spring security OIDC keycloak: unable to get authorities and apply authorization

Problem description

I have a Spring Security OAuth2 application connected to an OIDC server, Keycloak. I am able to connect, obtain an access token and perform authentication, but I cannot perform authorization.

Introspecting the token returns the authorities in the JSON response, as shown below.

{
    "jti": "f21b1ecd-05b7-435b-a571-1b8554ae3666",
    "exp": 1583995545,
    "nbf": 0,
    "iat": 1583994645,
    "iss": "http://192.168.56.101:8080/auth/realms/master",
    "sub": "e7462035-316e-4970-afde-e44ffd9f169e",
    "typ": "Bearer",
    "azp": "app1_client",
    "auth_time": 1583994645,
    "session_state": "7a36dc7f-dd5d-42cb-8684-398825fcacde",
    "name": "Administrator 1",
    "given_name": "Administrator",
    "family_name": "1",
    "preferred_username": "admin1",
    "email_verified": false,
    "acr": "1",
    "resource_access": {
        "app1_client": {
            "roles": [
                "APP1_ADMIN"
            ]
        }
    },
    "scope": "email app1 profile",
    "authorities": [
        "ROLE_APP1_ADMIN"
    ],
    "client_id": "app1_client",
    "username": "admin1",
    "active": true
}

However, when I print the authorities in the log, I do not get ROLE_APP1_ADMIN; the log prints what is shown below.

K-[ROLE_USER, SCOPE_address, SCOPE_app1, SCOPE_email, SCOPE_microprofile-jwt, SCOPE_offline_access, SCOPE_openid, SCOPE_phone, SCOPE_profile]

Below is HelloRest.java

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import lombok.extern.slf4j.Slf4j;

@RestController
@Slf4j
@RequestMapping("/api")
public class HelloRest {

    // hasRole('APP1_ADMIN') matches the authority ROLE_APP1_ADMIN
    //@PreAuthorize("hasRole('APP1_ADMIN')")
    @GetMapping("/admin")
    public String admin(OAuth2AuthenticationToken e1) {
        // Authentication resolved from the security context; dump what the login flow produced
        log.info("K-{}", e1.getAuthorities());
        log.info("K-{}", e1.getAuthorizedClientRegistrationId());
        log.info("K-{}", e1.getDetails());
        log.info("K-{}", e1.getPrincipal().getAttributes());
        log.info("K-{}", e1.getPrincipal().getAuthorities());
        log.info("K-{}", e1.getName());
        return "Hello from Admin of APP1";
    }

    @PreAuthorize("hasRole('APP1_USER')")
    @GetMapping("/user")
    public String user() {
        return "Hello from User of APP1";
    }
}

application.yml

server:
  port: 8082
spring:
  security:
    oauth2:
#      resourceserver:
#        jwt:
#          issuer-uri: http://192.168.56.101:8080/auth/realms/master
      client:
        provider:
          keycloak:
            issuer-uri: http://192.168.56.101:8080/auth/realms/master
        registration:
          keycloak:
            client-id: app1_client
            client-secret: <secret>
            provider: keycloak

Finally, pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.2.5.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>io.github.kprasad99</groupId>
    <artifactId>app1-backend</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>app1-backend-1</name>
    <description>Demo project for Spring Boot</description>

    <properties>
        <java.version>11</java.version>
        <spring-cloud.version>Hoxton.SR3</spring-cloud.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-oauth2-client</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <scope>runtime</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-configuration-processor</artifactId>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>${spring-cloud.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

How do I apply authorization with Spring Security and Keycloak?

Tags: spring-boot, spring-security, keycloak, spring-security-oauth2, spring-cloud-security

Solution

Looking at the source code, we need to write a custom mapper: by default Spring Security adds the scopes as roles plus the default role ROLE_USER. Add the custom mapper below.

import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
import org.springframework.stereotype.Component;

import lombok.extern.slf4j.Slf4j;

@Component
@Slf4j
public class KGrantedAuthoritiesMapper implements GrantedAuthoritiesMapper {

    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
        // Keep the authorities Spring Security derived itself (ROLE_USER, SCOPE_*) and add ours on top
        Set<GrantedAuthority> mappedAuthorities = new HashSet<>(authorities);
        authorities.forEach(authority -> {
            if (authority instanceof OidcUserAuthority) {
                OidcUserAuthority oidcUserAuthority = (OidcUserAuthority) authority;

                // userInfo is null when the provider exposes no userinfo endpoint, so guard before reading claims
                OidcUserInfo userInfo = oidcUserAuthority.getUserInfo();
                if (userInfo != null) {
                    Optional.ofNullable(userInfo.getClaimAsStringList("authorities")).orElse(Collections.emptyList())
                            .stream().map(SimpleGrantedAuthority::new).forEach(mappedAuthorities::add);
                }
                // Map the claims found in idToken and/or userInfo
                // to one or more GrantedAuthority's and add it to mappedAuthorities

            } else if (authority instanceof OAuth2UserAuthority) {
                OAuth2UserAuthority oauth2UserAuthority = (OAuth2UserAuthority) authority;

                Map<String, Object> userAttributes = oauth2UserAuthority.getAttributes();
                log.info("{}", userAttributes);
                // Map the attributes found in userAttributes
                // to one or more GrantedAuthority's and add it to mappedAuthorities
                // Not sure when this is being used
            }
        });
        return mappedAuthorities;
    }

}

If there is any configuration or built-in mapper available, please post it and I will mark it as the answer.
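Added example, not part of the original question or answer: a complete security configuration that registers the authorities mapper explicitly through oauth2Login().userInfoEndpoint().userAuthoritiesMapper(...) instead of relying on a @Component being picked up, maps the standard Keycloak client roles under resource_access.app1_client.roles to ROLE_-prefixed authorities (so hasRole('APP1_ADMIN') on /api/admin matches the token shown above), keeps the custom authorities claim the answer's mapper reads, and enables method security, without which the @PreAuthorize annotations in HelloRest are silently ignored. It is written against Spring Boot 2.2.5 / Spring Security 5.2 as in the pom above. The class name KeycloakSecurityConfig, the package name and the URL rule for /api/user are assumptions; the client id and the paths are taken from the question. It replaces the @Component mapper rather than sitting beside it.

```java
package io.github.kprasad99.app1.security; // assumed package name

import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.ClaimAccessor;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;

/**
 * Registers a Keycloak-aware GrantedAuthoritiesMapper on the OIDC login flow and turns on
 * method security so that @PreAuthorize on HelloRest is actually enforced.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class KeycloakSecurityConfig extends WebSecurityConfigurerAdapter {

    // Client whose client-level roles are trusted; same value as registration.keycloak.client-id
    private static final String CLIENT_ID = "app1_client";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // hasRole("APP1_ADMIN") requires the authority ROLE_APP1_ADMIN
                .antMatchers("/api/admin").hasRole("APP1_ADMIN")
                .antMatchers("/api/user").hasRole("APP1_USER")
                .anyRequest().authenticated()
            .and()
            .oauth2Login()
                .userInfoEndpoint()
                    .userAuthoritiesMapper(keycloakAuthoritiesMapper());
    }

    @Bean
    public GrantedAuthoritiesMapper keycloakAuthoritiesMapper() {
        return authorities -> {
            // Keep what Spring Security derived (ROLE_USER, SCOPE_*) and add Keycloak roles on top
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                if (authority instanceof OidcUserAuthority) {
                    OidcUserAuthority oidc = (OidcUserAuthority) authority;
                    // Only the ID token and the userinfo response are visible here, not the access token
                    addKeycloakAuthorities(oidc.getIdToken(), mapped);
                    if (oidc.getUserInfo() != null) {
                        addKeycloakAuthorities(oidc.getUserInfo(), mapped);
                    }
                }
            }
            return mapped;
        };
    }

    private static void addKeycloakAuthorities(ClaimAccessor claims, Set<GrantedAuthority> out) {
        // Custom "authorities" claim, already ROLE_-prefixed (as in the introspection response above)
        List<String> custom = claims.getClaimAsStringList("authorities");
        if (custom != null) {
            custom.forEach(a -> out.add(new SimpleGrantedAuthority(a)));
        }
        // Standard Keycloak client roles: resource_access.<client-id>.roles
        Map<String, Object> resourceAccess = claims.getClaimAsMap("resource_access");
        if (resourceAccess == null) {
            return;
        }
        Object client = resourceAccess.get(CLIENT_ID);
        if (!(client instanceof Map)) {
            return;
        }
        Object roles = ((Map<?, ?>) client).get("roles");
        if (roles instanceof Collection) {
            for (Object role : (Collection<?>) roles) {
                out.add(new SimpleGrantedAuthority("ROLE_" + role));
            }
        }
    }
}
```

Two things to check when this still yields only ROLE_USER and SCOPE_* authorities. First, the mapper runs on the ID token and the userinfo response, not on the access token that was introspected in the question, so the Keycloak protocol mapper for client roles has to be configured to add the claim to the ID token or to userinfo for it to be visible here. Second, the registration in application.yml declares no scope, so Spring Security takes the scope list from the issuer's discovery document (scopes_supported), which is why every Keycloak scope appears as a SCOPE_* authority in the log; setting scope: openid, profile, email under registration.keycloak limits the request to what the application needs.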

