Asked by: 小点点

KeyCloak, Apache, mod_auth_openidc, Elasticsearch Open Distro


I am trying to set up single sign-on (SSO) access to a private directory on Apache 2.4 and to assign roles in Elasticsearch to users logged in through Keycloak. There is no real problem assigning roles to users in Keycloak (and it connects to the OpenLDAP server successfully). If I send the bearer token to ES, it links the roles to the backend roles. All good.

The problem is that Elasticsearch is stateless and does not seem to be able to read the cookie obtained from Keycloak and mod_auth_openidc (I could not get config.xml set up correctly). So I cannot get ES to use the OpenID Connect session.

So I decided to go with bearer authentication for ES, and I need to add the bearer HTTP header to every HTTP request to ES.

I get the bearer token from mod_auth_openidc by adding:

Header set Authorization "Bearer %{OIDC_access_token}e" env=OIDC_access_token

to my protected location in the Apache conf (headers module enabled). But when I try to use that token with curl (for testing), it does not work:

 curl -i -k --noproxy '*' -H "Authorization: thebearerfromapache" https://es.*****.com:9200/protectedresources 

I get 401 Unauthorized. Elasticsearch log:

[2020-11-22T14:58:58,404][DEBUG][c.a.o.s.a.BackendRegistry] [node-1] Check authdomain for rest noop/0 or 2 in total
[2020-11-22T14:58:58,405][DEBUG][c.a.o.s.a.BackendRegistry] [node-1] 'java.lang.IllegalArgumentException: No enum constant org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm.R{"alg":"RS256","typ" : "JWT","kid" : "BHQ5Qu3GJKSAUYKPy3itq5oZLmmrAD_eFdZQa88oX8c' extracting credentials from jwt-key-by-oidc http authenticator
java.lang.IllegalArgumentException: No enum constant org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm.R{"alg":"RS256","typ" : "JWT","kid" : "BHQ5Qu3GJKSAUYKPy3itq5oZLmmrAD_eFdZQa88oX8c
        at java.lang.Enum.valueOf(Enum.java:273) ~[?:?]

Edit: I changed the access token algorithm in Keycloak to HS256 and now I get:

[2020-11-22T15:27:31,195][INFO ][c.a.d.a.h.j.k.JwtVerifier] [node-1] Escaped Key ID from JWT Token
[2020-11-22T15:27:31,196][DEBUG][c.a.d.a.h.j.k.SelfRefreshingKeySet] [node-1] performRefresh(c3145a71-0a3c-4b99-86e0-a8bf30c33f23)
[2020-11-22T15:27:31,197][INFO ][c.a.d.a.h.j.k.SelfRefreshingKeySet] [node-1] Performing refresh 1
[2020-11-22T15:27:31,450][INFO ][c.a.d.a.h.j.k.SelfRefreshingKeySet] [node-1] KeySetProvider finished
[2020-11-22T15:27:31,452][INFO ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [node-1] Extracting JWT token from eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjMzE0NWE3MS0wYTNjLTRiOTktODZlMC1hOGJmMzBjMzNmMjMifQ....dpX_F5r-KqSYr7atK7K9B3FzJ9VbDiIdqmhYBMsHyV0 failed
com.amazon.dlic.auth.http.jwt.keybyoidc.BadCredentialsException: Unknown kid c3145a71-0a3c-4b99-86e0-a8bf30c33f23

This shell script works:

# Password grant against Keycloak; the URL is part of the same curl command (line continuation)
RESULT=$(curl -k --noproxy '*' -d 'client_id=apache-node1' -d 'username=jdoe' -d 'password=*****' -d 'grant_type=password' -d 'client_secret=6a7a0299-e420-4206-ae02-9e68bf7044ff' -d 'scope=openid' \
  'https://auth.****.com:8443/auth/realms/web/protocol/openid-connect/token')

# Pull the access_token value out of the JSON response
TOKEN=$(echo "$RESULT" | sed 's/.*access_token":"\([^"]*\).*/\1/')

curl -i -k --noproxy '*' -H "Authorization: Bearer $TOKEN" https://es.****.com:9200/humanresources/_search

Open Distro security plugin config:

jwt_auth_domain:
  description: "Authenticate via Json Web Token"
  http_enabled: true
  transport_enabled: true
  order: 0
  http_authenticator:
    type: openid
    challenge: false
    config:
      jwt_header: Authorization
      subject_key: preferred_username
      roles_key: roles
      openid_connect_url: https://auth.****.com:8443/auth/realms/web/.well-known/openid-configuration
      jwks_uri: https://auth.****.com:8443/auth/realms/web/protocol/openid-connect/certs
  authentication_backend:
    type: noop

Any idea how to set up Elasticsearch to recognize that token?


1 answer

Anonymous user

In the end, the correct Apache configuration was to include the ID token (not the access token).

So,

Header set Authorization "Bearer %{OIDC_id_token}e" env=OIDC_id_token

and, in the virtual host's global configuration (otherwise the ID token is not added to the HTTP header),

OIDCPassIDTokenAs serialized

I used "ES256" in the Keycloak admin console: Fine Grain OpenID Connect Configuration, ID Token Signature Algorithm.
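The two failures in the question's logs are both decided by the JWT header alone: the authenticator first parses `alg`, then looks `kid` up in the JWKS fetched from `jwks_uri`. The following is an added example (not the asker's script, not the answerer's config, and not Open Distro's own code) that performs that same pre-check offline: it decodes the header of a compact JWT, rejects tokens that are not three base64url segments (like the literal `thebearerfromapache` in the first curl test), flags algorithms that cannot be verified from a JWKS endpoint at all (HS256 and similar HMAC algorithms use a shared secret that Keycloak never publishes under `/certs`, which is why switching to HS256 produced `Unknown kid`), and finally checks that `kid` exists in the key set. The JWKS document, key ids, payloads and signature bytes are all constructed placeholders, and no signature is verified; the point is to show which header fields the plugin needs to find before it even gets to signature checking.

```python
import base64
import json

# Constructed JWKS standing in for what Keycloak serves at
# .../protocol/openid-connect/certs. Public keys only; placeholder values.
SAMPLE_JWKS = {
    "keys": [
        {
            "kid": "example-rsa-kid",
            "kty": "RSA",
            "alg": "RS256",
            "use": "sig",
            "n": "placeholder-modulus",
            "e": "AQAB",
        }
    ]
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWT convention."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_token(header: dict, payload: dict) -> str:
    """Build a compact JWS for the demo. The signature segment is a constructed
    placeholder, so these tokens are only good for header inspection."""
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        b64url_encode(b"constructed-signature-bytes"),
    ])


def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header of a compact JWS; raise on malformed input."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(b64url_decode(parts[0]))


def classify_token(token: str, jwks: dict) -> dict:
    """Classify a bearer value the way a JWKS-backed authenticator would before
    signature verification: malformed, not verifiable via JWKS, unknown kid, or ok."""
    try:
        hdr = jwt_header(token)
    except (ValueError, json.JSONDecodeError, UnicodeDecodeError):
        # binascii.Error from bad base64 is a ValueError subclass
        return {"status": "malformed", "alg": None, "kid": None}
    alg = hdr.get("alg")
    kid = hdr.get("kid")
    # 'none' and HMAC (HS*) algorithms have no public key to publish in a JWKS
    if alg in (None, "none") or alg.startswith("HS"):
        return {"status": "not-verifiable-with-jwks", "alg": alg, "kid": kid}
    known_kids = {k.get("kid") for k in jwks.get("keys", [])}
    if kid not in known_kids:
        return {"status": "unknown-kid", "alg": alg, "kid": kid}
    return {"status": "ok", "alg": alg, "kid": kid}


# Constructed sample tokens covering the cases seen on the page.
CLAIMS = {"preferred_username": "jdoe", "roles": ["humanresources"]}
RS256_TOKEN = make_token({"alg": "RS256", "typ": "JWT", "kid": "example-rsa-kid"}, CLAIMS)
HS256_TOKEN = make_token({"alg": "HS256", "typ": "JWT", "kid": "example-hmac-kid"}, CLAIMS)
ROTATED_KID_TOKEN = make_token({"alg": "RS256", "typ": "JWT", "kid": "retired-kid"}, CLAIMS)
NOT_A_JWT = "thebearerfromapache"


if __name__ == "__main__":
    for name, tok in [("RS256", RS256_TOKEN), ("HS256", HS256_TOKEN),
                      ("rotated kid", ROTATED_KID_TOKEN), ("not a JWT", NOT_A_JWT)]:
        print(f"{name:12s} -> {classify_token(tok, SAMPLE_JWKS)}")
```

Run against a real token, replace `SAMPLE_JWKS` with the JSON fetched from the realm's `/certs` URL; a `kid` that is missing there means the key set the plugin caches is stale or the token was signed with a key type the endpoint does not expose, which narrows the problem before touching the Apache or plugin configuration.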