Keycloak Client Credentials Flow Clarification
Question
I am using Keycloak server to implement SSO. I am able to get an access token for a specific client using the client_credentials flow.
However, my observation is that the access token is granted for the internal service account of the client. I would like to get an access token for other users present in the realm by providing some additional parameter to the token endpoint.
Below is the current request I make to token endpoint using Postman Chrome extension:
POST http://localhost:8080/auth/realms/<realm>/protocol/<protocol>/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
client_id=<client_id>
client_secret=<client_secret>
Please let me know if this is possible. Also, I would like to convey that I am totally new to Keycloak and the openid-connect protocol.
Answer
I think you're misunderstanding some OAuth concepts right here. The client_credentials grant should only be used for a service itself to grant access to a specific resource. Imagine this scenario:
End User -> Docs Service -> Docs Repo
The end user has access to some docs stored in the repo through the docs service. In this case, the service makes the decision to grant the user access to a specific document or not, since the repo is a mere content server. Obviously, both of them are secured through two different keycloak clients.
However, the docs service needs to have full access to the repo. He can access any document he requests. The solution is to give the docs service a service account role, let's say DOC_MANAGER and make the repo check for this role when a resource is requested. The service authenticates with client_credentials and gets access to the resource as a service.
But the end user will perform a standard login, using the Authorization code flow, for example, and get access to the doc through the service. The service will check for another role, let's say DOC_USER and check whether the user has access to this concrete resource or not, before going to the repo.
You can read more about keycloak service accounts here.
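The two checks the answer describes, as an added example that is not part of the original post or of Keycloak itself: the repo accepts only the docs service's own service-account token carrying DOC_MANAGER, and the docs service accepts only a logged-in user carrying DOC_USER who owns the requested document. The claim dicts, the DOC_OWNERS index and the role/document names are constructed sample values; the claims are assumed to have been signature-verified against the realm before reaching these functions.

```python
from typing import Any, Mapping

# Constructed sample repo index: which user owns which document (assumption).
DOC_OWNERS = {"doc-1": "alice", "doc-2": "bob"}

def realm_roles(claims: Mapping[str, Any]) -> set:
    """Realm-level roles, which Keycloak places under realm_access.roles."""
    return set(claims.get("realm_access", {}).get("roles", []))

def is_service_account(claims: Mapping[str, Any]) -> bool:
    """A client_credentials token identifies the client, not a human user.

    Keycloak names the internal user service-account-<client_id>; the
    'clientId' claim comes from the default service-account mappers
    (assumed to be enabled on the client).
    """
    return ("clientId" in claims
            or claims.get("preferred_username", "").startswith("service-account-"))

def repo_allows(claims: Mapping[str, Any]) -> bool:
    """Docs Repo side: only the docs service, as a service, may read any document."""
    return is_service_account(claims) and "DOC_MANAGER" in realm_roles(claims)

def service_allows(claims: Mapping[str, Any], doc_id: str) -> bool:
    """Docs Service side: a user token with DOC_USER, and only the user's own document."""
    if is_service_account(claims) or "DOC_USER" not in realm_roles(claims):
        return False
    return DOC_OWNERS.get(doc_id) == claims.get("preferred_username")

# Constructed sample payloads in the shape of Keycloak access-token claims.
SERVICE_TOKEN = {
    "azp": "docs-service",
    "clientId": "docs-service",
    "preferred_username": "service-account-docs-service",
    "realm_access": {"roles": ["DOC_MANAGER"]},
}
USER_TOKEN = {
    "azp": "docs-frontend",
    "preferred_username": "alice",
    "realm_access": {"roles": ["DOC_USER"]},
}

if __name__ == "__main__":
    print("repo accepts service token:", repo_allows(SERVICE_TOKEN))      # True
    print("repo accepts user token:", repo_allows(USER_TOKEN))            # False
    print("service lets alice read doc-1:", service_allows(USER_TOKEN, "doc-1"))  # True
    print("service lets alice read doc-2:", service_allows(USER_TOKEN, "doc-2"))  # False
```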