如何让所有可以访问特定资源的keycloak用户
[英]how to get all keycloak users who can access to a specific resource
问题描述
I have a KC instance where I have some clients with the Authorization option enabled.
我有一个 KC 实例,我有一些客户端启用了Authorization选项。 All works well, but, acting as a client, I need this specific information: Given a certain resource with specific scopes I want the list of users who have accesse to this resource.一切正常,但作为客户,我需要以下特定信息:给定具有特定范围的特定资源,我想要有权访问该资源的用户列表。
I've explored the available APIs multiple times without success.我已经多次探索可用的 API,但都没有成功。 Is there a way to obtain this information or do I necessary need to extends KC capabilities with a dedicated SPI?有没有办法获取此信息,或者我是否需要使用专用 SPI 扩展 KC 功能?
2 个解决方案
解决方案1
0 2022-11-28 18:42:19
Unfortunately, you cannot.不幸的是,你不能。 Keycloak authorization mechanism examines only when it has input. Keycloak授权机制只有在有输入时才会检查。 Here your input is User.此处您的输入是用户。 To do that, you have to ask for all users.为此,您必须询问所有用户。 This is not practical bcz there might be thousand of users.这是不切实际的,因为可能有成千上万的用户。
Resource servers (applications or services serving protected resources) usually rely on some kind of information to decide if access should be granted to a protected resource.
解决方案2
0 2022-11-28 19:10:52
It is possible by Admin rest-API for finding a specific resource's all of user.管理员 rest-API 可以找到特定资源的所有用户。
This steps这一步
I am using Keycloak v18.0.2 (if use v19/v20, just remove auth in API endpoint)我正在使用 Keycloak v18.0.2(如果使用 v19/v20,只需删除auth端点中的身份验证)
#1 Get specific client uuid #1 获取特定客户端uuid
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}
#2 Get specific resource uuid #2 获取特定资源uuid
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/resource/{resource-uuid}
#3 Get specific permission of #2 #3 获得#2 的特定许可
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/resource/{resource-uuid}/permissions
#4 Get policy of #3 Get policy and permission list #4 获取策略 #3 获取策略和权限列表
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy
Get policy of specific permission获取特定权限的策略
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy/{permission-uuid}/associatedPolicies
#5 Get user list of #4 #5 获取#4的用户列表
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy/{policy-uuid}
The user list will return in body of response用户列表将在响应正文中返回
{
"id": {policy-uuid},
"name": {policy-name},
"config": {
"users": "[array of {user-uuid}]"
}
}
Demo by UI UI演示
I will find all of user in resource1 of my-test client.我将在my-test客户端的resource1中找到所有用户。
It assosicated permission1它关联了permission1
permissions1 apply policy1 permissions1 1 应用policy1
policy 's user two users policy的用户两个用户
Demo by API API演示
Same step by APIs API 的相同步骤
Find client uuid查找客户端uuid
Find a specific resource uuid查找特定资源 uuid
Get specific resource获取特定资源
Get permission and policy list获取权限和策略列表
Get associated policy for permission获取关联策略以获取权限
Get user list for policy获取策略的用户列表
That user uuid matched user list该用户 uuid 匹配用户列表
So you can find resource1 's user are user1 and user3所以你可以找到resource1的用户是user1和user3
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.