keycloak realmresourceprovider科西 [英] keycloak realmresourceprovider corse

问题描述

我正在评估一些IAM产品，并且Keycloak的RealmResourceProvider遇到了CORS问题. 目标是编写一个能够使用Keycloak的REST接口创建用户和管理组的angular4客户端.

I'm evaluating some IAM Products and encountered a Problem with CORS with the RealmResourceProvider from Keycloak. The goal is to write an angular4 client able to create user and manage groups with a REST interface from Keycloak.

服务器端:

我试图用RealmResourceProvider接口实现Rest接口，以便尽可能容易地访问Realm和User Data. 我遵循了Beercloak示例(github.com/dteleguin/beercloak)并使其正常运行，但是没有自定义主题(仅REST资源).我自己的应用程序打包为Jar. 我设法通过REST客户端调用了这个Facade，并且它起作用了(先调用localhost:8080/auth/realms/master/protocol/openid-connect/token，然后将令牌填充到Authorization-Header中).

I tried to implement the Rest interface with the RealmResourceProvider Interface in order to access Realm and User Data as easy as possible. I followed the Beercloak example (github.com/dteleguin/beercloak) and got it working, but without a custom theme (only the REST-Resources). My own application is packaged as Jar. I managed to call this Facade via REST Client and it worked (By calling localhost:8080/auth/realms/master/protocol/openid-connect/token first and then stuffing the Token in the Authorization-Header).

密钥斗篷配置 但是，如果我通过浏览器对其进行测试，则需要启用跨源资源共享.为此，我在服务器应用程序的"keycloak.json"中添加了"enable-cors"属性:

keycloak-configuration But if i test it via Browser, I will need to enable Cross-Origin-Ressource-Sharing. In order to do that I added the 'enable-cors' attribute to the 'keycloak.json' in the server application:

{
"realm": "master",
"auth-server-url": "http://localhost:8080/auth",
"ssl-required": "external",
"resource": "pharmacyRessource",
"public-client": true,
"enable-cors": true
}

此外，我在Keycloak Admin中创建了一个客户端. 客户端配置

Additionally I Created a Client in the Keycloak Admin. Client Config

客户端和问题:

Angular客户端使用github.com/mohuk/ng2-keycloak/blob/master/src/keycloak.service.ts中的Mohuks ng2-keycloak服务获取访问令牌. - 工作正常. 但是，如果我对我的资源进行GET请求，则预检会由于缺少Access-Control-Allow-Origin标头而失败: 错误401 用于初始化javascript中的keycloak-client的keycloak.json看起来像这样:

The angular client uses Mohuks ng2-keycloak service from github.com/mohuk/ng2-keycloak/blob/master/src/keycloak.service.ts to obtain the accesstoken. - Works fine. But in case i make a GET-request to my Resource, the preflight fails because of missing Access-Control-Allow-Origin Header: Error 401 The keycloak.json used for initializing the keycloak-client in javascript looks like this:

{
  "realm": "master",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "pharmacyRessource",
  "public-client": true
}

我失败的解决方案:

• 我尝试实现CORS过滤器，但未成功，因为我 无法通过keycloak将其注册.
• 我还实现了@OPTIONS方法，并通过以下方式附加了CORSE标头 我.也不起作用，因为从未调用过该方法.
• 我尝试将其打包为.war以便启用自定义 筛选器/提供程序，但无法将资源注册到密钥斗篷.

• I tried to implement a CORS Filter, but i didn't succeed because i couldn't get it registered by keycloak.
• I also implemented the @OPTIONS Method and appended CORSE Headers by myself. Didn't work either, because the Method never got invoked.
• I tried to package it as .war in order to enabling a custom Filter/Provider, but failed at registering the Resources to keycloak.

我的测试环境是来自hub.docker.com/r/jboss/keycloak/

My testing environment is the offical docker container from hub.docker.com/r/jboss/keycloak/

推荐答案

是否需要在keycloak服务器(以wildlfy运行)中启用CORS.您可以将以下代码从wildfly放入您的standalone.xml中:

Do you need enable CORS in your keycloak server (that runs in wildlfy) . You can do it, putting the code bellow into your standalone.xml from wildfly:

        <subsystem xmlns="urn:jboss:domain:undertow:4.0">
        <buffer-cache name="default"/>
        <server name="default-server">
            <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
            <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
            <host name="default-host" alias="localhost">
                <location name="/" handler="welcome-content"/>
                 <filter-ref name="server-header"/>
        <filter-ref name="x-powered-by-header"/>
        <filter-ref name="Access-Control-Allow-Origin"/>
        <filter-ref name="Access-Control-Allow-Methods"/>
        <filter-ref name="Access-Control-Allow-Headers"/>
        <filter-ref name="Access-Control-Allow-Credentials"/>
        <filter-ref name="Access-Control-Max-Age"/>
                <http-invoker security-realm="ApplicationRealm"/>
            </host>
        </server>
        <servlet-container name="default">
            <jsp-config/>
            <websockets/>
        </servlet-container>
        <handlers>
            <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
        </handlers>
            <filters>
        <response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
        <response-header name="Access-Control-Allow-Origin" header-name="Access-Control-Allow-Origin" header-value="http://localhost"/>
        <response-header name="Access-Control-Allow-Methods" header-name="Access-Control-Allow-Methods" header-value="GET, POST, OPTIONS, PUT"/>
        <response-header name="Access-Control-Allow-Headers" header-name="Access-Control-Allow-Headers" header-value="accept, authorization, content-type, x-requested-with"/>
        <response-header name="Access-Control-Allow-Credentials" header-name="Access-Control-Allow-Credentials" header-value="true"/>
        <response-header name="Access-Control-Max-Age" header-name="Access-Control-Max-Age" header-value="1"/>
      </filters>
    </subsystem>

这篇关于keycloak realmresourceprovider科西的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！