Keycloak/OpenID:代表客户端应用程序请求用户信息
[英]Keycloak/OpenID: request user-information on behalf of the client application
问题描述
I have a Spring Boot-application with a public REST-API.
我有一个带有公共 REST-API 的 Spring 引导应用程序。 The user authentication is handled by Keycloak.用户身份验证由 Keycloak 处理。 Users can use the API to submit jobs, which are then executed periodically as a Spring Batch.用户可以使用 API 提交作业,然后作为 Spring Batch 定期执行。 Some of these jobs require the user to be notified via eMail after completion.其中一些作业要求用户在完成后通过 ZB79B0A2B753B8346CBCBEC311C5FF84Z 得到通知。
The application currently does not store any user-related information, except the ID of the user, who submitted the job.该应用程序当前不存储任何与用户相关的信息,除了提交作业的用户的 ID。 My problem is now, that I need the eMail-address belonging to that User-ID to send the job-completion notification.我现在的问题是,我需要属于该用户 ID 的电子邮件地址来发送作业完成通知。 The JWT passed to the API, which contains this information, can't be used at this time, since the job is executed asynchronous in the batch-context.传递给 API 的 JWT 包含此信息,此时无法使用,因为作业是在批处理上下文中异步执行的。
I came up with 2 possible solutions so far, which both have their own drawbacks in my opinion:到目前为止,我提出了 2 种可能的解决方案,在我看来它们都有自己的缺点:
solution 1 : extracting the required information from the JWT and persist them in the application's database for later use解决方案 1 :从 JWT 中提取所需的信息,并将它们保存在应用程序的数据库中以备后用
drawbacks:缺点:
- the application should not be concerned with storing user-information;应用程序不应该关心存储用户信息; it also shouldn't duplicate data controlled by other applications它也不应该复制由其他应用程序控制的数据
- the user might change its eMail-address in the primary user-database, without getting noticed by my application用户可能会在主用户数据库中更改其电子邮件地址,而不会被我的应用程序注意到
solution 2 : requesting user-details as needed by using Keycloak-APIs.解决方案 2 :根据需要使用 Keycloak-API 请求用户详细信息。
This looks theoretically like a good approach to me.这在理论上看起来对我来说是一个很好的方法。 The suggested solutions on SO utilize the Keycloak Admin-API (endpoint /auth/admin/realms/{realm}/users/{user-id} ) to fetch user-details. SO上的建议解决方案利用 Keycloak Admin-API(端点/auth/admin/realms/{realm}/users/{user-id} )来获取用户详细信息。 This requires the application to be configured as a "confidential client" with own client-credentials and an enabled service account.这需要将应用程序配置为具有自己的客户端凭据和启用的服务帐户的“机密客户端”。 What bothers me here: It appears a bit strange to me, that a regular application without any special privileges uses an Admin-API.这里困扰我的是:对我来说似乎有点奇怪,没有任何特殊权限的常规应用程序使用 Admin-API。 Also, the users -endpoint is not restricted to users, which have previously given consent to access their data.此外, users端点不限于先前已同意访问其数据的用户。
Is there a good way to solve this problem?有没有解决这个问题的好方法?
1 个解决方案
解决方案1
0 2020-12-17 18:19:19
If job requires an e-mail for its completion, why doesn't it request it as start parameter and just keep it in memory?如果作业需要一封电子邮件来完成,为什么不要求它作为启动参数而只保留在 memory 中?
This is how I would proceed:这就是我将如何进行:
- @Controller extracts e-mail from ID token on the end-point from which the user triggers job start @Controller 从用户触发作业开始的端点上的 ID 令牌中提取电子邮件
- user e-mail is provided among other parameters to the job在作业的其他参数中提供用户电子邮件
- job completes sending the e-mail作业完成发送电子邮件
- e-mail is lost, with other job resources电子邮件丢失,还有其他工作资源
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.