Why i can't create a new client in KeyCloak with access token from Login() in gocloak?

huangapple
go评论107阅读模式
英文:

Why i can't create a new client in KeyCloak with access token from Login() in gocloak?

问题

我正在编写一个API,用于在Keycloak服务器中创建一个新的客户端。我使用gocloak包与Keycloak服务器进行交互。起初,我将gocloak.Login()函数返回的访问令牌传递给gocloak.CreateClient(),但是在此之后,我收到了403错误。然后我改用gocloak.LoginAdmin()返回的访问令牌,它成功了,成功创建了一个新的客户端。那么是什么导致了gocloak.Login()返回的访问令牌失败?

代码:

  1. func main() {
  3. 	newClientID := "new_client"
  5. 	client := gocloak.NewClient("http://localhost:8080")
  7. 	// The access token returned from Login() causes 403 error
  8. 	jwt, _ := client.Login(context.Background(), "my-go-service", "vizhhp0qnDGaiq4k0aOzzn4RaaqSwU2b", "master", "admin", "Pa55w0rd")
  9. 	_, err := client.CreateClient(context.Background(), jwt.AccessToken, "demorealm", gocloak.Client{ ClientID: &newClientID})
  11. 	if err != nil {
  12. 		fmt.Println(err.Error())
  13. 	}
  15. 	// And the access token returned from LoginAdmin() works
  16. 	jwt, _ = client.LoginAdmin(context.Background(), "admin", "Pa55w0rd", "master")
  17. 	clientID, err := client.CreateClient(context.Background(), jwt.AccessToken, "demorealm", gocloak.Client{ ClientID: &newClientID})
  19. 	if err != nil {
  20. 		fmt.Println(err.Error())
  21. 	} else {
  22. 		fmt.Printf("Client %s created", clientID)
  24. 	}
  26. }

结果:

  1. 403 Forbidden: unknown_error
  2. Client d869fd8d-e5f0-4567-99de-69ccc4403705 created
英文:

I'm writing an API that creates a new client in a keycloak server. I use the gocloak package to interact with the keycloak server. At first i passed in the access token from the gocloak.Login() func to the gocloak.CreateClient() and got a 403 error after that i used the access token from gocloak.LoginAdmin() and it worked, it did create a new client. So what makes the access token returned from gocloak.Login() failed ?

Code:

  1. func main() {
  3. 	newClientID := "new_client"
  5. 	client := gocloak.NewClient("http://localhost:8080")
  7. 	// The access token returned from Login() causes 403 error
  8. 	jwt, _ := client.Login(context.Background(), "my-go-service", "vizhhp0qnDGaiq4k0aOzzn4RaaqSwU2b", "master", "admin", "Pa55w0rd")
  9. 	_, err := client.CreateClient(context.Background(), jwt.AccessToken, "demorealm", gocloak.Client{ ClientID: &newClientID})
  11. 	if err != nil {
  12. 		fmt.Println(err.Error())
  13. 	}
  15. 	// And the access token returned from LoginAdmin() works
  16. 	jwt, _ = client.LoginAdmin(context.Background(), "admin", "Pa55w0rd", "master")
  17. 	clientID, err := client.CreateClient(context.Background(), jwt.AccessToken, "demorealm", gocloak.Client{ ClientID: &newClientID})
  19. 	if err != nil {
  20. 		fmt.Println(err.Error())
  21. 	} else {
  22. 		fmt.Printf("Client %s created", clientID)
  24. 	}
  26. }

Result:

  1. 403 Forbidden: unknown_error
  2. Client d869fd8d-e5f0-4567-99de-69ccc4403705 created

答案1

得分: 2

要使用Keycloak Admin API,其中包括创建客户端的功能,您需要使用admin-cli客户端。

这就是为什么使用以下代码可以正常工作:

  1. jwt, _ = client.LoginAdmin(context.Background(), "admin", "Pa55w0rd", "master")

因为LoginAdmin调用了admin-cli,而以下代码:

  1. jwt, _ := client.Login(context.Background(), "my-go-service", "vizhhp0qnDGaiq4k0aOzzn4RaaqSwU2b", "master", "admin", "Pa55w0rd")

是请求来自客户端"my-go-service"的令牌,该客户端不被允许调用Admin Rest API。因此会返回403 Forbidden: unknown_error。

如果您查看LoginAdmin的实现,您可以确认我所说的:

  1. // LoginAdmin performs a login with Admin client
  2. func (client *gocloak) LoginAdmin(ctx context.Context, username, password, realm string) (*JWT, error) {
  3.     return client.GetToken(ctx, realm, TokenOptions{
  4.         ClientID:  StringP(adminClientID),
  5.         GrantType: StringP("password"),
  6.         Username:  &username,
  7.         Password:  &password,
  8.     })
  9. }

其中

  1. adminClientID string = "admin-cli"
英文:

To use the Keycloak Admin API, which among others allows the creation of clients, you need to use the admin-cli client.

That is why with:

  1. jwt, _ = client.LoginAdmin(context.Background(), "admin", "Pa55w0rd", "master")

works because LoginAdmin calls the admin-cli, whereas:

  1. jwt, _ := client.Login(context.Background(), "my-go-service", "vizhhp0qnDGaiq4k0aOzzn4RaaqSwU2b", "master", "admin", "Pa55w0rd")

is requesting a token from client "my-go-service", which is not allowed to perform calls to the Admin Rest API. Hence:

  1. 403 Forbidden: unknown_error

If you look at the LoginAdmin implementation you can confirm what I have said:

  1. // LoginAdmin performs a login with Admin client
  2. func (client *gocloak) LoginAdmin(ctx context.Context, username, password, realm string) (*JWT, error) {
  3. 	return client.GetToken(ctx, realm, TokenOptions{
  4. 		ClientID:  StringP(adminClientID),
  5. 		GrantType: StringP("password"),
  6. 		Username:  &username,
  7. 		Password:  &password,
  8. 	})
  9. }

where

  1. adminClientID string = "admin-cli"

huangapple
  • 本文由 发表于 2022年6月19日 23:13:12
  • 转载请务必保留本文链接:https://go.coder-hub.com/72678031.html
  • access-token
  • go
  • keycloak
  • keycloak-rest-api
  • rest
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定