Keycloak Spring Security client credentials grant


Question

I can use KeycloakRestTemplate where one Keycloak client is communicating with another Keycloak client. However, it only works if I have logged into the first Keycloak client, i.e. it sends client ID, client secret, username and password to the Keycloak server. If I haven't authenticated with a username and password on the first client I get "Cannot set authorization header because there is no authenticated principal". But I have configured Keycloak to use a service account for the first client (Client Credentials Grant), therefore I should not be using a username/password and should be relying on client ID/secret only. Is this a bug/deviation from the OAuth 2 spec?

Answer

KeycloakRestTemplate sends client ID, client secret, username and password to the Keycloak server. I wanted to only send client ID and secret. I created a KeycloakClientCredentialsRestTemplate subclass of OAuth2RestTemplate to do this. It uses the OAuth2 support in Spring Boot to do a client credentials grant. It also takes the Keycloak properties from application.properties.

import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;

/**
 * RestTemplate that obtains its bearer token with the client_credentials grant.
 * Unlike KeycloakRestTemplate it does not read the token from the logged-in
 * user's security context, so it works with no authenticated user principal.
 * The grant type itself is decided by the OAuth2ProtectedResourceDetails
 * passed in (a ClientCredentialsResourceDetails, see the config class below).
 */
public class KeycloakClientCredentialsRestTemplate extends OAuth2RestTemplate {

    public KeycloakClientCredentialsRestTemplate(OAuth2ProtectedResourceDetails resource,
            OAuth2ClientContext context) {
        super(resource, context);
    }

}

Also:

import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext;
import org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsResourceDetails;
import org.springframework.security.oauth2.common.AuthenticationScheme;
import org.springframework.stereotype.Service;

/**
 * Wires the client-credentials RestTemplate from the same keycloak.* properties
 * the Keycloak Spring adapter already reads from application.properties.
 */
@Service
public class KeycloakClientCredentialsConfig {

    @Value("${keycloak.realm}")
    private String realm;

    @Value("${keycloak.auth-server-url}")
    private String authServerUrl;

    // keycloak.resource is the client ID of this (confidential) client
    @Value("${keycloak.resource}")
    private String clientId;

    @Value("${keycloak.credentials.secret}")
    private String clientSecret;

    @Bean
    public KeycloakClientCredentialsRestTemplate createRestTemplate() {
        // DefaultOAuth2ClientContext holds the obtained token; it is not tied to a user session
        return new KeycloakClientCredentialsRestTemplate(getClientCredentialsResourceDetails(),
                new DefaultOAuth2ClientContext());
    }

    private ClientCredentialsResourceDetails getClientCredentialsResourceDetails() {
        // Keycloak's OpenID Connect token endpoint for the realm
        String accessTokenUri = String.format("%s/realms/%s/protocol/openid-connect/token",
            authServerUrl, realm);
        List<String> scopes = new ArrayList<String>(0); // TODO introduce scopes

        ClientCredentialsResourceDetails clientCredentialsResourceDetails = 
                new ClientCredentialsResourceDetails();

        clientCredentialsResourceDetails.setAccessTokenUri(accessTokenUri);
        // send client ID and secret as an HTTP Basic Authorization header, not in the form body
        clientCredentialsResourceDetails.setAuthenticationScheme(AuthenticationScheme.header);
        clientCredentialsResourceDetails.setClientId(clientId);
        clientCredentialsResourceDetails.setClientSecret(clientSecret);
        clientCredentialsResourceDetails.setScope(scopes);

        return clientCredentialsResourceDetails;
    }

}
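The exchange the answer's configuration produces, as an added example that is not code from the answer, from Keycloak or from Spring: the token request is a POST to `{auth-server-url}/realms/{realm}/protocol/openid-connect/token` with `grant_type=client_credentials` in the form body and the client ID and secret in an HTTP Basic `Authorization` header (what `AuthenticationScheme.header` selects), and no username or password appears anywhere, which is why no logged-in user principal is needed. The server URL, realm, client ID and secret below are made up, and the Keycloak token endpoint is replaced by a constructed in-process stand-in so the file runs offline; it also caches the token and refreshes it shortly before `expires_in` runs out, which is what `OAuth2RestTemplate` does for you in the Spring version.

```python
"""Client-credentials token request against a Keycloak realm, without Spring.

Added example, not code from the answer above. The realm name, server URL,
client id and secret are made up, and the Keycloak token endpoint is replaced
by a constructed in-process stand-in so the file runs offline.
"""
import base64
import json
import time
from typing import Callable, Dict, Tuple
from urllib.parse import quote, urlencode

# transport(url, headers, form_body) -> (http_status, response_body)
Transport = Callable[[str, Dict[str, str], str], Tuple[int, str]]


def token_endpoint(auth_server_url: str, realm: str) -> str:
    # Same URL shape the answer's String.format builds from keycloak.auth-server-url and keycloak.realm.
    return f"{auth_server_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    # AuthenticationScheme.header: client id and secret travel in an HTTP Basic Authorization
    # header, not in the form body. RFC 6749 section 2.3.1 form-urlencodes both before base64,
    # so a ':' or '%' inside a secret survives intact.
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("ascii")).decode("ascii")


def client_credentials_request(auth_server_url: str, realm: str, client_id: str,
                               client_secret: str, scopes=()) -> Tuple[str, Dict[str, str], str]:
    """Build (url, headers, form body) for a client_credentials grant: no username/password anywhere."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form = {"grant_type": "client_credentials"}
    if scopes:
        form["scope"] = " ".join(scopes)
    return token_endpoint(auth_server_url, realm), headers, urlencode(form)


class ClientCredentialsTokenSource:
    """Fetches a service-account token and caches it until shortly before it expires."""

    def __init__(self, auth_server_url: str, realm: str, client_id: str, client_secret: str,
                 transport: Transport, scopes=(), clock=time.time, skew_seconds: float = 30.0):
        self.url, self._headers, self._body = client_credentials_request(
            auth_server_url, realm, client_id, client_secret, scopes)
        self._transport, self._clock, self._skew = transport, clock, skew_seconds
        self._token, self._expires_at = None, 0.0

    def access_token(self) -> str:
        now = self._clock()
        # refresh early so a token does not expire in flight between caller and resource server
        if self._token is None or now >= self._expires_at - self._skew:
            self._token, self._expires_at = self._fetch(now)
        return self._token

    def _fetch(self, now: float) -> Tuple[str, float]:
        status, payload = self._transport(self.url, self._headers, self._body)
        if status != 200:
            # Keycloak answers a wrong secret with 401 and {"error": "invalid_client"}
            raise PermissionError(f"token endpoint returned {status}: {payload}")
        resp = json.loads(payload)
        if resp.get("token_type", "").lower() != "bearer":
            raise ValueError(f"unexpected token_type {resp.get('token_type')!r}")
        return resp["access_token"], now + float(resp.get("expires_in", 0))


def make_fake_keycloak(client_id: str, client_secret: str, issued_token: str):
    """Constructed stand-in for the realm token endpoint (no network). Returns (transport, call counter)."""
    expected = basic_auth_header(client_id, client_secret)
    calls = {"n": 0}

    def transport(url: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
        calls["n"] += 1
        if headers.get("Authorization") != expected:
            return 401, json.dumps({"error": "invalid_client"})
        if "grant_type=client_credentials" not in body.split("&"):
            return 400, json.dumps({"error": "unsupported_grant_type"})
        # constructed response in the shape of a Keycloak token response
        return 200, json.dumps({"access_token": issued_token, "token_type": "Bearer", "expires_in": 300})

    return transport, calls


if __name__ == "__main__":
    fake, _ = make_fake_keycloak("my-client", "s3cret", "constructed-token")
    source = ClientCredentialsTokenSource("https://kc.example.com/auth", "demo", "my-client", "s3cret", fake)
    print("POST", source.url)
    print("Authorization: Bearer", source.access_token())
```

To talk to a real realm, replace `make_fake_keycloak` with a transport that performs the POST (for example with `urllib.request`) and keep the rest unchanged; the assertion that the token endpoint rejects a wrong secret with 401 `invalid_client` is the check to run first when a service-account call fails.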
