我正在尝试为 Teams Tab App 设置令牌交换,并想要设置 KeyCloak,以便我可以将 Entra 令牌兑换为 KeyCloak 令牌。
我启用了
- KC_FEATURE=预览,令牌交换,管理细粒度身份验证
并且看起来它处于活动状态:
./opt/keycloak/bin/kc.sh show-config
:
kc.feature = preview,token-exchange,admin-fine-grained-authz (ENV)
:
我正在使用 quay.io/keycloak/keycloak:26.1.3
我错过了什么?
文件:services:
idp2-database:
image: postgres:17.0
volumes:
- ./docker-volumes/userDatabase2:/var/lib/postgresql/data
restart: always
ports:
- "45001:5432"
environment:
POSTGRES_DB: userDb
POSTGRES_USER: keycloakUser
POSTGRES_PASSWORD: keycloakUser
container_name: idp2-database
networks:
- keycloak2-and-postgres-network
healthcheck:
test: ["CMD", "psql", "-U", "keycloakUser", "-d", "userDb", "-c", "SELECT 1"]
interval: 10s
timeout: 5s
retries: 5
idp2-keycloak:
image: quay.io/keycloak/keycloak:26.1.3
container_name: idp2-keycloak
restart: always
command: ["start", "--https-certificate-file=/opt/keycloak/certs/tls.crt", "--https-certificate-key-file=/opt/keycloak/certs/tls.key", "--spi-theme-static-max-age=-1", "--spi-theme-cache-themes=false", "--spi-theme-cache-templates=false"]
environment:
# features (token-exchange, admin-fine-grained-authz)
- KC_FEATURE=preview,token-exchange,admin-fine-grained-authz
# admin user
- KEYCLOAK_ADMIN=admin
- KEYCLOAK_ADMIN_PASSWORD=admin
# database
- KC_DB=postgres
- KC_DB_URL=jdbc:postgresql://idp2-database:5432/userDb
- KC_DB_USERNAME=keycloakUser
- KC_DB_PASSWORD=keycloakUser
# health
- KC_HEALTH_ENABLED=true
# logging
- KEYCLOAK_LOGLEVEL=DEBUG
# hosting
- KC_HOSTNAME=localhost
- KEYCLOAK_FRONTEND_URL=https://localhost:45000/auth
- KC_HOSTNAME_STRICT=false
- KC_HOSTNAME_STRICT_HTTPS=true
- KC_HTTP_ENABLED=false
- KC_HTTPS_PORT=8443
# - KC_HTTP_MAX_HEADER_SIZE=32768
- QUARKUS_HTTP_HTTP2=false
ports:
- "45000:8443"
volumes:
- ./docker-volumes/keycloak2/standalone/data:/opt/keycloak/standalone/data
- ./docker-volumes/keycloak2/certs:/opt/keycloak/certs
- ../src/themes:/opt/keycloak/themes
- ./docker-volumes/keycloak2/providers:/opt/keycloak/providers
- ./docker-volumes/keycloak2/standalone/configuration:/opt/keycloak/standalone/configuration
depends_on:
idp2-database:
condition: service_healthy
networks:
- keycloak2-and-postgres-network
networks:
keycloak2-and-postgres-network:
证书片段:
openssl req -newkey rsa:2048 -nodes \
-keyout ./docker-volumes/keycloak/certs/tls.key \
-x509 -days 365 \
-out ./docker-volumes/keycloak/certs/tls.crt \
-subj "/CN=localhost" \
-addext "subjectAltName=DNS:localhost,DNS:127.0.0.1"