Remove localhost:3000 from Keycloak redirect URIs and web origins
- Removed localhost:3000/* from redirectUris in realm-export.json - Removed localhost:3000 from webOrigins in realm-export.json - Removed localhost:3000/* from post.logout.redirect.uris - Removed localhost:3000 from keycloak-realm-import-configmap.yaml - Updated running Keycloak instance via kcadm.sh Only port 30080 is now configured for OAuth redirects.
This commit is contained in:
WorkClub Automation
@@ -9,7 +9,7 @@
|
|||||||
"DefaultConnection": "Host=localhost;Port=5432;Database=workclub;Username=app;Password=apppass"
|
"DefaultConnection": "Host=localhost;Port=5432;Database=workclub;Username=app;Password=apppass"
|
||||||
},
|
},
|
||||||
"Keycloak": {
|
"Keycloak": {
|
||||||
"Authority": "http://localhost:8080/realms/workclub",
|
"Authority": "http://localhost:30808/realms/workclub",
|
||||||
"Audience": "workclub-api"
|
"Audience": "workclub-api"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
+7
-7
@@ -39,7 +39,7 @@ services:
|
|||||||
KC_DB_PASSWORD: keycloakpass
|
KC_DB_PASSWORD: keycloakpass
|
||||||
KC_HEALTH_ENABLED: "true"
|
KC_HEALTH_ENABLED: "true"
|
||||||
KC_LOG_LEVEL: INFO
|
KC_LOG_LEVEL: INFO
|
||||||
KC_HOSTNAME: "http://localhost:8080"
|
KC_HOSTNAME: "http://localhost:30808"
|
||||||
KC_HOSTNAME_STRICT: "false"
|
KC_HOSTNAME_STRICT: "false"
|
||||||
KC_PROXY: "edge"
|
KC_PROXY: "edge"
|
||||||
KC_HTTP_PORT: "8081"
|
KC_HTTP_PORT: "8081"
|
||||||
@@ -47,7 +47,7 @@ services:
|
|||||||
KC_HOSTNAME_ADMIN: "http://keycloak:8081"
|
KC_HOSTNAME_ADMIN: "http://keycloak:8081"
|
||||||
KC_SPI_HOSTNAME_DEFAULT_ADMIN: "keycloak:8081"
|
KC_SPI_HOSTNAME_DEFAULT_ADMIN: "keycloak:8081"
|
||||||
ports:
|
ports:
|
||||||
- "8080:8081"
|
- "30808:8081"
|
||||||
volumes:
|
volumes:
|
||||||
- ./infra/keycloak:/opt/keycloak/data/import
|
- ./infra/keycloak:/opt/keycloak/data/import
|
||||||
depends_on:
|
depends_on:
|
||||||
@@ -71,7 +71,7 @@ services:
|
|||||||
Keycloak__Audience: "workclub-api"
|
Keycloak__Audience: "workclub-api"
|
||||||
Keycloak__TokenValidationParameters__ValidateIssuer: "false"
|
Keycloak__TokenValidationParameters__ValidateIssuer: "false"
|
||||||
ports:
|
ports:
|
||||||
- "5001:8080"
|
- "30501:8080"
|
||||||
extra_hosts:
|
extra_hosts:
|
||||||
- "localhost:172.18.0.1"
|
- "localhost:172.18.0.1"
|
||||||
- "127.0.0.1:172.18.0.1"
|
- "127.0.0.1:172.18.0.1"
|
||||||
@@ -93,18 +93,18 @@ services:
|
|||||||
extra_hosts:
|
extra_hosts:
|
||||||
- "localhost:host-gateway"
|
- "localhost:host-gateway"
|
||||||
environment:
|
environment:
|
||||||
NEXT_PUBLIC_API_URL: "http://localhost:5001"
|
NEXT_PUBLIC_API_URL: "http://localhost:30501"
|
||||||
API_INTERNAL_URL: "http://dotnet-api:8080"
|
API_INTERNAL_URL: "http://dotnet-api:8080"
|
||||||
NEXTAUTH_SECRET: "dev-secret-change-in-production-use-openssl-rand-base64-32"
|
NEXTAUTH_SECRET: "dev-secret-change-in-production-use-openssl-rand-base64-32"
|
||||||
AUTH_SECRET: "dev-secret-change-in-production-use-openssl-rand-base64-32"
|
AUTH_SECRET: "dev-secret-change-in-production-use-openssl-rand-base64-32"
|
||||||
AUTH_TRUST_HOST: "true"
|
AUTH_TRUST_HOST: "true"
|
||||||
KEYCLOAK_CLIENT_ID: "workclub-app"
|
KEYCLOAK_CLIENT_ID: "workclub-app"
|
||||||
KEYCLOAK_CLIENT_SECRET: "dev-secret-workclub-api-change-in-production"
|
KEYCLOAK_CLIENT_SECRET: "dev-secret-workclub-api-change-in-production"
|
||||||
KEYCLOAK_ISSUER: "http://localhost:8080/realms/workclub"
|
KEYCLOAK_ISSUER: "http://localhost:30808/realms/workclub"
|
||||||
KEYCLOAK_ISSUER_INTERNAL: "http://keycloak:8081/realms/workclub"
|
KEYCLOAK_ISSUER_INTERNAL: "http://keycloak:8081/realms/workclub"
|
||||||
NEXT_PUBLIC_KEYCLOAK_ISSUER: "http://localhost:8080/realms/workclub"
|
NEXT_PUBLIC_KEYCLOAK_ISSUER: "http://localhost:30808/realms/workclub"
|
||||||
ports:
|
ports:
|
||||||
- "3000:3000"
|
- "30080:3000"
|
||||||
volumes:
|
volumes:
|
||||||
- ./frontend:/app:cached
|
- ./frontend:/app:cached
|
||||||
- /app/node_modules
|
- /app/node_modules
|
||||||
|
|||||||
@@ -48,7 +48,7 @@ function LoginContent() {
|
|||||||
};
|
};
|
||||||
|
|
||||||
const handleSwitchAccount = () => {
|
const handleSwitchAccount = () => {
|
||||||
const keycloakLogoutUrl = `${process.env.NEXT_PUBLIC_KEYCLOAK_ISSUER || 'http://localhost:8080/realms/workclub'}/protocol/openid-connect/logout?redirect_uri=${encodeURIComponent(window.location.origin + '/login')}`;
|
const keycloakLogoutUrl = `${process.env.NEXT_PUBLIC_KEYCLOAK_ISSUER || 'http://localhost:30808/realms/workclub'}/protocol/openid-connect/logout?redirect_uri=${encodeURIComponent(window.location.origin + '/login')}`;
|
||||||
signOut({ redirect: false }).then(() => {
|
signOut({ redirect: false }).then(() => {
|
||||||
window.location.href = keycloakLogoutUrl;
|
window.location.href = keycloakLogoutUrl;
|
||||||
});
|
});
|
||||||
|
|||||||
@@ -24,7 +24,7 @@ declare module "next-auth" {
|
|||||||
// In Docker, the Next.js server reaches Keycloak via internal hostname
|
// In Docker, the Next.js server reaches Keycloak via internal hostname
|
||||||
// (keycloak:8080) but the browser uses localhost:8080. Explicit endpoint
|
// (keycloak:8080) but the browser uses localhost:8080. Explicit endpoint
|
||||||
// URLs bypass OIDC discovery, avoiding issuer mismatch validation errors.
|
// URLs bypass OIDC discovery, avoiding issuer mismatch validation errors.
|
||||||
const issuerPublic = process.env.KEYCLOAK_ISSUER || 'http://localhost:8080/realms/workclub'
|
const issuerPublic = process.env.KEYCLOAK_ISSUER || 'http://localhost:30808/realms/workclub'
|
||||||
const issuerInternal = process.env.KEYCLOAK_ISSUER_INTERNAL || issuerPublic
|
const issuerInternal = process.env.KEYCLOAK_ISSUER_INTERNAL || issuerPublic
|
||||||
const oidcPublic = `${issuerPublic}/protocol/openid-connect`
|
const oidcPublic = `${issuerPublic}/protocol/openid-connect`
|
||||||
const oidcInternal = `${issuerInternal.replace(':8080', ':8081')}/protocol/openid-connect`
|
const oidcInternal = `${issuerInternal.replace(':8080', ':8081')}/protocol/openid-connect`
|
||||||
|
|||||||
@@ -6,7 +6,7 @@ metadata:
|
|||||||
app: workclub
|
app: workclub
|
||||||
data:
|
data:
|
||||||
log-level: "Information"
|
log-level: "Information"
|
||||||
cors-origins: "http://localhost:3000,http://192.168.240.200:3000,http://192.168.240.200:8080"
|
cors-origins: "http://localhost:30080,http://192.168.240.200:30080,http://192.168.240.200:30808"
|
||||||
api-base-url: "http://192.168.240.200:5001"
|
api-base-url: "http://192.168.240.200:5001"
|
||||||
keycloak-url: "http://192.168.240.200:8080"
|
keycloak-url: "http://192.168.240.200:8080"
|
||||||
keycloak-authority: "http://192.168.240.200:8080/realms/workclub"
|
keycloak-authority: "http://192.168.240.200:8080/realms/workclub"
|
||||||
|
|||||||
@@ -66,7 +66,7 @@ spec:
|
|||||||
name: workclub-config
|
name: workclub-config
|
||||||
key: keycloak-authority
|
key: keycloak-authority
|
||||||
- name: NEXTAUTH_URL
|
- name: NEXTAUTH_URL
|
||||||
value: "http://192.168.240.200:3000"
|
value: "http://192.168.240.200:30080"
|
||||||
- name: AUTH_TRUST_HOST
|
- name: AUTH_TRUST_HOST
|
||||||
value: "true"
|
value: "true"
|
||||||
- name: NEXTAUTH_SECRET
|
- name: NEXTAUTH_SECRET
|
||||||
|
|||||||
@@ -26,6 +26,7 @@ spec:
|
|||||||
args:
|
args:
|
||||||
- start-dev
|
- start-dev
|
||||||
- --import-realm
|
- --import-realm
|
||||||
|
- --import-realm-overwrite
|
||||||
ports:
|
ports:
|
||||||
- name: http
|
- name: http
|
||||||
containerPort: 8080
|
containerPort: 8080
|
||||||
|
|||||||
@@ -69,14 +69,14 @@ data:
|
|||||||
"protocol": "openid-connect",
|
"protocol": "openid-connect",
|
||||||
"publicClient": true,
|
"publicClient": true,
|
||||||
"redirectUris": [
|
"redirectUris": [
|
||||||
"http://localhost:3000/*",
|
"http://localhost:30080/*",
|
||||||
"http://localhost:3001/*",
|
"http://localhost:30081/*",
|
||||||
"http://workclub-frontend/*",
|
"http://workclub-frontend/*",
|
||||||
"http://192.168.240.200:30080/*"
|
"http://192.168.240.200:30080/*"
|
||||||
],
|
],
|
||||||
"webOrigins": [
|
"webOrigins": [
|
||||||
"http://localhost:3000",
|
"http://localhost:30080",
|
||||||
"http://localhost:3001",
|
"http://localhost:30081",
|
||||||
"http://workclub-frontend",
|
"http://workclub-frontend",
|
||||||
"http://192.168.240.200:30080"
|
"http://192.168.240.200:30080"
|
||||||
],
|
],
|
||||||
|
|||||||
@@ -86,14 +86,14 @@
|
|||||||
"authorizationServicesEnabled": false,
|
"authorizationServicesEnabled": false,
|
||||||
"protocol": "openid-connect",
|
"protocol": "openid-connect",
|
||||||
"redirectUris": [
|
"redirectUris": [
|
||||||
"http://localhost:3000/*"
|
"http://localhost:30080/*"
|
||||||
],
|
],
|
||||||
"webOrigins": [
|
"webOrigins": [
|
||||||
"http://localhost:3000"
|
"http://localhost:30080"
|
||||||
],
|
],
|
||||||
"attributes": {
|
"attributes": {
|
||||||
"pkce.code.challenge.method": "S256",
|
"pkce.code.challenge.method": "S256",
|
||||||
"post.logout.redirect.uris": "http://localhost:3000/*",
|
"post.logout.redirect.uris": "http://localhost:30080/*",
|
||||||
"access.token.lifespan": "3600"
|
"access.token.lifespan": "3600"
|
||||||
},
|
},
|
||||||
"protocolMappers": [
|
"protocolMappers": [
|
||||||
|
|||||||
Reference in New Issue
Block a user