Implementing JWT, JWE and JWS (signed JWT) with Keycloak in Spring Boot
I try to implement a simple OAuth2 "Client Authentication with Signed JWT" demo app using Spring Boot and Keycloak as the AuthService.
The idea is: a Feign client using a RequestInterceptor to call the internal "Producer", passing the AccessToken (signed JWT / JWS).
I read the docs:
http://www.keycloak.org/docs/latest/securing_apps/topics/oidc/java/client-authentication.html
saying:
> Once the client application is started, it allows to download its public key in JWKS format using a URL such as http://myhost.com/myapp/k_jwks, assuming that http://myhost.com/myapp is the base URL of your client application. This URL can be used by Keycloak (see below).
> During authentication, the client generates a JWT token and signs it with its private key and sends it to Keycloak in the particular backchannel request (for example, code-to-token request) in the client_assertion parameter.
I googled a lot to find tutorials/demos or docs about this topic but failed so far. So here are my questions:
How do I implement this "k_jwk" endpoint? Do I simply build a @RestController by myself in "the Producer"? How do I configure Keycloak to become aware of this URL?
How do I implement my "Consumer" to get a fresh signed JWT from Keycloak?
Update: Removed irritating PS statement.
You don't need to implement the k_jwk endpoint, this is handled by the adapter. Keycloak will by default look at http://your.app.com/k_jwk (but if needed you can override that in the console). Then you need to configure your Spring Boot client, just use the same properties as the keycloak.json but in the application.properties format:
...
keycloak.credentials.jwt.client-keystore-file=classpath:keystore-client.jks
keycloak.credentials.jwt.client-keystore-type=JKS
etc ...
You need a token to call the producer, but as you said the entry point will be an unsecured endpoint, so you might want to use a Service Account for this.
I hope this will help.
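As an added illustration of the answer above (not the answer author's own file), here is a complete application.properties for a Spring Boot client that authenticates to Keycloak with a signed JWT. The realm name, auth-server URL, client id, keystore path, alias and the two passwords are placeholders; the keycloak.credentials.jwt.* keys mirror the credentials.jwt block of keycloak.json from the Keycloak client-authentication docs.

```properties
# Added example, not from the original answer. All values are placeholders.
keycloak.realm=demo
keycloak.auth-server-url=https://keycloak.example.com/auth
keycloak.resource=consumer-app
# Keystore holding the client's private key; the adapter publishes the
# matching public key at <client-base-url>/k_jwks for Keycloak to fetch.
keycloak.credentials.jwt.client-keystore-file=classpath:keystore-client.jks
keycloak.credentials.jwt.client-keystore-type=JKS
keycloak.credentials.jwt.client-keystore-password=storepass
keycloak.credentials.jwt.client-key-password=keypass
keycloak.credentials.jwt.client-key-alias=clientkey
# Lifetime (seconds) of each generated client assertion; keep it short.
keycloak.credentials.jwt.token-expiration=10
```

On the Keycloak side the client's Client Authenticator must be set to "Signed JWT" in the admin console and Keycloak must know the public key, either through the client's JWKS URL or an uploaded certificate. Keep the keystore passwords out of the committed file (externalise them through environment variables or a secrets store), and keep token-expiration small so a leaked assertion is useful only for seconds.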
Update
I couldn't solve this issue but learned some things about signed JWT in the meantime:
Create a so-called "Bearer Token" by creating a JSON structure with all necessary claims (sub, nbf, exp ...) by yourself and sign/certify it with your JKS/private key from Keycloak. There are some nice third party libs beside Keycloak to do this.
To get a real AccessToken (JWE/JWS) from Keycloak: send this static final Bearer Token to Keycloak at /auth/realms/$realm/protocol/openid-connect/token/introspect with QueryParams:
grant_type=client_credentials&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=$BEARER_TOKEN
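The following is an added example, not code from the question, the answer or the Keycloak project, showing how the "Consumer" can build the signed client assertion described in the update and exchange it for an access token. It signs with the Nimbus JOSE+JWT library (com.nimbusds:nimbus-jose-jwt) and posts the form with the JDK 11 HttpClient; the realm name, client id, keystore path, alias, key id and passwords are placeholders. It assumes the realm token endpoint at /auth/realms/<realm>/protocol/openid-connect/token (the path of Keycloak versions that use the /auth context root) and the claim layout of RFC 7523: iss and sub are the client id, aud is the token endpoint, jti is unique per request and exp is a few seconds out.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import java.io.InputStream;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Date;
import java.util.UUID;

/**
 * Added example (not from the original post): build an RFC 7523 client assertion,
 * sign it with the client's private key from a JKS keystore and exchange it for
 * an access token at the Keycloak token endpoint (client_credentials grant).
 */
public class SignedJwtClientAuth {

    // Assumed placeholders: realm "demo", client id "consumer-app".
    static final String TOKEN_ENDPOINT =
            "https://keycloak.example.com/auth/realms/demo/protocol/openid-connect/token";
    static final String CLIENT_ID = "consumer-app";
    static final String ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

    /** Load the client's private key from the JKS keystore (same file the adapter would use). */
    static PrivateKey loadPrivateKey(Path keystore, char[] storePass, String alias, char[] keyPass)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(keystore)) {
            ks.load(in, storePass);
        }
        return (PrivateKey) ks.getKey(alias, keyPass);
    }

    /** Build and sign the client assertion; kid must match the key Keycloak knows for this client. */
    static String buildClientAssertion(PrivateKey key, String kid) throws Exception {
        Date now = new Date();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer(CLIENT_ID)                                  // iss = client id
                .subject(CLIENT_ID)                                 // sub = client id
                .audience(TOKEN_ENDPOINT)                           // aud = token endpoint
                .jwtID(UUID.randomUUID().toString())                // jti: fresh per request, Keycloak rejects reuse
                .issueTime(now)
                .notBeforeTime(now)
                .expirationTime(new Date(now.getTime() + 30_000L)) // exp: 30 s, short on purpose
                .build();
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(kid).build();
        SignedJWT jwt = new SignedJWT(header, claims);
        jwt.sign(new RSASSASigner(key));
        return jwt.serialize(); // compact JWS: header.payload.signature
    }

    /** The form body from the update, with each value URL-encoded (this is what the %3A sequences are). */
    static String formBody(String assertion) {
        return "grant_type=" + enc("client_credentials")
                + "&client_assertion_type=" + enc(ASSERTION_TYPE)
                + "&client_assertion=" + enc(assertion);
    }

    private static String enc(String v) {
        return URLEncoder.encode(v, StandardCharsets.UTF_8);
    }

    /** POST the assertion to the token endpoint; the JSON response carries access_token and expires_in. */
    static String requestAccessToken(String assertion) throws Exception {
        HttpRequest req = HttpRequest.newBuilder(URI.create(TOKEN_ENDPOINT))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(formBody(assertion)))
                .build();
        HttpResponse<String> resp = HttpClient.newHttpClient()
                .send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            throw new IllegalStateException("token request failed: " + resp.statusCode() + " " + resp.body());
        }
        return resp.body();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder keystore, alias and passwords; in practice read them from the environment.
        PrivateKey key = loadPrivateKey(Path.of("keystore-client.jks"),
                "storepass".toCharArray(), "clientkey", "keypass".toCharArray());
        String assertion = buildClientAssertion(key, "clientkey");
        System.out.println(requestAccessToken(assertion));
    }
}
```

Two points matter for the Keycloak side: the kid in the JWS header has to match a key Keycloak can resolve for this client (from the client's JWKS URL or the certificate uploaded in the console), and the assertion is single-use, so generate a new jti and a fresh exp for every token request rather than reusing one long-lived token. The assertion is sent in the POST body, not as URL query parameters, so it does not end up in access logs.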