BlogJava-paulwong-随笔分类-KEYCLOAK

zh-cnThu, 21 Apr 2022 21:40:01 GMTThu, 21 Apr 2022 21:40:01 GMT60KEYCLOAK授权模式与实施http://www.blogjava.net/paulwong/archive/2022/04/21/450723.htmlpaulwongpaulwongThu, 21 Apr 2022 07:32:00 GMThttp://www.blogjava.net/paulwong/archive/2022/04/21/450723.htmlhttp://www.blogjava.net/paulwong/comments/450723.htmlhttp://www.blogjava.net/paulwong/archive/2022/04/21/450723.html#Feedback0http://www.blogjava.net/paulwong/comments/commentRss/450723.htmlhttp://www.blogjava.net/paulwong/services/trackbacks/450723.htmlhttps://stackoverflow.com/questions/42186537/resources-scopes-permissions-and-policies-in-keycloak

paulwong 2022-04-21 15:32 发表评论

]]>KEYCLOA+DMariaDB 在LINUX上的安装http://www.blogjava.net/paulwong/archive/2022/04/14/450717.htmlpaulwongpaulwongThu, 14 Apr 2022 07:15:00 GMThttp://www.blogjava.net/paulwong/archive/2022/04/14/450717.htmlhttp://www.blogjava.net/paulwong/comments/450717.htmlhttp://www.blogjava.net/paulwong/archive/2022/04/14/450717.html#Feedback0http://www.blogjava.net/paulwong/comments/commentRss/450717.htmlhttp://www.blogjava.net/paulwong/services/trackbacks/450717.htmlhttps://www.janua.fr/how-to-install-keycloak-with-mariadb/

启动时配置不通过localhost访问控制台：

#! /bin/bash

BIN_PATH=$(cd `dirname $0`; pwd)
IP=10.10.27.69
KEYCLOAK_OPT="-b ${IP} -Djboss.bind.address.management=${IP} -Dkeycloak.profile.feature.upload_scripts=enabled"
KEYCLOAK_OPT="${KEYCLOAK_OPT} -Djboss.socket.binding.port-offset=100 -Dkeycloak.frontendUrl=http://${IP}:81/auth "
#-Dkeycloak.hostname=${IP} -Dkeycloak.httpPort=81 -Dkeycloak.httpsPort=82

nohup ${BIN_PATH}/bin/standalone.sh ${KEYCLOAK_OPT} > /dev/null &

更改KEYCLOAK的DATASOURCE时，可直接更改默认的而无需重新配置：
https://medium.com/@pratik.dandavate/setting-up-keycloak-standalone-with-mysql-database-7ebb614cc229

KEYCLOAK的JBOSS管理界面地址改为非LOCALHOST：

-Djboss.bind.address.management=${IP}

如果是由NGINX过来的访问，这样前端的地址是和默认的不一样，需配置前端URL：

-Dkeycloak.frontendUrl=http://${IP}:81/auth

更改JVM大小standalone.conf：

#
# Specify options to pass to the Java VM.
#

JBOSS_JAVA_SIZING="-server -Xms3G -Xmx3G -Xmn512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m"

REFERENCE:
https://www.keycloak.org/docs/latest/server_installation/index.html#_hostname

paulwong 2022-04-14 15:15 发表评论

]]>Easily Secure your Microservices with Keycloakhttp://www.blogjava.net/paulwong/archive/2022/01/03/438645.htmlpaulwongpaulwongMon, 03 Jan 2022 02:03:00 GMThttp://www.blogjava.net/paulwong/archive/2022/01/03/438645.htmlhttp://www.blogjava.net/paulwong/comments/438645.htmlhttp://www.blogjava.net/paulwong/archive/2022/01/03/438645.html#Feedback0http://www.blogjava.net/paulwong/comments/commentRss/438645.htmlhttp://www.blogjava.net/paulwong/services/trackbacks/438645.htmlhttps://www.doag.org/formes/pubfiles/11143470/2019-NN-Sebastien_Blanc-Easily_Secure_your_Microservices_with_Keycloak-Praesentation.pdf

paulwong 2022-01-03 10:03 发表评论

]]>OIDC - KEYCLOAK - 自定义CLIENT SCOPEhttp://www.blogjava.net/paulwong/archive/2021/12/22/436242.htmlpaulwongpaulwongWed, 22 Dec 2021 03:15:00 GMThttp://www.blogjava.net/paulwong/archive/2021/12/22/436242.htmlhttp://www.blogjava.net/paulwong/comments/436242.htmlhttp://www.blogjava.net/paulwong/archive/2021/12/22/436242.html#Feedback0http://www.blogjava.net/paulwong/comments/commentRss/436242.htmlhttp://www.blogjava.net/paulwong/services/trackbacks/436242.html

"resource_access": {
    "app-springboot-confidential": {
      "roles": [
        "user"
      ]
    },
    "test-employee-service": {
      "roles": [
        "READ_EMPLOYEE"
      ]
    },
    "service-springboot": {
      "roles": [
        "READ_PRODUCTS"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links"
      ]
    },
    "test-department-service": {
      "roles": [
        "READ_DEPARTMENT"
      ]
    }
  }

需要将权限的信息输出到一个KEY中，这时可以新增自定义CLIENT SCOPE。Mapper中新增KEYCLOAK已内置的【realm roles/client roles】，定义输出到JTW的字段名：my-roles。
授权哪些CLIENT可以读取此CLIENT SCOPE.
在登录参数scope中，加入此值：my-roles，这样在输出的JWT就会以平面的方式输出所有roles

"my-roles": [
    "user",
    "READ_EMPLOYEE",
    "READ_PRODUCTS",
    "manage-account",
    "manage-account-links",
    "READ_DEPARTMENT",
    "offline_access",
    "user"
  ]

SPRING SECURITY中取出权限信息：

@Bean
    public ReactiveJwtAuthenticationConverter jwtAuthenticationConverter(ObjectMapper objectMapper) {

        JwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();
        jwtGrantedAuthoritiesConverter.setAuthorityPrefix("ROLE_");
        jwtGrantedAuthoritiesConverter.setAuthoritiesClaimName("my-roles");

//        KeycloakRealmRoleConverter keycloakRealmRoleConverter = new KeycloakRealmRoleConverter(objectMapper);

        ReactiveJwtGrantedAuthoritiesConverterAdapter reactiveJwtGrantedAuthoritiesConverterAdapter =
                new ReactiveJwtGrantedAuthoritiesConverterAdapter(
//                        new KeycloakRealmRoleConverter(objectMapper);
                        jwtGrantedAuthoritiesConverter
                    );

        ReactiveJwtAuthenticationConverter jwtConverter = new ReactiveJwtAuthenticationConverter();
        jwtConverter.setJwtGrantedAuthoritiesConverter(reactiveJwtGrantedAuthoritiesConverterAdapter);

        return jwtConverter;
    }

判断是否有权限

ServerHttpSecurity
            .authorizeExchange(
                a -> a.pathMatchers("/", "/error").permitAll()
                      .matchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
                      .pathMatchers(HttpMethod.GET, "/protected/**").hasRole("READ_DEPARTMENT")
                      .anyExchange()
                      .authenticated()
             )

paulwong 2021-12-22 11:15 发表评论

]]>使用REST API与KEYCLOAK进行OUATH2协议的登录认证http://www.blogjava.net/paulwong/archive/2021/10/12/436009.htmlpaulwongpaulwongTue, 12 Oct 2021 06:40:00 GMThttp://www.blogjava.net/paulwong/archive/2021/10/12/436009.htmlhttp://www.blogjava.net/paulwong/comments/436009.htmlhttp://www.blogjava.net/paulwong/archive/2021/10/12/436009.html#Feedback0http://www.blogjava.net/paulwong/comments/commentRss/436009.htmlhttp://www.blogjava.net/paulwong/services/trackbacks/436009.html如果要访问受KEYCLOAK保护的REST API服务，则需要夹带一个ACCESS_TOKEN。

前端页面：

前端页面一般是给用户使用的，则需要用户输入在KEYCLOAK中有效的用户名和密码，并提供CALL BAK的URL，提交给KEYCLOAK
http://10.80.27.69:8180/auth/realms/quickstart/protocol/openid-connect/auth?client_id=app-springboot-confidential&redirect_uri=http://10.80.27.69:8183/&response_type=code&scope=openid
如果KEYCLOAK验证通过，则通知页面重导向回调的URL，并附上code=xxx，此code则是AUTHORIZATION_CODE
http://10.80.27.69:8183/?session_state=2ad9ab98-6c39-43a8-872f-2112c27b74df&code=3f48ce19-58f9-45d9-8c09-30d492bf4b24.2ad9ab98-6c39-43a8-872f-2112c27b74df.bd7526ef-b1bf-447f-baef-b7dfd6f0df93
回调的URL对应的SERVELET，取得AUTHORIZATION_CODE，并加上client_id和client_secrect，调用KEYLOAK的取ACCESS_TOKEN的HTTP API，取得ACCESS_TOKEN，返回给页面
http://10.80.27.69:8180/auth/realms/quickstart/protocol/openid-connect/token
client_id=app-springboot-confidential&client_secret=3acf7692-49cb-4c45-9943-6f3dba512dae&redirect_uri=http://10.80.27.69:8183/&grant_type=authorization_code&code=cc7ac566-90f9-404e-b88e-fa28037b07d1.591311e1-5380-46a2-9363-834f17337922.bd7526ef-b1bf-447f-baef-b7dfd6f0df93
页面保存此ACCESS_TOKEN，就可以调用后台的各种API获取数据
{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJGSjg2R2NGM2pUYk5MT2NvNE52WmtVQ0lVbWZZQ3FvcXRPUWVNZmJoTmxFIn0.eyJleHAiOjE2MzQwMjA4ODksImlhdCI6MTYzNDAyMDU4OSwianRpIjoiNDAwOTQ4ZmQtMGU0MS00YWRjLTlhY2MtMzczZWM2NDVhNzM5IiwiaXNzIjoiaHR0cDovLzEwLjgwLjI3LjY5OjgxODAvYXV0aC9yZWFsbXMvcXVpY2tzdGFydCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiJkZGVkMDA2YS0xY2QxLTRjODUtOTQ1MS0wMjFlZmY3OTFiMmUiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhcHAtc3ByaW5nYm9vdC1jb25maWRlbnRpYWwiLCJzZXNzaW9uX3N0YXRlIjoiYzRlN2QzYTgtMDg2My00OTAwLTkxZmEtMGExYmFmYmRlNGU3IiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYXBwLXNwcmluZ2Jvb3QtY29uZmlkZW50aWFsIjp7InJvbGVzIjpbInVtYV9wcm90ZWN0aW9uIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImNsaWVudElkIjoiYXBwLXNwcmluZ2Jvb3QtY29uZmlkZW50aWFsIiwiY2xpZW50SG9zdCI6IjEwLjEwLjIwLjU3IiwidXNlcl9uYW1lIjoic2VydmljZS1hY2NvdW50LWFwcC1zcHJpbmdib290LWNvbmZpZGVudGlhbCIsInByZWZlcnJlZF91c2VybmFtZSI6InNlcnZpY2UtYWNjb3VudC1hcHAtc3ByaW5nYm9vdC1jb25maWRlbnRpYWwiLCJjbGllbnRBZGRyZXNzIjoiMTAuMTAuMjAuNTcifQ.Ut6aZ6E1d4Esz0gRv2ubxdvrxmGvZLHHZepD5pnGxlqb_yZ4Q82TdGTG0iL4JJn2NH3QAU501dhzzuv6-OT9BUBKP-4ufyKv2DxSvt3GgdN30au5JsATHFyOWuuZGRBd3iWcynf9u3OJnSkHEnrIwRYatgndLzy8dy3AeqF12CI",
    "expires_in": 300,
    "refresh_expires_in": 600,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI2MTlhMmJjOS0yMWIwLTRmNGMtODI4OC1kNTJmMjA3OWEzY2EifQ.eyJleHAiOjE2MzQwMjExODksImlhdCI6MTYzNDAyMDU4OSwianRpIjoiYTM0NTQ1MTYtMzc3NC00YmRlLTgzOTMtN2QyMTdkZjdkZmJkIiwiaXNzIjoiaHR0cDovLzEwLjgwLjI3LjY5OjgxODAvYXV0aC9yZWFsbXMvcXVpY2tzdGFydCIsImF1ZCI6Imh0dHA6Ly8xMC44MC4yNy42OTo4MTgwL2F1dGgvcmVhbG1zL3F1aWNrc3RhcnQiLCJzdWIiOiJkZGVkMDA2YS0xY2QxLTRjODUtOTQ1MS0wMjFlZmY3OTFiMmUiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoiYXBwLXNwcmluZ2Jvb3QtY29uZmlkZW50aWFsIiwic2Vzc2lvbl9zdGF0ZSI6ImM0ZTdkM2E4LTA4NjMtNDkwMC05MWZhLTBhMWJhZmJkZTRlNyIsInNjb3BlIjoicHJvZmlsZSBlbWFpbCJ9.QhjkJBGz5UvwBF7xHM7_V_yjfF0lrA_EWzAVdFf-BRI",
    "token_type": "bearer",
    "not-before-policy": 0,
    "session_state": "c4e7d3a8-0863-4900-91fa-0a1bafbde4e7",
    "scope": "profile email"
}
这就是authorization_code流程

后端服务：

如果是在一个API中要请求另外一个API的数据，不存在具体用户的情况
需提供如下参数：client_id、client_secrect和grant_type，且grant_type=client_credentials，调用KEYLOAK的取ACCESS_TOKEN的HTTP API，取得ACCESS_TOKEN
http://10.80.27.69:8180/auth/realms/quickstart/protocol/openid-connect/token
client_id=app-springboot-confidential&client_secret=3acf7692-49cb-4c45-9943-6f3dba512dae&grant_type=client_credentials
再将此ACCESS_TOKEN以Bearer TOKEN的方式调用别的的API
这就是client_credentials流程

验证Access Token和获取Token元信息：

http://10.80.27.69:8180/auth/realms/quickstart/protocol/openid-connect/token/introspect
client_id=app-springboot-confidential&client_secret=3acf7692-49cb-4c45-9943-6f3dba512dae
Access Token无效时返回：
{
"active": false
}

刷新Token：

http://10.80.27.69:8180/auth/realms/quickstart/protocol/openid-connect/token
client_id=app-springboot-confidential&client_secret=3acf7692-49cb-4c45-9943-6f3dba512dae&grant_type=refresh_token&refresh_token=asdfasd
返回
{
    "access_token": "eyJhbGciOiJSUzI1NiIsIn",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOi",
    "token_type": "Bearer",
    "not-before-policy": 1610728470,
    "session_state": "c1273eb5-f922-420c-b23a-854be9735c1d",
    "scope": "profile email"
}

Reference:
https://blog.csdn.net/nklinsirui/article/details/112706006

https://www.baeldung.com/?s=keycloak

https://www.doag.org/formes/pubfiles/11143470/2019-NN-Sebastien_Blanc-Easily_Secure_your_Microservices_with_Keycloak-Praesentation.pdf

paulwong 2021-10-12 14:40 发表评论

]]>基于Spring Cloud的快速开发脚手架&最佳实践总结http://www.blogjava.net/paulwong/archive/2020/10/09/435685.htmlpaulwongpaulwongFri, 09 Oct 2020 02:48:00 GMThttp://www.blogjava.net/paulwong/archive/2020/10/09/435685.htmlhttp://www.blogjava.net/paulwong/comments/435685.htmlhttp://www.blogjava.net/paulwong/archive/2020/10/09/435685.html#Feedback0http://www.blogjava.net/paulwong/comments/commentRss/435685.htmlhttp://www.blogjava.net/paulwong/services/trackbacks/435685.html Spring Cloud 你懂的 Keycloak 微服务认证授权 Jenkins 持续集成 SonarQube 代码质量控制

https://gitee.com/itmuch/spring-cloud-yes

paulwong 2020-10-09 10:48 发表评论

]]>Keycloak初探http://www.blogjava.net/paulwong/archive/2020/10/08/435683.htmlpaulwongpaulwongThu, 08 Oct 2020 05:56:00 GMThttp://www.blogjava.net/paulwong/archive/2020/10/08/435683.htmlhttp://www.blogjava.net/paulwong/comments/435683.htmlhttp://www.blogjava.net/paulwong/archive/2020/10/08/435683.html#Feedback0http://www.blogjava.net/paulwong/comments/commentRss/435683.htmlhttp://www.blogjava.net/paulwong/services/trackbacks/435683.html
有提供一套WEB界面维护用户、应用与角色。

Ream则可认为是多租户，每个租户的应用和用户数据是隔离的。

http://10.80.27.69:8180/auth/realms/quickstart/.well-known/openid-configuration 提供当前所有的API节点。

get_access_token_from_public_client:

curl --location --request POST 'http://10.80.27.69:8180/auth/realms/quickstart/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=alice' \
--data-urlencode 'password=123456' \
--data-urlencode 'client_id=app-springboot-public' \
--data-urlencode 'grant_type=password' \
| jq

./get_access_token_from_confidential_client.sh

curl --location --request POST 'http://10.80.27.69:8180/auth/realms/quickstart/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=app-springboot-confidential' \
--data-urlencode 'client_secret=3acf7692-49cb-4c45-9943-6f3dba512dae' \
--data-urlencode 'grant_type=client_credentials' \
| jq

访问一个ACCESS TYPE为Bare only的应用的一个API：

access_token=$(curl \
-d "client_id=app-springboot-public" \
-d "username=alice" \
-d "password=123456" \
-d "grant_type=password" \
"http://10.80.27.69:8180/auth/realms/quickstart/protocol/openid-connect/token" \
| jq -r '.access_token')

#echo $access_token

curl -H "Authorization: Bearer $access_token" 'http://10.80.27.69:8182/products' | jq

访问用户信息：

access_token=$(curl \
-d "client_id=app-springboot-public" \
-d "username=alice" \
-d "password=123456" \
-d "grant_type=password" \
"http://10.80.27.69:8180/auth/realms/quickstart/protocol/openid-connect/token" | jq -r '.access_token')

curl -H "Authorization: Bearer $access_token" http://10.80.27.69:8180/auth/realms/quickstart/protocol/openid-connect/userinfo | jq

paulwong 2020-10-08 13:56 发表评论

]]>keycloak 资源http://www.blogjava.net/paulwong/archive/2020/09/25/435675.htmlpaulwongpaulwongFri, 25 Sep 2020 07:46:00 GMThttp://www.blogjava.net/paulwong/archive/2020/09/25/435675.htmlhttp://www.blogjava.net/paulwong/comments/435675.htmlhttp://www.blogjava.net/paulwong/archive/2020/09/25/435675.html#Feedback0http://www.blogjava.net/paulwong/comments/commentRss/435675.htmlhttp://www.blogjava.net/paulwong/services/trackbacks/435675.html
Keycloak支持OpenID、OAuth 2.0和SAML 2.0协议；支持用户注册、用户管理、权限管理；支持OTP，支持代理OpenID、SAML 2.0 IDP，支持GitHub、LinkedIn等第三方登录，支持整合LDAP和Active Directory；支持自定义认证流程、自定义用户界面，支持国际化。

有用户管理界面，可用于API的认证和用户的认证，用户认证需人为输入用户名与密码，API则凭BARE TOKEN即可认证。

Spring Boot/Angular整合Keycloak实现单点登录
https://blog.51cto.com/7308310/2446368

僅十分鐘即可接入Spring Boot/Vue前後端分離應用實現SSO單點登錄
https://kknews.cc/code/a6am5pj.html

SpringBoot整合KeyCloak权限管理
https://qianmoq.com/fuwuduan/springboot/springbootzhenghekeycloakquanxianguanli.html

使用Spring Gateway和KeyCloak构建一个OIDC认证系统
https://zhuanlan.zhihu.com/p/138578359

A Quick Guide to Using Keycloak with Spring Boot
https://www.baeldung.com/spring-boot-keycloak

Keycloak与微服务的整合
https://gitee.com/itmuch/spring-cloud-yes/blob/master/doc/keycloak-learn/Keycloak%E6%90%AD%E5%BB%BA%E6%89%8B%E6%8A%8A%E6%89%8B%E6%93%8D%E4%BD%9C%E6%8C%87%E5%8D%97.md

RedHat
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.4/html/securing_applications_and_services_guide/openid_connect_3

https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.4/html-single/authorization_services_guide/index

https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.4/

paulwong 2020-09-25 15:46 发表评论

]]>