java KeyCloak 用户验证和获取令牌
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/49572291/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
KeyCloak User validation and getting token
提问by Rohitesh
First of all I am very new to Keycloak and excuse me if something I am asking might be wrong.
首先,我对 Keycloak 很陌生,如果我问的东西可能是错的,请原谅。
I have installed the Keycloak server and I can access the Web UI for the same using:
我已经安装了 Keycloak 服务器,并且可以使用以下方法访问 Web UI:
My requirement is to validate a realm user by passing it to k Keycloak API and to get the token from there in response, and then pass this token for my other Web API calls.
我的要求是通过将一个领域用户传递给 k Keycloak API 并从那里获取令牌作为响应来验证领域用户,然后将此令牌传递给我的其他 Web API 调用。
But I was not able to find a simple guide on how I can do this...
但是我找不到有关如何执行此操作的简单指南...
UPDATE:
更新:
USING UI from KEYCLOAK:
使用用户界面KEYCLOAK:
So far now:
到目前为止:
I am able to create a
realm: e.g:DemoRealmUnder the
RealmI have created the client: e.g:DemoClientUnder the client I have created the user: e.g:
DemoUser
我能够创建一个
realm:例如:DemoRealm在
Realm我创建的客户端下:例如:DemoClient在客户端下我创建了用户:例如:
DemoUser
USING POSTMAN:
使用POSTMAN:
I am also able to successfully get the token using
我也可以使用成功获取令牌
http://localhost:8080/auth/realms/DemoRelam/protocol/openid-connect/token
POST:
{
"grant_type": "client_credentials",
"username": "",
"password": "",
"client_secret":"",
"client_id":"DemoClient"
}
In response I am getting the token.
作为回应,我得到了令牌。
{
"access_token": "eyJhbGciOiJSUzI1NiIsINVSHGhepnDu13SwRBL-v-y-04_6e6IJbMzreZwPI-epwdVPQe-ENhpvms2WdGM_DmgMLZ8YQFS4LDl9R7ZHT8AgXe-WCFV6OFkA7zvdeFwQ4kVVZE0HlNgHgoi4DrgMfwwz_ku1yJNJP3ztTY1nEqmA",
"expires_in": 300,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJRRnB5YlloMGVEektIdlhOb3JvaFUxdlRvWVdjdP3vbfvk7O0zvppK9N4-oaUqZSr0smHv5LkuLDQYdPuxA",
"token_type": "bearer",
"not-before-policy": 0,
"session_state": "bb1c586a-e880-4b96-ac16-30e42c0f46dc"
}
Furthermore I was diving into more details and found this API guide:
此外,我正在深入研究更多细节,并找到了这个 API 指南:
http://www.keycloak.org/docs-api/3.0/rest-api/index.html#_users_resource
http://www.keycloak.org/docs-api/3.0/rest-api/index.html#_users_resource
In this guide it's mentioned that I can get the users for the realm using Get users Returns a list of users, filtered according to query parameters
在本指南中提到我可以使用获取用户获取领域的用户返回用户列表,根据查询参数过滤
GET /admin/realms/{realm}/users
But when I am using POSTMANto get the users I am getting 403error code. I am passing the same token as on authentication which I got in the earlier step.
但是当我POSTMAN用来获取用户时,我收到了403错误代码。我传递的令牌与我在前面步骤中获得的身份验证相同。
http://localhost:8080/auth/admin/realms/DemoRelam/users
Can anyone please guide me?
任何人都可以请指导我吗?
回答by maslick
You have 2 choices: you can act on behalf of some user (as Adnan Khanpointed out), or create a dedicated client for this.
您有 2 个选择:您可以代表某个用户(正如Adnan Khan指出的那样),或者为此创建一个专用客户端。
On behalf of the user
代表用户
1) create a confidential client (I suppose you already got one)
1)创建一个机密客户(我想你已经有了一个)
2) create a user and assign an appropriate role/s to it: e.g. view-usersfrom the realm-managementgroup
2)创建一个用户并为其分配适当的角色:例如view-users来自realm-management组
3) get the token (I'm using curl and jq):
3)获取令牌(我使用 curl 和jq):
KCHOST=https://yourkeycloak.com
REALM=realm
CLIENT_ID=confidential-client
CLIENT_SECRET=xxxxxxx-yyyyyy-zzzzzzzz
UNAME=user
PASSWORD=passwd
ACCESS_TOKEN=`curl \
-d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" \
-d "username=$UNAME" -d "password=$PASSWORD" \
-d "grant_type=password" \
"$KCHOST/auth/realms/$REALM/protocol/openid-connect/token" | jq -r '.access_token'`
4) finally call the Admin REST API users endpoint:
4) 最后调用 Admin REST API用户端点:
curl -X GET -H "Authorization: Bearer $ACCESS_TOKEN" $KCHOST/auth/admin/realms/$REALM/users | jq
On behalf of the client (Service account)
代表客户(服务账户)
1) create a confidential client and make sure to toggle the Service Accounts Enabled setting to On
1)创建一个机密客户端并确保将启用服务帐户设置切换为 On
2) go over to the Service account roles taband select the appropriate role for this client, e.g. realm-adminfrom the realm-managementgroup
2)转到Service account roles tab并为该客户选择适当的角色,例如realm-admin从realm-management组中
3) get the access token
3)获取访问令牌
KCHOST=https://yourkeycloak.com
REALM=realm
CLIENT_ID=protector-of-the-realm
CLIENT_SECRET=xxxxxxx-yyyyyyyy-zzzzzzzzz
ACCESS_TOKEN=`curl \
-d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" \
-d "grant_type=client_credentials" \
"$KCHOST/auth/realms/$REALM/protocol/openid-connect/token" | jq -r '.access_token'`
4) call the REST API endpoint:
4)调用REST API端点:
curl -X GET -H "Authorization: Bearer $ACCESS_TOKEN" $KCHOST/auth/admin/realms/$REALM/users | jq
P.S. For debugging I have just written a CLI tool called brauziethat would help you fetch and analyse your JWT tokens (scopes, roles, etc.). It could be used for both public and confidential clients. You could as well use Postman and https://jwt.io
PS 为了调试,我刚刚编写了一个名为brauzie的 CLI 工具,它可以帮助您获取和分析 JWT 令牌(范围、角色等)。它可用于公共和机密客户。您也可以使用 Postman 和https://jwt.io
HTH :)
哈 :)
回答by Adnan Khan
Users in keycloak are realm specific and not every user is allowed to access them. You will be able to get all the users through the admin API after you assign a specific role to the user in the admin dashboard. Simply do
keycloak 中的用户是特定于领域的,并不是每个用户都可以访问它们。在管理仪表板中为用户分配特定角色后,您将能够通过管理 API 获取所有用户。简单地做
- In the admin dashboard, go to
- 在管理仪表板中,转到
Users > myuser > Role Mappings > Client roles > realm-management
用户 > myuser > 角色映射 > 客户端角色 > 领域管理
Assign the user any of the two roles
manage-usersorview-users.Generate a new token.
Hit API with new token
为用户分配两个角色中的任何一个
manage-users或view-users。生成一个新的令牌。
使用新令牌命中 API
and you will have your users
你将拥有你的用户
P.s I think you should update your question header to something more relevant.
Ps 我认为您应该将问题标题更新为更相关的内容。
