
Simplest way to get current user logged in Keycloak

I have implemented a really simple keycloak integration on my maven java web app. Assuming I am calling a url directly for the keycloak login page:

http://localhost:8180/auth/realms/myrealm/protocol/openid-connect/auth?client_id=myclientid&response_type=code&scope=openid&redirect_uri=http//localhost:8080/mypage.html

After entering my username & password, on success I am being redirected to mypage.html; the url is like this:

http://localhost:8080/mypage.html?session_state=c9482da3-50ff-4176-bf3c-54227271c661&code=5d4aebda-54d8-41ad-8205-c4d7e021770f.c9482da3-50ff-4176-bf3c-54227271c661.d5c1b6ac-c427-46da-8509-f2689849103b

If I break this down it's:

http://localhost:8080/mypage.html?
session_state=c9482da3-50ff-4176-bf3c-54227271c661&
code=5d4aebda-54d8-41ad-8205-c4d7e021770f.c9482da3-50ff-4176-bf3c-54227271c661.d5c1b6ac-c427-46da-8509-f2689849103b

What would be the simplest, easiest way to get the user currently logged in so I can display their name?

Looking at the requests you have made, you have not completed the OIDC code flow.

I'm assuming that your java application is acting as the OIDC client, in which case it will need to exchange the authorization code for access, id and refresh tokens by calling the token endpoint of your realm.

e.g.

POST /auth/realms/myrealm/protocol/openid-connect/token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
  &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

A description of the Token Request

The simplest way would be to use a Java OIDC client or OAuth2 client to do the authorisation and code exchange for you and provide OAuth2/OIDC token primitives for you to code against.

Have a look at: Scribe Java OAuth2 client, Nimbus OIDC SDK

The details of the user will be in claims within the tokens returned by the token endpoint, if you are including the user claims in your tokens.

Edit: The OIDC Authorization code flow is one of the OIDC authorisation flows. It provides the benefit of not exposing any of the actual tokens to the user agent - eg web browser - and allows the oidc client to authenticate with the token server before exchanging the code for the OIDC tokens.

At a high level the following occurs:

  1. OIDC Client makes an authentication request

  2. Client authenticates - this could be an end user

  3. Authorisation server returns an Authorisation code - on a redirect - to the client

  4. OIDC Client retrieves Access, ID and Refresh Tokens from the authorisation server's token endpoint

  5. If needed, user info is retrieved from the UserInfo endpoint or the access token is inspected using the introspect endpoint

Details of the actual user will be in claims within the ID token, which is a plain JWT. Keycloak allows you to embed the claims in the Access token too.

After authentication with Keycloak you will be redirected back to your web application's redirect URI.

As per your breakdown:

http://localhost:8080/mypage.html?
session_state=c9482da3-50ff-4176-bf3c-54227271c661&
code=5d4aebda-54d8-41ad-8205-c4d7e021770f.c9482da3-50ff-4176-bf3c-54227271c661.d5c1b6ac-c427-46da-8509-f2689849103b

Your request handler will need to extract the code from that request and then make another call to keycloak to exchange the authorisation code for Access, ID and refresh tokens.

e.g.

POST /auth/realms/myrealm/protocol/openid-connect/token HTTP/1.1
Host: localhost:8180
Content-Type: application/x-www-form-urlencoded
Authorization: <whatever method your oidc client is using>

grant_type=authorization_code&
code=5d4aebda-54d8-41ad-8205-c4d7e021770f.c9482da3-50ff-4176-bf3c-54227271c661.d5c1b6ac-c427-46da-8509-f2689849103b&
client_id=myclientid&
redirect_uri=....

Ideally you have a route handler for accepting the tokens - maybe a tokens endpoint that also accepts query parameters that indicate the original uri requested, so that you can redirect back to that if this is a user-facing web application. If it is completely programmatic then you can achieve all of it using the nimbus sdk.

This has a good summary of the various parts of the Authorization Code flow: https://rograce.github.io/openid-connect-documentation/explore_auth_code_flow
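As an added illustration (not part of the original question or answer, and not Keycloak's or Nimbus's code), the Python below walks through the two steps the answer describes: extracting the authorization code from the redirect URL shown in the question, building the back-channel POST to the realm token endpoint, and then reading the user's name out of the ID token claims with the issuer, audience and expiry checks a client has to make before trusting them. The realm, client id, client secret and ID token are all constructed values for this example; the token uses a placeholder signature, so the signature check against the realm's JWKS (which needs the network) is deliberately left out and called out in the docstring.

```python
import base64
import json
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for this example (hypothetical realm, client and secret).
KEYCLOAK_BASE = "http://localhost:8180"
REALM = "myrealm"
CLIENT_ID = "myclientid"
CLIENT_SECRET = "example-client-secret"  # constructed; a real one lives in server config
REDIRECT_URI = "http://localhost:8080/mypage.html"
ISSUER = f"{KEYCLOAK_BASE}/auth/realms/{REALM}"  # Keycloak issuer for the legacy /auth path


def extract_code(redirect_url: str) -> str:
    """Pull the authorization code out of the URL Keycloak redirected the browser to."""
    params = parse_qs(urlsplit(redirect_url).query)
    codes = params.get("code")
    if not codes:
        raise ValueError("redirect URL carries no authorization code")
    return codes[0]


def build_token_request(code: str) -> Tuple[str, Dict[str, str], str]:
    """Build the back-channel POST that exchanges the code for access, ID and refresh tokens.

    Returns (url, headers, form_body). The client authenticates with HTTP Basic
    (client_id:client_secret) on the server side, so the secret never reaches the browser.
    """
    url = f"{ISSUER}/protocol/openid-connect/token"
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {basic}",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the redirect_uri sent on the /auth request
        "client_id": CLIENT_ID,
    })
    return url, headers, body


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str, now: Optional[int] = None) -> Dict:
    """Decode the ID token payload and check the claims that bind it to this client.

    Only the claim checks are shown here; before trusting the claims, the signature
    must also be verified against the realm's JWKS (Keycloak signs with RS256 by default).
    """
    try:
        _header, payload, _signature = id_token.split(".")
    except ValueError:
        raise ValueError("ID token is not a three-segment JWT")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("ID token was not issued for this client")
    if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
        raise ValueError("ID token has expired")
    return claims


def user_display_name(claims: Dict) -> str:
    """Pick the name to show: Keycloak's 'name' claim, else preferred_username, else sub."""
    return claims.get("name") or claims.get("preferred_username") or claims["sub"]


# --- constructed sample input, standing in for a real Keycloak redirect and response ---

EXAMPLE_REDIRECT = (
    "http://localhost:8080/mypage.html?"
    "session_state=c9482da3-50ff-4176-bf3c-54227271c661&"
    "code=5d4aebda-54d8-41ad-8205-c4d7e021770f.c9482da3-50ff-4176-bf3c-54227271c661.d5c1b6ac-c427-46da-8509-f2689849103b"
)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


# A fake ID token with a placeholder signature; claims chosen to pass the checks above.
EXAMPLE_ID_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({
        "iss": ISSUER, "aud": CLIENT_ID, "sub": "constructed-subject-id",
        "iat": 1_700_000_000, "exp": 1_700_000_300,
        "preferred_username": "jdoe", "name": "Jane Doe",
    }).encode()),
    "placeholder-signature",
])

if __name__ == "__main__":
    url, headers, body = build_token_request(extract_code(EXAMPLE_REDIRECT))
    print("POST", url)
    print(body)
    print("Logged in as:", user_display_name(id_token_claims(EXAMPLE_ID_TOKEN, now=1_700_000_000)))
```

The token request is built but not sent, so the script runs offline; in the real handler the (url, headers, body) triple goes to an HTTP client from the server side, never from the page in the browser. The `redirect_uri` in the form body has to be byte-for-byte the one used on the `/auth` request, which is why it is a single constant here rather than taken from the incoming request.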
