New Keycloak Realm not providing roles for app login

huangapple

Question


<details>
<summary>English:</summary>

I'm working on setting up Keycloak to be my auth provider, using OIDC. My app is written using Quarkus.

I am creating a new realm using the following steps:


1. Enter Keycloak Admin Console
2. Under realm dropdown, hit "Create Realm". Name it `oqm`.
3. Realm Settings -> General
    1. Realm ID changed to `oqm`
    2. Display name and HTML Display name set to `Open QuarterMaster`
    3. User-managed access turned on
    4. Hit "Save"
4. Realm Settings -> Login. Turn on:
    - User Registration
    - Forgot Password
    - Remember Me
    - Email as Username?
    - Edit Username
5. Authentication -> Policies -> Password Policy. Add the following policies:
    - Minimum Length of 8
    - Not username
    - Not email
    - Special chars
    - Uppercase letters
    - Lowercase letters
    - Digits
6. Create Client
    1. Clients -> Create Client
    2. Client id: `oqm-app`
    3. Name: `Open QuarterMaster App`
    4. Always display in UI
    5. Client authentication on
    6. "Standard flow", "Direct access grants", "Implicit flow", and "Service Account Roles" all on
    7. Valid redirect URIs: `*`
    8. Valid post logout redirect URIs: `+`
    9. Create
7. Add roles
   - `inventoryAdmin` -> `Role to enable inventory administration. Can import/export inventory data.`
   - `inventoryView` -> `Role to enable viewing inventory.`
   - `inventoryEdit` -> `Role to enable editing inventory.`
   - `itemCheckout` -> `Role to enable checking out (and back in) items.`
8. Add groups with roles:
   - `users`
       - `inventoryView`
       - `inventoryEdit`
       - `itemCheckout`
   - `admins` as child group of `users`
       - `inventoryAdmin`
9. Realm Settings -> User Registration -> Default Groups
   1. Add `admins` to default group (I have also tried adding all roles as default)

However, when I create a user and login, the app returns a 403, with the following log output:

12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ]io.qu.oi.ru.DefaultTenantConfigResolver |vert.x-eventloop-thread-3 :: Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ]io.qu.oi.ru.CodeAuthenticationMechanism |vert.x-eventloop-thread-3 :: Session cookie is present, starting the reauthentication
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ]io.qu.oi.ru.DefaultTenantConfigResolver |vert.x-eventloop-thread-3 :: Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ]io.qu.oi.ru.OidcIdentityProvider |vert.x-eventloop-thread-3 :: Starting creating SecurityIdentity
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ]io.qu.oi.ru.DefaultTenantConfigResolver |vert.x-eventloop-thread-3 :: Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ]io.qu.oi.ru.OidcIdentityProvider |vert.x-eventloop-thread-3 :: Verifying the JWT token with the local JWK keys
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ]io.qu.oi.ru.OidcUtils |vert.x-eventloop-thread-3 :: No claim exists at the path 'groups' at the path segment 'groups'
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ]io.qu.oi.ru.OidcUtils |vert.x-eventloop-thread-3 :: No claim exists at the path 'realm_access/roles' at the path segment 'realm_access'
12:53:07 [DEBUG][9202a4ca6299115508ca0c543b9beb76| |c06abf9f49a51772|true ]io.qu.oi.ru.OidcUtils |vert.x-eventloop-thread-3 :: No claim exists at the path 'resource_access/oqm-app/roles' at the path segment 'resource_access'


It seems to me that the roles never make it into the JWT? I am modeling my realm after the one provided by Quarkus' Keycloak dev service, which works when I add the roles required to the users provided there.

Content of "KEYCLOAK_IDENTITY" from jwt.io:

{
  "exp": 1691800027,
  "iat": 1691764027,
  "jti": "ef4a49f0-db0d-49f8-a2a2-36bd35cdb4ef",
  "iss": "http://localhost:32769/realms/oqm",
  "sub": "a1f2f54d-35b9-4e94-b673-0fbec79d7c33",
  "typ": "Serialized-ID",
  "session_state": "08730e5a-7f3b-4731-8062-c0083bfef614",
  "sid": "08730e5a-7f3b-4731-8062-c0083bfef614",
  "state_checker": "5F2Y4AL-QC1KUOwTLBXEGK_ZrHdlq9na6d0_joCJTaQ"
}


I would think I should see username/email/name as well as roles, but none are present? This is the only cookie that resembles a JWT, except maybe `q_session*`, but it is split up. I am wondering about the "two token" thing, I was expecting to see two JWTs, one identity and one auth?

I can obviously sign in fine, as going to Keycloak's account page shows my user's info, just not having the right info passed to my app in the tokens.
</details>
# Answer 1
**Score**: 0
<details>
<summary>English:</summary>
Figured it out, needed to: Clients -> oqm-app -> Client Scopes, set microprofile-jwt to "default".

More detail on the thought process, though I basically needed to compare the two realm JSONs to figure it out: https://github.com/keycloak/keycloak/discussions/22398
</details>
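To see why the question's log ends in a 403 and what the accepted fix changes, here is an added Python example (not code from the question, the answer, or Quarkus) that mirrors the three claim paths Quarkus OIDC probes for roles and runs them over constructed token payloads. It assumes, as the answer implies, that the microprofile-jwt client scope adds a `groups` claim populated from the user's realm roles; `decode_payload` is an inspection aid only and does not verify signatures.

```python
import base64
import json

# Claim paths Quarkus OIDC probes for roles, in the order the question's DEBUG log
# shows: 'groups', 'realm_access/roles', 'resource_access/<client-id>/roles'.
def role_claim_paths(client_id):
    return ["groups", "realm_access/roles", f"resource_access/{client_id}/roles"]

def lookup_path(claims, path):
    """Walk a slash-separated claim path; None when any segment is missing."""
    node = claims
    for segment in path.split("/"):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node

def resolve_roles(claims, client_id):
    """Union of the roles found at every path; an empty set is what ends in the 403."""
    roles = set()
    for path in role_claim_paths(client_id):
        value = lookup_path(claims, path)
        if isinstance(value, list):
            roles.update(str(v) for v in value)
    return roles

def missing_paths(claims, client_id):
    """The paths Quarkus reports as 'No claim exists at the path ...'."""
    return [p for p in role_claim_paths(client_id) if lookup_path(claims, p) is None]

def decode_payload(jwt):
    """Decode only the payload segment for inspection; this does NOT verify the signature."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

# Constructed sample mirroring the question's KEYCLOAK_IDENTITY cookie: Keycloak's own
# session token (typ "Serialized-ID"), which carries no roles at any of the paths.
IDENTITY_COOKIE = {"typ": "Serialized-ID", "iss": "http://localhost:32769/realms/oqm",
                   "sub": "a1f2f54d-35b9-4e94-b673-0fbec79d7c33"}

# Constructed sample of the token after the answer's fix: the microprofile-jwt scope
# (assumed here to map the user's realm roles into a 'groups' claim) makes 'groups' present.
FIXED_TOKEN = {"iss": "http://localhost:32769/realms/oqm",
               "groups": ["inventoryView", "inventoryEdit", "itemCheckout", "inventoryAdmin"]}
```

`missing_paths(IDENTITY_COOKIE, "oqm-app")` yields exactly the three paths named in the question's "No claim exists" log lines. When checking a real deployment, run `decode_payload` on the ID or access token the app actually receives rather than on the KEYCLOAK_IDENTITY cookie, which is Keycloak's own session token.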

huangapple
  • Published on 2023-08-11 04:24:36
  • Please keep this link when reposting: https://go.coder-hub.com/76879100.html