Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
429 views
in Technique[技术] by (71.8m points)

node.js - 403 Forbidden, communication among docker containers

I have an application composed of react-client (frontend), express server (backend), and keycloak. For development purpose, I run keycloak inside a docker-container and expose its corresponding port (8080); frontend and backend run locally on my machine. They connect to keycloak on the aforementioned port. Backend serves some REST end-points and these end-points are protected by keycloak. Everything works fine.

However, when I tried to containerize my application for production purpose by putting backend in a container and run everything with docker-compose (frontend still run on my local machine), backend rejected all requests from frontend, although these requests are attached with a valid token. I guess the problem is that backend cannot connect with keycloak to verify the token but I don't know why and how to fix the problem.

This is my docker-compose.yml:

version: "3.8"
services:
  
  backend:
    image: "backend"
    build:
      context: .
      dockerfile: ./backend/Dockerfile
    ports:
      - "5001:5001"

  keycloak:
    image: "jboss/keycloak"
    ports:
      - "8080:8080"
    environment:
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=admin
      - KEYCLOAK_IMPORT=/tmp/realm-export.json
    volumes:
      - ./realm-export.json:/tmp/realm-export.json

  mongo_db:
    image: "mongo:4.2-bionic"
    ports:
      - "27017:27017"

  mongo_db_web_interface:
    image: "mongo-express"
    ports:
      - "4000:8081"
    environment:
      - ME_CONFIG_MONGODB_SERVER=mongo_db

This is keycloak configuration in backend code:

{
  "realm": "License-game",
  "bearer-only": true,
  "auth-server-url": "http://keycloak:8080/auth/",
  "ssl-required": "external",
  "resource": "backend",
  "confidential-port": 0
}

This is keycloak configuration in frontend code:

{
    URL: "http://localhost:8080/auth/",
    realm: 'License-game',
    clientId: 'react'
}

This is the configuration of keycloak for backend

question from:https://stackoverflow.com/questions/65948288/403-forbidden-communication-among-docker-containers

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Backend and frontend are using different Keycloak URLs in your case - http://keycloak:8080/auth/ vs http://localhost:8080/auth/, so they are expecting different issuer in the token.

So yes, token from the frontend is valid, but not for the backend. Because that one is expecting different issuer value in the token. Use the same keycloak domain everywhere and you want have this kind of problem.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...