Should I explicitly verify Keycloak token or this is done by Keycloak adapter?


Problem description

There is a Spring Boot REST API that needs to be secured by Keycloak; the application is using the Keycloak Spring Security adapter (6.0.1).

A call to an API endpoint carries along the bearer token, obtained from Keycloak (currently through Postman).

I'm able to perform a successful REST endpoint call, but another thing is troubling me: should I explicitly verify the token against the public key?


1 - Is the adapter performing verification of the token against the public key, or should I implement it?

2 - If the adapter is doing this - can you point out in which classes this is getting done?

3 - If not - how should this verification be implemented? Are there any Keycloak libraries that I can use to verify the token?

Recommended answer

Well, after a few days of searching the web for an answer - I got it. I looked into the code of keycloak-spring-security-adapter and found it.

First of all I set the logging level for keycloak to DEBUG:

logging.level.org.keycloak=DEBUG

Then I tried to access my endpoint with a bad token (I expected that this would produce an exception, i.e. a more visible trace; and it did):

    2019-10-17 10:18:57,905 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.PreAuthActionsHandler | adminRequest http://localhost:8081/error 
    2019-10-17 10:18:57,906 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter | Request is to process authentication 
    2019-10-17 10:18:57,906 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter | Attempting Keycloak authentication 
    2019-10-17 10:18:57,906 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.BearerTokenRequestAuthenticator | Found [1] values in authorization header, selecting the first value for Bearer. 
    2019-10-17 10:18:57,906 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.BearerTokenRequestAuthenticator | Verifying access_token 
    2019-10-17 10:18:57,908 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.BearerTokenRequestAuthenticator | Failed to verify token 
    2019-10-17 10:18:57,908 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.RequestAuthenticator | Bearer FAILED 
    2019-10-17 10:18:57,908 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter | Auth outcome: FAILED 
    2019-10-17 10:18:57,925 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter | Authentication request failed: org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details
        at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:158)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    .....

From then on it is clear that the token is being verified; if you look into the classes that take part, you'll see that it is getting verified against the public key in certain situations.

Classes that take part in this authentication & verification are, in my case (bearer-only):

org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter
org.keycloak.adapters.BearerTokenRequestAuthenticator


Hopefully this can help other people like me to find their way in Keycloak.
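As an added example (not code from the question or the answer above, and not the adapter's own source), the same checks the adapter runs can be executed explicitly with Keycloak's `TokenVerifier` from `keycloak-core`, the class that `org.keycloak.adapters.rotation.AdapterTokenVerifier` builds on when `BearerTokenRequestAuthenticator` verifies a bearer token. The realm URL, the client ID, and the way the key is supplied (the base64 DER public key shown on the realm's Keys page, passed on the command line) are assumptions made for this example; the audience check at the end is an extra check beyond the default set.

```java
// Added example (not from the original post): verify a Keycloak access token explicitly
// with Keycloak's TokenVerifier. Dependency: org.keycloak:keycloak-core.
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

import org.keycloak.TokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.representations.AccessToken;

public class ExplicitTokenCheck {

    // Assumed values for the example; REALM_URL must match the token's "iss" claim exactly.
    private static final String REALM_URL = "http://localhost:8080/auth/realms/myrealm";
    private static final String CLIENT_ID = "my-rest-api";

    /** Parses the base64 DER (SubjectPublicKeyInfo) key that the realm's Keys page displays. */
    static PublicKey parseRealmPublicKey(String base64Der) throws Exception {
        byte[] der = Base64.getDecoder().decode(base64Der);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    /**
     * Runs the adapter's checks: RS256 signature against the realm key, iss == realm URL,
     * typ == Bearer, exp/nbf window, sub present. Throws VerificationException on any failure.
     */
    static AccessToken verify(String tokenString, PublicKey realmKey) throws VerificationException {
        AccessToken token = TokenVerifier.create(tokenString, AccessToken.class)
                .publicKey(realmKey)   // signature check: wrong key or tampered payload fails here
                .withDefaultChecks()   // RealmUrlCheck, SUBJECT_EXISTS_CHECK, TokenTypeCheck, IS_ACTIVE
                .realmUrl(REALM_URL)   // value used by RealmUrlCheck
                .verify()
                .getToken();

        // Added audience check (assumed CLIENT_ID): a token validly issued for a different
        // client in the same realm would otherwise pass all default checks.
        if (!token.hasAudience(CLIENT_ID) && !CLIENT_ID.equals(token.getIssuedFor())) {
            throw new VerificationException("Token was not issued for " + CLIENT_ID);
        }
        return token;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: ExplicitTokenCheck <base64-realm-public-key> <access-token>");
            System.exit(2);
        }
        PublicKey key = parseRealmPublicKey(args[0]);
        try {
            AccessToken token = verify(args[1], key);
            System.out.println("OK: subject=" + token.getSubject()
                    + " user=" + token.getPreferredUsername()
                    + " realmRoles=" + (token.getRealmAccess() == null
                            ? "[]" : token.getRealmAccess().getRoles()));
        } catch (VerificationException e) {
            // Fail closed: no claim is trusted unless every check passed.
            System.out.println("REJECTED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Two practical caveats. In the adapter the key is not pinned this way: unless `realm-public-key` is set in keycloak.json, `AdapterTokenVerifier` reads the `kid` from the token header and resolves it through the deployment's public key locator, which fetches the realm's JWKS (`/protocol/openid-connect/certs`) and so keeps working after key rotation; pinning the key in configuration means a rotation turns every token into the "Failed to verify token" line seen in the log above. And a passing signature only proves the token came from the realm; whether it was meant for this API is what the audience/`azp` check decides, which is why it is worth keeping even though the default checks do not include it.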
