2

我需要在哪里发送请求以更新访问令牌?因为如果我向我的资源服务发送请求,即使网守更新了令牌,我也会遇到令牌过期异常。

我想使用刷新令牌更新访问令牌。网守文档说“如果对访问令牌的请求包含刷新令牌并且 --enable-refresh-tokens 设置为 true,则代理将自动为您刷新访问令牌。” - https://www.keycloak.org/docs/latest/securing_apps/index.html#refresh-tokens

实际上,当令牌过期时,网守会更新访问令牌并将其注入响应中的某处,但是当请求被转发到资源服务时,我有 ExpiredJwtException,因为请求中没有新的刷新令牌。我可以在失败的响应中看到有一个旧令牌而不是新令牌。但是,如果资源服务端发生超时错误并且网守向用户返回自己的响应,那么我可以看到访问和刷新令牌已更新。

这是网守日志:

1.5732098220167706e+09  info    keycloak-gatekeeper/middleware.go:154   accces token for user has expired, attemping to refresh the token   {"client_ip": "172.18.0.1:36270", "email": "demo@demo1.com"}
1.5732098220504465e+09  info    keycloak-gatekeeper/middleware.go:206   injecting the refreshed access token cookie {"client_ip": "172.18.0.1:36270", "cookie_name": "kc-access", "email": "demo@demo1.com", "refresh_expires_in": 3600, "expires_in": 59.949554727}
1.573209822050499e+09   debug   keycloak-gatekeeper/middleware.go:226   renew refresh cookie with new refresh token {"refresh_expires_in": 3600}
1.5732098220505428e+09  debug   keycloak-gatekeeper/middleware.go:367   access permitted to resource    {"access": "permitted", "email": "demo@demo1.com", "expires": -5.050542554, "resource": "/*"}
1.573209851051063e+09   info    keycloak-gatekeeper/middleware.go:90    client request  {"latency": 29.036757293, "status": 500, "bytes": 44, "client_ip": "172.18.0.1:36270", "method": "GET", "path": "/ping"}
4

1 回答 1

0

刷新令牌加密存储在HTTP 标头中的kc-statecookie 中。Set-Cookie要转发此请求,您需要将kc-state参数添加到CookieHTTP 标头。

请参阅https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

HTTP/2.0 200 OK
Content-Type: text/html
Set-Cookie: kc-state=blabla
Set-Cookie: another-cookie=yadada

GET /sample_page.html HTTP/2.0
Host: www.example.org
Cookie: kc-state=blabla; another-cookie=yadada

如果您有前端,Cookie则会自动添加标题。

于 2020-10-28T14:25:49.617 回答