Implementing JWT, JWE and JWS (signed JWT) with Keycloak in Spring Boot

I try to implement a simple OAuth2 "Client Authentication with Signed JWT" Demo App using Spring Boot and Keycloak as AuthService.

The idea is:

  1. one secured REST service "The Producer"
    • offering an endpoint GET /person for all users/principals with the role "read_person"
    • offering an endpoint POST /person for all users/principals with the role "write_person"
  2. another (unsecured) REST service "The Consumer"
    • offering an endpoint /api open for everybody
    • calling internally the "producer" via Feign client using a RequestInterceptor to pass the AccessToken (signed JWT / JWS)

I read the docs:

http://www.keycloak.org/docs/latest/securing_apps/topics/oidc/java/client-authentication.html

saying:

    Once the client application is started, it allows to download its public key in JWKS format using a URL such as http://myhost.com/myapp/k_jwks, assuming that http://myhost.com/myapp is the base URL of your client application. This URL can be used by Keycloak (see below).

    During authentication, the client generates a JWT token and signs it with its private key and sends it to Keycloak in the particular backchannel request (for example, code-to-token request) in the client_assertion parameter.

I googled a lot to find tutorials/demos or docs about this topic but failed so far. So here are my questions:

  1. How do I implement this "k_jwk" endpoint? Do I simply build a @RestController by myself in "the Producer"? How do I configure Keycloak to make it aware of this URL?

  2. How do I implement my "Consumer" to get a fresh signed JWT from Keycloak?

Update: Removed irritating PS statement.

  1. You don't need to implement the k_jwk endpoint, this is handled by the adapter. Keycloak will by default look at http://your.app.com/k_jwk (but if needed you can override that in the console). Then you need to configure your Spring Boot client, just use the same properties as the keycloak.json but in the application.properties format:

    ...

    keycloak.credentials.jwt.client-keystore-file=classpath:keystore-client.jks
    keycloak.credentials.jwt.client-keystore-type=JKS

    etc ...

  2. You need a token to call the producer, but as you said the entry point will be an unsecured endpoint, so you might want to use a Service Account for this.

I hope this will help.

Update

I couldn't solve this issue but learned some things about signed JWT in the meantime:

  1. Create a so called "Bearer Token" by creating a JSON structure with all necessary claims (sub, nbf, exp ...) by yourself and sign/certificate it with your JKS/Private Key from Keycloak. There are some nice third party libs beside Keycloak to do this.

  2. To get a real AccessToken (JWE/JWS) from Keycloak: send this static final Bearer Token to Keycloak at /auth/realms/$realm/protocol/openid-connect/token/introspect

with QueryParams:

grant_type=client_credentials&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=$BEARER_TOKEN

  3. Use the received real AccessToken to access the ResourceServer...
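The two pieces the answer and the update talk about, an RS256-signed client assertion plus the client_credentials form body that carries it, and the public key a k_jwks endpoint would publish, written out as an added example. This is not code from the question, the answer, Keycloak or the Spring adapter; it uses only the Go standard library, and the client id "demo-consumer", the kid "demo-kid", the audience URL and the freshly generated RSA key (standing in for keystore-client.jks) are constructed placeholders. VerifyRS256 is the receiving side's view (Keycloak checking the assertion, or the producer checking an access token): it rejects anything whose header is not RS256, a signature made with a different key, and a token outside its nbf/exp window.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// JWS (RFC 7515) uses base64url without padding for every segment.
var b64 = base64.RawURLEncoding

// Claims is the subset of JWT claims a client assertion (RFC 7523) carries:
// iss and sub are the client id, aud is the token endpoint the assertion is presented to.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Iat int64  `json:"iat"`
	Nbf int64  `json:"nbf"`
	Exp int64  `json:"exp"`
}

// SignRS256 builds a compact JWS: base64url(header).base64url(claims).base64url(signature).
func SignRS256(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyRS256 checks the header algorithm, the signature and the time window
// before returning the claims; an unexpected alg (e.g. "none") is refused outright.
func VerifyRS256(pub *rsa.PublicKey, token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed compact JWS")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return c, errors.New("unsupported or unreadable header")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, errors.New("bad signature")
	}
	pb, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return c, errors.New("bad payload")
	}
	if t := now.Unix(); t < c.Nbf || t >= c.Exp {
		return c, errors.New("token not yet valid or expired")
	}
	return c, nil
}

// PublicJWK renders the verification key the way a k_jwks endpoint publishes it (RFC 7517).
func PublicJWK(pub *rsa.PublicKey, kid string) map[string]string {
	return map[string]string{
		"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
		"n": b64.EncodeToString(pub.N.Bytes()),
		"e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
	}
}

// TokenRequestBody is the form body from the update (keys come out sorted; the
// urn:ietf:... value is percent-encoded exactly as shown there).
func TokenRequestBody(assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "client_credentials")
	v.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
	v.Set("client_assertion", assertion)
	return v.Encode()
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed; in practice the keystore's private key
	now := time.Now()
	c := Claims{Iss: "demo-consumer", Sub: "demo-consumer", Jti: "constructed-jti-1",
		Aud: "https://keycloak.example/auth/realms/demo/protocol/openid-connect/token", // assumed realm
		Iat: now.Unix(), Nbf: now.Unix(), Exp: now.Add(30 * time.Second).Unix()}
	assertion, err := SignRS256(key, "demo-kid", c)
	if err != nil {
		panic(err)
	}
	fmt.Println(TokenRequestBody(assertion))
	jwk, _ := json.Marshal(PublicJWK(&key.PublicKey, "demo-kid"))
	fmt.Println(string(jwk))
	if _, err := VerifyRS256(&key.PublicKey, assertion, now); err != nil {
		panic(err)
	}
	fmt.Println("assertion verified")
}
```

Keep the assertion short-lived (the 30 s exp above) and use a fresh jti per request; a long-lived, reusable assertion is just a bearer credential by another name, which is the failure mode the "static final Bearer Token" wording in the update invites.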
