mariovalney / laravel-keycloak-web-guard

Simple Keycloak Guard to Laravel Web Routes - https://packagist.org/packages/vizir/laravel-keycloak-web-guard

Problem with package in a Docker Stack #51

Closed homeoftheunits closed 3 years ago

homeoftheunits commented 3 years ago

Hey Guys,

I have a problem with the Guard :(

I use a Docker stack with Keycloak and Traefik. My Laravel app calls getOpenIdConfiguration() and throws an error that the connection to the Keycloak server over port 443 is refused. When I set KEYCLOAK_BASE_URL to the container name with port 8443, it works, but not for the redirect URL, because port 8443 is then included in the URL.

This is my Docker Keycloak Part:

  keycloak:
    container_name: ${KEYCLOAK}
    depends_on:
      - ${DATABASE_SERVICES}
    environment:
      - DB_VENDOR=mysql
      - DB_ADDR=${DATABASE_SERVICES}
      - DB_DATABASE=${KEYCLOAK_DB}
      - DB_USER=${MYSQL_USER}
      - DB_PASSWORD=${MYSQL_PASSWORD}
      - PROXY_ADDRESS_FORWARDING=true
      - KEYCLOAK_USER=${KEYCLOAK_USER}
      - KEYCLOAK_PASSWORD=${KEYCLOAK_PASSWORD}
      - JDBC_PARAMS=connectTimeout=3000&useSSL=false&serverTimezone=Europe/Berlin
      - KEYCLOAK_HOSTNAME=${KEYCLOAK_URL}
      - HOSTNAME=${KEYCLOAK}
    image: jboss/keycloak:latest
    labels:
      - traefik.enable=true
      - traefik.http.routers.keycloak.rule=Host(`${KEYCLOAK_URL}`)
      - traefik.http.routers.keycloak.tls=true
      - traefik.http.routers.keycloak.tls.certresolver=${CERT_RESOLVER}
    networks:
      unitfactory:
        aliases:
          - ${KEYCLOAK_URL}
      internal:
        aliases:
          - ${KEYCLOAK_URL}
    restart: always

What am I doing wrong?

Cheers Ralf

mariovalney commented 3 years ago

Hi!

Docker is very tricky (at least for me hahaha). Here I have a working example with docker-compose and a network that allows both to communicate.

https://github.com/mariovalney/laravel-keycloak-web-guard-example

homeoftheunits commented 3 years ago

Hm, as I see it, your Keycloak part and mine are similar.

homeoftheunits commented 3 years ago

I refactored this for my case so that I use the "intern" host to get the OpenID config, and parse it like this:

    protected function parseOpenidConfiguration(array &$configuration): void
    {
        // Endpoints the application calls itself keep the internal host and port.
        $blackList = ['token_endpoint', 'userinfo_endpoint'];

        foreach ($configuration as $key => $item) {
            // Only rewrite string values that are URLs, and skip the black-listed endpoints.
            if (is_string($item) && filter_var($item, FILTER_VALIDATE_URL) && !in_array($key, $blackList, true)) {
                // Rebuild the URL without the port (and without any query string).
                $parsedUrl = parse_url($item);
                $configuration[$key] = sprintf(
                    '%s://%s%s',
                    $parsedUrl['scheme'],
                    $parsedUrl['host'],
                    $parsedUrl['path'] ?? ''
                );
            }
        }
    }

This works, but in the getUserProfile() method the token is not valid. I checked this with a curl command and got the same error. Is there a difference in the token because of the URL?
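As an added illustration (not code from the issue or from the package), the rewrite above can be done per endpoint instead of stripping the port from every URL: browser-facing endpoints are moved to the public base URL, server-to-server endpoints keep the internal one, and `issuer` is left untouched because the token's `iss` claim is checked against it. The two base URLs, the endpoint lists and the sample discovery document are assumptions.

```php
<?php
// Added example, not code from the issue or the package. Assumptions:
// $internalBase is what the Laravel container can reach (here https://keycloak:8443),
// $publicBase is what the browser reaches through Traefik (here https://sso.example.test).

// Endpoints the browser is redirected to: must be reachable from outside the stack.
const BROWSER_ENDPOINTS = ['authorization_endpoint', 'end_session_endpoint'];
// Endpoints the application calls itself: may stay on the internal hostname.
const SERVER_ENDPOINTS = ['token_endpoint', 'userinfo_endpoint', 'jwks_uri', 'introspection_endpoint'];

function rewriteDiscovery(array $configuration, string $internalBase, string $publicBase): array
{
    foreach ($configuration as $key => $value) {
        if (!is_string($value) || filter_var($value, FILTER_VALIDATE_URL) === false) {
            continue; // arrays such as response_types_supported are left alone
        }
        if (in_array($key, BROWSER_ENDPOINTS, true)) {
            $configuration[$key] = rebase($value, $publicBase);
        } elseif (in_array($key, SERVER_ENDPOINTS, true)) {
            $configuration[$key] = rebase($value, $internalBase);
        }
        // Everything else, notably "issuer", stays exactly as Keycloak reported it,
        // because the iss claim of the token has to match that value byte for byte.
    }
    return $configuration;
}

// Replace scheme, host and port of $url with those of $base; keep path and query.
function rebase(string $url, string $base): string
{
    $u = parse_url($url);
    $b = parse_url(rtrim($base, '/'));
    if (($b['scheme'] ?? '') !== 'https' || empty($b['host'])) {
        throw new InvalidArgumentException('base URL must be an https URL with a host: ' . $base);
    }
    $port  = isset($b['port']) ? ':' . $b['port'] : '';
    $query = isset($u['query']) ? '?' . $u['query'] : '';
    return sprintf('%s://%s%s%s%s', $b['scheme'], $b['host'], $port, $u['path'] ?? '/', $query);
}

// Constructed sample: a discovery document fetched over the internal hostname.
$sample = [
    'issuer'                   => 'https://sso.example.test/auth/realms/demo',
    'authorization_endpoint'   => 'https://keycloak:8443/auth/realms/demo/protocol/openid-connect/auth',
    'token_endpoint'           => 'https://keycloak:8443/auth/realms/demo/protocol/openid-connect/token',
    'userinfo_endpoint'        => 'https://keycloak:8443/auth/realms/demo/protocol/openid-connect/userinfo',
    'response_types_supported' => ['code'],
];
print_r(rewriteDiscovery($sample, 'https://keycloak:8443', 'https://sso.example.test'));
```

If the `iss` claim of a token fetched this way still does not match `issuer`, the mismatch is in which hostname Keycloak used to mint the token, not in the client-side URL rewrite.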

mariovalney commented 3 years ago

In getUserProfile we request the user data from the Keycloak endpoint. Maybe this request is failing?

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.