403 spring-boot-2-keycloak-适配器
403 spring-boot-2-keycloak-adapter
我遇到了与此处完全相同的问题:
但是,该问题的答案说角色可能未在 keycloak 服务器中配置或分配,就我而言。
一个 angular 前端应用程序,使用 keycloak 服务器对用户进行身份验证。
然后将接收到的令牌传递给使用spring-boot开发的rest服务,使用keycloak-spring-boot-2-starter.
这就是问题所在:我的服务获取令牌,使用 keycloak 对其进行身份验证没有问题,但是 return 403 到客户端应用程序。
我确实调试了keycloak适配器,发现在请求中找到的主体(GenericPrincipal)中,没有角色信息(和空列表)。
在keycloak服务器上,我在realm设置中添加了角色,并将角色分配给用户(只有一个用户)。也尝试了客户端角色(使用资源角色映射:true)但同样的问题。
这是我在 application.yaml 中的 keycloak 配置:
keycloak:
auth-server-url: http://localhost:8084/auth
ssl-required: external
realm: soccer-system
resource: league-service
bearer-only: true
cors: true
use-resource-role-mappings: false
enabled: true
credentials:
secret: myClientKey
security-constraints:
0:
auth-roles:
- user
security-collections:
0:
patterns:
- /*
Keycloak 服务器版本为 3.4。3.Final
我为此苦苦挣扎了两天。希望外面有人会带我上路:)
Maven 依赖项:
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-boot-2-starter</artifactId>
<version>4.0.0.Beta2</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
来自适配器的调试日志:
2018-05-27 12:32:09.266 DEBUG 2607 --- [nio-8081-exec-1] o.k.adapters.PreAuthActionsHandler : adminRequest http://localhost:8081/league
2018-05-27 12:32:09.273 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Using provider 'secret' for authentication of client 'league-service'
2018-05-27 12:32:09.275 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider secret
2018-05-27 12:32:09.277 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider jwt
2018-05-27 12:32:09.278 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider secret-jwt
2018-05-27 12:32:09.279 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider secret
2018-05-27 12:32:09.279 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider jwt
2018-05-27 12:32:09.279 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider secret-jwt
2018-05-27 12:32:09.484 DEBUG 2607 --- [nio-8081-exec-1] o.keycloak.adapters.KeycloakDeployment : resolveUrls
2018-05-27 12:32:09.486 DEBUG 2607 --- [nio-8081-exec-1] o.k.adapters.KeycloakDeploymentBuilder : Use authServerUrl: http://localhost:8084/auth, tokenUrl: http://localhost:8084/auth/realms/soccer-system/protocol/openid-connect/token, relativeUrls: NEVER
2018-05-27 12:32:09.486 DEBUG 2607 --- [nio-8081-exec-1] o.k.adapters.PreAuthActionsHandler : checkCorsPreflight http://localhost:8081/league
2018-05-27 12:32:09.487 DEBUG 2607 --- [nio-8081-exec-1] o.k.adapters.PreAuthActionsHandler : Preflight request returning
2018-05-27 12:32:09.495 DEBUG 2607 --- [nio-8081-exec-2] o.k.adapters.PreAuthActionsHandler : adminRequest http://localhost:8081/league
2018-05-27 12:32:09.496 DEBUG 2607 --- [nio-8081-exec-2] o.k.adapters.PreAuthActionsHandler : checkCorsPreflight http://localhost:8081/league
2018-05-27 12:32:09.593 TRACE 2607 --- [nio-8081-exec-2] o.k.adapters.RequestAuthenticator : --> authenticate()
2018-05-27 12:32:09.593 TRACE 2607 --- [nio-8081-exec-2] o.k.adapters.RequestAuthenticator : try bearer
2018-05-27 12:32:09.594 DEBUG 2607 --- [nio-8081-exec-2] o.k.a.BearerTokenRequestAuthenticator : Verifying access_token
2018-05-27 12:32:09.637 TRACE 2607 --- [nio-8081-exec-2] o.k.a.BearerTokenRequestAuthenticator : access_token: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI5LV92RjRCM21PS0JjQVdhSFlGc3VlVGthRzNEVHBqUThHS2NqTGpqY0pnIn0.eyJqdGkiOiI1ZWMyYmU0YS04YmRlLTQ0OTEtYjRjMC04YzY5ZDIxMmVkZmIiLCJleHAiOjE1Mjc0MzkwMzYsIm5iZiI6MCwiaWF0IjoxNTI3NDM4NzM2LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODQvYXV0aC9yZWFsbXMvc29jY2VyLXN5c3RlbSIsImF1ZCI6ImxlYWd1ZS1vcmdhbml6ZXItYXBwIiwic3ViIjoiNTRiNzBlYjYtNzMxZC00Y2RiLTk1MzAtMTRjYTQxMWI3OGY4IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoibGVhZ3VlLW9yZ2FuaXplci1hcHAiLCJub25jZSI6IjRiYjgzZDVhLTg5ZDktNDNkNy1hMWExLWJjZDdlYTQ0Y2Q3YiIsImF1dGhfdGltZSI6MTUyNzQzODczNSwic2Vzc2lvbl9zdGF0ZSI6ImQwNmI0NGQ2LTljYTgtNGYzYy1iYTBlLTY5NDhmYzAzYWY0YyIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiKiJdLCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJ2aWV3LXByb2ZpbGUiXX19LCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJyLmJhcmFiZUBnbWFpbC5jb20ifQ.signature
2018-05-27 12:32:09.697 TRACE 2607 --- [nio-8081-exec-2] o.k.a.rotation.JWKPublicKeyLocator : Going to send request to retrieve new set of realm public keys for client league-service
2018-05-27 12:32:09.822 DEBUG 2607 --- [nio-8081-exec-2] o.k.a.rotation.JWKPublicKeyLocator : Realm public keys successfully retrieved for client league-service. New kids: [9-_vF4B3mOKBcAWaHYFsueTkaG3DTpjQ8GKcjLjjcJg]
2018-05-27 12:32:09.823 DEBUG 2607 --- [nio-8081-exec-2] o.k.a.BearerTokenRequestAuthenticator : successful authorized
2018-05-27 12:32:09.826 TRACE 2607 --- [nio-8081-exec-2] o.k.a.RefreshableKeycloakSecurityContext : checking whether to refresh.
2018-05-27 12:32:09.827 TRACE 2607 --- [nio-8081-exec-2] org.keycloak.adapters.AdapterUtils : use realm role mappings
2018-05-27 12:32:09.827 TRACE 2607 --- [nio-8081-exec-2] org.keycloak.adapters.AdapterUtils : Setting roles:
2018-05-27 12:32:09.830 DEBUG 2607 --- [nio-8081-exec-2] o.k.adapters.RequestAuthenticator : User '54b70eb6-731d-4cdb-9530-14ca411b78f8' invoking 'http://localhost:8081/league' on client 'league-service'
2018-05-27 12:32:09.830 DEBUG 2607 --- [nio-8081-exec-2] o.k.adapters.RequestAuthenticator : Bearer AUTHENTICATED
2018-05-27 12:32:09.839 INFO 2607 --- [nio-8081-exec-2] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring FrameworkServlet 'dispatcherServlet'
2018-05-27 12:32:09.839 INFO 2607 --- [nio-8081-exec-2] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization started
2018-05-27 12:32:09.866 INFO 2607 --- [nio-8081-exec-2] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization completed in 27 ms
在调试模式下,我设法获得了从 keycloak 收到的令牌(已解码),这里是:
{
"jti": "c9d8ebd4-1ea6-4191-ac03-32b047d6f80c",
"exp": 1527441347,
"nbf": 0,
"iat": 1527441047,
"iss": "http://localhost:8084/auth/realms/soccer-system",
"aud": "league-organizer-app",
"sub": "54b70eb6-731d-4cdb-9530-14ca411b78f8",
"typ": "Bearer",
"azp": "league-organizer-app",
"nonce": "ac3e1024-9ce0-4a45-806b-8ec245905a3c",
"auth_time": 1527440521,
"session_state": "4df9e22b-141a-4970-98cc-cff57894814a",
"acr": "0",
"allowed-origins": [
"*"
],
"resource_access": {
"account": {
"roles": [
"view-profile"
]
}
},
"preferred_username": "thaUser"
}
更新 1:
我尝试使用 keycloak 服务器版本 4.0.0.Beta2 来匹配其中一个适配器。不幸的是,这没有帮助。
更新 2:
我试图按照评论中的建议将 ** 作为角色限制放在配置中,但这没有帮助:
security-constraints:
0:
auth-roles:
- '**'
security-collections:
0:
patterns:
- /*
编辑 1:
添加了控制台输出。好像说没有设定角色。但我确实在我的领域中拥有那些分配给我的用户的角色。
编辑 2:
添加了适配器在调试中看到的访问令牌。
我终于做到了。
问题是我没有将任何角色映射到我的前端应用程序客户端配置中的范围。
当我这样做时它起作用了。在客户端配置(用户通过身份验证的配置)中,选项卡 'Scope'。 Eighter 激活选项 'Full Scope Allowed',或选择您希望 keycloak 映射的领域角色。所选角色将映射到用户角色并包含在令牌中。
我只是不知道我必须这样做。尽管如此,还是感谢您的评论,它很有用。
我遇到了与此处完全相同的问题:
一个 angular 前端应用程序,使用 keycloak 服务器对用户进行身份验证。
然后将接收到的令牌传递给使用spring-boot开发的rest服务,使用keycloak-spring-boot-2-starter.
这就是问题所在:我的服务获取令牌,使用 keycloak 对其进行身份验证没有问题,但是 return 403 到客户端应用程序。
我确实调试了keycloak适配器,发现在请求中找到的主体(GenericPrincipal)中,没有角色信息(和空列表)。
在keycloak服务器上,我在realm设置中添加了角色,并将角色分配给用户(只有一个用户)。也尝试了客户端角色(使用资源角色映射:true)但同样的问题。
这是我在 application.yaml 中的 keycloak 配置:
keycloak:
auth-server-url: http://localhost:8084/auth
ssl-required: external
realm: soccer-system
resource: league-service
bearer-only: true
cors: true
use-resource-role-mappings: false
enabled: true
credentials:
secret: myClientKey
security-constraints:
0:
auth-roles:
- user
security-collections:
0:
patterns:
- /*
Keycloak 服务器版本为 3.4。3.Final
我为此苦苦挣扎了两天。希望外面有人会带我上路:)
Maven 依赖项:
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-boot-2-starter</artifactId>
<version>4.0.0.Beta2</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
来自适配器的调试日志:
2018-05-27 12:32:09.266 DEBUG 2607 --- [nio-8081-exec-1] o.k.adapters.PreAuthActionsHandler : adminRequest http://localhost:8081/league
2018-05-27 12:32:09.273 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Using provider 'secret' for authentication of client 'league-service'
2018-05-27 12:32:09.275 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider secret
2018-05-27 12:32:09.277 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider jwt
2018-05-27 12:32:09.278 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider secret-jwt
2018-05-27 12:32:09.279 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider secret
2018-05-27 12:32:09.279 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider jwt
2018-05-27 12:32:09.279 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider secret-jwt
2018-05-27 12:32:09.484 DEBUG 2607 --- [nio-8081-exec-1] o.keycloak.adapters.KeycloakDeployment : resolveUrls
2018-05-27 12:32:09.486 DEBUG 2607 --- [nio-8081-exec-1] o.k.adapters.KeycloakDeploymentBuilder : Use authServerUrl: http://localhost:8084/auth, tokenUrl: http://localhost:8084/auth/realms/soccer-system/protocol/openid-connect/token, relativeUrls: NEVER
2018-05-27 12:32:09.486 DEBUG 2607 --- [nio-8081-exec-1] o.k.adapters.PreAuthActionsHandler : checkCorsPreflight http://localhost:8081/league
2018-05-27 12:32:09.487 DEBUG 2607 --- [nio-8081-exec-1] o.k.adapters.PreAuthActionsHandler : Preflight request returning
2018-05-27 12:32:09.495 DEBUG 2607 --- [nio-8081-exec-2] o.k.adapters.PreAuthActionsHandler : adminRequest http://localhost:8081/league
2018-05-27 12:32:09.496 DEBUG 2607 --- [nio-8081-exec-2] o.k.adapters.PreAuthActionsHandler : checkCorsPreflight http://localhost:8081/league
2018-05-27 12:32:09.593 TRACE 2607 --- [nio-8081-exec-2] o.k.adapters.RequestAuthenticator : --> authenticate()
2018-05-27 12:32:09.593 TRACE 2607 --- [nio-8081-exec-2] o.k.adapters.RequestAuthenticator : try bearer
2018-05-27 12:32:09.594 DEBUG 2607 --- [nio-8081-exec-2] o.k.a.BearerTokenRequestAuthenticator : Verifying access_token
2018-05-27 12:32:09.637 TRACE 2607 --- [nio-8081-exec-2] o.k.a.BearerTokenRequestAuthenticator : access_token: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI5LV92RjRCM21PS0JjQVdhSFlGc3VlVGthRzNEVHBqUThHS2NqTGpqY0pnIn0.eyJqdGkiOiI1ZWMyYmU0YS04YmRlLTQ0OTEtYjRjMC04YzY5ZDIxMmVkZmIiLCJleHAiOjE1Mjc0MzkwMzYsIm5iZiI6MCwiaWF0IjoxNTI3NDM4NzM2LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODQvYXV0aC9yZWFsbXMvc29jY2VyLXN5c3RlbSIsImF1ZCI6ImxlYWd1ZS1vcmdhbml6ZXItYXBwIiwic3ViIjoiNTRiNzBlYjYtNzMxZC00Y2RiLTk1MzAtMTRjYTQxMWI3OGY4IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoibGVhZ3VlLW9yZ2FuaXplci1hcHAiLCJub25jZSI6IjRiYjgzZDVhLTg5ZDktNDNkNy1hMWExLWJjZDdlYTQ0Y2Q3YiIsImF1dGhfdGltZSI6MTUyNzQzODczNSwic2Vzc2lvbl9zdGF0ZSI6ImQwNmI0NGQ2LTljYTgtNGYzYy1iYTBlLTY5NDhmYzAzYWY0YyIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiKiJdLCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJ2aWV3LXByb2ZpbGUiXX19LCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJyLmJhcmFiZUBnbWFpbC5jb20ifQ.signature
2018-05-27 12:32:09.697 TRACE 2607 --- [nio-8081-exec-2] o.k.a.rotation.JWKPublicKeyLocator : Going to send request to retrieve new set of realm public keys for client league-service
2018-05-27 12:32:09.822 DEBUG 2607 --- [nio-8081-exec-2] o.k.a.rotation.JWKPublicKeyLocator : Realm public keys successfully retrieved for client league-service. New kids: [9-_vF4B3mOKBcAWaHYFsueTkaG3DTpjQ8GKcjLjjcJg]
2018-05-27 12:32:09.823 DEBUG 2607 --- [nio-8081-exec-2] o.k.a.BearerTokenRequestAuthenticator : successful authorized
2018-05-27 12:32:09.826 TRACE 2607 --- [nio-8081-exec-2] o.k.a.RefreshableKeycloakSecurityContext : checking whether to refresh.
2018-05-27 12:32:09.827 TRACE 2607 --- [nio-8081-exec-2] org.keycloak.adapters.AdapterUtils : use realm role mappings
2018-05-27 12:32:09.827 TRACE 2607 --- [nio-8081-exec-2] org.keycloak.adapters.AdapterUtils : Setting roles:
2018-05-27 12:32:09.830 DEBUG 2607 --- [nio-8081-exec-2] o.k.adapters.RequestAuthenticator : User '54b70eb6-731d-4cdb-9530-14ca411b78f8' invoking 'http://localhost:8081/league' on client 'league-service'
2018-05-27 12:32:09.830 DEBUG 2607 --- [nio-8081-exec-2] o.k.adapters.RequestAuthenticator : Bearer AUTHENTICATED
2018-05-27 12:32:09.839 INFO 2607 --- [nio-8081-exec-2] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring FrameworkServlet 'dispatcherServlet'
2018-05-27 12:32:09.839 INFO 2607 --- [nio-8081-exec-2] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization started
2018-05-27 12:32:09.866 INFO 2607 --- [nio-8081-exec-2] o.s.web.servlet.DispatcherServlet : FrameworkServlet 'dispatcherServlet': initialization completed in 27 ms
在调试模式下,我设法获得了从 keycloak 收到的令牌(已解码),这里是:
{
"jti": "c9d8ebd4-1ea6-4191-ac03-32b047d6f80c",
"exp": 1527441347,
"nbf": 0,
"iat": 1527441047,
"iss": "http://localhost:8084/auth/realms/soccer-system",
"aud": "league-organizer-app",
"sub": "54b70eb6-731d-4cdb-9530-14ca411b78f8",
"typ": "Bearer",
"azp": "league-organizer-app",
"nonce": "ac3e1024-9ce0-4a45-806b-8ec245905a3c",
"auth_time": 1527440521,
"session_state": "4df9e22b-141a-4970-98cc-cff57894814a",
"acr": "0",
"allowed-origins": [
"*"
],
"resource_access": {
"account": {
"roles": [
"view-profile"
]
}
},
"preferred_username": "thaUser"
}
更新 1:
我尝试使用 keycloak 服务器版本 4.0.0.Beta2 来匹配其中一个适配器。不幸的是,这没有帮助。
更新 2:
我试图按照评论中的建议将 ** 作为角色限制放在配置中,但这没有帮助:
security-constraints:
0:
auth-roles:
- '**'
security-collections:
0:
patterns:
- /*
编辑 1:
添加了控制台输出。好像说没有设定角色。但我确实在我的领域中拥有那些分配给我的用户的角色。
编辑 2:
添加了适配器在调试中看到的访问令牌。
我终于做到了。 问题是我没有将任何角色映射到我的前端应用程序客户端配置中的范围。 当我这样做时它起作用了。在客户端配置(用户通过身份验证的配置)中,选项卡 'Scope'。 Eighter 激活选项 'Full Scope Allowed',或选择您希望 keycloak 映射的领域角色。所选角色将映射到用户角色并包含在令牌中。
我只是不知道我必须这样做。尽管如此,还是感谢您的评论,它很有用。