Keycloak Identity Broker API
[英]Keycloak Identity Broker API
问题描述
So i have a client which consumes an api. 
所以我有一个消耗api的客户端。 The API is secured with keycloak. 该API使用密钥斗篷进行保护。 Users signs in normally, but i want to allow users to sign in user without having to go keycloak's login page with their social media accounts like facebook or google. 用户可以正常登录,但是我想允许用户登录而不必使用他们的社交媒体帐户(例如facebook或google)进入keycloak的登录页面。 I need a rest API with an implementation of how to get a url generated so when user click on this url in a button, it will take the user to the respective social login page to login while keycloak still serves as the broker. 我需要一个REST API,其中包含实现如何生成URL的实现,因此,当用户在按钮中单击此URL时,它将带用户到相应的社交登录页面进行登录,而keycloak仍充当代理。
Below is my implementation, it generates a url alright but does not take the user to google page to login 下面是我的实现,它会生成一个url,但是不会将用户带到google页面进行登录
This is a rest Controller 这是一个休息控制器
@Secured("permitAll")
@GetMapping(path = "/generator")
public String brokerGenerator(HttpServletRequest httpServletRequest) throws ServletException {
String provider = "google";
String authServerRootUrl = "http://localhost:8080/";
String realm = "realmName";
String clientId = "clientName";
String nonce = UUID.randomUUID().toString();
MessageDigest md = null;
try {
md = MessageDigest.getInstance("SHA-256");
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
String input = nonce + clientId + provider;
byte[] check = md.digest(input.getBytes(StandardCharsets.UTF_8));
String hash = Base64Url.encode(check);
httpServletRequest.getSession().setAttribute("hash", hash);
String redirectUri = "http://localhost:4200/dashboard";
return KeycloakUriBuilder.fromUri(authServerRootUrl)
.path("auth/realms/realmName/google/link")
.queryParam("nonce", nonce)
.queryParam("hash", hash)
.queryParam("client_id", clientId)
.queryParam("redirect_uri", redirectUri).build(realm, provider).toString();
}
1 个解决方案
解决方案1
0 已采纳 2019-06-26 17:29:47
Keycloak supports this out of the box. Keycloak开箱即用。 See https://www.keycloak.org/docs/6.0/server_admin/#_client_suggested_idp 参见https://www.keycloak.org/docs/6.0/server_admin/#_client_suggested_idp
OIDC applications can bypass the Keycloak login page by specifying a hint on which identity provider they want to use.
This is done by setting the kc_idp_hint query parameter in the Authorization Code Flow authorization endpoint.
UPDATE 更新
In your case you should use normal Keycloak Auth Code Flow endpoint and in addition to the basic query params provide kc_idp_hint param. 在您的情况下,您应该使用普通的Keycloak Auth Code Flow端点,并且除了基本查询参数外,还提供kc_idp_hint参数。 This way the user is redirected to Keycloak login page first then Keycloak redirects him to the chosen identity provider login page (google in your case). 这样,首先将用户重定向到Keycloak登录页面,然后Keycloak将其重定向到所选身份提供者登录页面(在您的情况下为Google)。
Here is an example redirect URL: 这是重定向URL的示例:
https://keycloak-domain/realms/REALM_NAME/protocol/openid-connect/auth?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&state=STATE&response_type=code&scope=openid&nonce=NONCE&kc_idp_hint=google
Edit your code according this example: 根据此示例编辑代码:
return KeycloakUriBuilder.fromUri(authServerRootUrl)
.path("realms/realmName/protocol/openid-connect/auth") // Url changed
.queryParam("response_type", "code") // Autherization Code Flow
.queryParam("scope", "openid") // Add additional scopes if needed
.queryParam("kc_idp_hint", "google") // This should match IDP name registered in Keycloak
.queryParam("nonce", nonce)
.queryParam("hash", hash)
.queryParam("client_id", clientId)
.queryParam("redirect_uri", redirectUri).build(realm, provider).toString();
You can manually initiate Keycloak redirection for test. 您可以手动启动Keycloak重定向以进行测试。 Start normal login flow and when you redirected to Keycloak login page do not enter credentials, instead add kc_idp_hint=google to the URL and hit ENTER. 开始正常的登录流程,当您重定向到Keycloak登录页面时,不要输入凭据,而是将kc_idp_hint=google添加到URL并按Enter。 Then you will be redirected right to Google login page. 然后,您将被直接重定向到Google登录页面。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.