English:
New Keycloak Realm not providing roles for app login
Question
I am setting up Keycloak as my authentication provider, using OIDC. My application is written with Quarkus.
I am creating a new realm with the following steps:
1. Enter the Keycloak Admin Console.
2. Under the realm dropdown, click "Create Realm". Name it `oqm`.
3. Realm Settings -> General
    1. Realm ID changed to `oqm`
    2. Display name and HTML Display name set to `Open QuarterMaster`
    3. User-managed access turned on
    4. Click "Save"
4. Realm Settings -> Login. Turn on:
    - User Registration
    - Forgot Password
    - Remember Me
    - Email as Username?
    - Edit Username
5. Authentication -> Policies -> Password Policy. Add the following policies:
    - Minimum Length of 8
    - Not username
    - Not email
    - Special chars
    - Uppercase letters
    - Lowercase letters
    - Digits
6. Create Client
    1. Clients -> Create Client
    2. Client ID: `oqm-app`
    3. Name: `Open QuarterMaster App`
    4. Always display in UI
    5. Client authentication on
    6. "Standard flow", "Direct access grants", "Implicit flow" and "Service Account Roles" all on
    7. Valid redirect URIs: `*`
    8. Valid post logout redirect URIs: `+`
    9. Create
7. Add roles
    - `inventoryAdmin` -> `Role to enable inventory administration. Can import/export inventory data.`
    - `inventoryView` -> `Role to enable viewing inventory.`
    - `inventoryEdit` -> `Role to enable editing inventory.`
    - `itemCheckout` -> `Role to enable checking out (and back in) items.`
8. Add groups with roles:
    - `users`
        - `inventoryView`
        - `inventoryEdit`
        - `itemCheckout`
    - `admins` as a child group of `users`
        - `inventoryAdmin`
9. Realm Settings -> User Registration -> Default Groups
    1. Add `admins` to the default groups (I have also tried adding all roles as defaults)
However, when I create a user and log in, the app returns a 403 with the following log output:
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ][io.qu.oi.ru.DefaultTenantConfigResolver |vert.x-eventloop-thread-3 ]():: Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ][io.qu.oi.ru.CodeAuthenticationMechanism |vert.x-eventloop-thread-3 ]():: Session cookie is present, starting the reauthentication
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ][io.qu.oi.ru.DefaultTenantConfigResolver |vert.x-eventloop-thread-3 ]():: Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ][io.qu.oi.ru.OidcIdentityProvider |vert.x-eventloop-thread-3 ]():: Starting creating SecurityIdentity
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ][io.qu.oi.ru.DefaultTenantConfigResolver |vert.x-eventloop-thread-3 ]():: Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ][io.qu.oi.ru.OidcIdentityProvider |vert.x-eventloop-thread-3 ]():: Verifying the JWT token with the local JWK keys
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ][io.qu.oi.ru.OidcUtils |vert.x-eventloop-thread-3 ]():: No claim exists at the path 'groups' at the path segment 'groups'
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ][io.qu.oi.ru.OidcUtils |vert.x-eventloop-thread-3 ]():: No claim exists at the path 'realm_access/roles' at the path segment 'realm_access'
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ][io.qu.oi.ru.OidcUtils |vert.x-eventloop-thread-3 ]():: No claim exists at the path 'resource_access/oqm-app/roles' at the path segment 'resource_access'
It seems to me that the roles never make it into the JWT? I am modeling my realm after the one provided by Quarkus' Keycloak dev service, which works when I add the required roles to the users provided there.
Content of "KEYCLOAK_IDENTITY" from jwt.io:
{
"exp": 1691800027,
"iat": 1691764027,
"jti": "ef4a49f0
<details>
<summary>English:</summary>
I'm working on setting up Keycloak to be my auth provider, using OIDC. My app is written using Quarkus.
I am creating a new realm using the following steps:
1. Enter Keycloak Admin Console
2. Under realm dropdown, hit "Create Realm". Name it `oqm`.
3. Realm Settings -> General
    1. Realm ID changed to `oqm`
    2. Display name and HTML Display name set to `Open QuarterMaster`
    3. User-managed access turned on
    4. Hit "Save"
4. Realm Settings -> Login. Turn on:
    - User Registration
    - Forgot Password
    - Remember Me
    - Email as Username?
    - Edit Username
5. Authentication -> Policies -> Password Policy. Add the following policies:
    - Minimum Length of 8
    - Not username
    - Not email
    - Special chars
    - Uppercase letters
    - Lowercase letters
    - Digits
6. Create Client
    1. Clients -> Create Client
    2. Client id: `oqm-app`
    3. Name: `Open QuarterMaster App`
    4. Always display in UI
    5. Client authentication on
    6. "Standard flow", "Direct access grants", "Implicit flow", and "Service Account Roles" all on
    7. Valid redirect URIs: `*`
    8. Valid post logout redirect URIs: `+`
    9. Create
7. Add roles
    - `inventoryAdmin` -> `Role to enable inventory administration. Can import/export inventory data.`
    - `inventoryView` -> `Role to enable viewing inventory.`
    - `inventoryEdit` -> `Role to enable editing inventory.`
    - `itemCheckout` -> `Role to enable checking out (and back in) items.`
8. Add groups with roles:
    - `users`
        - `inventoryView`
        - `inventoryEdit`
        - `itemCheckout`
    - `admins` as child group of `users`
        - `inventoryAdmin`
9. Realm Settings -> User Registration -> Default Groups
    1. Add `admins` to default group (I have also tried adding all roles as default)
However, when I create a user and login, the app returns a 403, with the following log output:
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ]io.qu.oi.ru.DefaultTenantConfigResolver |vert.x-eventloop-thread-3 :: Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ]io.qu.oi.ru.CodeAuthenticationMechanism |vert.x-eventloop-thread-3 :: Session cookie is present, starting the reauthentication
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ]io.qu.oi.ru.DefaultTenantConfigResolver |vert.x-eventloop-thread-3 :: Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ]io.qu.oi.ru.OidcIdentityProvider |vert.x-eventloop-thread-3 :: Starting creating SecurityIdentity
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ]io.qu.oi.ru.DefaultTenantConfigResolver |vert.x-eventloop-thread-3 :: Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ]io.qu.oi.ru.OidcIdentityProvider |vert.x-eventloop-thread-3 :: Verifying the JWT token with the local JWK keys
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ]io.qu.oi.ru.OidcUtils |vert.x-eventloop-thread-3 :: No claim exists at the path 'groups' at the path segment 'groups'
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ]io.qu.oi.ru.OidcUtils |vert.x-eventloop-thread-3 :: No claim exists at the path 'realm_access/roles' at the path segment 'realm_access'
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ]io.qu.oi.ru.OidcUtils |vert.x-eventloop-thread-3 :: No claim exists at the path 'resource_access/oqm-app/roles' at the path segment 'resource_access'
It seems to me that the roles never make it into the jwt? I am modeling my realm after the one provided by Quarkus' keycloak dev service, which works when I add the roles required to the users provided there.
Content of "KEYCLOAK_IDENTITY" from jwt.io:
{
"exp": 1691800027,
"iat": 1691764027,
"jti": "ef4a49f0-db0d-49f8-a2a2-36bd35cdb4ef",
"iss": "http://localhost:32769/realms/oqm",
"sub": "a1f2f54d-35b9-4e94-b673-0fbec79d7c33",
"typ": "Serialized-ID",
"session_state": "08730e5a-7f3b-4731-8062-c0083bfef614",
"sid": "08730e5a-7f3b-4731-8062-c0083bfef614",
"state_checker": "5F2Y4AL-QC1KUOwTLBXEGK_ZrHdlq9na6d0_joCJTaQ"
}
I would think I should see username/email/name as well as roles, but none are present? This is the only cookie that resembles a JWT, except maybe `q_session*`, but it is split up. I am wondering about the "two token" thing; I was expecting to see two JWTs, one identity and one auth?
I can obviously sign in fine, as going to Keycloak's account page shows my user's info, just not have the right info passed to my app in the tokens.
</details>
# Answer 1
**Score**: 0
Figured it out: under Clients -> oqm-app -> Client Scopes, microprofile-jwt needs to be set to "default".
More detail on the thought process, although I basically had to compare the two realm JSON files to figure it out: https://github.com/keycloak/keycloak/discussions/22398
<details>
<summary>English:</summary>
Figured it out, needed to: Clients -> oqm-app -> Client Scopes, set microprofile-jwt to "default".
More detail on the thought process, though I basically needed to compare the two realm json's to figure it out: https://github.com/keycloak/keycloak/discussions/22398
</details>
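The three DEBUG lines in the question ("No claim exists at the path 'groups' ...", 'realm_access/roles', 'resource_access/oqm-app/roles') are quarkus-oidc probing each claim path it accepts for roles. The script below is an added diagnostic, not code from the question, the answer, or Quarkus: it reproduces that lookup over a decoded token payload, so you can tell before touching the app whether the token Keycloak issues (after the microprofile-jwt client scope fix in the answer) actually carries roles. It assumes constructed, unsigned sample tokens and does no signature verification.

```python
import base64
import json


def role_claim_paths(client_id):
    """The claim paths quarkus-oidc checks for roles, in the order the log shows."""
    return ["groups", "realm_access/roles", f"resource_access/{client_id}/roles"]


def decode_jwt_payload(token):
    """Base64url-decode the payload of a compact JWT. Diagnostic only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(seg))


def lookup_path(claims, path):
    """Walk a slash-separated claim path; None if any segment is missing."""
    node = claims
    for segment in path.split("/"):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def find_roles(claims, client_id):
    """Return {claim_path: sorted roles} for every role path present in the token."""
    found = {}
    for path in role_claim_paths(client_id):
        value = lookup_path(claims, path)
        if isinstance(value, list):
            found[path] = sorted(value)
    return found


def make_unsigned_token(payload):
    """Constructed alg=none token for the demo; a real Keycloak token is RS256-signed."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(payload)}."


ISS = "http://localhost:32769/realms/oqm"  # issuer from the question's token
# Constructed: shaped like the question's token, no role claims at all -> 403 in the app
TOKEN_WITHOUT_ROLES = make_unsigned_token({"iss": ISS, "sub": "user-1"})
# Constructed: what a token for a member of the `users` group should look like
TOKEN_WITH_ROLES = make_unsigned_token({
    "iss": ISS, "sub": "user-1", "groups": ["/users"],
    "realm_access": {"roles": ["inventoryView", "inventoryEdit", "itemCheckout"]},
})

if __name__ == "__main__":
    for name, tok in [("without", TOKEN_WITHOUT_ROLES), ("with", TOKEN_WITH_ROLES)]:
        print(name, find_roles(decode_jwt_payload(tok), "oqm-app"))
```

Paste the real access token (the bearer token, not the KEYCLOAK_IDENTITY cookie) into `decode_jwt_payload` to see which of the three paths your realm populates; an empty result reproduces the question's three "No claim exists" lines.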