如何获得访问令牌中的角色:keycloak [英] how to get the roles in access token: keycloak
问题描述
我要做什么:
-
我有一个使用登录凭据的应用程序:用户的用户名和密码.我有一个REST API,内部调用keycloak REST API:/auth/realms/realmname/protocol/openid-connect/token并获取该用户的访问令牌.
I have an app that takes in login credentials: username and password for a user. I have a rest api that internally calls the keycloak REST API: /auth/realms/realmname/protocol/openid-connect/token and gets the access token for this user.
现在,我正在构建另一个REST API,以访问要执行以下操作的资源:doSomething(访问令牌,数据)
Now I am building another REST API to access a resource where I want to do the following: doSomething(accesstoken, data)
{
a)调用keycloak API以验证访问令牌并获取角色.
b)如果角色==经理,则处理(数据)
b) if role == manager, process(data)
c)其他:返回错误消息.
c) else: return error msg.
}
现在,我该怎么做(a):验证访问令牌并获取与之关联的角色.我知道我们可以做:auth/realms/realmname/protocol/openid-connect/userinfo但这仅提供有关用户的详细信息,例如姓名,电子邮件等,但不显示任何角色.这是我得到的一个例子:
Now, how do I do (a): validating the access token and getting the roles associated with it. I know we can do: auth/realms/realmname/protocol/openid-connect/userinfo but that only gives the details about the user like name, email, etc. but does not display any roles. Here's an example I got:
{
"name": "test user",
"sub": "e2bad34d-a1a9-4d70-ac84-bd3a3246023e",
"email_verified": false,
"preferred_username": "user",
"given_name": "test",
"family_name": "user"
}
如所见,它根本没有赋予角色.然后,我如何知道该访问令牌具有哪些角色?有趣的是,当我搜索此内容时,很多资源都在建议上面的userinfo端点.但这只是告诉我我提供的访问令牌有效.不为此提供角色.换句话说,它是认证但不授权.
As seen, it doesnt give the roles at all. How do I then tell what roles this access token has? Interestingly, when I search for this, many resources are suggesting the above userinfo endpoint. But this merely tells me taht the access token I provided is valid. Does not give roles for that. In other words - it authenticates but does not authorize.
请提出建议.
谢谢,阿南德
推荐答案
在Keycloak管理控制台中,您可以在客户端下配置Mappers.添加类型为用户领域角色"的内置映射器,然后打开其配置,例如如果需要,可以更改令牌声明名称.
In Keycloak admin Console, you can configure Mappers under your client. Add a builtin Mapper of type "User Realm Role", then open its configuration e.g. change Token Claim Name if you want.
可以类似地配置客户端角色,但是默认情况下,它们会在令牌中以名称resource_access.$ {client_id} .roles
Client roles can be configured similarly, but they are returned by default in the token under the name resource_access.${client_id}.roles
您可以在客户端解析令牌以找到角色.例如.在有角度的应用程序中,并使用keycloak-angular适配器,可以通过调用keycloak.getKeycloakInstance().tokenParsed将令牌作为json对象.
The the client side you can parse the token to find the roles. E.g. In an angular application and using the keycloak-angular adapter, you can have a the token as a json object by calling keycloak.getKeycloakInstance().tokenParsed.
在Spring Boot应用程序中并使用Keycloak Java API,您可以在以下类的"otherClaim"字段下找到角色 https://www.keycloak.org/docs-api/10.0/javadocs/org/keycloak/representations/AccessTokenResponse.html
In a spring boot application and using the Keycloak java api, you can find the roles under the field "otherClaim" in the following class https://www.keycloak.org/docs-api/10.0/javadocs/org/keycloak/representations/AccessTokenResponse.html
在两种表示形式中,您都可以在客户端映射器配置中定义的令牌声明名称"下找到角色
In both representations you will find the roles under the "Token Claim Name" defined in the client mapper configuration
这篇关于如何获得访问令牌中的角色:keycloak的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
