0

大家好,我目前对 Keycloak 有疑问。也许我没有完全了解这一切。

我想做的事:通过 Keycloak 保护 Rest-Service - 这只是承载。客户端从 Keycloak 请求令牌并使用令牌调用 Rest-Service。

到目前为止我做了什么:

步骤 1 保护 Rest-Service:

keycloak.json 文件添加:

{
  "realm": "services",
  "bearer-only": true,
  "auth-server-url": "https://vckeycloak.xxx.xxxxx/auth/",
  "ssl-required": "external",
  "resource": "vux-services",
  "verify-token-audience": true,
  "use-resource-role-mappings": true
}

编辑 web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
   <module-name>vux-services-rs</module-name>
   <security-constraint>
      <web-resource-collection>
         <web-resource-name>VUXServices</web-resource-name>
         <url-pattern>/Keycloak/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
       <role-name>users</role-name>
      </auth-constraint>
   </security-constraint>

   <login-config>
      <auth-method>KEYCLOAK</auth-method>
      <realm-name>services</realm-name>
   </login-config>

   <security-role>
      <role-name>users</role-name>
   </security-role>
</web-app>

--> 如果我现在调用 RestService,则 ReST-Service 是安全的,我得到“未经授权”作为响应

步骤 2 配置 Keycloak

添加一个新领域 添加 2 个客户端 1 个用于服务(作为承载仅称为 vux-services) 1 个用于客户端(称为 Postman,因为我将使用 postman 作为客户端) 定义范围

步骤 3 使用 Postman 请求令牌

请求令牌工作正常。

如果我解码它,它看起来像:

{
  "exp": 1609755969,
  "iat": 1609755669,
  "auth_time": 1609755666,
  "jti": "238a590c-4603-4aa6-8b20-3a0d6a6dfb3d",
  "iss": "https://vckeycloak.xxx.xxxx/auth/realms/services",
  "aud": [
    "vux-services",
    "account"
  ],
  "sub": "xxxxxx",
  "typ": "Bearer",
  "azp": "postman",
  "session_state": "xxxxxx",
  "acr": "1",
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization",
      "users"
    ]
  },
  "resource_access": {
    "vux-services": {
      "roles": [
        "users"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid email vux-services profile",
  "email_verified": false,
  "name": "XXXXX",
  "preferred_username": "user1",
  "given_name": "XXXX",
  "family_name": "XXXX",
  "email": "XXXXX"
}

所以我可以访问令牌中的 vux-services 等资源。如果我现在通过 Postman 调用带有该令牌的其余服务,例如:

带有授权标头的邮递员呼叫

首先,我遇到了 ReST-Service 响应未授权的问题。我能够(在 stackoverflow 的大力支持下)处理这个问题。问题是我没有在授权标头中的令牌前面添加承载(+空格)。

尽管如此,我得到一个 NullPointer 异常:

    <pre>java.lang.NullPointerException
    at java.base/java.net.URI$Parser.parse(URI.java:3104)
    at java.base/java.net.URI.&lt;init&gt;(URI.java:600)
    at java.base/java.net.URI.create(URI.java:881)
    at org.apache.httpcomponents.core//org.apache.http.client.methods.HttpGet.&lt;init&gt;(HttpGet.java:66)
    at org.keycloak.keycloak-adapter-core@11.0.3//org.keycloak.adapters.rotation.JWKPublicKeyLocator.sendRequest(JWKPublicKeyLocator.java:97)
    at org.keycloak.keycloak-adapter-core@11.0.3//org.keycloak.adapters.rotation.JWKPublicKeyLocator.getPublicKey(JWKPublicKeyLocator.java:63)
    at org.keycloak.keycloak-adapter-core@11.0.3//org.keycloak.adapters.rotation.AdapterTokenVerifier.getPublicKey(AdapterTokenVerifier.java:121)
    at org.keycloak.keycloak-adapter-core@11.0.3//org.keycloak.adapters.rotation.AdapterTokenVerifier.createVerifier(AdapterTokenVerifier.java:111)
    at org.keycloak.keycloak-adapter-core@11.0.3//org.keycloak.adapters.rotation.AdapterTokenVerifier.verifyToken(AdapterTokenVerifier.java:47)
    at org.keycloak.keycloak-adapter-core@11.0.3//org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:103)
    at org.keycloak.keycloak-adapter-core@11.0.3//org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:88)
    at org.keycloak.keycloak-adapter-core@11.0.3//org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:67)
    at org.keycloak.keycloak-wildfly-elytron-oidc-adapter@11.0.3//org.keycloak.adapters.elytron.ElytronRequestAuthenticator.authenticate(ElytronRequestAuthenticator.java:44)
    at org.keycloak.keycloak-wildfly-elytron-oidc-adapter@11.0.3//org.keycloak.adapters.elytron.KeycloakHttpServerAuthenticationMechanism.evaluateRequest(KeycloakHttpServerAuthenticationMechanism.java:92)
    at org.wildfly.security.elytron-private@1.12.1.Final//org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:119)
    at org.wildfly.security.elytron-private@1.12.1.Final//org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:85)
    at org.wildfly.security.elytron-private@1.12.1.Final//org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:270)
    at org.wildfly.security.elytron-private@1.12.1.Final//org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$800(HttpAuthenticator.java:249)
    at org.wildfly.security.elytron-private@1.12.1.Final//org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:97)
    at org.wildfly.security.elytron-web.undertow-server@1.7.1.Final//org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:96)
    at org.wildfly.security.elytron-web.undertow-server-servlet@1.7.1.Final//org.wildfly.elytron.web.undertow.server.servlet.ServletSecurityContextImpl.authenticate(ServletSecurityContextImpl.java:115)
    at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
    at io.undertow.core@2.1.3.Final//io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
    at io.undertow.core@2.1.3.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.core@2.1.3.Final//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
    at io.undertow.core@2.1.3.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
    at io.undertow.core@2.1.3.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at org.wildfly.security.elytron-web.undertow-server-servlet@1.7.1.Final//org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)
    at io.undertow.core@2.1.3.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.core@2.1.3.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at org.keycloak.keycloak-wildfly-elytron-oidc-adapter@11.0.3//org.keycloak.adapters.elytron.KeycloakServletExtension.lambda$null$0(KeycloakServletExtension.java:39)
    at io.undertow.core@2.1.3.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
    at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
    at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
    at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
    at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
    at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
    at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
    at org.wildfly.extension.undertow@20.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
    at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
    at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
    at io.undertow.servlet@2.1.3.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
    at io.undertow.core@2.1.3.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:370)
    at io.undertow.core@2.1.3.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
    at org.jboss.threads@2.3.3.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
    at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
    at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
    at java.base/java.lang.Thread.run(Thread.java:834)
</pre>

我将在 WildFly 服务器上安装新的 KeyCloak 适配器,希望问题可能出在某个地方。我会及时更新。

非常感谢您投入时间:-)

4

1 回答 1

0

我的最后一个问题只是证书问题。我通过 Keycloak.json 禁用了信任管理器,现在它工作正常。谢谢你的帮助

于 2021-01-12T08:27:50.803 回答