Sharing Keycloak users database with Spring Boot resource server

Question

I would like to use Keycloak with a Spring Boot resource server.

I would like to have endpoints which return the user's data. For example getting the user's email from the Authentication object, and then getting the user's posts etc. or their first login date or things of this nature.

Would it be considered bad practice to use the same table for Keycloak's users and "my" users' data?

If it is, how should I approach this problem?

Should I just save the user's data into a separate table / database on the first login?

I would appreciate any advice if my approach is wrong in any way.

I tried doing some research on this topic but didn't find questions on it, just some related to connecting a database to Keycloak.

Answer 1

Score: 1

Here is what I personally use as a guide (these are, to some extent, opinions):

  • what is involved in access control and user ID is present in tokens (this includes roles, permissions, OpenID claims like name or e-mail, etc., but also access data like 1st and last login). Main reason is performance: this requires a round-trip to the database only for each token issuance, which should be much less frequent than security rules evaluation
    • if the data is already in Keycloak, then built-in mappers should be enough (look into the "mappers" configuration, which is accessible in the "Clients -> {client-ID} -> client scopes" tab in latest versions)
    • if the data is hosted by another service, then I create a custom mapper with a REST client (sample in this project)
  • what is related to the domain is spread across resource servers (user "posts" in your listing)

Serving data contained in access tokens from a Spring resource server

You can define a @RestController endpoint like this one:

@GetMapping("me")
@PreAuthorize("isAuthenticated()")
public Map<String, Object> getMe(JwtAuthenticationToken auth) {
    return auth.getTokenAttributes();
}
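As an added example (not code from the answer, from Keycloak or from Spring), this takes the "separate table on first login" option from the question and keys the resource server's own row on the token's sub claim, so Keycloak's user tables are never shared: identity data (email) comes from the token, domain data from the resource server's table. AppUser, AppUserRepository and the firstSeen field are assumed names; it also assumes Spring Boot 3 with spring-boot-starter-oauth2-resource-server, Spring Data JPA and @EnableMethodSecurity.

```java
import java.time.Instant;
import java.util.LinkedHashMap;
import java.util.Map;

import jakarta.persistence.Entity;
import jakarta.persistence.Id;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Resource server's own table (hypothetical AppUser), keyed on the Keycloak "sub" claim.
// It never references Keycloak's own user tables, so the two schemas stay independent.
@Entity
class AppUser {
    @Id
    private String subject;       // stable Keycloak user id from the token's "sub" claim
    private Instant firstSeen;    // set when this resource server first sees the user

    protected AppUser() {}        // required by JPA
    AppUser(String subject, Instant firstSeen) { this.subject = subject; this.firstSeen = firstSeen; }
    public String getSubject() { return subject; }
    public Instant getFirstSeen() { return firstSeen; }
}

interface AppUserRepository extends JpaRepository<AppUser, String> {}

@RestController
class MeController {
    private final AppUserRepository users;
    MeController(AppUserRepository users) { this.users = users; }

    @GetMapping("me")
    @PreAuthorize("isAuthenticated()")
    @Transactional
    public Map<String, Object> getMe(JwtAuthenticationToken auth) {
        String subject = auth.getToken().getSubject();
        // First request from this subject creates the domain row; later requests only read it.
        AppUser user = users.findById(subject)
                .orElseGet(() -> users.save(new AppUser(subject, Instant.now())));
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("email", auth.getTokenAttributes().get("email")); // identity data: from the token
        body.put("firstSeen", user.getFirstSeen());                 // domain data: from our table
        return body;
    }
}
```

Because the row is keyed on sub rather than on email or username, a user renamed in Keycloak keeps the same domain record, and the resource server never needs read access to Keycloak's database.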

huangapple
  • Posted on 2023-05-25 22:55:06
  • Please keep this link when reposting: https://go.coder-hub.com/76333642.html