Keycloak Identity Broker API

Views: 618

Question

So I have a client which consumes an API. The API is secured with Keycloak. Users sign in normally, but I want to allow users to sign in without having to go to Keycloak's login page, using their social media accounts like Facebook or Google. I need a REST API with an implementation of how to get a URL generated, so when the user clicks on this URL in a button, it will take the user to the respective social login page to log in while Keycloak still serves as the broker.

Below is my implementation; it generates a URL alright but does not take the user to the Google page to log in.

This is a REST controller:

    // Imports needed to compile the controller; Base64Url and KeycloakUriBuilder come from keycloak-common
    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import java.util.UUID;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import org.keycloak.common.util.Base64Url;
    import org.keycloak.common.util.KeycloakUriBuilder;
    import org.springframework.security.access.annotation.Secured;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    public class BrokerLinkController {

        @Secured("permitAll")
        @GetMapping(path = "/generator")
        public String brokerGenerator(HttpServletRequest httpServletRequest) throws ServletException {
            String provider = "google";
            String authServerRootUrl = "http://localhost:8080/";
            String realm = "realmName";
            String clientId = "clientName";
            String nonce = UUID.randomUUID().toString();
            MessageDigest md;

            try {
                md = MessageDigest.getInstance("SHA-256");
            } catch (NoSuchAlgorithmException e) {
                throw new RuntimeException(e);
            }

            // Hash over nonce + client id + provider, kept in the session for a later comparison
            String input = nonce + clientId + provider;
            byte[] check = md.digest(input.getBytes(StandardCharsets.UTF_8));
            String hash = Base64Url.encode(check);
            httpServletRequest.getSession().setAttribute("hash", hash);

            String redirectUri = "http://localhost:4200/dashboard";

            // The path below contains no {realm}/{provider} template placeholders,
            // so the values passed to build() are not substituted anywhere
            return KeycloakUriBuilder.fromUri(authServerRootUrl)
                    .path("auth/realms/realmName/google/link")
                    .queryParam("nonce", nonce)
                    .queryParam("hash", hash)
                    .queryParam("client_id", clientId)
                    .queryParam("redirect_uri", redirectUri).build(realm, provider).toString();
        }
    }

Answer

Keycloak supports this out of the box. See https://www.keycloak.org/docs/6.0/server_admin/#_client_suggested_idp


OIDC applications can bypass the Keycloak login page by specifying a hint on which identity provider they want to use.


This is done by setting the kc_idp_hint query parameter in the Authorization Code Flow authorization endpoint.

Update

In your case you should use the normal Keycloak Auth Code Flow endpoint and, in addition to the basic query params, provide the kc_idp_hint param. This way the user is redirected to the Keycloak login page first, then Keycloak redirects him to the chosen identity provider login page (Google in your case).


Here is an example redirect URL:

https://keycloak-domain/realms/REALM_NAME/protocol/openid-connect/auth?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&state=STATE&response_type=code&scope=openid&nonce=NONCE&kc_idp_hint=google

Edit your code according to this example:

    // state ties the redirect back to this request (see the example URL above); keep it in the session to compare later
    String state = UUID.randomUUID().toString();
    httpServletRequest.getSession().setAttribute("state", state);

    return KeycloakUriBuilder.fromUri(authServerRootUrl)
        .path("realms/{realm}/protocol/openid-connect/auth") // Url changed; add the auth/ prefix back if your Keycloak serves under /auth
        .queryParam("response_type", "code") // Authorization Code Flow
        .queryParam("scope", "openid") // Add additional scopes if needed
        .queryParam("kc_idp_hint", "google") // This should match IDP name registered in Keycloak
        .queryParam("state", state)
        .queryParam("nonce", nonce)
        .queryParam("hash", hash)
        .queryParam("client_id", clientId)
        .queryParam("redirect_uri", redirectUri).build(realm).toString(); // {realm} is filled in here

You can manually initiate the Keycloak redirection for a test. Start the normal login flow and, when you are redirected to the Keycloak login page, do not enter credentials; instead add kc_idp_hint=google to the URL and hit ENTER. Then you will be redirected right to the Google login page.
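The answer above builds the authorization request but leaves the other half of the flow, checking the redirect that comes back, to the reader. The following is an added example (not the answerer's code and not part of Keycloak) that builds the same /protocol/openid-connect/auth URL with kc_idp_hint, binds fresh state and nonce values to a server-side session, and validates the callback so that a redirect carrying an unknown or replayed state is rejected. The host, realm, client id and redirect URI are constructed placeholders standing in for the ones in the example URL, and the session is modelled as a plain dict.

```python
"""Authorization Code Flow request with kc_idp_hint, plus callback validation.

Added example; the endpoint names, realm and client id are placeholders
taken from the example URL, and the session is a plain dict.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders (assumed, not a real deployment)
AUTH_SERVER_ROOT = "https://keycloak-domain"
REALM = "REALM_NAME"
CLIENT_ID = "CLIENT_ID"
REDIRECT_URI = "https://app.example/dashboard"


def query_params(url):
    """Return the query string of url as a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def build_auth_url(idp_hint, session, root=AUTH_SERVER_ROOT, realm=REALM,
                   client_id=CLIENT_ID, redirect_uri=REDIRECT_URI):
    """Build the authorization endpoint URL from the answer.

    state and nonce are generated fresh per request and stored in the caller's
    session so the redirect back (and later the ID token) can be tied to it.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    session["oidc_state"] = state
    session["oidc_nonce"] = nonce  # compare against the ID token's nonce claim after the code exchange
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "response_type": "code",
        "scope": "openid",
        "nonce": nonce,
        "kc_idp_hint": idp_hint,  # must equal the IdP alias configured in Keycloak
    }
    return f"{root}/realms/{realm}/protocol/openid-connect/auth?" + urlencode(params)


def handle_callback(callback_url, session):
    """Validate the redirect Keycloak sends to redirect_uri and return the code.

    The stored state is consumed (popped) so a second callback with the same
    state is rejected, and the comparison is constant-time.
    """
    query = query_params(callback_url)
    expected = session.pop("oidc_state", None)
    received = query.get("state")
    if expected is None or received is None or not hmac.compare_digest(
            expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback is not tied to a request we issued")
    if "error" in query:
        raise ValueError(f"identity provider returned error: {query['error']}")
    code = query.get("code")
    if not code:
        raise ValueError("no authorization code in callback")
    return code


if __name__ == "__main__":
    sess = {}
    url = build_auth_url("google", sess)
    print(url)
    # Simulated redirect back from Keycloak (constructed; a real one is sent by the server)
    back = f"{REDIRECT_URI}?state={sess['oidc_state']}&code=constructed-code"
    print("code:", handle_callback(back, sess))
```

The hash parameter from the question is deliberately absent: the standard authorization endpoint does not use it, and state already does the job of binding the callback to the request. The nonce is kept in the session only so that the ID token obtained in the code exchange can be checked against it.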
