
I have a Spring Boot application with this configuration:

server:
  port: 9292

keycloak:
  auth-server-url: http://localhost:8180/auth
  realm: SampleRealm
  resource: non-existing
  public-client: false
  principal-attribute: preferred_username
  credentials:
    secret: wrong-secret
  bearer-only: true

I obtained an access token using another, valid client (cli1, secret1):

curl -X POST \
    -H "Authorization: Basic c2ItYXBwOmEyY2ViZmI2LTBjMzgtNDNiNS1hMDAwLThhYmUzYjU5YjJiMQ==" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'username=someuser&password=somepassword&grant_type=password' \
    "http://localhost:8180/auth/realms/SampleRealm/protocol/openid-connect/token"

Now I use that bearer token to call my Spring Boot service:

curl -X GET \
  http://localhost:9292/me \
  -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJPVE5xWF9jYWRXbEc1dGZYRmJVdEJ2V25hb2NTTGhuSm9LWndpOGxkYjZZIn0.eyJqdGkiOiI5ZTdlMjRmZC1lZDZmLTQzZTItYTFjZC1iMjlkMWRkN2I5ZWUiLCJleHAiOjE1MTk2NjQwODMsIm5iZiI6MCwiaWF0IjoxNTE5NjYzNzgzLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvU2FtcGxlUmVhbG0iLCJhdWQiOiJzYi1hcHAiLCJzdWIiOiIyNTFlZjNhNS1iNTRkLTQ4MmMtYTAzZS0wN2MzN2M0OGE5ZWIiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJzYi1hcHAiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiJlNjdjMDBiYy0zODUxLTQ4ZjYtYTIxZi1hNDVhOGI0NGQyOGMiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbInVtYV9hdXRob3JpemF0aW9uIiwidXNlciJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiJKb3NlIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiamFpbmlnbyIsImdpdmVuX25hbWUiOiJKb3NlIiwiZW1haWwiOiJqYWluaWdvQHByb2ZpbGUuZXMifQ.bkMPSEvUHnVr5QoCsldKcFjKw3E_3Rhdu_SJ6LbgUehysAsLuG6pyjAQ4uqShTKphuXjOUf3E1eFMlttKSxZstCqP7iRU-OyHueGZ-_zGNx1ycvDBWSxCSmQufu9cx_dmnYW4NR9u5sSsZ052eDX0T0VgCvxeTtLJCsoH741SmJIVUvzrkPagKF_M_INVBQ3qaOds74o088qJy4GVJ8eZGqgsW9YOW6nNLV6kERwLAD9WZJoEARCdTBuGARTVJZuJ0lYVI0-jI0wN88T1G3vX3DZS0HIAROmgIait89PZ5wyfOu9u6ohTyFsi3uHV6uSJcN7x7t51snnBpr9KSSMMQ' \
  -H 'Cache-Control: no-cache'

The Spring Boot application is calling the secured endpoint successfully, but this should not be allowed, because the resource (non-existing) and the secret (wrong-secret) do not actually exist; they are not even configured in KeyCloak!! Why does this work? Shouldn't the client validate its client ID and client secret?

o.k.a.BearerTokenRequestAuthenticator    : Verifying access_token
o.k.a.BearerTokenRequestAuthenticator    :  access_token: xxxxxxxxxx.signature
o.k.a.rotation.JWKPublicKeyLocator       : Going to send request to retrieve new set of realm public keys for client non-existing
o.k.a.rotation.JWKPublicKeyLocator       : Realm public keys successfully retrieved for client non-existing. New kids: [OTNqX_cadWlG5tfXFbUtBvWnaocSLhnJoKZwi8ldb6Y]
o.k.a.BearerTokenRequestAuthenticator    : successful authorized

"Realm public keys successfully retrieved for client non-existing". What??? The client non-existing does not exist!!

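As an added illustration (not part of the question or of the Keycloak adapter's code): a bearer-only resource server validates an incoming token with the realm's public keys, so the client secret never enters the picture; what would make the configured resource name matter is comparing it against the token's `aud` claim. The script below mirrors the claims visible in the question's token (iss, aud, azp, exp) in a constructed, unsigned sample and shows the issuer, expiry and audience checks a resource server can apply after signature verification.

```python
import base64
import json
import time

# Constructed sample claims mirroring the question's token; no signature is
# attached because this example only covers the checks after signature
# verification (which the adapter does against the realm's JWKS).
SAMPLE_CLAIMS = {
    "exp": 1519664083, "nbf": 0, "iat": 1519663783,
    "iss": "http://localhost:8180/auth/realms/SampleRealm",
    "aud": "sb-app", "azp": "sb-app", "typ": "Bearer",
    "preferred_username": "jainigo",
}
REALM_ISSUER = "http://localhost:8180/auth/realms/SampleRealm"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    # Hypothetical kid; a real token carries the realm key id (see the log).
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()), ""])


def decode_claims(token: str) -> dict:
    """Parse the payload segment; assumes the signature was already verified."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def check_claims(claims: dict, issuer: str, resource: str, now=None) -> list:
    """Return rejection reasons; an empty list means the token is acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    if now < claims.get("nbf", 0):
        problems.append("not yet valid")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if resource not in aud:  # binds the token to this resource server
        problems.append("audience does not include this resource")
    return problems
```

With `resource: non-existing` the audience check is the only one that fails, which is exactly the binding the signature check alone does not provide.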