0

我使用 Spring Security Oauth2 Client 和 Keycloak 作为身份提供者。

我的应用程序将部署多个域,我们想使用 Keycloak 的单个实例。

我在 Keycloak 的单个实例中设置了 2 个领域,将它们视为不同的租户。

在 application.properties 中,我为两个租户设置了属性 -

但是为什么带有 URL 的应用程序 1 - http://demo-app-1.com将重定向到 keycloak 1,同样对于带有 URL 的应用程序 2 - http://demo-app-2.com将重定向到 keycloak 2。

server.port=8300
spring.security.oauth2.client.registration.demo1.client-name=spring-boot-web
spring.security.oauth2.client.registration.demo1.client-id=spring-boot-web
spring.security.oauth2.client.registration.demo1.client-secret=213e66d5-206f-4948-bd9d-bfa14a70c4cf
spring.security.oauth2.client.registration.demo1.provider=keycloak
spring.security.oauth2.client.registration.demo1.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.demo1.redirect-uri=http://localhost:8300

spring.security.oauth2.client.provider.keycloak.authorization-uri=http://localhost:8081/auth/realms/spring-boot/protocol/openid-connect/auth
spring.security.oauth2.client.provider.keycloak.token-uri=http://localhost:8081/auth/realms/spring-boot/protocol/openid-connect/token


spring.security.oauth2.client.registration.demo2.client-name=spring-boot-web
spring.security.oauth2.client.registration.demo2.client-id=spring-boot-web
spring.security.oauth2.client.registration.demo2.client-secret=d69a7fd1-2297-49d0-b236-7b8039c845b2
spring.security.oauth2.client.registration.demo2.provider=keycloak2
spring.security.oauth2.client.registration.demo2.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.demo2.redirect-uri=http://localhost:8301

spring.security.oauth2.client.provider.keycloak2.authorization-uri=http://localhost:8081/auth/realms/spring-boot-2/protocol/openid-connect/auth
spring.security.oauth2.client.provider.keycloak2.token-uri=http://localhost:8081/auth/realms/spring-boot-2/protocol/openid-connect/token

查询- 我们是否可以设置任何其他属性,可以将请求自动路由到 Keycloak 中的相应领域?

当我点击需要绕过的应用程序 URL 时,我得到一个页面来选择提供商

在此处输入图像描述

4

1 回答 1

0

这是不透明令牌(多租户配置)的示例,这可能会有所帮助 - Spring Security 中多租户的关键是身份验证管理器解析器

@Component public class CustomAuthenticationManagerResolver implements AuthenticationManagerResolver {

@Override
public AuthenticationManager resolve(HttpServletRequest request) {
    String tenantId = request.getHeader("tenant");
    OpaqueTokenIntrospector opaqueTokenIntrospector;
    if (tenantId.equals("1")) {
        opaqueTokenIntrospector =  new NimbusOpaqueTokenIntrospector(
                "https://test/authorize/oauth2/introspect",
                "clientId",
                "clientSecret"
        );
    } else {
        opaqueTokenIntrospector =  new NimbusOpaqueTokenIntrospector(
                "https://test/authorize/oauth2/introspect",
                "clientId",
                "clientSecret");
    }
    return new OpaqueTokenAuthenticationProvider(opaqueTokenIntrospector)::authenticate;
}
}

网络安全配置

@Autowired
 private CustomAuthenticationManagerResolver customAuthenticationManagerResolver;




     @Override
        public void configure(HttpSecurity http) throws Exception {
         http.anyRequest()
                        .authenticated().and().oauth2ResourceServer()
                        .authenticationEntryPoint(restEntryPoint).authenticationManagerResolver(customAuthenticationManagerResolver);
    }
于 2021-10-06T19:18:07.077 回答