提示=在 Keycloak 和 Spring 安全 Oauth2 之间登录
[英]Prompt=login between Keycloak and Spring Security Oauth2
问题描述
I am using Spring Security Oauth2 with keycloak 10 to authenticate my app users.
我正在使用带有 keycloak 10 的 Spring Security Oauth2 来验证我的应用程序用户。
Can anyone tell me how to ask an authenticated user to provide his credentials again when trying to do sensitive actions on the app?谁能告诉我在尝试对应用程序执行敏感操作时如何要求经过身份验证的用户再次提供他的凭据?
Keycloak has a parameter named prompt that must be forwarder from my app to keycloak, but I don't know how to do that. Keycloak 有一个名为 prompt 的参数,它必须是从我的应用程序到 keycloak 的转发器,但我不知道该怎么做。
Thanks for your help谢谢你的帮助
2 个解决方案
解决方案1
0 2020-07-10 15:38:29
you can create a custom Oauth2AuthorizationRequestResolver Override the public OAuth2AuthorizationRequest resolve method and include prompt.您可以创建自定义 Oauth2AuthorizationRequestResolver 覆盖公共 OAuth2AuthorizationRequest 解析方法并包含提示。 Some more detail in this doc.此文档中有更多详细信息。 https://docs.spring.io/spring-security/site/docs/5.1.7.RELEASE/reference/html/jc.html https://docs.spring.io/spring-security/site/docs/5.1.7.RELEASE/reference/html/jc.html
This allows you to add custom properties to the authorize request.这允许您向授权请求添加自定义属性。
解决方案2
0 2020-07-13 09:28:58
After I did a few tests, I can say that the resolver doesn't solve the whole problem.在我做了一些测试之后,我可以说解析器并没有解决整个问题。
To sum up my discovery, by default spring doesn't ask an authenticated request to login again.总结一下我的发现,默认情况下 spring 不会要求经过身份验证的请求再次登录。 In fact, when I try to do a sensitive action, Spring allows me to go ahead because as I said, it finds that I have an active session.实际上,当我尝试执行敏感操作时,Spring 允许我前进 go 因为正如我所说,它发现我有一个活动的 session。
Regards问候
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.