![](/img/trans.png)
[英]Keycloak: Can not read users realm roles as admin cli when calling the admin rest api
[英]JHipster not receiving roles from Keycloak Users when login
我有一个带有 oauth2 的 JHipster 单体应用程序,在本地运行 Keycloak。 我不知道 jhipster 究竟应该如何与 oauth2 一起工作......首先我以为它会自动创建用户,但它没有,所以我配置了keycloak:我创建了jhipster
领域、 web_app
客户端、客户端角色ROLE_ADMIN
和ROLE_USER
,以及具有正确角色的用户admin
和user
。 问题是,当我以管理员身份登录时,它未被识别为ROLE_ADMIN
,因此我无法访问管理员菜单。 所以我开始查看代码,试图了解 Jhipster 如何从 Keycloak 接收凭据,我意识到AccountResource.java
中的OAuth2Authentication
对象没有带来ROLE_ADMIN
,而是ROLE_USER
,我不明白为什么。 json 中的OAuth2Authentication
对象如下所示:
{
"authorities": [
{
"authority": "ROLE_USER"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": "rkkveY_Xa5zFFd0SKu9Of_FLGRnbdiTPHdnpj4gc",
"tokenValue": "eyJhbGciOiJSUzI1...",
"tokenType": "bearer",
"decodedDetails": null
},
"authenticated": true,
"userAuthentication": {
"authorities": [
{
"authority": "ROLE_USER"
}
],
"details": {
"sub": "f348bbbb-9441-4543-9940-9da31e50d877",
"email _verified": true,
"name": "Admin Administrator",
"preferred_username": "admin",
"given_name": "Admin",
"family_name": "Administrator",
"email": "admin@localhost"
},
"authenticated": true,
"principal": "Admin Administrator",
"credentials": "N/A",
"name": "Admin Administrator"
},
"clientO nly": false,
"principal": "Admin Administrator",
"oauth2Request": {
"clientId": "web_app",
"scope": [
],
"requestParameters": {
},
"resourceIds": [
],
"authorities": [
],
"approved": true,
"refresh": false,
"redirectUri": null,
"responseTypes": [
],
"extensions": {
},
"grantType": null,
"refreshTok enRequest": null
},
"credentials": "",
"name": "Admin Administrator"
}
这是 yo-rc.json:
{
"generator-jhipster": {
"promptValues": {
"packageName": "xxxxxxxxxxx"
},
"jhipsterVersion": "5.7.2",
"applicationType": "monolith",
"baseName": "XXXXXXXXXX",
"packageName": "xxxxxxxxxxxxxx",
"packageFolder": "xxxxxxxxxxxxxx",
"serverPort": "8080",
"authenticationType": "oauth2",
"cacheProvider": "ehcache",
"enableHibernateCache": true,
"websocket": false,
"databaseType": "sql",
"devDatabaseType": "h2Disk",
"prodDatabaseType": "mysql",
"searchEngine": false,
"messageBroker": false,
"serviceDiscoveryType": false,
"buildTool": "maven",
"enableSwaggerCodegen": false,
"clientFramework": "angularX",
"useSass": false,
"clientPackageManager": "npm",
"testFrameworks": [],
"jhiPrefix": "jhi",
"otherModules": [],
"enableTranslation": false
}
}
我怎样才能解决这个问题?
在 keycloak 管理中,转到 Clients >> YOUR_CLIENT >> Mappers -> Add new mapper -> 将 mapper type 设置为“User client Role”,将“Token claim name”设置为“authorities”,将 Claim JSON Type 设置为 string。
我遇到了同样的问题,我想这是因为 Keycloak 在另一个声明“resource_access”中提供了客户端角色,而 Spring Boot Security Oauth2 库没有在这里读取角色。
我修改了 UserService.java 以首先尝试通过解码 JWT 令牌来读取这个声明和对应于 clientId 的子值,这更清晰,因为它只读取客户端角色。
public UserDTO getUserFromAuthentication(OAuth2Authentication authentication) {
OAuth2AuthenticationDetails oauth2AuthenticationDetails = (OAuth2AuthenticationDetails) authentication
.getDetails(); // should be an OAuth2AuthenticationDetails
Map<String, Object> details = (Map<String, Object>) authentication.getUserAuthentication().getDetails();
User user = getUser(details);
String tokenValue = oauth2AuthenticationDetails.getTokenValue();
DecodedJWT jwt = JWT.decode(tokenValue);
Map<String, Object> resourceAccessClaim = jwt.getClaim("resource_access").asMap();
String clientId = authentication.getOAuth2Request().getClientId();
if (resourceAccessClaim.containsKey(clientId)) {
((Map<String, Object>) resourceAccessClaim.get(clientId)).values().forEach(rn -> {
user.setAuthorities(extractAuthorities((List<String>) rn));
});
}
if (user.getAuthorities() == null || user.getAuthorities().size() == 0) {
user.setAuthorities(extractAuthorities(authentication, details));
}
// convert Authorities to GrantedAuthorities
Set<GrantedAuthority> grantedAuthorities = user.getAuthorities().stream().map(Authority::getName)
.map(SimpleGrantedAuthority::new).collect(Collectors.toSet());
...
新解决方案
Keycloak的配置可以在下面的链接中看到更多,所以它发送令牌中的角色,我们不需要更改原始代码。
旧解决方案。 效果不太好,因为角色没有进入正常的授予权限 在 UserService.java 我改变了这样:
public UserDTO getUserFromAuthentication(final AbstractAuthenticationToken authToken) {
Map<String, Object> attributes;
if (authToken instanceof OAuth2AuthenticationToken) {
attributes = ((OAuth2AuthenticationToken) authToken).getPrincipal().getAttributes();
} else if (authToken instanceof JwtAuthenticationToken) {
attributes = ((JwtAuthenticationToken) authToken).getTokenAttributes();
} else {
throw new IllegalArgumentException("AuthenticationToken is not OAuth2 or JWT!");
}
User user = getUser(attributes);
JSONArray auths = (JSONArray) attributes.get("authorities");
Set<Authority> authorities = new HashSet<Authority>();
for(int i=0; i<auths.size(); i++){
Authority au = new Authority();
au.setName(auths.get(i).toString());
authorities.add(au);
}
user.setAuthorities(authorities);
return new UserDTO(syncUserWithIdP(attributes, user));
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.