
bar*_*ber 2 java spring-boot keycloak

I have exactly the same problem as here: Spring Boot - KeyCloak redirected to 403 Forbidden. However, the answer to that question indicates that the role may not have been configured or assigned in the Keycloak server, which is my case.


An Angular front-end application authenticates users against a Keycloak server.


The received token is then passed, via keycloak-spring-boot-2-starter, to a REST service developed with Spring Boot.


Here is the problem: my service receives the token and authenticates it with Keycloak without any issue, but returns 403 to the client application.


I did debug the Keycloak adapter and found that the principal (GenericPrincipal) found in the request carries no role information (an empty list).


On the Keycloak server I added a role in the realm settings and assigned that role to the user (there is only one user). I also tried client roles (with use-resource-role-mappings: true), but got the same problem.


Here is my Keycloak configuration in application.yaml:

    keycloak:
      auth-server-url: http://localhost:8084/auth
      ssl-required: external
      realm: soccer-system
      resource: league-service
      bearer-only: true
      cors: true
      use-resource-role-mappings: false
      enabled: true
      credentials:
        secret: myClientKey
      security-constraints:
        0:
          auth-roles:
          - user
          security-collections:
            0:
              patterns:
              - /*

The Keycloak server version is 3.4.3.Final.


I have been struggling with this for two days. Hopefully someone can put me on the right track :)


Maven dependencies:

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-spring-boot-2-starter</artifactId>
            <version>4.0.0.Beta2</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

Debug log from the adapter:

    2018-05-27 12:32:09.266 DEBUG 2607 --- [nio-8081-exec-1] o.k.adapters.PreAuthActionsHandler       : adminRequest http://localhost:8081/league
    2018-05-27 12:32:09.273 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Using provider 'secret' for authentication of client 'league-service'
    2018-05-27 12:32:09.275 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider secret
    2018-05-27 12:32:09.277 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider jwt
    2018-05-27 12:32:09.278 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider secret-jwt
    2018-05-27 12:32:09.279 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider secret
    2018-05-27 12:32:09.279 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider jwt
    2018-05-27 12:32:09.279 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider secret-jwt
    2018-05-27 12:32:09.484 DEBUG 2607 --- [nio-8081-exec-1] o.keycloak.adapters.KeycloakDeployment   : resolveUrls
    2018-05-27 12:32:09.486 DEBUG 2607 --- [nio-8081-exec-1] o.k.adapters.KeycloakDeploymentBuilder   : Use authServerUrl: http://localhost:8084/auth, tokenUrl: http://localhost:8084/auth/realms/soccer-system/protocol/openid-connect/token, relativeUrls: NEVER
    2018-05-27 12:32:09.486 DEBUG 2607 --- [nio-8081-exec-1] o.k.adapters.PreAuthActionsHandler       : checkCorsPreflight http://localhost:8081/league
    2018-05-27 12:32:09.487 DEBUG 2607 --- [nio-8081-exec-1] o.k.adapters.PreAuthActionsHandler       : Preflight request returning
    2018-05-27 12:32:09.495 DEBUG 2607 --- [nio-8081-exec-2] o.k.adapters.PreAuthActionsHandler       : adminRequest http://localhost:8081/league
    2018-05-27 12:32:09.496 DEBUG 2607 --- [nio-8081-exec-2] o.k.adapters.PreAuthActionsHandler       : checkCorsPreflight http://localhost:8081/league
    2018-05-27 12:32:09.593 TRACE 2607 --- [nio-8081-exec-2] o.k.adapters.RequestAuthenticator        : --> authenticate()
    2018-05-27 12:32:09.593 TRACE 2607 --- [nio-8081-exec-2] o.k.adapters.RequestAuthenticator        : try bearer
    2018-05-27 12:32:09.594 DEBUG 2607 --- [nio-8081-exec-2] o.k.a.BearerTokenRequestAuthenticator    : Verifying access_token
    2018-05-27 12:32:09.637 TRACE 2607 --- [nio-8081-exec-2] o.k.a.BearerTokenRequestAuthenticator    :     access_token: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI5LV92RjRCM21PS0JjQVdhSFlGc3VlVGthRzNEVHBqUThHS2NqTGpqY0pnIn0....signature
    2018-05-27 12:32:09.697 TRACE 2607 --- [nio-8081-exec-2] o.k.a.rotation.JWKPublicKeyLocator       : Going to send request to retrieve new set of realm public keys for client league-service
    2018-05-27 12:32:09.822 DEBUG 2607 --- [nio-8081-exec-2] o.k.a.rotation.JWKPublicKeyLocator       : Realm public keys successfully retrieved for client league-service. New kids: [9-_vF4B3mOKBcAWaHYFsueTkaG3DTpjQ8GKcjLjjcJg]
    2018-05-27 12:32:09.823 DEBUG 2607 --- [nio-8081-exec-2] o.k.a.BearerTokenRequestAuthenticator    : successful authorized
    2018-05-27 12:32:09.826 TRACE 2607 --- [nio-8081-exec-2] o.k.a.RefreshableKeycloakSecurityContext : checking whether to refresh.
    2018-05-27 12:32:09.827 TRACE 2607 --- [nio-8081-exec-2] org.keycloak.adapters.AdapterUtils       : use realm role mappings
    2018-05-27 12:32:09.827 TRACE 2607 --- [nio-8081-exec-2] org.keycloak.adapters.AdapterUtils       : Setting roles: 
    2018-05-27 12:32:09.830 DEBUG 2607 --- [nio-8081-exec-2] o.k.adapters.RequestAuthenticator        : User '54b70eb6-731d-4cdb-9530-14ca411b78f8' invoking 'http://localhost:8081/league' on client 'league-service'
    2018-05-27 12:32:09.830 DEBUG 2607 --- [nio-8081-exec-2] o.k.adapters.RequestAuthenticator        : Bearer AUTHENTICATED
    2018-05-27 12:32:09.839  INFO 2607 --- [nio-8081-exec-2] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring FrameworkServlet 'dispatcherServlet'
    2018-05-27 12:32:09.839  INFO 2607 --- [nio-8081-exec-2] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization started
    2018-05-27 12:32:09.866  INFO 2607 --- [nio-8081-exec-2] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization completed in 27 ms

In debug mode I managed to capture the token received from Keycloak (decoded); it looks like this:

    {
        "jti": "c9d8ebd4-1ea6-4191-ac03-32b047d6f80c",
        "exp": 1527441347,
        "nbf": 0,
        "iat": 1527441047,
        "iss": "http://localhost:8084/auth/realms/soccer-system",
        "aud": "league-organizer-app",
        "sub": "54b70eb6-731d-4cdb-9530-14ca411b78f8",
        "typ": "Bearer",
        "azp": "league-organizer-app",
        "nonce": "ac3e1024-9ce0-4a45-806b-8ec245905a3c",
        "auth_time": 1527440521,
        "session_state": "4df9e22b-141a-4970-98cc-cff57894814a",
        "acr": "0",
        "allowed-origins": [
            "*"
        ],
        "resource_access": {
            "account": {
                "roles": [
                    "view-profile"
                ]
            }
        },
        "preferred_username": "thaUser"
    }

Update 1:


I tried Keycloak server version 4.0.0.Beta2 to match the adapter's version. Unfortunately, that did not help.


Update 2:


I tried using ** as the role constraint in the configuration, as suggested in the comments, but that did not help either:

    security-constraints:
        0:
          auth-roles:
          - '**'
          security-collections:
            0:
              patterns:
              - /*

Edit 1:


Added the console output. It seems that no roles are being set. But I do have those roles in my realm, assigned to my user.


Edit 2:


Added the access token as seen by the adapter in debug.


bar*_*ber 5

I finally got it working. The problem was that I had not mapped any roles into the scope of my front-end application's client configuration. Once I did, it worked. In the client configuration (the one the user authenticates with), open the "Scope" tab. Either enable the "Full Scope Allowed" option, or select the realm roles you want Keycloak to map. The selected roles are mapped onto the user's roles and included in the token.

I just didn't know I had to do this. Thanks anyway for the comments, they were useful.
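As an added diagnostic (not the asker's code nor Keycloak's), the Python below decodes a bearer token's claims and applies the adapter's role lookup the way the question's log shows it ("use realm role mappings", then "Setting roles:" with nothing): realm_access.roles by default, resource_access[resource].roles when use-resource-role-mappings is true. The sample claims are constructed from the decoded token in the question; the header kid and the signature segment are placeholders, and the signature is deliberately not verified because this only explains the 403, not the authentication step.

```python
import base64
import json

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Payload of a compact JWS as a dict. Diagnostic only: the signature is
    not checked here; the adapter verifies it against the realm JWKS first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def adapter_roles(claims: dict, resource: str, use_resource_role_mappings: bool) -> set:
    """Role source as the adapter picks it (AdapterUtils): realm_access.roles by
    default, resource_access[<resource>].roles when use-resource-role-mappings
    is true. A missing claim yields the empty set, i.e. 'Setting roles: ' (none)."""
    if use_resource_role_mappings:
        access = claims.get("resource_access", {}).get(resource, {})
    else:
        access = claims.get("realm_access", {})
    return set(access.get("roles", []))

def missing_roles(claims: dict, resource: str, use_resource_role_mappings: bool,
                  auth_roles) -> list:
    """auth-roles of the security constraint that the token cannot satisfy;
    a non-empty result means: authenticated, then 403."""
    return sorted(set(auth_roles) - adapter_roles(claims, resource, use_resource_role_mappings))

def make_unsigned_token(payload: dict) -> str:
    # Constructed sample token; kid and signature segment are placeholders.
    header = {"alg": "RS256", "typ": "JWT", "kid": "placeholder-kid"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()), "placeholder-sig"])

# Claims as in the question's decoded token: only the account client's roles.
CLAIMS_BEFORE = {
    "iss": "http://localhost:8084/auth/realms/soccer-system",
    "aud": "league-organizer-app", "azp": "league-organizer-app",
    "preferred_username": "thaUser",
    "resource_access": {"account": {"roles": ["view-profile"]}},
}
# The same token once the realm role "user" is mapped into the client's scope.
CLAIMS_AFTER = dict(CLAIMS_BEFORE, realm_access={"roles": ["user"]})
```

Running `missing_roles(decode_claims(make_unsigned_token(CLAIMS_BEFORE)), "league-service", False, ["user"])` reports `["user"]` as unsatisfied, while the CLAIMS_AFTER token reports nothing missing.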