Extend user access token in Keycloak with external data


Question

We use the Keycloak service as our SSO solution and provide the resulting JWT to different microservices, and that works very well.

But now we have the problem that the JWT must be extended with data from an external resource when the user tries to log in.

More tangibly, a user has access to different markets, each with a unique ID as identifier, but we didn't see the management of which users have access to which market inside the Keycloak service.

What could be the best solution for this problem? After reading the docs, a custom User Storage SPI is an answer, but I think that is a little bit too much.

As information: we use Keycloak 3.1.0 as a standalone service with a Postgres DB.

Answer

The way you add extra data/information to your Keycloak JWT token payloads is by adding "client scopes" configured with the proper protocol mappers within them; that allows you to add any amount of custom extra information to your ID token and access token.

One example of this would be having extra variables in your users, and then, in the protocol mappers within the (newly created) "client scope", you can add a protocol mapper of type "User Attribute", so that your specific user variable will appear in your token the way you configured it on your "protocol mapper". There are many types of "protocol mappers" that'll allow you to map diverse kinds of information to your tokens (it is not just for mapping user variables).

This was addressed on this question before:

Keycloak User Storage SPI implementation

I'm copying here the part which is relevant to you:

The original question was:

[How to] "Get some attributes from an external data source and map them into Keycloak's ID and access tokens. We need to get the user's unique ID and add it as the subject ID to the JWT. Just the ID; the rest, when this token is passed to other services, the service can use it to retrieve the ID."

[Answer:]

For this, the best you can do is: add those users' unique data as user attributes (see them on the Admin console). Create a "Client scope" on Keycloak, with a corresponding mapper of type "user property" to map each of those values you'd like to add (from your user data) to your ID token and access token. You also need to tie your client with your just-created "client scope". This may sound a little bit confusing, but this video is great material and I believe it'll help you a lot: https://www.youtube.com/watch?v=ZxpY_zZ52kU (around min 6:30 you'll see how to add extra user info to your tokens)
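The steps in the answer (store the market IDs as a user attribute, create a client scope with a "User Attribute" mapper, attach the scope to the client) can also be driven through the Keycloak Admin REST API instead of the console. The script below is an added example, not code from the answer's author or from the Keycloak project. The endpoint paths and the mapper type `oidc-usermodel-attribute-mapper` are Keycloak's own; the attribute name `market_ids`, the claim name `markets`, the function names and the sample claims are assumptions for illustration. It assumes a Keycloak release that has client scopes, which the answer relies on (older releases attach protocol mappers directly to the client). The last two functions show the consuming-microservice side: read the claim only after the token signature has been verified, and tolerate the shapes the mapper can emit (missing, single string, or array).

```python
"""Added example: configure a Keycloak client scope + user-attribute mapper via
the Admin REST API, then read the resulting claim in a downstream service.
Names "market_ids", "markets", configure_market_scope etc. are assumptions."""
import json
import urllib.request


def client_scope_payload(name: str, description: str = "") -> dict:
    """POST body for /admin/realms/{realm}/client-scopes."""
    return {
        "name": name,
        "description": description,
        "protocol": "openid-connect",
        "attributes": {"include.in.token.scope": "true",
                       "display.on.consent.screen": "false"},
    }


def user_attribute_mapper_payload(mapper_name: str, user_attribute: str,
                                  claim_name: str, multivalued: bool = True) -> dict:
    """POST body for .../client-scopes/{id}/protocol-mappers/models.
    Keycloak stores mapper config values as strings, hence "true"/"false"."""
    return {
        "name": mapper_name,
        "protocol": "openid-connect",
        "protocolMapper": "oidc-usermodel-attribute-mapper",   # "User Attribute" mapper type
        "config": {
            "user.attribute": user_attribute,      # attribute stored on the Keycloak user
            "claim.name": claim_name,              # claim written into the JWT
            "jsonType.label": "String",
            "id.token.claim": "true",
            "access.token.claim": "true",
            "userinfo.token.claim": "true",
            "multivalued": "true" if multivalued else "false",  # emit a JSON array
        },
    }


def admin_request(base_url: str, admin_token: str, method: str, path: str, body=None):
    """One Admin REST call; returns (HTTP status, Location header or None)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(f"{base_url}/admin/realms/{path}", data=data, method=method)
    req.add_header("Authorization", f"Bearer {admin_token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.headers.get("Location")


def configure_market_scope(base_url: str, realm: str, admin_token: str, client_uuid: str) -> str:
    """Create the scope, add the mapper, and attach the scope to the client as a
    default scope. Returns the new scope's UUID (taken from the Location header)."""
    _, location = admin_request(base_url, admin_token, "POST", f"{realm}/client-scopes",
                                client_scope_payload("markets", "market IDs from external system"))
    scope_id = location.rstrip("/").rsplit("/", 1)[-1]
    admin_request(base_url, admin_token, "POST",
                  f"{realm}/client-scopes/{scope_id}/protocol-mappers/models",
                  user_attribute_mapper_payload("market ids", "market_ids", "markets"))
    admin_request(base_url, admin_token, "PUT",
                  f"{realm}/clients/{client_uuid}/default-client-scopes/{scope_id}")
    return scope_id


def markets_from_claims(claims: dict, claim_name: str = "markets") -> list:
    """Read the market list from JWT claims whose signature was already verified.
    Handles the three shapes Keycloak can emit: missing claim, a single string
    (one value, or multivalued off), or a JSON array."""
    value = claims.get(claim_name)
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [str(v) for v in value]


def has_market_access(claims: dict, market_id: str) -> bool:
    """Authorization check a microservice runs on the verified token claims."""
    return market_id in markets_from_claims(claims)


# Constructed sample of decoded access-token claims (not a real token).
SAMPLE_CLAIMS = {"sub": "user-uuid-placeholder", "preferred_username": "alice",
                 "markets": ["DE-0042", "NL-0007"]}

if __name__ == "__main__":
    print(json.dumps(user_attribute_mapper_payload("market ids", "market_ids", "markets"), indent=2))
    print("alice -> NL-0007:", has_market_access(SAMPLE_CLAIMS, "NL-0007"))
    print("alice -> FR-0001:", has_market_access(SAMPLE_CLAIMS, "FR-0001"))
```

The external resource still has to be synced into the `market_ids` user attribute (the answer's first step); the mapper only copies what is on the user. `configure_market_scope` needs a live server and an admin token, so the stand-alone run only prints the payloads and the claim checks.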
