问题描述
我正在使用Keycloak(最新)进行 Auth 2.0 ,以验证身份验证,提供令牌(JWT),并使用提供的令牌,允许基于权限访问应用程序URL .Keycloak当前在Kubernates中运行,以Istio作为Gateway.对于Keycloak,这是所使用的策略:
I'm using Keycloak (latest) for Auth 2.0, to validate authentication, provide a token (JWT) and with the token provided, allows the access to the application URLs, based in the permissions.Keycloak is currently running in Kubernates, with Istio as Gateway. For Keycloak, this is the policy being used:
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: application-auth-policy
spec:
targets:
- name: notification
origins:
- jwt:
issuer: http://<service_name>http.<namespace>.svc.cluster.local:8080/auth/realms/istio
jwksUri: http://<service_name>http.<namespace>.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/certs
principalBinding: USE_ORIGIN
客户端已在此Keycloak中注册,并为此创建了RSA.发行者可以正常生成令牌,并且该策略已成功应用.
An client was registered in this Keycloak and a RSA created for it.The issuer can generates a token normally and the policy was applied successfully.
问题:
-
即使已设置好所有内容,根据 JWT验证程序的要求,Keycloak提供的令牌的签名也无效.
Even with everything set, the token provided by Keycloak has the signature invalid according to JWT Validator.
此令牌不允许使用 401代码对URL进行任何访问.
This token doesn't allow any access for the URLs, as it should be, with 401 code.
还有其他人有类似的问题吗?
Anyone else had a similar issue?
推荐答案
已通过以下两种方法解决了该问题: 1.将服务名称和端口替换为外部服务器ip和外部端口(对于Issuer和jwksUri) 2.禁用mTLS及其策略的使用(已知问题: https://github.com/istio/istio/issues/10062 ).
The problem was resolved with two options: 1. Replace Service Name and port by external server ip and external port (for issuer and jwksUri) 2. Disable the usage of mTLS and its policy (Known issue: https://github.com/istio/istio/issues/10062).
这篇关于Keycloak使用Istio和JWT提供无效签名的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!