kumuluz / kumuluzee-samples

KumuluzEE samples demonstrate how to get started using KumuluzEE microservice framework. They provide small, specific, working samples that can be used as a reference for your own projects.
https://ee.kumuluz.com

[security-cdi-keycloak] Always unauthorized when running in Docker containers #24

Closed CPIJ closed 4 years ago

CPIJ commented 5 years ago

Hi,

I'm following this guide to test KumuluzEE and Keycloak. When I run the CustomerApplication on my own machine everything is fine. But when I try to move it to a Docker container I keep getting 401 Unauthorized when trying to access /v1/customers or any other endpoint.

Here's my docker-compose file

version: '3'

services:
  keycloak:
    image: jboss/keycloak
    environment:
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: admin
    ports:
      - 8082:8080

  app:
    image: maven:3.6.0-alpine
    command: java -jar /usr/src/app/target/kumuluzee-security-cdi-keycloak-3.5.0-SNAPSHOT.jar
    volumes:
      - ./target:/usr/src/app/target
    ports:
      - 8080:8080

And here's my kumuluz config.

kumuluzee:
  name: customer-service
  env:
    name: dev
  version: 1.0.0
  server:
    base-url: http://localhost:8080
    http:
      port: 8080
  security:
    keycloak:
      json: '{
               "realm": "customers-realm",
               "bearer-only": true,
               "auth-server-url": "http://keycloak:8080/auth",
               "ssl-required": "external",
               "resource": "customers-api",
               "confidential-port": 0
             }'

As you can see, I tried using keycloak as the hostname; sadly, this did not work.

When I ran this configuration I got the following exception: org.keycloak.adapters.rotation.AdapterTokenVerifier -- Didn't find publicKey for kid: <kid>. So, I added "realm-public-key": "<pubk>" to the config.

The error message is gone, but sadly I still get 401 Unauthorized. I'm fairly new to Keycloak, so maybe I'm making a simple mistake. Either way, I hope you can provide some help :)

Thanks!

osbeorn commented 5 years ago

I'm fairly confident that the token issuer URL doesn't match the realm URL. Try using the following docker-compose.yml:

version: '3'

services:
  keycloak:
    image: jboss/keycloak:5.0.0
    container_name: keycloak
    environment:
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: admin
      KEYCLOAK_HOSTNAME: keycloak
    ports:
      - 8080:8080

  app:
    image: maven:3.6.0-alpine
    container_name: app
    command: java -agentlib:jdwp=transport=dt_socket,server=y,address=8888 -jar /usr/src/app/target/kumuluzee-security-cdi-keycloak-3.5.0-SNAPSHOT.jar
    volumes:
      - ./target:/usr/src/app/target
    links:
      - keycloak
    ports:
      - 8081:8080
      - 8888:8888
    depends_on:
      - keycloak

You will have to add a keycloak mapping to your hosts file in order to access Keycloak from outside Docker.

adebola commented 3 years ago

Thanks, but how do we handle this /etc/hosts file in production? We cannot get all users to edit their hosts file to access an application.

cen1 commented 3 years ago

@adebola in production, the usual setup is to deploy keycloak behind nginx reverse proxy and expose publicly with a domain name and SSL. The approach described above is just a quick fix for local development.
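The explanation above (a token whose issuer URL does not match the realm URL the adapter was configured with is rejected) is easy to confirm before touching any Docker or proxy settings: decode the bearer token and compare its iss claim against the realm URL derived from the adapter config. The script below is an added example for this thread, not code from the kumuluzee-samples project or the Keycloak adapter. It assumes the adapter compares iss against <auth-server-url>/realms/<realm> (the pre-Quarkus layout with the /auth prefix used in the issue), and the tokens it builds are constructed, unsigned samples standing in for real RS256-signed Keycloak tokens. It covers both the local Docker case from the original report (token obtained via localhost:8082, adapter configured with keycloak:8080) and the reverse-proxy case (token issued under the public https hostname, adapter still pointed at the internal container URL).

```python
import base64
import json

# Adapter config copied from the issue (the "json" value of kumuluzee.security.keycloak).
ADAPTER_CONFIG = {
    "realm": "customers-realm",
    "bearer-only": True,
    "auth-server-url": "http://keycloak:8080/auth",
    "ssl-required": "external",
    "resource": "customers-api",
    "confidential-port": 0,
}


def expected_issuer(config):
    """Realm URL the adapter compares the token's iss claim against.
    Assumed form: <auth-server-url>/realms/<realm>."""
    return config["auth-server-url"].rstrip("/") + "/realms/" + config["realm"]


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token):
    """Return the JWT payload WITHOUT verifying the signature.
    Good enough to diagnose a config mismatch; never use this to authorize."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_issuer(token, config=ADAPTER_CONFIG):
    """Return (matches, actual_issuer, expected_issuer) for a bearer token."""
    actual = decode_claims(token).get("iss")
    expected = expected_issuer(config)
    return actual == expected, actual, expected


def make_unsigned_token(issuer, subject="alice"):
    """Constructed sample token (hypothetical claims, empty signature) so the
    check can run offline. Real Keycloak tokens are RS256-signed."""
    header = {"alg": "none", "typ": "JWT", "kid": "example-kid"}
    claims = {
        "iss": issuer,
        "sub": subject,
        "azp": "customers-api",
        "realm_access": {"roles": ["user"]},
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "",
    ])


if __name__ == "__main__":
    # Case 1: token fetched from the host via the published port 8082.
    host_token = make_unsigned_token("http://localhost:8082/auth/realms/customers-realm")
    print(check_issuer(host_token))        # mismatch -> adapter answers 401

    # Case 2: token fetched through the same hostname the adapter uses.
    inner_token = make_unsigned_token("http://keycloak:8080/auth/realms/customers-realm")
    print(check_issuer(inner_token))       # match

    # Case 3: Keycloak behind a TLS reverse proxy on a public name (hypothetical
    # sso.example.com); the adapter must be configured with that public URL too.
    proxied = dict(ADAPTER_CONFIG, **{"auth-server-url": "https://sso.example.com/auth"})
    proxy_token = make_unsigned_token("https://sso.example.com/auth/realms/customers-realm")
    print(check_issuer(proxy_token, ADAPTER_CONFIG))  # mismatch -> 401
    print(check_issuer(proxy_token, proxied))         # match
```

Paste a real access token from the browser or curl in place of the constructed ones; if the two URLs printed differ, no amount of realm-public-key tweaking will help, because the issuer check fails before any role is evaluated. The fix is to make both sides see one URL: KEYCLOAK_HOSTNAME (plus a hosts entry) for local Docker, or the public https name in auth-server-url when Keycloak sits behind a reverse proxy that forwards the original Host and scheme.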

adebola commented 2 years ago

Thanks once more, but my 401 issues are for Keycloak installed behind a reverse proxy in a Docker container, with SSL installed. I initially used http://keycloak:8080 for the other containers to reach Keycloak; I can log in, but I cannot access any protected resource in any microservice. I later changed this to the fully qualified name of the server, but on both occasions I always get a 401 when I try to access a protected resource. Eventually I had to install Keycloak standalone on a separate EC2 instance to proceed.