0

我的目标是获得两个资源服务器特定的访问令牌,其中仅包含特定于相应资源服务器的数据。

我有以下设置:一个公共客户端正在使用 2 个资源服务器。

在配置客户端用户领域角色客户端范围并使用范围参数后,我可以创建 2 个不同的资源服务器特定访问令牌:

{
  "exp": 1603234566,
  "iat": 1603216566,
  "jti": "13ae00ac-ce57-43ce-8b47-39ad6d5445cd",
  "iss": "http://localhost:8080/auth/realms/fitness-realm",
  "aud": "fitness-resource-server-1",
  "sub": "de1f0820-f4d9-49be-a6d1-c8faef083ffc",
  "typ": "Bearer",
  "azp": "fitness-client",
  "session_state": "47ea42f9-42ac-452e-9e54-be6d705e9a61",
  "acr": "1",
  "realm_access": {
    "roles": [
      "fitness_user"
    ]
  },
  "scope": "openid email profile client_scope_fitness_resource_server_1_roles",
  "email_verified": false,
  "preferred_username": "bill"
}


{
  "exp": 1603235280,
  "iat": 1603217280,
  "jti": "fb75a956-6ed4-4edd-8e20-2cd9678d4869",
  "iss": "http://localhost:8080/auth/realms/fitness-realm",
  "aud": "fitness-resource-server-2",
  "sub": "de1f0820-f4d9-49be-a6d1-c8faef083ffc",
  "typ": "Bearer",
  "azp": "fitness-client",
  "session_state": "966aa651-0534-43d4-9413-a8c141ee8549",
  "acr": "1",
  "realm_access": {
    "roles": [
      "fitness_user"
    ]
  },
  "scope": "openid email profile client_scope_fitness_resource_server_2_roles",
  "email_verified": false,
  "preferred_username": "bill"
}

在登录过程中,我将scope参数设置为client_scope_fitness_resource_server_1_roles并获取第一个资源服务器 1 特定的访问令牌。由于我在登录过程中只获得一个访问令牌并且我的客户端是公共的,因此我想使用资源服务器 1 通过使用 Keycloak 的内部令牌到内部令牌令牌交换功能来获取第二个 - 资源服务器 2 特定的访问令牌。我按照说明进行操作,并且可以通过此调用获得第二个令牌:

curl -X POST http://localhost:8080/auth/realms/fitness-realm/protocol/openid-connect/token \
    -d "client_id=fitness-resource-server-1” \
    -d "client_secret=<my_secret>" \
    -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \ 
    -d "subject_token=$FIRST_ACCESS_TOKEN" \
    -d "requested_token_type=urn:ietf:params:oauth:token-type:refresh_token" \
    -d "audience=fitness-resource-server-2" |jq

但是,如果我查看第二个令牌的内部,它包含我想要的更多信息:

{
  "exp": 1603234572,
  "iat": 1603216572,
  "jti": "4f4b0fb6-d759-4c6a-b35d-7e2a998b5a20",
  "iss": "http://localhost:8080/auth/realms/fitness-realm",
  "aud": [
    "other_resource_server",
    "fitness-client",
    "other_client",
    "account",
    "fitness-resource-server-2"
  ],
  "sub": "de1f0820-f4d9-49be-a6d1-c8faef083ffc",
  "typ": "Bearer",
  "azp": "fitness-resource-server-1",
  "session_state": "47ea42f9-42ac-452e-9e54-be6d705e9a61",
  "acr": "1",
  "realm_access": {
    "roles": [
      "fitness_user",
      "offline_access",
      "uma_authorization"
    ]
  },
  "scope": "email profile",
  "email_verified": false,
  "preferred_username": "bill"
}

我的问题是,如何配置 Keycloak 以使第二个访问令牌不包含角色“offline_access”和“uma_authorization”以及 aud:“other_resource_server”、“fitness-client”、“other_client”、“account”?

4

1 回答 1

0

我找到了解决方案:-)

我必须将资源服务器 2 的设置-访问类型配置从承载仅更改为机密,禁用所有流/授权,并且通过此更改,我也可以在资源服务器 2 中配置客户端范围范围

即使因为我不需要机密(流/授权、凭据等) ,我也必须从仅持有者更改为机密,这并不是很好,但这使得更改访问令牌输出成为可能。

于 2020-10-20T18:39:35.830 回答