Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
4.9k views
in Technique[技术] by (71.8m points)

docker - Keycloak admin-cli via kubernetes service URL always 401 - certificate with invalid signature

I deployed a Keycloak 11.x in a local test kubernetes cluster via Helm chart.

The keycloak pods/containers are available behind a service

dev-keycloak-http.dev-idp.svc.clusterdev.local

I can access the Admin UI using a kubectl port-forward to the service to a local port, e.g. 8088 http://localhost:8088/me-idp-01/auth

I can also retrieve a token.

ACCESS_TOKEN_ADMIN=`curl -d "client_id=admin-cli" -d "username=myuser" -d "password=mypassword" -d "grant_type=password" "http://localhost:8088/me-idp-01/auth/realms/master/protocol/openid-connect/token" | jq -r ".access_token"`

And create a user for a realm, e.g. tenant-01 I created before.

curl -H "Authorization: bearer $ACCESS_TOKEN_ADMIN" -H "Content-Type: application/json" -d '{"firstName":"Testy","lastName":"Testuser_01", "email":"[email protected]", "enabled":"true", "emailVerified":"true", "username":"testuser_01", "groups": ["tenant-admins"], "credentials":[{"type":"password","value":"testuser_01","temporary":false}]}'  -X POST "http://localhost:8088/me-idp-01/auth/admin/realms/tenant-01/users"

BUT if I try this, using the kubernetes service url, I can retrieve a token

ACCESS_TOKEN_ADMIN=`curl -d "client_id=admin-cli" -d "username=myuser" -d "password=mypassword" -d "grant_type=password" "http://dev-keycloak-http.dev-idp.svc.clusterdev.local/me-idp-01/auth/realms/master/protocol/openid-connect/token" | jq -r ".access_token"`

(jwt.io reports that the signature is invalid)

and receive HTTP 401 if I try adding the user.

curl -H "Authorization: bearer $ACCESS_TOKEN_ADMIN" -H "Content-Type: application/json" -d '{"firstName":"Testy","lastName":"Testuser_01", "email":"[email protected]", "enabled":"true", "emailVerified":"true", "username":"testuser_01", "groups": ["tenant-admins"], "credentials":[{"type":"password","value":"testuser_01","temporary":false}]}'  -X POST "http://dev-keycloak-http.dev-idp.svc.clusterdev.local/me-idp-01/auth/admin/realms/tenant-01/users"

Probably I have to configure the kubernetes service URL somewhere inside keycloak, because I expect that by default the token of client admin-cli is valid for localhost only, not for anything else like my kuebernetes service URL. But how and where? Would be ok if the admin-cli is usable from within the kubernetes cluster via the service URL only.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)
等待大神解答

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...