Unable to view Access Token and Refresh token in Spring Boot application integrated with Keycloak

Question

We have integrated Keycloak login for a Spring Reactive based Spring Boot application as follows.

Added the OAuth2 client as a Maven dependency

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-oauth2-client</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

Added the properties below in the properties file

spring.security.oauth2.client.registration.keycloak.client-id
spring.security.oauth2.client.registration.keycloak.client-secret
spring.security.oauth2.client.registration.keycloak.authorization-grant-type
spring.security.oauth2.client.registration.keycloak.scope
spring.security.oauth2.client.provider.keycloak.issuer-uri
spring.security.oauth2.client.provider.keycloak.user-name-attribute

SecurityConfig class is as below.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class SecurityConfig {

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // /login is public; everything under /secured/** requires an authenticated
        // session, which is established by the OAuth2/OIDC login flow at Keycloak.
        http.authorizeExchange().pathMatchers("/login").permitAll()
                .and().authorizeExchange().pathMatchers("/secured/**")
                .authenticated()
                .and().oauth2Login();

        return http.build();
    }

}

This is working.
We are using Spring Security 5.7.7 version.

But in the browser I am able to see only the "SESSION" cookie as below. I am unable to view the access token / refresh token.
Please let me know how to view the access token and refresh token.


Answer 1

Score: 1

Requests from a browser to an OAuth2 client aren't secured with OAuth2 access tokens; they are secured with sessions. Only requests from OAuth2 clients to OAuth2 resource servers are secured with access tokens.

If you want to see the access tokens, look into what is configured as an OAuth2 client. In your case, it is the Spring application (on the server), not the rendered template in the browser.

In the Spring Security reactive stack, you might have a look at ServerOAuth2AuthorizedClientRepository or ReactiveOAuth2AuthorizedClientService to access the "authorized client" (which contains references to the tokens).

If you have doubts about OAuth2 concepts and Spring configuration options, I suggest you have a look at my tutorials.
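The following is an added example, not code from the question or the answer above, showing where the tokens actually are in the question's setup and how to read them server-side. The SESSION cookie the browser sees is only an opaque handle; the access token, refresh token and (with the openid scope) the ID token are kept on the server in the ServerOAuth2AuthorizedClientRepository / WebSession, keyed by that session. The example assumes the registration id "keycloak" from the question's properties, a hypothetical package name, hypothetical paths under /secured/** (which the question's SecurityConfig already protects), and that the openid scope is requested so the principal is an OidcUser. Note that the endpoint deliberately returns token metadata only: sending raw access or refresh token values to the browser would turn a server-side secret into a bearer credential exposed to any script or proxy on the client side. If you need the raw values for debugging, set a breakpoint or log them at DEBUG level in the application, not in the browser.

```java
package com.example.demo; // hypothetical package (assumption)

import java.time.Instant;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.reactive.function.client.WebClient;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

// Added example (not the question's or answer's code). Registration id "keycloak"
// comes from the question's properties; the endpoint paths are hypothetical.
@RestController
public class TokenInspectionController {

    private final ServerOAuth2AuthorizedClientRepository authorizedClients;

    public TokenInspectionController(ServerOAuth2AuthorizedClientRepository authorizedClients) {
        this.authorizedClients = authorizedClients;
    }

    // Option 1: let Spring Security resolve the authorized client bound to the
    // current session. Only metadata leaves the server; raw token values do not.
    @GetMapping("/secured/token-info")
    public Map<String, Object> tokenInfo(
            @RegisteredOAuth2AuthorizedClient("keycloak") OAuth2AuthorizedClient client,
            @AuthenticationPrincipal OidcUser user) {
        OAuth2AccessToken accessToken = client.getAccessToken();
        OAuth2RefreshToken refreshToken = client.getRefreshToken(); // may be null

        Map<String, Object> info = new LinkedHashMap<>();
        info.put("principal", client.getPrincipalName());
        info.put("accessTokenType", accessToken.getTokenType().getValue());
        info.put("accessTokenScopes", accessToken.getScopes());
        info.put("accessTokenExpiresAt", accessToken.getExpiresAt());
        info.put("accessTokenExpired", isExpired(accessToken.getExpiresAt()));
        info.put("hasRefreshToken", refreshToken != null);
        // The OIDC ID token lives on the principal (OidcUser), not on the authorized client.
        info.put("idTokenSubject", user.getIdToken().getSubject());
        info.put("idTokenExpiresAt", user.getIdToken().getExpiresAt());
        return info;
    }

    // Option 2: look the authorized client up explicitly. This is what a service
    // layer would do when it has the Authentication and ServerWebExchange at hand.
    @GetMapping("/secured/token-present")
    public Mono<Boolean> tokenPresent(Authentication authentication, ServerWebExchange exchange) {
        return authorizedClients
                .<OAuth2AuthorizedClient>loadAuthorizedClient("keycloak", authentication, exchange)
                .map(c -> c.getAccessToken() != null)
                .defaultIfEmpty(false);
    }

    static boolean isExpired(Instant expiresAt) {
        return expiresAt != null && Instant.now().isAfter(expiresAt);
    }
}

// The supported way to actually *use* the access token: a WebClient that attaches
// it as a Bearer token on calls to a resource server and refreshes it (using the
// stored refresh token) when it has expired. Nothing here touches the browser.
@Configuration
class KeycloakWebClientConfig {

    @Bean
    WebClient keycloakWebClient(ReactiveClientRegistrationRepository registrations,
                                ServerOAuth2AuthorizedClientRepository authorizedClients) {
        ServerOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServerOAuth2AuthorizedClientExchangeFilterFunction(registrations, authorizedClients);
        oauth2.setDefaultClientRegistrationId("keycloak");
        return WebClient.builder().filter(oauth2).build();
    }
}
```

With the question's SecurityConfig in place, logging in and then requesting /secured/token-info returns the principal name, token type, scopes and expiry, confirming that the tokens exist server-side even though the browser only ever holds the SESSION cookie. The injected WebClient is the piece to hand to any code that must call a Keycloak-protected resource server on the user's behalf.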

huangapple
  • Posted by huangapple on 2023-05-22 23:00:02
  • Please keep this link when reposting: https://go.coder-hub.com/76307475.html