WSO2 APIM-在JWT有效负载中添加用户角色 [英] WSO2 APIM - Add user roles in JWT payload

问题描述

我正在开发一些SpringBoot微服务，通过WSO2 APIM公开REST.

I'm developing some SpringBoot microservices that exposes REST through WSO2 APIM.

微服务本身不实现任何形式的身份验证或授权机制，而是委派给APIM.

Microservice itself does not implement any kind of authentication or authorization mecanism, it is delegated to APIM.

如果我按照在此，前端应用程序可以进行身份​​验证并生成JWT令牌.

If I set API to use Password Grant as described here, front end application can authenticate and generate JWT token.

现在的问题是，我无法从JWT有效负载中获取用户角色，因为APIM没有添加它.此信息很重要，因为前端渲染菜单和按钮基于用户角色.

The problem now is that I can't fetch user roles from JWT payload because it is not being added by APIM. This information is important because front-end render menus and buttons based on user roles.

我在生成令牌时传递的用户确实具有某些作用，如下所示:

The user I'm passing when generate token does have some roles as you can see bellow:

但是生成的JWT令牌不包含有关角色的任何信息.这是一个示例令牌:

But generated JWT token does not include any information about roles. Here is a sample token:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5UZG1aak00WkRrM05qWTBZemM1TW1abU9EZ3dNVEUzTVdZd05ERTVNV1JsWkRnNE56YzRaQT09In0.eyJodHRwOlwvXC93c28yLm9yZ1wvY2xhaW1zXC9hcHBsaWNhdGlvbnRpZXIiOiJVbmxpbWl0ZWQiLCJodHRwOlwvXC93c28yLm9yZ1wvY2xhaW1zXC92ZXJzaW9uIjoidjEiLCJodHRwOlwvXC93c28yLm9yZ1wvY2xhaW1zXC9rZXl0eXBlIjoiUFJPRFVDVElPTiIsImlzcyI6IndzbzIub3JnXC9wcm9kdWN0c1wvYW0iLCJodHRwOlwvXC93c28yLm9yZ1wvY2xhaW1zXC9hcHBsaWNhdGlvbm5hbWUiOiJDYWRhc3RybyBkZSBDbGllbnRlcyIsImtleXR5cGUiOiJTQU5EQk9YIiwiaHR0cDpcL1wvd3NvMi5vcmdcL2NsYWltc1wvZW5kdXNlciI6ImVtaWxpb0BjYXJib24uc3VwZXIiLCJodHRwOlwvXC93c28yLm9yZ1wvY2xhaW1zXC9lbmR1c2VyVGVuYW50SWQiOiItMTIzNCIsImh0dHA6XC9cL3dzbzIub3JnXC9jbGFpbXNcL3N1YnNjcmliZXIiOiJhZG1pbiIsImh0dHA6XC9cL3dzbzIub3JnXC9jbGFpbXNcL3RpZXIiOiJVbmxpbWl0ZWQiLCJzY29wZSI6ImRlZmF1bHQiLCJleHAiOiIxNTk5NTYyOTQ4MDI4IiwiaHR0cDpcL1wvd3NvMi5vcmdcL2NsYWltc1wvYXBwbGljYXRpb25pZCI6IjIiLCJodHRwOlwvXC93c28yLm9yZ1wvY2xhaW1zXC91c2VydHlwZSI6IkFwcGxpY2F0aW9uX1VzZXIiLCJjb25zdW1lcktleSI6IktJaTdnUk1RYmg1OWZGbmpVOFhNbnhGcm9pNGEiLCJodHRwOlwvXC93c28yLm9yZ1wvY2xhaW1zXC9hcGljb250ZXh0IjoiXC9ia25nXC92MSJ9.km4w2V7dGmoGl8f4_ZqKHvdofAPLOOw__GPjWKrpjYelbi7IjDIpRODEZNn8hE1krRdDTSjKRviJ-NBvXtTXIiLdfPh1p-zNtX26vrS77ZcSZ2WsQA7Ku21YMqcm6cyZvEhZ99qfTxOtbJfkwt6Yt8itkyr-aqk83pNp85LTnwtNboib9VOOvh37zNEJUImzKw4WvENp4SGLuHO978FriHyHPN9vibzPjpItW5DOXTFNdN4rP6RK_vcOH6hpuZHwivJpTHxf9qMB3Gd2yTig-Hkr-sZGbx89pQf8kqtCLWbhRG5jOtcEJNf2CSNLB0Glg_e4F6LfhVD5JUCz15jdlg

当我在 https://jwt.io/中提取它时，我得到了以下负载:

When I extract it in https://jwt.io/ I get following payload:

{
  "http://wso2.org/claims/applicationtier": "Unlimited",
  "http://wso2.org/claims/version": "v1",
  "http://wso2.org/claims/keytype": "PRODUCTION",
  "iss": "wso2.org/products/am",
  "http://wso2.org/claims/applicationname": "Cadastro de Clientes",
  "keytype": "SANDBOX",
  "http://wso2.org/claims/enduser": "emilio@carbon.super",
  "http://wso2.org/claims/enduserTenantId": "-1234",
  "http://wso2.org/claims/subscriber": "admin",
  "http://wso2.org/claims/tier": "Unlimited",
  "scope": "default",
  "exp": "1599562948028",
  "http://wso2.org/claims/applicationid": "2",
  "http://wso2.org/claims/usertype": "Application_User",
  "consumerKey": "KIi7gRMQbh59fFnjU8XMnxFroi4a",
  "http://wso2.org/claims/apicontext": "/bkng/v1"
}

如何为JWT有效负载添加用户角色?我是否需要按照这里?

How do I add user roles to JWT payload? Do I need to implement a custom generator as described here?

提前谢谢！

推荐答案

获得包含在auth JWT中的角色声明的最简单方法是在服务提供商级别添加声明映射，并请求具有OpenID范围的令牌.为此，请尝试以下步骤.

Easiest way to get role claim included in the auth JWT is to add a claim mapping in service provider level and request the token with openid scopes. To do this try below steps.

1. 登录到管理控制台https://<host>:<port>/carbon

在左侧菜单中列出服务提供商

List service providers in the left menu

转到所需的服务提供商上进行编辑(开发人员门户中的每个应用程序都有一个地图服务提供商)

Go to edit on the required service provider (Each application in the developer portal has a mapping service provider)

将声明映射添加到role声明，如下所示

Add a claim mapping to role claim as below

使用scope=openid参数发送令牌请求

curl -k -X POST https://localhost:8243/token -d "grant_type=password&username=<Username>&password=<Password>&scope=openid" -H "Authorization: Basic <Credentials>"

响应访问令牌将包含此格式的角色

Response access token will contain roles in this format

{
    "sub": "admin@carbon.super",
    "iss": "https://localhost:9443/oauth2/token",
    "groups": [
        "Internal/subscriber",
        "Internal/creator",
        "Application/apim_devportal",
        "Application/admin_NewApp_PRODUCTION",
        "Internal/publisher",
        "Internal/everyone",
        "Internal/analytics",
    ],
    ...
}

这篇关于WSO2 APIM-在JWT有效负载中添加用户角色的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！