Issuing "API keys" using Keycloak

Problem description

My setup has three components:

  • Backend application (Python/Flask)
  • Frontend application (VueJS)
  • Keycloak

The frontend will use Keycloak to let users sign in and use the access tokens to authenticate requests to the backend. So far so good.

Now I want third party applications to be able to make authenticated requests against the backend and I am wondering how that can be realized using Keycloak? My idea is to issue a new set of credentials for each customer. Their application then talks to Keycloak to get access tokens. I can then use Keycloak to manage access control for all users of the API.

  • How should a third-party application be represented in Keycloak: as a client? As a user? ...?
  • Is there a best practice for this use case?

Answer

I finally found a solution that works well and seems to be "the Keycloak way" to issue credentials to external applications. To create a new set of credentials, add a new Keycloak client and change the following settings:

  • Standard Flow Enabled: OFF
  • Direct Access Grants Enabled: OFF
  • Access Type: Confidential
  • Service Accounts Enabled: ON

The external application will use our newly created client's name as the client_id. The client_secret was generated automatically and can be found under the Credentials tab.

If your Keycloak-protected services are configured to check the aud claim of incoming Bearer tokens, a second step is necessary. By default, the audience of the JWT tokens that Keycloak issues to your client will be set to your client's name, so they will be rejected by your services. You can use Client Scopes to modify that behavior:

  1. Create a new client scope
  2. Select "Audience Template"
  3. Select the service you'd like to grant your external applications access to and click "next"
  4. Add the scope to the client you just created (Client Scopes tab)

Keycloak will now add your service's name to the aud claim of all JWT tokens it issues to your new client. Check out the Keycloak documentation on Service Accounts for more details.

An external application can now use its credentials to obtain an access token from Keycloak's token endpoint:

POST {keycloak-url}/auth/realms/atlas/protocol/openid-connect/token

  • Set the Content-Type header to application/x-www-form-urlencoded
  • Authenticate the request with Basic Authentication, using your client id as the user and your client secret as the password
  • Set grant_type=client_credentials in the request body
