Unable to reproduce keycloak direct naked impersonation


Problem description

After some effort, I am still unable to reproduce the direct naked impersonation feature with OIDC.

Reference: https://www.keycloak.org/docs/latest/securing_apps/#direct-naked-impersonation

I get the same error.

curl -X POST http://localhost:8080/auth/realms/iot/protocol/openid-connect/token \
  -d "client_id=backend-service" \
  -d "client_secret=f0ead74d-c3eb-47c5-82fd-d8fccc5e5096" \
  --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
  -d "requested_subject=1c04c634-a64a-4905-b87f-e654ca01b889"
{"error":"access_denied","error_description":"Client not allowed to exchange"}

Below is my development configuration.

$ cat docker-compose.yaml

version: '2.4'

volumes:
  postgres_data:
      driver: local

services:
  postgres:
      image: postgres:12-alpine
      volumes:
        - postgres_data:/var/lib/postgresql/data
      environment:
        POSTGRES_DB: keycloak
        POSTGRES_USER: postgres
        POSTGRES_PASSWORD: postgres
      ports:
        - 5432:5432
  keycloak:
      image: jboss/keycloak:10.0.1
      environment:
        DB_VENDOR: POSTGRES
        DB_ADDR: postgres
        DB_DATABASE: keycloak
        DB_USER: postgres
        DB_SCHEMA: public
        DB_PASSWORD: postgres
        KEYCLOAK_USER: admin
        KEYCLOAK_PASSWORD: admin
        #JDBC_PARAMS: "ssl=true"
      ports:
        - 8080:8080
      volumes:
        - /etc/localtime:/etc/localtime:ro
      command: -Dkeycloak.profile=preview
      depends_on:
        - postgres

realm-export.json https://gist.github.com/whisper-bye/20c86de26459efe641008ba5f448f3f1

Accepted answer

In your export there is no Policy that permits a specific Client to use the Impersonation feature.

Example from my realm:

{
  "id": "7588d6d2-82b6-42ef-9bd0-e9c01a2dc92b",
  "name": "admin-impersonating.permission.users",
  "description": "Client foo may impersonate any user",
  "type": "scope",
  "logic": "POSITIVE",
  "decisionStrategy": "UNANIMOUS",
  "config": {
    "resources": "[\"Users\"]",
    "scopes": "[\"impersonate\"]",
    "applyPolicies": "[\"foo client-policy\"]"
  }
}

You can configure this at Manage/Users on the left and then "Permissions" on the right. This menu item only appears when starting Keycloak with -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled -Dkeycloak.profile.feature.token_exchange=enabled!

Then click on "impersonate" and make sure "Apply Policy" has something set.
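To check an export for exactly the gap the answer describes, here is an added example (not code from the question, the answer, or Keycloak) that reads the realm-management client's authorization settings from a realm-export.json structure and reports which impersonate permissions exist, which policies they apply, and which clients those policies name. It assumes the export layout used in the constructed sample below and that the client policy's "clients" entry holds clientIds.

```python
import json

# Constructed realm-export fragment (not the poster's gist), reduced to what the
# check reads: the realm-management client's authorization settings. The client
# policy is assumed to hold clientIds; a real export may hold internal ids instead.
SAMPLE_EXPORT = {
    "clients": [
        {"clientId": "backend-service"},
        {"clientId": "realm-management", "authorizationSettings": {"policies": [
            {"name": "foo client-policy", "type": "client",
             "config": {"clients": "[\"backend-service\"]"}},
            {"name": "admin-impersonating.permission.users", "type": "scope",
             "config": {"resources": "[\"Users\"]", "scopes": "[\"impersonate\"]",
                        "applyPolicies": "[\"foo client-policy\"]"}},
            {"name": "unusable.permission", "type": "scope",  # "Apply Policy" empty
             "config": {"resources": "[\"Users\"]", "scopes": "[\"impersonate\"]"}},
        ]}},
    ]
}

def _cfg_list(config, key):
    """Keycloak stores list-valued config entries as JSON text inside the JSON."""
    raw = config.get(key, "[]")
    return json.loads(raw) if isinstance(raw, str) else list(raw)

def _policies(export):
    for client in export.get("clients", []):
        if client.get("clientId") == "realm-management":
            return client.get("authorizationSettings", {}).get("policies", [])
    return []

def impersonate_permissions(export):
    """Map each impersonate permission on Users to the policy names it applies."""
    result = {}
    for p in _policies(export):
        cfg = p.get("config", {})
        if (p.get("type") == "scope" and "Users" in _cfg_list(cfg, "resources")
                and "impersonate" in _cfg_list(cfg, "scopes")):
            result[p["name"]] = _cfg_list(cfg, "applyPolicies")
    return result

def clients_allowed_to_impersonate(export):
    """Clients named by a client policy that some impersonate permission applies."""
    by_name = {p.get("name"): p for p in _policies(export)}
    allowed = set()
    for names in impersonate_permissions(export).values():
        for policy in (by_name.get(n) for n in names):
            if policy and policy.get("type") == "client":
                allowed.update(_cfg_list(policy.get("config", {}), "clients"))
    return allowed
```

An export where the requesting client is absent from the returned set, or where every permission maps to an empty policy list, matches the "Client not allowed to exchange" symptom in the question.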
