405)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.net.ConnectException: Connection refused: connect
    at java.net.TwoStacksPlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:337)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
    ... 74 more
Run Code Online (Sandbox Code Playgroud)

Moh*_*arg 0

此异常意味着您尝试连接的 IP/端口上没有侦听服务:

  1. 您正在尝试连接到错误的 IP/端口。
  2. 您还没有启动您的服务器。
  3. 您的服务器未侦听连接。
  4. 在 Windows 服务器上,侦听积压队列已满。

您可以尝试将 localhost 替换为您的 IP 地址。还要确保没有防火墙阻止连接。

归档时间:

查看次数:

7167 次

最近记录:

4 年,11 月 前
相关归档
使用代理时,ClassLoader无法看到界面? 14
欢迎回来,您已通过Google+登录与此应用相关联* 13
什么context.DeserializeTicket(令牌)呢? 12
使用Onedrive SDK/API(或任何API)进行身份验证 8
带 keycloak 的 Flask-OIDC - oidc_callback 默认回调不起作用 6
OpenId Connect身份提供程序启动的反向通道注销不起作用 6
不需要时需要 Azure AD 管理员同意 5
你能解释一下openid connect流程中的RP->OP部分吗? 4
Iss 声明无效 Keycloak 4
OAuth:发送访问令牌和获取用户数据 0
难疑归档
让现有的Git分支跟踪一个远程分支? 3437
什么是C ??!??!操作员呢? 1911
使用jQuery将表单数据转换为JavaScript对象 1580
在Chrome中停用相同的来源政策 1443
为什么我需要一直做`--set-upstream`? 1364
在JavaScript中停止setInterval调用 1332
为什么不从List <T>继承? 1299
performSelector可能导致泄漏,因为其选择器未知 1251
"this"关键字如何运作? 1243
什么是在Vim中评论/取消注释行的快速方法? 1081