英文:
Sharing Keycloak users database with Spring Boot resource server
问题
I would like to use Keycloak with a spring boot resource server.
我想要在Spring Boot资源服务器中使用Keycloak。
I would like to have endpoints which return the users data. For example getting the users email from the Authentication object, and then getting the users posts etc. or their first login date or things of this nature.
我想要有一些端点来返回用户的数据。例如,从Authentication对象中获取用户的电子邮件,然后获取用户的帖子等信息,或者是他们的首次登录日期或类似的信息。
Would it be considered bad practice to use the same table for Keycloak's users and "my" users data?
是否将Keycloak的用户和“我的”用户数据存储在同一张表中会被认为是不良做法?
If it is, how should I approach this problem.
如果是,我应该如何解决这个问题。
Should I just save the users data into a separate table / database on the first login?
我是否应该在首次登录时将用户数据保存到单独的表格或数据库中?
I would appreciate any advice if my approach is wrong in any way 
如果我的方法有任何问题,我会很感激任何建议。
英文:
I would like to use Keycloak with a spring boot resource server.
I would like to have endpoints which return the users data. For example getting the users email from the Authentication object, and then getting the users posts etc. or their first login date or things of this nature.
Would it be concidered bad practice to use the same table for keycloak's users and "my" users data?
If it is, how should I approach this problem.
Should I just save the users data into a separate table / database on the first login?
I would appreciate any advice if my approach is wrong in any way
I tried doing some research on this topic but didn't find questions in this topic. Just some ones related to connecting a database to Keycloak.
答案1
得分: 1
以下是翻译好的部分:
这是我个人用作指南的内容(这些都是某种程度上的意见):
- 访问控制涉及到令牌中是否包含用户ID(包括角色、权限、OpenID声明,如姓名或电子邮件等,还包括访问数据,如首次和最后登录时间)。主要原因是性能:这仅需要在每个令牌发放时与数据库进行一次往返,这应该比安全规则评估频率低得多。
- 与领域相关的内容分散在资源服务器中(在你的清单中是用户的“帖子”)
从Spring资源服务器中提供包含在访问令牌中的数据
您可以定义一个像这样的@RestController端点:
@GetMapping("me")
@PreAuthorize("isAuthenticated()")
public Map<String, Object> getMe(JwtAuthenticationToken auth) {
return auth.getTokenAttributes();
}
英文:
Here is what I personally use a guide (this are somehow opinions):
- what is involved in access control and user ID is present in tokens (this includes roles, permissions, OpenID claims like name or e-mail, etc., but also access data like 1st and last login). Main reason is performance: this require a round-trip to database only for each token issuance, which should be much less frequent than security rules evaluation
- if the data is already in Keycloak, then built-in mappers should be enough (look into "mappers" configuration, which is accessible in "Clients -> {client-ID} -> client scopes" tab in latest versions
- if the data is hosted by another service, then I create a custom mapper with a REST client (sample in this project)
- what is related to domain is spread across resource servers (user "posts" in your listing)
Serving data contained in access tokens from Spring resource server
You can define a @RestController endpoint like this one:
@GetMapping("me")
@PreAuthorize("isAuthenticated()")
public Map<String, Object> getMe(JwtAuthenticationToken auth) {
return auth.getTokenAttributes();
}
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论