gai*_*jin 2 spring-security oauth-2.0 spring-boot bearer-token keycloak
有一个 Spring-boot REST API,需要由 Keycloak 保护,该应用程序使用 Keycloak-Spring-Security 适配器(6.0.1)。
对 API 端点的调用会携带从 Keycloak(当前通过邮递员)获取的不记名令牌。
我能够成功执行 REST 端点调用,但其他事情困扰着我 - 我是否应该根据公钥显式验证令牌?
1 - 适配器是否根据公钥执行令牌验证,还是我应该实施它?
2 - 如果适配器正在执行此操作 - 您能否指出这是在哪些类中完成的?
3 - 如果 - 不 - 应如何实施此验证?是否有任何 Keycloak 库可用于验证令牌?
好吧,经过几天的网络搜索答案——我明白了。我查看了Keycloak-spring-security-adapter的代码并找到了它。
首先,我得到了用于调试 keycloak 的日志记录杆:
logging.level.org.keycloak=DEBUG
然后我尝试使用错误的令牌访问我的端点(我预计这会产生异常,即更明显的跟踪;而且确实如此):
2019-10-17 10:18:57,905 | 30860 | http-nio-8081-exec-2 | | | | | DEBUG | | org.keycloak.adapters.PreAuthActionsHandler | adminRequest http://localhost:8081/error
2019-10-17 10:18:57,906 | 30860 | http-nio-8081-exec-2 | | | | | DEBUG | | org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter | Request is to process authentication
2019-10-17 10:18:57,906 | 30860 | http-nio-8081-exec-2 | | | | | DEBUG | | org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter | Attempting Keycloak authentication
2019-10-17 10:18:57,906 | 30860 | http-nio-8081-exec-2 | | | | | DEBUG | | org.keycloak.adapters.BearerTokenRequestAuthenticator | Found [1] values in authorization header, selecting the first value for Bearer.
2019-10-17 10:18:57,906 | 30860 | http-nio-8081-exec-2 | | | | | DEBUG | | org.keycloak.adapters.BearerTokenRequestAuthenticator | Verifying access_token
2019-10-17 10:18:57,908 | 30860 | http-nio-8081-exec-2 | | | | | DEBUG | | org.keycloak.adapters.BearerTokenRequestAuthenticator | Failed to verify token
2019-10-17 10:18:57,908 | 30860 | http-nio-8081-exec-2 | | | | | DEBUG | | org.keycloak.adapters.RequestAuthenticator | Bearer FAILED
2019-10-17 10:18:57,908 | 30860 | http-nio-8081-exec-2 | | | | | DEBUG | | org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter | Auth outcome: FAILED
2019-10-17 10:18:57,925 | 30860 | http-nio-8081-exec-2 | | | | | DEBUG | | org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter | Authentication request failed: org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details
at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:158)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
.....
从那时起,很明显令牌正在被验证,如果您查看参与的类,您会发现在某些情况下它正在根据公钥进行验证。
在我的例子中,参与此身份验证和验证的类是 ( bearer-only):
org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter
org.keycloak.adapters.BearerTokenRequestAuthenticator
希望这可以帮助像我一样的其他人在 Keycloak 中找到自己的路。
| 归档时间: |
|
| 查看次数: |
4200 次 |
| 最近记录: |