使用 Keycloak 进行微服务身份验证
[英]Microservice authentication with Keycloak
问题描述
I'm trying to authenticate one microservice request in another microservice, but I'm failing to find any examples showing how to configure the client in keycloak and how to configure spring security.
我正在尝试在另一个微服务中验证一个微服务请求,但我找不到任何示例来说明如何在 keycloak 中配置客户端以及如何配置 spring 安全性。 This is the architecture I'm trying to archive:这是我要归档的架构:
I have already managed to get user authorization working and secure microservice A, and now i'm trying to authorize requests from microservice B, but i'm not sure how to do it, whether should I create a dedicated user in keycloak for microservice B, or client in realm, or some other technical account?我已经设法让用户授权工作并保护微服务 A,现在我正在尝试授权来自微服务 B 的请求,但我不知道该怎么做,是否应该在 keycloak 中为微服务 B 创建一个专用用户,或realm中的客户,或其他一些技术帐户? Is it done by some api key or should Microservice B request access token in the similar way the user does?它是由一些 api 密钥完成的,还是微服务 B 应该以与用户类似的方式请求访问令牌?
My idea is to create a client in Keycloak for microservice B, request an access token from Keycloak and attach it to every request sent to microservice A.我的想法是在 Keycloak 中为微服务 B 创建一个客户端,从 Keycloak 请求访问令牌并将其附加到发送到微服务 A 的每个请求中。
Is this the correct approach?这是正确的方法吗?
Is there some library addressing this case?是否有一些图书馆解决这种情况?
I could not find any example of such communication with spring, are you aware of any repositories with such example?我找不到与 spring 进行此类通信的任何示例,您是否知道带有此类示例的任何存储库?
1 个解决方案
解决方案1
0 2021-01-23 13:51:55
As far as I understood, your Frontend access to MS-A is done with different user accounts (logins).据我了解,您对 MS-A 的前端访问是通过不同的用户帐户(登录名)完成的。 But for MS-B accessing MS-A it's okay when MS-B always use the same account (MS-B Service Account)?但是对于访问 MS-A 的 MS-B 来说,当 MS-B 始终使用相同的帐户(MS-B 服务帐户)时可以吗?
In this scenario I would create a second client for this backend authentication, let's call it backend-client with the following options:在这种情况下,我将为此后端身份验证创建第二个客户端,我们将其称为backend-client并使用以下选项:
OIDC, confidential, enable Direct Access Grants and Service Accounts, disable standard Flow OIDC,机密,启用直接访问授权和服务帐户,禁用标准流
MS-B can now obtain a Access Token via a simple Request to Keycloak MS-B 现在可以通过对 Keycloak 的简单请求获得访问令牌
curl --request POST \
--url https://keycloak/auth/realms/%realm_name%/protocol/openid-connect/token \
--header 'Accept: */*' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data 'client_id=backend-client&client_secret=%client_secret%&grant_type=client_credentials'
(No User+PW is required, so keep client_secret really safe) (不需要用户+密码,所以保持client_secret真的安全)
The access token now needs to be used for all Requests from MS-B to MS-A ( Authentication: Bearer %Access-Token% Header)访问令牌现在需要用于从 MS-B 到 MS-A 的所有请求( Authentication: Bearer %Access-Token%标头)
I'm unaware of any spring implementations / adapters, but I'm pretty sure if you search for Direct Access Grants you will find a proper solution我不知道有任何 spring 实现/适配器,但我很确定如果您搜索Direct Access Grants ,您会找到合适的解决方案
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.