Keycloak bearer-only clients: why do they exist?


Problem description


I am trying to wrap my head around the concept of bearer-only clients in Keycloak.

I understand the concept of public vs confidential and the concept of service accounts and the grant_type=client_credentials stuff. But with bearer-only, I'm stuck.

Googling only reveals fragments of discussions saying:

You cannot obtain a token from keycloak with a bearer-only client.

The docs are unclear as well. All they say is:

Bearer-only access type means that the application only allows bearer token requests.

Ok, if my app only allows bearer token requests, how do I obtain this token if I cannot get it from Keycloak using client id / client secret?

And if you can't obtain a token, what can you do at all? Why do these clients exist? Can somebody please provide an example of using this type of client?

Solution

Bearer-only access type meaning

Bearer-only access type means that the application only allows bearer token requests. If this is turned on, this application cannot participate in browser logins.

So if you select your client as bearer-only, then in that case the Keycloak adapter will not attempt to authenticate users, but will only verify bearer tokens. That's why the Keycloak documentation also mentions that a bearer-only application will not allow login from the browser.

And if you can't obtain a token, what can you at all? Why do these clients exist?

Your client can't be set as bearer-only on Keycloak Server. You can still use bearer-only on the adapter configuration though. Keycloak doesn't allow "bearer only" clients (when setting up your client on the server) to obtain tokens from the server. Try to change your client to "confidential" on the server and set bearer-only on your adapter configuration (keycloak.json).

So if you understand the above statement: if you have two microservices which are talking to each other, in that case the caller will be confidential and the callee will be bearer-only.

And Keycloak also mentioned

Bearer-only clients are web services that never initiate a login. It's typically used for securing the back-end.

So if you want to use any adapter, you can use bearer-only depending on the need.

EDIT:

Let's go into more detail. Let's see one example: I have a web-app and one rest-app. For the web-app I am using React/Angular/JSF (any front-end technology), and for the back-end I am using a Java-based rest-api or Node.js.

Now for the above requirement I have to secure both products (web-app, rest-api), so what will be my plan of action? How will I secure both apps through Keycloak?

So here is the detailed explanation:

  1. I have to create two clients inside a realm in Keycloak.
  2. Client A will be used by the web-app.
  3. Client B will be used by the rest-api.
  4. So now the question will be: why two clients?
  5. For the web-app we want the user to have to log in via the GUI, and only then generate the token.
  6. For the rest-api we don't want a GUI-based login, as these APIs are consumed by the web-app, but we still have to access the rest-api securely.
  7. Now go to Client A and make its Access Type public, so the web-app will ask the user to log in via the Keycloak GUI or your login page and then generate the token.
  8. So the same token which was generated in the above step is used by the rest-api, and according to the user role and other information, data will be fetched. So the Access Type of Client B will be bearer-only, so the token generated by the web-app is passed to the rest-api and used to authenticate the user.

Hope it will help. If someone wants to add more, he/she is free to add.
