Keycloak - manage realm data from server side application

huangapple · go

Question

I have a Spring Boot REST API that uses Keycloak for authentication.

I have the need to handle certain realm actions (e.g. user creation) without giving the current user the "manage-user" role of the "realm-management" client.

I kinda solved this by adding a special user to the realm, and giving him the correct role. Every time I want to do a user-related task, I log in with this special user and use him to perform the action (I had to change my client type from "bearer only" to "confidential" for this to work).

I was wondering if there are better solutions that I can adopt to solve this problem.

Answer 1

Score: 0


In Keycloak, declare a client with Client authentication and Service accounts roles enabled. Also allow this client to perform the Keycloak API calls you want.

Then declare a client registration with client_credentials in your Spring configuration:

spring:
  security:
    oauth2:
      client:
        provider:
          keycloak:
            # realm issuer; Spring resolves the token endpoint from its OpenID discovery document
            issuer-uri: https://localhost:8443/realms/master
        registration:
          robot:
            # service-account flow: the application authenticates as itself, no user involved
            authorization-grant-type: client_credentials
            client-id: my-client-with-client-credentials
            client-secret: change-me
            provider: keycloak
            scope:
            - openid
            - profile
            - offline_access

Refer to your REST client documentation to authorize its requests with access tokens from the OAuth2AuthorizedClientRepository (using your new client ID).

For WebClient in servlet environments, it is documented there.
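Putting the answer's pieces together end to end, as an added example that is not code from the original answer: a Spring configuration that obtains client_credentials tokens for the "robot" registration above and a service that calls the Keycloak Admin REST API with them to create a user. It assumes Spring Boot 3 / Spring Security 6 with spring-boot-starter-oauth2-client and spring-boot-starter-webflux (for WebClient) on the classpath, and that the service account of the Keycloak client behind "robot" holds the manage-users role of the realm-management client. The package, bean names, base URL and realm name are hypothetical.

```java
// Added example (not code from the original answer). Assumes Spring Boot 3 / Spring Security 6,
// the "robot" registration from the YAML above, and a service account holding manage-users on
// the realm-management client. Package, bean names, base URL and realm name are hypothetical.
package example.keycloak;

import java.net.URI;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.stereotype.Service;
import org.springframework.web.reactive.function.client.WebClient;
import org.springframework.web.reactive.function.client.WebClientResponseException;

@Configuration
class KeycloakAdminClientConfig {

    // Obtains tokens with the client_credentials grant. This manager needs no HttpServletRequest,
    // so it works from controllers and from background jobs alike, and the token it caches is
    // the service account's, never the end user's.
    @Bean
    OAuth2AuthorizedClientManager robotClientManager(ClientRegistrationRepository registrations,
                                                     OAuth2AuthorizedClientService clientService) {
        OAuth2AuthorizedClientProvider provider =
                OAuth2AuthorizedClientProviderBuilder.builder().clientCredentials().build();
        var manager = new AuthorizedClientServiceOAuth2AuthorizedClientManager(registrations, clientService);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }

    // WebClient that attaches the "robot" bearer token to every request it sends.
    @Bean
    WebClient keycloakAdminClient(OAuth2AuthorizedClientManager robotClientManager) {
        var oauth2 = new ServletOAuth2AuthorizedClientExchangeFilterFunction(robotClientManager);
        oauth2.setDefaultClientRegistrationId("robot"); // registration key from the YAML above
        return WebClient.builder()
                .baseUrl("https://localhost:8443/admin/realms/my-realm") // hypothetical realm
                .apply(oauth2.oauth2Configuration())
                .build();
    }
}

@Service
class KeycloakUserService {

    private final WebClient keycloakAdminClient;

    KeycloakUserService(WebClient keycloakAdminClient) {
        this.keycloakAdminClient = keycloakAdminClient;
    }

    // Creates a user via the Admin REST API (POST /admin/realms/{realm}/users). Keycloak answers
    // 201 with a Location header ending in the new user's id, 409 if the username or email is
    // taken, and 403 if the service account lacks manage-users. Whoever calls this method must be
    // authorized by the application itself: Keycloak no longer checks the end user's roles.
    String createUser(String username, String email) {
        Map<String, Object> user = Map.of("username", username, "email", email, "enabled", true);
        try {
            URI location = keycloakAdminClient.post()
                    .uri("/users")
                    .contentType(MediaType.APPLICATION_JSON)
                    .bodyValue(user)
                    .retrieve()
                    .toBodilessEntity()
                    .block()
                    .getHeaders()
                    .getLocation();
            if (location == null) {
                throw new IllegalStateException("Keycloak returned no Location header");
            }
            String path = location.getPath();
            return path.substring(path.lastIndexOf('/') + 1);
        } catch (WebClientResponseException e) {
            switch (e.getStatusCode().value()) {
                case 409 -> throw new IllegalArgumentException("user already exists: " + username, e);
                case 403 -> throw new IllegalStateException("service account lacks manage-users", e);
                default -> throw e;
            }
        }
    }
}
```

Two points follow from this setup. The original bearer-only client that protects the REST API can stay bearer-only; the "robot" client is a second, confidential client whose secret should be injected from the environment or a secret store rather than committed in the YAML, and whose service account should carry only the realm-management roles the calls need (manage-users here, not realm-admin). And because Keycloak now authorizes the service account rather than the end user, the REST endpoint that triggers createUser is the only place the end user's right to create users is checked, so that check has to exist in the application.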

huangapple
  • Posted on 2023-07-18 00:01:28
  • When reposting, please keep this link: https://go.coder-hub.com/76706252.html