
I am trying to access the list of realm users on a Keycloak server, but I don't understand why the token from Flask-OIDC's built-in get_access_token() method does not work for me.

When I use the token from the request shown below, everything works fine:

import json
from urllib.parse import urlencode

from httplib2 import Http

# client_secrets is the parsed client_secrets.json shown below
with open('client_secrets.json') as f:
    client_secrets = json.load(f)

# client_credentials grant: the client authenticates as itself, no user involved
body_dict = {
    'grant_type': 'client_credentials',
    'client_id': client_secrets['web']['client_id'],
    'client_secret': client_secrets['web']['client_secret']
}

headers = {
    'Content-Type': 'application/x-www-form-urlencoded'
}

resp, content = Http().request(
    uri=client_secrets['web']['token_uri'],
    method='POST',
    headers=headers,
    body=urlencode(body_dict)
)

# Fail loudly on a non-200 instead of choking on an error body in json.loads
if resp.status != 200:
    raise RuntimeError(f"token endpoint returned {resp.status}: {content!r}")

token = json.loads(content.decode('utf-8'))['access_token']

But when token = openid_connect.get_access_token() I receive {"error":"HTTP 401 Unauthorized"}

Here is my client_secrets.json file:

{
  "web": {
    "auth_uri": "http://localhost:8080/auth/realms/my_realm/protocol/openid-connect/auth",
    "client_id": "tracker",
    "client_secret": "b76d7cfb-02d7-4c7b-8fd8-85604e620e1a",
    "redirect_uris": [
      "http://localhost:9000/oidc_callback"
    ],
    "userinfo_uri": "http://keycloak:8080/auth/realms/my_realm/protocol/openid-connect/userinfo",
    "token_uri": "http://keycloak:8080/auth/realms/my_realm/protocol/openid-connect/token",
    "token_introspection_uri": "http://keycloak:8080/auth/realms/my_realm/protocol/openid-connect/token/introspect"
  }
}

The token from the get_access_token() method:

{
  "exp": 1627897825,
  "iat": 1627897525,
  "auth_time": 1627897525,
  "jti": "6456732f-d1ac-4d3f-91c9-b3fb1f40f756",
  "iss": "http://localhost:8080/auth/realms/my_realm",
  "aud": [
    "realm-management",
    "account"
  ],
  "sub": "abeea329-1e46-472d-9474-56bffe111701",
  "typ": "Bearer",
  "azp": "tracker",
  "session_state": "9e2a7d90-b04c-4d4b-b2c3-ea8e76dab9a8",
  "acr": "1",
  "realm_access": {
    "roles": [
      "default-roles-my_realm",
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "realm-management": {
      "roles": [
        "view-users",
        "query-groups",
        "query-users"
      ]
    },
    "tracker": {
      "roles": [
        "tracker_role_admin"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid email profile",
  "email_verified": false,
  "name": "admin_firstname admin_lastname",
  "preferred_username": "tracker_admin",
  "given_name": "admin_firstname",
  "family_name": "admin_lastname",
  "email": "admin@domain.com"
}

Is there some obvious reason it does not work? Maybe Flask-OIDC uses the password grant_type to obtain the token? I did not find a grant_type specified in the OpenIDConnect object's source code, only that it stores the token in the mysterious g object from the flask module.

Thanks in advance!


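An added diagnostic example, not part of the question above and not Flask-OIDC or Keycloak code. Two details visible in the question are worth checking before looking at grant types: the working token is requested from token_uri on keycloak:8080, whereas the Flask-OIDC token carries iss = http://localhost:8080/..., and Keycloak validates a bearer token's issuer against the URL the request arrives on, so a token issued via one hostname and presented to another is rejected even though it is otherwise valid. The helper below decodes a token's payload without verifying it (inspection only), derives the realm's admin users endpoint from the iss claim, checks that the issuer host matches the host the request is going to, and checks the realm-management roles. The function names, the assumption that Keycloak issuers have the form base/realms/realm, and the sample token (constructed from the claims pasted in the question, with a dummy signature) are all mine.

```python
import base64
import json
from urllib.parse import urlsplit


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict WITHOUT verifying the signature.

    For inspection only; never base an authorisation decision on
    unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def admin_users_url(claims: dict) -> str:
    """Derive the realm's admin 'users' endpoint from the token's iss claim.

    Assumption: Keycloak issuers have the form <base>/realms/<realm>; the
    admin REST base for the same realm is <base>/admin/realms/<realm>.
    """
    base, sep, realm = claims["iss"].rstrip("/").rpartition("/realms/")
    if not sep:
        raise ValueError(f"unexpected issuer format: {claims['iss']}")
    return f"{base}/admin/realms/{realm}/users"


def issuer_matches(claims: dict, target_url: str) -> bool:
    """True when scheme and host:port of iss equal those of the request URL.

    Keycloak compares a bearer token's issuer with the URL it receives the
    request on, so a token issued via localhost:8080 and presented to
    keycloak:8080 fails with 401 although it is otherwise valid.
    """
    iss, tgt = urlsplit(claims["iss"]), urlsplit(target_url)
    return (iss.scheme, iss.netloc) == (tgt.scheme, tgt.netloc)


def has_client_role(claims: dict, client: str, role: str) -> bool:
    """Check a client-level role under resource_access (e.g. view-users)."""
    roles = claims.get("resource_access", {}).get(client, {}).get("roles", [])
    return role in roles


def diagnose(token: str, target_url: str) -> list:
    """Return human-readable findings for a token about to be sent to target_url."""
    claims = decode_claims(token)
    findings = []
    if not issuer_matches(claims, target_url):
        findings.append(
            f"issuer host {urlsplit(claims['iss']).netloc} != request host "
            f"{urlsplit(target_url).netloc}; Keycloak will reject this token")
    if not any(has_client_role(claims, "realm-management", r)
               for r in ("view-users", "query-users")):
        findings.append("token lacks realm-management view-users/query-users; "
                        "listing users needs one of them")
    return findings


def _unsigned_sample_token(claims: dict) -> str:
    """CONSTRUCTED sample: a structurally valid JWT with a dummy signature so
    the checks can run offline. Never accept such a token in real code."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([seg({"alg": "RS256", "typ": "JWT"}), seg(claims), "sig"])


# Claims mirroring the token pasted in the question (constructed, not a real token)
SAMPLE_CLAIMS = {
    "iss": "http://localhost:8080/auth/realms/my_realm",
    "aud": ["realm-management", "account"],
    "azp": "tracker",
    "typ": "Bearer",
    "resource_access": {
        "realm-management": {"roles": ["view-users", "query-groups", "query-users"]},
        "tracker": {"roles": ["tracker_role_admin"]},
    },
    "scope": "openid email profile",
}

if __name__ == "__main__":
    tok = _unsigned_sample_token(SAMPLE_CLAIMS)
    # The localhost-issued token sent to the docker hostname used in token_uri
    for line in diagnose(tok, "http://keycloak:8080/auth/admin/realms/my_realm/users"):
        print("finding:", line)
    print("admin endpoint matching this token's issuer:",
          admin_users_url(decode_claims(tok)))
```

Run this against the real token from get_access_token() and the URL you actually call the admin API on; if the only finding is the issuer mismatch, either call Keycloak on the same hostname the token was issued from or make auth_uri and token_uri use one hostname so both tokens carry the same iss.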