英文:
Authorization mechanism in Keycloak looking in DB for roles/permissions
问题
我需要在Keycloak中实现授权机制,该机制将根据角色从我的客户数据库中查找用户权限。
我无法在Keycloak的管理控制台中管理这些角色和权限,但我必须编写一些SPI来实现我的授权逻辑。就像实现一个用户存储提供程序来在数据库中查找用户/密码认证一样。
但是我找不到如何实现它。我认为,在认证过程中为用户获取有效令牌之后,应用程序应该将该令牌连同所需执行的操作权限一起发送,以便Keycloak(即我的SPI实现)会验证令牌并搜索数据库以授予权限。
也许授权的流程与我之前想的不同(就是我之前写的那样)。
任何线索将不胜感激。
应用程序应该如何将令牌+权限发送到Keycloak?
如何实现SPI来响应这种请求并验证令牌?
英文:
I need to implement authorization mechanism in Keycloak which looks into my customer's DB for user's permission based in roles.
I can't manage such roles and permissions in Keycloak's admin console but I will have to write some SPI to implement my authorization logic. Something like implementing a User Storage Provider to look in DB for user/password autentication.
But I can't find how to implement it. I think that, after obtaining a valid token for the user in authentication process, the application should send that token along with the permission needed to perform an action so Keycloak (my own SPI implementation) would validate the token and search the DB to grant permission.
Maybe the flow of authorization is different to what I think (what I wrote before).
Any clue would be appreciated.
How should the application send the token + permission to Keycloak?
How to implement a SPI which responds to such petition and validates the token?
答案1
得分: 3
为了回答您的第一个问题:Keycloak将为您处理授权流程,您无需担心这部分。您需要做的就是通过实现UserStorageProvider
接口的方法来提供用户存储SPI。
Keycloak文档链接:https://www.keycloak.org/docs/latest/server_development/index.html#_user-storage-spi
如果您还需要添加角色/权限,您需要实现UserModel
接口,该接口具有处理角色/权限的方法。
Keycloak文档链接:https://www.keycloak.org/docs/latest/server_development/index.html#model-interfaces
要将这两者结合起来,您可以使用UserStorageProvider
从Oracle数据库中获取用户记录,并填充UserModel
字段(电子邮件、姓名、角色等)。
伪代码示例:
注意:更详细的步骤请参阅Keycloak文档:https://www.keycloak.org/docs/latest/server_development/index.html#simple-read-only-lookup-example
public class OracleDbUserStorageProvider implements UserStorageProvider, UserLookupProvider {
private Map<String, UserModel> loadedUsers = new HashMap<>();
private OracleDbRepository oracleDbRepository;
@Override
public UserModel getUserByUsername(String username, RealmModel realm) {
UserModel user = loadedUsers.get(username);
if (user == null) {
OracleUser oracleUser = oracleDbRepository.getUser(username);
if (oracleUser != null) {
user = convertToUserModel(oracleUser);
loadedUsers.put(username, user);
}
}
return user;
}
private UserModel convertToUserModel(OracleUser oracleUser) {
// 将oracleUser的属性赋值给UserModel实例
return userModel; // 转换后的用户模型
}
}
希望这能帮助您朝正确的方向前进。
英文:
To answer your first question: Keycloak will handle the authorization flow for you, you don't need to worry about that part. All you need to do is to provide the User Storage SPI by implementing the methods of the UserStorageProvider
interface.
Keycloak documentation: https://www.keycloak.org/docs/latest/server_development/index.html#_user-storage-spi
To also add the roles/permissions you need to implement the UserModel
interface which has methods for handling roles/permissions. keycloak documentation: https://www.keycloak.org/docs/latest/server_development/index.html#model-interfaces
To combine these two, you would fetch the user record from the Oracle DB using the UserStorageProvider
and fill in the UserModel
fields (email, name, roles, etc..).
Ex pseudo code:
NOTE: look at keycloak documentation for a more detailed walkthrough: https://www.keycloak.org/docs/latest/server_development/index.html#simple-read-only-lookup-example
public class OracleDbUserStorageProvider implements UserStorageProvider, UserLookupProvider {
private Map<String, UserModel> loadedUsers = new HashMap<>();
private OracleDbRepository oracleDbRepository;
@Override
public UserModel getUserByUsername(String username, RealmModel realm) {
UserModel user = loadedUsers.get(username);
if (user == null) {
OracleUser oracleUser = oracleDbRepository.getUser(username);
if (oracleUser != null) {
user = convertToUserModel(oracleUser);
loadedUsers.put(username, user);
}
}
return user;
}
private UserModel convertToUserModel(OracleUser oracleUser) {
// take oracleUser attributes and assign to a UserModel instance
return userModel; // user model converted
}
}
Hope this helps set you in the right direction.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论