I'm creating a Spring Boot application that must operate on Keycloak users in a dockerized context. I am using the Keycloak Admin Client Java API, and everything works fine if I run Keycloak through Docker and Spring Boot separately, in IntelliJ. I am also able to authenticate my Angular frontend through Keycloak.
Instead, when I run Spring Boot inside a container too, I have problems concerning the use of the token, since I am able either to use the Keycloak admin frontend, if I set the hostname to localhost in the docker-compose, or to let the Keycloak Admin Client connect to Keycloak without complaining about the difference between the issuer present in the JWT token and the host it is contacting.
Is there a way to have both working?
I am using Spring Boot 3.4.0 and Keycloak Admin Client 26.0.4.
Here is one of the many configurations I've tried. In this one I am able to use the Admin frontend and to authenticate to the backend through Keycloak, but when I try to use the Java admin API integration the backend says java.lang.IllegalStateException: The Issuer "http://localhost:8080/realms/myrealm" provided in the configuration did not match the requested issuer "http://app-keycloak:8080/realms/myrealm"
docker-compose:
services:
  app-be:
    build:
      context: .
    container_name: app-be
    depends_on:
      - app-keycloak
    ports:
      - "8080:8080"
    networks:
      - app-network
  app-keycloak:
    image: quay.io/keycloak/keycloak:26.1.3
    container_name: app-keycloak
    command: start
    environment:
      KC_HOSTNAME: localhost
      KC_HOSTNAME_STRICT: false
      KC_HOSTNAME_STRICT_HTTPS: false
      KC_HOSTNAME_STRICT_BACKCHANNEL: false
      KC_HTTP_ENABLED: true
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: password
      KC_HEALTH_ENABLED: true
    ports:
      - "8089:8080"
    networks:
      - app-network
networks:
  app-network:
application.properties:
spring.security.oauth2.resourceserver.jwt.issuer-uri=http://app-keycloak:8080/realms/myrealm
security.oauth2.resource.filter-order = 3
Admin Client API configuration:
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;

public class KeycloakUserService {
    // Admin client authenticated with the client_credentials grant of "myclient"
    private final Keycloak keycloak;

    public KeycloakUserService() {
        this.keycloak = KeycloakBuilder.builder()
            .serverUrl("http://app-keycloak:8080")
            .realm("myrealm")
            .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
            .clientId("myclient")
            .clientSecret("###secret###")
            .build();
    }
}
asked Mar 14 at 14:26 by acolleoni
1 Answer
For mastersofjava they had a similar setup.
Their code is open source: https://github/mastersofjava/mastersofjava
To solve this particular issue, I see they start up keycloak using "--hostname=host.docker.internal":
auth:
  image: quay.io/keycloak/keycloak:21.1
  cpus: 1
  mem_reservation: 512m
  mem_limit: 1g
  restart: unless-stopped
  ports:
    - "8888:8080"
  command:
    - "start-dev"
    - "--import-realm"
    - "--hostname=host.docker.internal"
    - "--hostname-strict-https=false"
    - "--http-enabled=true"
And in their client application, they use:
OIDC_ISSUER_URI: "http://host.docker.internal:8888/realms/moj"
Which they use in their application.yaml as:
spring:
  security:
    oauth2:
      client:
        provider:
          keycloak:
            issuer-uri: ${OIDC_ISSUER_URI}
      resourceserver:
        jwt:
          issuer-uri: ${OIDC_ISSUER_URI}
Not sure if this is strictly necessary or even a good idea, but if it works for them, it might be good enough for you.
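The issuer comparison behind the error in the question, reproduced on constructed data as an added example that is not part of the question or the answer: a Spring resource server fetches the discovery document at issuer-uri and requires its advertised issuer to equal the configured value exactly, and every token's iss claim must then match too, which is why a Keycloak announcing localhost cannot be consumed from a container under the name app-keycloak; the discovery document, the token and the function names are all assumptions made for the demo, and the check passes once one hostname is used everywhere, as in the answer's host.docker.internal setup.

```python
import base64
import json

# Constructed sample, not from the page: the discovery document a resource
# server gets from {issuer-uri}/.well-known/openid-configuration when
# Keycloak was started with KC_HOSTNAME=localhost.
DISCOVERY_DOC = json.dumps({
    "issuer": "http://localhost:8080/realms/myrealm",
    "jwks_uri": "http://localhost:8080/realms/myrealm/protocol/openid-connect/certs",
})


def check_discovery_issuer(configured_issuer: str, discovery_json: str) -> None:
    """Same rule as the question's IllegalStateException: the advertised issuer
    must equal the configured issuer-uri exactly (scheme, host, port and path)."""
    advertised = json.loads(discovery_json)["issuer"]
    if advertised != configured_issuer:
        raise ValueError(f'The Issuer "{advertised}" provided in the configuration '
                         f'did not match the requested issuer "{configured_issuer}"')


def token_issuer(jwt: str) -> str:
    """Read the iss claim from a JWT payload without verifying the signature;
    this only explains which issuer the token names, it does not trust it."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))["iss"]


def make_demo_token(issuer: str) -> str:
    """Constructed JWT with a placeholder signature, for the demo only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "RS256", "typ": "JWT"})}.{enc({"iss": issuer, "sub": "demo"})}.sig'


def issuer_problems(configured_issuer: str, discovery_json: str, jwt: str) -> list[str]:
    """Every issuer mismatch a container-side client would hit, in check order."""
    problems = []
    try:
        check_discovery_issuer(configured_issuer, discovery_json)
    except ValueError as exc:
        problems.append(str(exc))
    if (iss := token_issuer(jwt)) != configured_issuer:
        problems.append(f'token iss "{iss}" does not match "{configured_issuer}"')
    return problems


if __name__ == "__main__":
    token = make_demo_token("http://localhost:8080/realms/myrealm")
    print(issuer_problems("http://app-keycloak:8080/realms/myrealm", DISCOVERY_DOC, token))
```

Lowering KC_HOSTNAME_STRICT or similar flags does not change this comparison on the client side; the value Keycloak advertises and the value the client is configured with simply have to be the same string.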