
How would I isolate client access, keycloak configuration

How would I isolate client access if I have more than one client? What I am trying to achieve is that the issued access token should only be valid for the intended service. Example: if I have two clients, client1 and client2, the token issued to client1 should not be able to access resources from client2. At the moment my setup permits this; both clients' access type is set to confidential, and the JWT token does contain the client_id (which is "aud") field, but this is not evaluated at the authentication stage.

There are multiple ways this can be achieved. The method I would use would be to define a role inside each client, which the user has to have to access that client. Then you would check, before allowing access to that client, that they have that client role.

To create a client role, inside the admin console, choose your "realm", then "Clients" from the left hand menu => select "client2" => select "Roles" => "Add Role", and name it whatever you want. Say "admin".

To grant that role to a user so they can access that client, go to "Users" => select your user => "Role Mappings" => under the client role section select your client => select your new role and assign it to the user.

You then need to limit the scope access from client 1 by going to "Clients" => "Client 1" => "Scopes tab" => uncheck "Full scopes allowed" => select "client 2" from the "Client Roles" drop down, and ensure the role isn't applied to this client.

You can now test out whether this user will get access to this role from logging into "client 1" by going to "Clients" => "Client 1" => "Client Scopes" => "evaluate tab". If the client scopes are configured correctly, you shouldn't gain access to the client 2 role.

The last piece of the puzzle is configuring your client to check for this role. On your backend API (or other client side enforcement location), configure keycloak to protect against the newly created client role for that client. For example, if your API was written in Node, you would use the Keycloak Node adapter, set it up for "Client 2", and protect the route with: app.get( '/special', keycloak.protect('admin'), specialHandler );

More information regarding protection using adapters can be found here: https://www.keycloak.org/docs/latest/securing_apps/#_nodejs_adapter
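As an added example (not code from the answer above or from the Keycloak project), here is the check a client2 backend in Node would make on an access token whose signature the adapter has already verified, enforcing the two points raised in this thread: the token's "aud" must name this client, and the token must carry the "admin" client role under resource_access. The token payloads are constructed samples; the claim names follow Keycloak's access token format, and signature verification is assumed to happen before this code runs.

```javascript
// Added example, not the Keycloak adapter's own code. Checks an access token
// (signature assumed ALREADY verified) for two things: it was issued for this
// client ("aud") and it carries the client role created in the answer.

const CLIENT_ID = "client2";   // the service enforcing access
const REQUIRED_ROLE = "admin"; // the client role created in the answer

// base64url helpers written out by hand so the block runs on older Node.
const b64uEncode = (s) =>
  Buffer.from(s).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const b64uDecode = (s) =>
  Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");

// Payload segment of a compact JWS (header.payload.signature); no signature check here.
function decodePayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(b64uDecode(parts[1]));
}

// Returns { allowed, reason } so the backend can log why a token was refused.
function authorize(payload, clientId = CLIENT_ID, role = REQUIRED_ROLE) {
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(clientId)) {
    return { allowed: false, reason: "token not issued for " + clientId };
  }
  const access = payload.resource_access || {};
  const roles = (access[clientId] && access[clientId].roles) || [];
  if (!roles.includes(role)) {
    return { allowed: false, reason: "missing client role " + clientId + ":" + role };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample tokens (unsigned; "sig" stands in for the signature).
function encodeToken(payload) {
  return b64uEncode(JSON.stringify({ alg: "RS256", typ: "JWT" })) + "." +
    b64uEncode(JSON.stringify(payload)) + ".sig";
}
const TOKEN_FOR_CLIENT1 = encodeToken({
  aud: "client1", azp: "client1", resource_access: { client1: { roles: ["user"] } },
});
const TOKEN_FOR_CLIENT2 = encodeToken({
  aud: ["client2", "account"], azp: "client2", resource_access: { client2: { roles: ["admin"] } },
});

console.log(authorize(decodePayload(TOKEN_FOR_CLIENT1)).reason); // token not issued for client2
console.log(authorize(decodePayload(TOKEN_FOR_CLIENT2)).reason); // ok
```

A token for client1 is refused at the audience check even before roles are looked at, which is the behaviour the question asks for.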
