Keycloak 自省端点
[英]Keycloak Introspection Endpoint
问题描述
I'm trying to access to introspect endpoint in my Keycloak server /openid-connect/token/introspect from my front app, but I get next error:
我正在尝试从我的前端应用程序访问我的 Keycloak 服务器/openid-connect/token/introspect中的内省端点,但我收到下一个错误:
Access to fetch at 'http://localhost:8180/auth/realms/backoffice/protocol/openid-connect/token/introspect' from origin 'http://localhost:8080' has been blocked by CORS policy:
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
Using Postman, curl or Node app this request works fine, but from my front-app using fetch method thows this error.使用 Postman、curl 或 Node 应用程序此请求工作正常,但从我的前端应用程序使用 fetch 方法抛出此错误。 I'm not sure it's possible query for introspect endpoint from front-app in the browser or if it's only possible from server app.我不确定是否可以从浏览器中的前端应用程序查询内省端点,或者是否只能从服务器应用程序查询。
Other endpoints like:其他端点如:
- openid-connect/token: openid-connect/令牌:
- openid-connect/userinfo: openid-connect/用户信息:
Works fine using the Postman JS code.使用 Postman JS 代码工作正常。
Keycloak config密钥斗篷配置
My client in Keycloak has set up Web Origins * and Access Type confidential .我在 Keycloak 中的客户端设置了Web Origins *和Access Type confidential 。
Client Code客户代码
My front app is simply the Postman code JS, and I deploy it using node http-server.我的前端应用程序只是 Postman 代码 JS,我使用节点 http-server 部署它。
var myHeaders = new Headers(); myHeaders.append("Content-Type", "application/x-www-form-urlencoded"); var urlencoded = new URLSearchParams(); urlencoded.append("client_id", "my-client"); urlencoded.append("client_secret", "my-secret"); urlencoded.append("token", "eyJ...oCA"); var requestOptions = { method: 'POST', headers: myHeaders, body: urlencoded, redirect: 'follow' }; fetch("http://localhost:8180/auth/realms/backoffice/protocol/openid-connect/token/introspect", requestOptions).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));
Header Response Header 回复
The header response in userinfo endpoint comes with Access-Control-Allow-Origin and Access-Control-Allow-Credentials but is not present in introspect endpoint . userinfo 端点中的 header 响应带有 Access-Control-Allow-Origin 和 Access-Control-Allow-Credentials 但不存在于 introspect endpoint中。
1 个解决方案
解决方案1
1 2021-01-14 09:10:28
From the looks of it, the Keycloak server prevents the CORS headers to be set for the introspection endpoint.从外观上看,Keycloak 服务器阻止为内省端点设置 CORS 标头。 This could be a bug or by design.这可能是错误或设计使然。 I tried it and I get the same error.我试过了,我得到了同样的错误。
If you really want to access the introspect endpoint from the web app, you could set up a NGINX reverse-proxy in front of your Keycloak server and use it to add the missing headers.如果你真的想从 web 应用程序访问 introspect 端点,你可以在你的 Keycloak 服务器前面设置一个 NGINX 反向代理,并用它来添加丢失的标头。
That being said, according to oauth.com you should not leave the introspection endpoint available to the public, which is what you are currently doing since anyone can retrieve the client id and secret from your web app.话虽这么说,根据oauth.com你不应该让公众可以使用内省端点,这是你目前正在做的,因为任何人都可以从你的 web 应用程序中检索客户端 ID 和密码。
If the introspection endpoint is left open and un-throttled, it presents a means for an attacker to poll the endpoint fishing for a valid token.
This could explain the decision not to allow CORS.这可以解释不允许 CORS 的决定。
Another thing, it looks like you forgot to set the token_type_hint check out this stackoverflow post for more information.另一件事,您似乎忘记设置token_type_hint查看此 stackoverflow 帖子以获取更多信息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.