openshift
Links in Keycloak emails that are sent using its admin API can have some funky URLs if the actor who triggers the sending is a neighboring service and our play takes place inside OpenShift or behind a reverse proxy. Here’s how to give our story a happy ending.
如果触发发送发送的演员是邻居服务,并且我们的活动发生在OpenShift内部或反向代理之后,则使用其admin API发送的Keycloak电子邮件中的链接可以具有一些时髦的URL。 这是给我们的故事一个圆满结局的方法。
Consider the following ecosystem, in which we have Keycloak and a Node.js worker service deployed and running on OpenShift:
考虑以下生态系统,在该生态系统中,我们部署了Keycloak和Node.js辅助服务并在OpenShift上运行该服务:
Let’s assume that, for whatever reason, the Node.js service runs a poor man’s cron job that triggers the sending of one of the required actions emails to a certain subset of users; it could be any of the available required actions, but for this example we will use the “update password” one. This Node.js service will be making a call to Keycloak’s admin REST API — with or without the help of the keycloak-admin module — . The endpoint we are hitting will trigger the sending of an email with a link that the user has to click in order to perform one or more required actions (e.g. update your password because it’s getting old).
让我们假设,无论出于何种原因,Node.js服务都运行可怜的cron作业,该作业触发向某些用户子集发送所需操作电子邮件之一; 它可以是任何可用的必需操作,但是在本示例中,我们将使用“更新密码”。 无论有无Keycloak-admin模块的帮助,此Node.js服务都将调用Keycloak的admin REST API。 我们要命中的端点将触发一封电子邮件,其中包含用户必须单击链接才能执行一项或多项必需的操作(例如,由于密码变旧而更新密码)。
Because both the Node.js service and Keycloak are running on OpenShift, a Keycloak with an out-of-the-box configuration will send an email that contains a link to update the user’s password and will be pointing to a faulty URL (e.g. http://keycloak:8080), which is obviously not accessible for the user.
由于Node.js服务和Keycloak都在OpenShift上运行,因此具有开箱即用配置的Keycloak将发送一封电子邮件,其中包含用于更新用户密码的链接,并且将指向错误的URL(例如, http://keycloak:8080 ),用户显然无法访问。
Before we dive into the solution of our problem, let’s try to have a better understanding of what’s happening behind the scenes.
在深入研究问题的解决方案之前,让我们尝试更好地了解幕后发生的事情。
了解Keycloak如何建立电子邮件链接 (Understanding how Keycloak builds email links)
If we take a look at some of Keycloak’s source code, we can come across something like this:
如果我们看一下Keycloak的一些源代码,我们会遇到这样的事情:
The builder in line 2 is created based on the context of the current session, originating in the incoming request from our Node.js service to Keycloak’s admin API. This request fired by our Node.js service is pointing to the internal Keycloak address in OpenShift — for example, http://keycloak:8080. The link rendered in the resulting email will be generated with this base URL, which will lead to nowhere once the user clicks it.
第2行中的builder是基于当前会话的上下文创建的,该上下文源自从 Node.js服务到 Keycloak的admin API的传入请求。 由我们的Node.js服务触发的请求指向OpenShift中的内部 Keycloak地址-例如, http://keycloak:8080 。 结果电子邮件中呈现的链接将使用此基本URL生成,一旦用户单击该链接将无处可去。
We need to tell Keycloak what the right base URL should be. If you’ve dug deep in Keycloak’s FreeMarker templates…
我们需要告诉Keycloak正确的基本URL应该是什么。 如果您深入研究了Keycloak的FreeMarker模板...
<html>
<body>
${kcSanitize(msg("emailVerificationBodyHtml",link, linkExpiration, realmName, linkExpirationFormatter(linkExpiration)))?no_esc}
</body>
</html>…you’ve probably found out that there’s no elegant way of change the base URL of the link.
…您可能已经发现,没有优雅的方法可以更改链接的基本URL。
Luckily, there’s a proper way to tell Keycloak what base URL to use.
幸运的是,有一种正确的方法可以告诉Keycloak使用哪个基本URL。
在Keycloak中设置前端URL (Setting up the frontend URL in Keycloak)
The concept of a “frontend URL” was explicitly enabled in Keycloak version 8.0.0. This configuration property is used to set a fixed base URL for frontend requests; by default, its value will be derived from the (incoming) request. For such an ecosystem as the one described at the beginning of this article, that won’t be a good idea. It’s also good to consider that the official Keycloak documentation encourages setting a frontend URL in production environments.
Keycloak版本8.0.0中明确启用了“前端URL”的概念。 此配置属性用于为前端请求设置固定的基本URL。 默认情况下,其值将来自(传入)请求。 对于本文开头所描述的生态系统,这不是一个好主意。 还可以考虑考虑,官方的Keycloak文档鼓励在生产环境中设置前端URL。
There are several ways to set a frontend URL:
有几种设置前端URL的方法:
If you are using a Keycloak as a Docker image, you can globally set the frontend URL using the environment variable
KEYCLOAK_FRONTEND_URL.如果您将Keycloak用作Docker映像,则可以使用环境变量
KEYCLOAK_FRONTEND_URL全局设置前端URL。Otherwise, you can add the following to the startup:
-Dkeycloak.frontendUrl=https://my.keycloak.instance.com/auth.否则,您可以将以下内容添加到启动中:
-Dkeycloak.frontendUrl=https://my.keycloak.instance.com/auth。It can also be added to Keycloak’s
standalone.xmlconfiguration.也可以将其添加到Keycloak的
standalone.xml配置中。If you are using the
jboss-clitool, the instruction you need to issue is/subsystem=keycloak-server/spi=hostname/provider=default:write-attribute(name=properties.frontendUrl,value=”https://my.keycloak.instance.com/auth").如果您使用的是
jboss-cli工具,则需要发出的指令是/subsystem=keycloak-server/spi=hostname/provider=default:write-attribute(name=properties.frontendUrl,value=” https://my.keycloak.instance.com/auth ")。- Finally, you can override it for individual realms by setting it in the admin console: 最后,您可以在管理控制台中对其进行设置,以覆盖各个领域:
If you want to add it in the standalone.xml, the end result could look something like this:
如果要将其添加到standalone.xml ,则最终结果可能如下所示:
客户端配置 (Client side configuration)
If by any chance your ecosystem includes any Node.js service that interacts with Keycloak on a more client side way, and it uses the module keycloak-connect, then you have one more thing to configure!
如果您的生态系统有机会以任何客户端方式与Keycloak进行交互的任何Node.js服务,并且使用模块keycloak-connect ,那么您还需要配置一件事!
Make sure the property auth-server-url in the keycloak.json you are feeding to keycloak-connect is also aligned with the frontend URL that is configured in Keycloak:
确保您要馈送到keycloak-connect的keycloak.json中的auth-server-url属性也与Keycloak中配置的前端URL对齐:
For the full documentation on how to install and configure Keycloak, especially when it comes to the frontend URL, check the official Keycloak documentation on this topic.
有关如何安装和配置Keycloak的完整文档,尤其是有关前端URL的文档 ,请查看有关此主题的官方Keycloak文档 。
openshift
1367
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
