使用API登录到Keycloak [英] Login to Keycloak using API
问题描述
我有2个不同的应用程序:说 Application1 和 Application2 .
I have 2 different applications: say Application1 and Application2.
-
我已经将 Application2 与keycloak集成在一起,并且能够使用Keycloak的登录页面登录到该应用程序.
I have integrated Application2 with keycloak and I am able to login to this application using Keycloak's login page.
现在我想要的是,如果我登录到我的 Application1 (没有密钥斗篷),我应该能够调用密钥斗篷的一些API来登录到application2(没有呈现密钥斗篷的登录页面) ).
Now what I want is, if I login to my Application1 (without keycloak), I should be able to call some API of keycloak to login to application2 (without rendering keycloak's login page).
可行吗?如果是,怎么办?
It is feasible? If yes, how?
任何帮助将不胜感激.
谢谢
推荐答案
您实际上是在要求用户信任 Application1 将安全地管理其密钥库凭据.不建议这样做,因为
You are effectively asking your users to trust that Application1 will manage their keycloak credentials securely. This is not recommended because
-
如果将用户重定向到密钥斗篷以输入其凭据,则可以实现更高的安全性.在理想情况下,任何客户端应用程序都不应处理或不能访问用户凭据.
- 这违背了单点登录的目的,即用户只需为需要访问的第一个应用程序输入凭据(前提是会话没有过期)
- better security is achieved if the user is redirected to keycloak to enter their credentials. In an ideal world no client application should be handling or have access to user credentials.
- It defeats the purpose of single sign in where a user should only need to enter their credentials for the first application they need to access (provided their session has not expired)
但是,如果您控制并信任 Application1 ,并且由于遗留或其他原因需要这样做,则可以在Keycloak客户端定义上启用称为直接访问"的资源所有者凭证流,并且然后将用户凭据作为form-urlencoded
数据类型发布到
But if you control and can trust Application1 and need to do this due to legacy or other reasons then you can enable the Resource Owner Credentials Flow called "Direct Access" on the Keycloak Client Definition, and then POST the user's credentials as a form-urlencoded
data type to
https://<keycloak-url>/auth/realms/<realm>/protocol/openid-connect/token
参数将为
grant_type=password
client_id=<Application1's client id>
client_secret=<the client secret>
username=<the username>
password=<the password>
scope=<space delimited list of scope requests>
如果凭据无效,则响应将是有效的JWT对象或4xx错误.
The response will be a valid JWT object or a 4xx error if the credentials are invalid.
这篇关于使用API登录到Keycloak的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!