keycloak界面配置及认证流程详解

最新推荐文章于 2024-06-10 17:05:28 发布
最新推荐文章于 2024-06-10 17:05:28 发布
阅读量2.2w 收藏 37
点赞数 14
分类专栏: keycloak 文章标签: https 安全 程序人生
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_33430322/article/details/105861261
版权

界面上的字段和一些术语不懂的话可以自己百度。由于https需要证书不方便postman展示,所以使用http

keycloak设置master登录用户

在这里插入图片描述

keycloak 管理界面

在这里插入图片描述

keycloak 获取用户token

  1. 创建我们自己的域
    在这里插入图片描述

  2. 添加域的用户
    在这里插入图片描述

  3. 设置密码
    在这里插入图片描述

  4. 创建client(普通用户登录 设置public)
    在这里插入图片描述

  5. 查看openid配置详情
    接口:http://localhost:8080/auth/realms/{创建的realm名字}/.well-known/openid-configuration
    示例:http://localhost:8080/auth/realms/keycloak-manage-user/.well-known/openid-configuration

{
    "issuer": "http://localhost:8080/auth/realms/keycloak-manage-user",
    "authorization_endpoint": "http://localhost:8080/auth/realms/keycloak-manage-user/protocol/openid-connect/auth",
    "token_endpoint": "http://localhost:8080/auth/realms/keycloak-manage-user/protocol/openid-connect/token",
    "token_introspection_endpoint": "http://localhost:8080/auth/realms/keycloak-manage-user/protocol/openid-connect/token/introspect",
    "userinfo_endpoint": "http://localhost:8080/auth/realms/keycloak-manage-user/protocol/openid-connect/userinfo",
    "end_session_endpoint": "http://localhost:8080/auth/realms/keycloak-manage-user/protocol/openid-connect/logout",
    "jwks_uri": "http://localhost:8080/auth/realms/keycloak-manage-user/protocol/openid-connect/certs",
    "check_session_iframe": "http://localhost:8080/auth/realms/keycloak-manage-user/protocol/openid-connect/login-status-iframe.html",
    "grant_types_supported": [
        "authorization_code",
        "implicit",
        "refresh_token",
        "password",
        "client_credentials"
    ],
    "response_types_supported": [
        "code",
        "none",
        "id_token",
        "token",
        "id_token token",
        "code id_token",
        "code token",
        "code id_token token"
    ],
    "subject_types_supported": [
        "public",
        "pairwise"
    ],
    "id_token_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "PS256",
        "PS512",
        "RS512"
    ],
    "id_token_encryption_alg_values_supported": [
        "RSA-OAEP",
        "RSA1_5"
    ],
    "id_token_encryption_enc_values_supported": [
        "A128GCM",
        "A128CBC-HS256"
    ],
    "userinfo_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "PS256",
        "PS512",
        "RS512",
        "none"
    ],
    "request_object_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "PS256",
        "PS512",
        "RS512",
        "none"
    ],
    "response_modes_supported": [
        "query",
        "fragment",
        "form_post"
    ],
    "registration_endpoint": "http://localhost:8080/auth/realms/keycloak-manage-user/clients-registrations/openid-connect",
    "token_endpoint_auth_methods_supported": [
        "private_key_jwt",
        "client_secret_basic",
        "client_secret_post",
        "tls_client_auth",
        "client_secret_jwt"
    ],
    "token_endpoint_auth_signing_alg_values_supported": [
        "PS384",
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "PS256",
        "PS512",
        "RS512"
    ],
    "claims_supported": [
        "aud",
        "sub",
        "iss",
        "auth_time",
        "name",
        "given_name",
        "family_name",
        "preferred_username",
        "email",
        "acr"
    ],
    "claim_types_supported": [
        "normal"
    ],
    "claims_parameter_supported": false,
    "scopes_supported": [
        "openid",
        "address",
        "email",
        "microprofile-jwt",
        "offline_access",
        "phone",
        "profile",
        "roles",
        "web-origins"
    ],
    "request_parameter_supported": true,
    "request_uri_parameter_supported": true,
    "code_challenge_methods_supported": [
        "plain",
        "S256"
    ],
    "tls_client_certificate_bound_access_tokens": true,
    "introspection_endpoint": "http://localhost:8080/auth/realms/keycloak-manage-user/protocol/openid-connect/token/introspect"
}

大家看着理解,不懂的留言,这里面列举了openid支持的配置uma后面讲
6. 获取public client 用户token
“token_endpoint”: “http://localhost:8080/auth/realms/keycloak-manage-user/protocol/openid-connect/token”

curl --location --request POST 'http://localhost:8080/auth/realms/keycloak-manage-user/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=test' \
--data-urlencode 'password=123456' \
--data-urlencode 'client_id=user-token' \
--data-urlencode 'grant_type=password'

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjQ3JWRXFCYUNxcG1vcFNTMFpicVozeGsydWdUT2NRQ19NLVV0NkVBWWlzIn0.eyJqdGkiOiJhNzkzMzM3MS0wNzVkLTQ2ZTctYjYzYS05NDQ2NDZhNjk1MDgiLCJleHAiOjE1ODgyMzA2OTksIm5iZiI6MCwiaWF0IjoxNTg4MjMwMzk5LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMva2V5Y2xvYWstbWFuYWdlLXVzZXIiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiZjcxMDgzZTctNGUxYy00NmU2LWJkNjYtMTQ5Yjg3ZDIxNWRhIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidXNlci10b2tlbiIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjUwMzU3OWZmLWZlMDUtNDZmMi04YjQ2LWU3MWE4M2RkNmFkNyIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovL2xvY2FsaG9zdDo4MDgwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0In0.TICwaP0N00YnSk_RNYZOM9miF_Bx8PZqsR-h91vdGr6lFlxSVSIspLzwRjM1oZ5NDcbEJvD43Nirn5L3aoVzdFoPWU2dEIO8Py_TiONCc1UPmzE9HJ2OudhcVc7tMCPnhm3QKJ1df3QO7icz0ErHrpBdcxjAjt9wLipxjgPF96Mdif1kvLeDmSCz4-adgWk2OHlaiGsjfuoWTliWHS5nY_92c3w2wglrplB-6UF11khR70-wZWYaxT1I85FiD9cJ9UaW2tnehPyNenGvi7n5PTEEraDtYxxgnEn6bXYXeBfor9hPs6rVuMyguBHqRSPexVnbcrdB3caHQKLnVfEF2A",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3NWNiZjc2ZC0zNzkwLTRiMjYtYTRjMi0wMmQ0YjZkMjlhNmUifQ.eyJqdGkiOiJmMzNlZWE2MC1jMTM4LTQ5OGEtYmM4Yy1mZTE3YTkyMzNiZmMiLCJleHAiOjE1ODgyMzIxOTksIm5iZiI6MCwiaWF0IjoxNTg4MjMwMzk5LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMva2V5Y2xvYWstbWFuYWdlLXVzZXIiLCJhdWQiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMva2V5Y2xvYWstbWFuYWdlLXVzZXIiLCJzdWIiOiJmNzEwODNlNy00ZTFjLTQ2ZTYtYmQ2Ni0xNDliODdkMjE1ZGEiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoidXNlci10b2tlbiIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjUwMzU3OWZmLWZlMDUtNDZmMi04YjQ2LWU3MWE4M2RkNmFkNyIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJlbWFpbCBwcm9maWxlIn0.FwDKqA3l-ZA3i8WBIur8lQ6LRkw7HHZNWgzgj8Wbs5Y",
    "token_type": "bearer",
    "not-before-policy": 0,
    "session_state": "503579ff-fe05-46f2-8b46-e71a83dd6ad7",
    "scope": "email profile"
}
  1. 用户token解析
curl --location --request POST 'http://localhost:8080/auth/realms/keycloak-manage-user/protocol/openid-connect/userinfo' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjQ3JWRXFCYUNxcG1vcFNTMFpicVozeGsydWdUT2NRQ19NLVV0NkVBWWlzIn0.eyJqdGkiOiI3MjUwNjU2Zi1jNGY0LTQ2NWUtYjFmNC02MmU5Yzk2ODA0NzYiLCJleHAiOjE1ODgyMzExODcsIm5iZiI6MCwiaWF0IjoxNTg4MjMwODg3LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMva2V5Y2xvYWstbWFuYWdlLXVzZXIiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiZjcxMDgzZTctNGUxYy00NmU2LWJkNjYtMTQ5Yjg3ZDIxNWRhIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoidXNlci10b2tlbiIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjhmNzJmMjU3LTg4ZTAtNDE5Ni1hZDllLTIyOGJjZDE1ZTU2NCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovL2xvY2FsaG9zdDo4MDgwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0In0.ZSfY_SouVSxcLsloQl8h1KEzH1TnrJvMT3bkcK0X116kq6M3Oa43tiUm4NYOxSDqg5L9nwbVaVaFrE7_n1M6V392sl1zhZljmKldsSHzUGzuk5gIk50LckDNC160YBpFgv8yBb_E_NTWcymp71q90IuZ36QgnbgDpxl5r_RrKjcuZMrzje5LGhVSI4FXyS3Ed--pP7GHSG8Rd1vAhvL4ZEsTNq5brwKaREmiNV0w959E78nB4SUWAdY0H8H2J7umaFUUMpFh4MgIdYl6iZTKIqXymxrnEhLcVWEqVDYHf1L097fqijW7QBxFjMihAca4QWxF2zoKguDJq5x5paQQWw'

在这里插入图片描述
8. confidential client 设置
在这里插入图片描述
public confidential 区别:
public 就是简单的账号密码登录
confidential 需要算法支持
从配置中可以看到支持5种:

     "private_key_jwt",
     "client_secret_basic",
     "client_secret_post",
     "tls_client_auth",
     "client_secret_jwt"
  1. client_secret 方式获取用户token
    在这里插入图片描述
curl --location --request POST 'http://localhost:8080/auth/realms/keycloak-manage-user/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=user-token' \
--data-urlencode 'client_secret=40bf9908-94e1-4571-8ad3-10940e21ee9f' \
--data-urlencode 'username=test' \
--data-urlencode 'password=123456'

注意grant_type=client_credentials参数的修改
10. client 认证 "client_secret_post " 获取client token
在这里插入图片描述
在这里插入图片描述
这里新建了realm和client方便区分

curl --location --request POST 'http://localhost:8080/auth/realms/openbanking/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=client1-mtls-PS256-PS256' \
--data-urlencode 'client_secret=63795b52-65ec-468c-a7b9-4b73817bdfc9' \
--data-urlencode 'grant_type=client_credentials'
  1. client 认证 “client_secret_basic” 获取client token
    在这里插入图片描述

在这里插入图片描述

curl --location --request POST 'http://localhost:8080/auth/realms/openbanking/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic Y2xpZW50MS1tdGxzLVBTMjU2LVBTMjU2OjYzNzk1YjUyLTY1ZWMtNDY4Yy1hN2I5LTRiNzM4MTdiZGZjOQ==' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=client1-mtls-PS256-PS256' \
--data-urlencode 'scope=accounts'

Base64.getEncoder().encodeToString((id + “:” + secret).getBytes());
13. client 认证 “private_key_jwt” 获取client token
在这里插入图片描述
在这里插入图片描述
在这里插入图片描述
(1) 使用java代码生成公钥私钥
参考:https://connect2id.com/products/nimbus-jose-jwt/examples/jwt-with-rsa-signature

      <dependency>
            <groupId>com.nimbusds</groupId>
            <artifactId>nimbus-jose-jwt</artifactId>
            <version>${nimbus-version}</version>
        </dependency>
       <dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcprov-jdk15on</artifactId>
            <version>${bcprov-version}</version>
        </dependency>
        <dependency>
            <groupId>commons-codec</groupId>
            <artifactId>commons-codec</artifactId>
            <version>1.14</version>
        </dependency>
        
         <nimbus-version>7.0</nimbus-version>
        <gson-version>2.8.4</gson-version>
        <bcprov-version>1.60</bcprov-version>

         RSAKey privateKey = new RSAKeyGenerator(2048)
                .algorithm(JWSAlgorithm.PS256)
                .keyUse(KeyUse.SIGNATURE)
                .keyID("client-PS256")
                .generate();
        RSAKey publicKey = privateKey.toPublicJWK();

生成的私钥

{
    "keys": [
        {
            "p": "77_7i2uGN6RxaCU6m217guw2gdLeknEbi34IeJpvK5xqufrs00aMCqnCXwWAEsqCm3CmITdhTPNZSemETcsouW82NiHQ_cbI7agNpAaTU6kRdzaOVyJSJgs-pmxgFMbgkBmIHZbbtdrpIykTHlhmilPnRhQvwN3N_7eymmbXPe0", 
            "kty": "RSA", 
            "q": "nbVbCk7BMP1syPPR0IUbDwYmLkFnUL6TXgXA4o-3IIdP-bFJKc2ONTxtsLl-Q-H2dDKugjHe-AyVvVRmiMUna2VVEUbG3I6z0mvok19fC9Gd7kCalJuXfNBnJVyoJfCfOmDn3RepYUP7mWUAmlbtMxbud0-F90T60vIgewPN7e0", 
            "d": "COuCJEsUHUcg39kF9S9cTt8GsaxIEP-vqI9GonGz_nC3uBFDRhyqGKj-JWWoG3Vso3i658bnJdMf1aW4KjxJon-D0nfAAZXPUj7OfJZ__D874BKRSg9NqE7uubsU3ByPvLVexqsGAy4tRCM14zwXpNM_YAe0z7c4tmSrDmUdFZUpt8YhL33jPi5KDaxtEdMrbL2OKIdrolJjJnX7loVJcSneM7bXvx-6ieDfO8HgMlmnpik3t_9HVeJ1-o30ndv5KsVG1i7NtTDgAGTqbInHD7WdRLIzgTbXTmoAWY4ccHeDNzh6S_9jKk_sQE9A1oLFUmL-7qtk8qnl9ZBDoxGIYQ", 
            "e": "AQAB", 
            "use": "sig", 
            "kid": "client-PS256", 
            "qi": "AiADA77A6JGn1iOEd2CM0c17LK6AzpGkVUzMfI_yoIzwpaJh41zd77nO_xe49e0FQNEEIjh__C4svctz7RA_90pteFDQ8TBoSmm8j6Jb-BdaDVIt_Ax77RRAiPD5ZSSqj-XzkjIUCNjghWjDz6H_k1FbcBA-lTBaia1tvioWh7A", 
            "dp": "vue3TBAlgr8Nkqk6XrMyC1E-IeggVKl-DnggFLCcXzShA1CcLavaLU95t6IwlkXs9AsiLgbkEpsfeSxZrnxcBDRbDYWl3b3hFuSfYAHgZFiW0L9_XkC0-xgvHePkKgcmn3fFHBKZBti2lcnKMHqhw_oFiZbfY4r60mma7TmAoQ0", 
            "alg": "PS256", 
            "dq": "O75nNblt8Fwg6OOM2VyDSqa-sgku1WTMuPKfBnUBH76C6olhuQdY1wwEVc1_asHgNla4yzOPTxKdazLdAPUHIOUrW7cfQJCCyLT-T03y2KxZEtfAd4mV0r-0Q3Addvn3qArr61K6ZNF3L74Wg2FozFDkl6g1jN3B00XMTi27xmU", 
            "n": "k7KVREAwJPKOfJC9Q71ZA3MZyZpv2S0wRDtz4wurqu2kNNd33-pIAkUABnSFDWxHdrXF0lL6fBJ558f5ybLk4rXE4dT0UJQLYxjBONoilkOIbZhXvtd-GWRy6bzmuRMBgUzvULTjCXSUpyllche6uStZFMRrlrRaZYGU1K0MNGmC6VzbKyYU8SJg9T9OupdtVSA0zmRtMeI7tk8-vQceonStkNrBklJ_pbqtFh-UpqRlZABJ-UqTNRY3Cm2x8X_QaEzGA-3eeRk4uNLTPVdgOOKven0lZdePRtdCowfXRxVwGrFGINonZn--gqlVc6rqo2KRIJgSTWXndIsb12G9aQ"
        }
    ]
}

公钥

{
    "keys": [
        {
            "kty": "RSA", 
            "e": "AQAB", 
            "use": "sig", 
            "kid": "client-PS256", 
            "alg": "PS256", 
            "n": "k7KVREAwJPKOfJC9Q71ZA3MZyZpv2S0wRDtz4wurqu2kNNd33-pIAkUABnSFDWxHdrXF0lL6fBJ558f5ybLk4rXE4dT0UJQLYxjBONoilkOIbZhXvtd-GWRy6bzmuRMBgUzvULTjCXSUpyllche6uStZFMRrlrRaZYGU1K0MNGmC6VzbKyYU8SJg9T9OupdtVSA0zmRtMeI7tk8-vQceonStkNrBklJ_pbqtFh-UpqRlZABJ-UqTNRY3Cm2x8X_QaEzGA-3eeRk4uNLTPVdgOOKven0lZdePRtdCowfXRxVwGrFGINonZn--gqlVc6rqo2KRIJgSTWXndIsb12G9aQ"
        }
    ]
}

公钥导入到kecloak中 私钥进行加密
在这里插入图片描述
在这里插入图片描述
私钥加密过程
参考:https://tools.ietf.org/html/rfc7523

      Provider bc = BouncyCastleProviderSingleton.getInstance();
        Security.addProvider(bc);
        //        iss:client1-mtls-PS256-PS256
//        sub:client1-mtls-PS256-PS256
//        aud:http://192.168.11.63:8080/auth/realms/openbanking/protocol/openid-connect/token
//        jti:bMLxAT7Kw0xhDN2ughzy
//        iat:Long.toString(new Date(System.currentTimeMillis()).getTime()
//        exp:Long.toString(new Date(System.currentTimeMillis() + 30 * 60 * 1000).getTime()
        BufferedReader reader = new BufferedReader(new InputStreamReader(Thread.currentThread().getContextClassLoader().getResourceAsStream("ps256jwt.json"), "UTF-8"));
        StringBuilder sb = new StringBuilder();
        String s; // 依次循环,至到读的值为空
        while ((s = reader.readLine()) != null) {
            sb.append(s);
        }
        reader.close();
        String jwks = sb.toString();
        JsonObject claims = new JsonObject();
        claims.addProperty("iss", "client-PS256");
        claims.addProperty("sub", "client-PS256");
        claims.addProperty("aud", "http://localhost:8080/auth/realms/openbanking/protocol/openid-connect/token");
        claims.addProperty("jti", RandomStringUtils.randomAlphanumeric(20));
        Instant iat = Instant.now();
        Instant exp = iat.plusSeconds(60);
        claims.addProperty("iat", iat.getEpochSecond());
        claims.addProperty("exp", exp.getEpochSecond());
        JWTClaimsSet claimSet = JWTClaimsSet.parse(claims.toString());
        JWKSet jwkSet = JWKSet.parse(jwks.toString());
        SignedJWT assertion = null;
        if (jwkSet.getKeys().size() == 1) {
            // figure out which algorithm to use
            JWK jwk = jwkSet.getKeys().iterator().next();
            JWSSigner signer = null;
            if (jwk.getKeyType().equals(KeyType.RSA)) {
                signer = new RSASSASigner((RSAKey) jwk);
            } else if (jwk.getKeyType().equals(KeyType.EC)) {
                signer = new ECDSASigner((ECKey) jwk);
            } else if (jwk.getKeyType().equals(KeyType.OCT)) {
                signer = new MACSigner((OctetSequenceKey) jwk);
            }
            Algorithm alg = jwk.getAlgorithm();
            JWSHeader header = new JWSHeader(JWSAlgorithm.parse(alg.getName()), null, null, null, null, null, null, null, null, null, jwk.getKeyID(), null, null);
            assertion = new SignedJWT(header, claimSet);
            assertion.sign(signer);
        }
        System.out.println(assertion.serialize());
    }

client_assertion

eyJraWQiOiJjbGllbnQtUFMyNTYiLCJhbGciOiJQUzI1NiJ9.eyJzdWIiOiJjbGllbnQtUFMyNTYiLCJhdWQiOiJodHRwOlwvXC9sb2NhbGhvc3Q6ODA4MFwvYXV0aFwvcmVhbG1zXC9vcGVuYmFua2luZ1wvcHJvdG9jb2xcL29wZW5pZC1jb25uZWN0XC90b2tlbiIsImlzcyI6ImNsaWVudC1QUzI1NiIsImV4cCI6MTU5MDcxODAwOSwiaWF0IjoxNTkwNzE3OTQ5LCJqdGkiOiJtUk9lU2p6V2tHU0FCaFRwU3V0dCJ9.anYhhS5CGUXLmQN7VJkVmVqajVLKO62t48yLlp0WPYMRn9rQp7-RpTTVYRctHcLSN5INGbIjO8jJjAl5M3jpE5vGcOa-bzHWJiTGxxwUevwRVru9oCaVdd9ESBH9TOMuiaQyzHCZI5m8uWg_3TSzXxk9p3yAh8SswTEiOuSPGW7EvRZ8T_Q_z_hnJrUqGqYYodMxook1YtZ1TsX58UexbKKXpTLZpTPGaYWkY-DJoQ5_B8vupmcydSgVMH30Z-xpRcHL497l2R3zLBVi5wC1e7zIbVUcKjMaKC7-JpFafeTNFXAorfQ8TD0jYCCTJLZA34ntulRoJ8ptvZs3CGiaPA

curl命令

curl --location --request POST 'http://localhost:8080/auth/realms/openbanking/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=client-PS256' \
--data-urlencode 'client_secret=9563616a-31d2-45ce-94a2-c0109963a134' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=eyJraWQiOiJjbGllbnQtUFMyNTYiLCJhbGciOiJQUzI1NiJ9.eyJzdWIiOiJjbGllbnQtUFMyNTYiLCJhdWQiOiJodHRwOlwvXC9sb2NhbGhvc3Q6ODA4MFwvYXV0aFwvcmVhbG1zXC9vcGVuYmFua2luZ1wvcHJvdG9jb2xcL29wZW5pZC1jb25uZWN0XC90b2tlbiIsImlzcyI6ImNsaWVudC1QUzI1NiIsImV4cCI6MTU5MDcxODAwOSwiaWF0IjoxNTkwNzE3OTQ5LCJqdGkiOiJtUk9lU2p6V2tHU0FCaFRwU3V0dCJ9.anYhhS5CGUXLmQN7VJkVmVqajVLKO62t48yLlp0WPYMRn9rQp7-RpTTVYRctHcLSN5INGbIjO8jJjAl5M3jpE5vGcOa-bzHWJiTGxxwUevwRVru9oCaVdd9ESBH9TOMuiaQyzHCZI5m8uWg_3TSzXxk9p3yAh8SswTEiOuSPGW7EvRZ8T_Q_z_hnJrUqGqYYodMxook1YtZ1TsX58UexbKKXpTLZpTPGaYWkY-DJoQ5_B8vupmcydSgVMH30Z-xpRcHL497l2R3zLBVi5wC1e7zIbVUcKjMaKC7-JpFafeTNFXAorfQ8TD0jYCCTJLZA34ntulRoJ8ptvZs3CGiaPA'

返回结果

{
    "access_token": "eyJhbGciOiJQUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxaGdobFlJUURabU13cVpHbS1HSlFmUGJfU3NnWmk5UWV2Y0tYWFFTUTRVIn0.eyJqdGkiOiJiNDk2OTI4Yy0zZDZmLTQwZDUtYTcwOS00NTZhYjEwNzhkYzciLCJleHAiOjE1OTA3MTgyODEsIm5iZiI6MCwiaWF0IjoxNTkwNzE3OTgxLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvb3BlbmJhbmtpbmciLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiY2M5NTA5M2ItZDM2YS00ZWQ5LWFhZDQtZTVkMDAxZGY3NmRkIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiY2xpZW50LVBTMjU2IiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiZjA4YmZmMGEtNzhkOC00MTI3LWJiYmMtNGRhZGZhNTRjZTcxIiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyJodHRwOi8vbG9jYWxob3N0OjgwODAiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJjbGllbnQtUFMyNTYiOnsicm9sZXMiOlsidW1hX3Byb3RlY3Rpb24iXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoiZW1haWwgcHJvZmlsZSIsImNsaWVudElkIjoiY2xpZW50LVBTMjU2IiwiY2xpZW50SG9zdCI6IjEyNy4wLjAuMSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoic2VydmljZS1hY2NvdW50LWNsaWVudC1wczI1NiIsImNsaWVudEFkZHJlc3MiOiIxMjcuMC4wLjEiLCJlbWFpbCI6InNlcnZpY2UtYWNjb3VudC1jbGllbnQtcHMyNTZAcGxhY2Vob2xkZXIub3JnIn0.k4tENDhWlOTUgJmHO7WHKBNc34KgqW2Cpuo04aeIJXDePTZr4FaC5HlcenfBUQpXwkEnaAuYVA08wIcUAVXRfpUbhRBZmZGNGcclfz3BqTQ8XH5lAiIslVHqJtDDExcADbUXjgv2PASlPSCI7LXy5vLNqO2AIvG-8mFXEx7r5NbIcu12AiZMwXPQYYlWq4iWAx6Zm_LyFoLjKAEvCO5gKNpXAeCDM-UkalGA9JqmFcjRimW_k8p8JGvLpUZiTxYozlTSFcViBm2RkCR2jQjzIgw2o1C2nNwqsp11fHiKCGr9cCRtD_9V33MePv3X8vxPMG3tv0npAY3DdNR_yTDJNw",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIwOGYxYmUyMC04ODU0LTRlYzQtYTllZi1jYTkyOTYzZTY4YmIifQ.eyJqdGkiOiI4YjQ0OWMzYS0yNzM3LTQxNTQtOGRjZi01YThlN2NmMGM3NzkiLCJleHAiOjE1OTA3MTk3ODEsIm5iZiI6MCwiaWF0IjoxNTkwNzE3OTgxLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvb3BlbmJhbmtpbmciLCJhdWQiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvb3BlbmJhbmtpbmciLCJzdWIiOiJjYzk1MDkzYi1kMzZhLTRlZDktYWFkNC1lNWQwMDFkZjc2ZGQiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoiY2xpZW50LVBTMjU2IiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiZjA4YmZmMGEtNzhkOC00MTI3LWJiYmMtNGRhZGZhNTRjZTcxIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJjbGllbnQtUFMyNTYiOnsicm9sZXMiOlsidW1hX3Byb3RlY3Rpb24iXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoiZW1haWwgcHJvZmlsZSJ9.kBZtPPTLY1grDosKUSywxs8TIjm7ghq9GJp5KKJITBM",
    "token_type": "bearer",
    "not-before-policy": 0,
    "session_state": "f08bff0a-78d8-4127-bbbc-4dadfa54ce71",
    "scope": "email profile"
}

(2)使用工具生成公钥私钥
https://github.com/hkj123/jwk-keygen.git

curl -s -L https://github.com/openstandia/jwk-keygen/releases/download/v0.1/jwk-keygen-v0.1-linux-amd64.tar.gz | tar zx -C .bin

mkdir -p .bin
    curl -s -L https://github.com/openstandia/jwk-keygen/releases/download/v0.1/jwk-keygen-v0.1-linux-amd64.tar.gz | tar zx -C .bin
    PATH=$PATH:.bin
    
jwk-keygen --use=sig --format --jwks --pem --pem-body --alg=PS256 --kid=client1-PS256
jwk-keygen --use=sig --format --jwks --pem --pem-body --alg=PS256 --kid=client2-PS256

执行完毕会生成
在这里插入图片描述
在这里插入图片描述
导入client 私钥
在这里插入图片描述
获取keycloak公钥

curl --location --request GET 'http://localhost:8080/auth/realms/openbanking/protocol/openid-connect/certs'
  1. "client_secret_jwt"获取 id_token
    相关依赖
<dependency>
            <groupId>org.bouncycastle</groupId>
            <artifactId>bcprov-jdk15on</artifactId>
            <version>1.60</version>
        </dependency>

        <dependency>
            <groupId>commons-codec</groupId>
            <artifactId>commons-codec</artifactId>
            <version>1.14</version>
        </dependency>

        <!-- https://mvnrepository.com/artifact/org.apache.commons/commons-text -->
        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-text</artifactId>
            <version>1.8</version>
        </dependency>

跳转路径生成
在这里插入图片描述

public static void main(String[] args) throws Exception{
        Provider bc = BouncyCastleProviderSingleton.getInstance();
        Security.addProvider(bc);
        String pdpUrl = "https://qms-obp-pdp-test.qloudobp.service.sd";
        String realmName = "openbanking";
        String client_id = "client1-mtls-RS256-RS256";
        String redirect_uri = "http://192.168.11.253:8888/v3/hello";
        String scope = "openid%20accounts";
        String state = "WBMDzUQtKO";
        String nonce = "axo5pyKHfk";
        String response_type = "code id_token";

        // https://tools.ietf.org/html/rfc7636#section-4.1
        char [][] pairs = {
                {'A','Z'},
                {'a','z'},
                {'0','9'},
                {'-','-'},
                {'.','.'},
                {'_','_'},
                {'~','~'},
        };
        final SecureRandom rand = new SecureRandom();
        RandomStringGenerator generator = new RandomStringGenerator.Builder()
                .usingRandom(rand::nextInt)
                .withinRange(pairs).build();
        // test maximum permitted length
        String code_verifier = generator.generate(128);

        byte[] bytes = code_verifier.getBytes(StandardCharsets.US_ASCII);
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(bytes, 0, bytes.length);
        byte[] digest = md.digest();
        String code_challenge = org.apache.commons.codec.binary.Base64.encodeBase64URLSafeString(digest);
        String code_challenge_method = "S256";
        StringBuffer bufferAud = new StringBuffer();
        bufferAud.append(pdpUrl);
        bufferAud.append("/auth/realms/");
        bufferAud.append(realmName);
        bufferAud.append("/protocol/openid-connect/auth");
        bufferAud.append("?client_id="+client_id);
        bufferAud.append("&redirect_uri="+redirect_uri);
        bufferAud.append("&scope="+scope);
        bufferAud.append("&state="+state);
        bufferAud.append("&nonce="+nonce);
        bufferAud.append("&response_type="+response_type);
        bufferAud.append("&code_challenge="+code_challenge);
        bufferAud.append("&code_challenge_method="+code_challenge_method);
        String path = bufferAud.toString();
        System.out.println(path);
    }

https://qms-obp-pdp-test.qloudobp.service.sd/auth/realms/openbanking/protocol/openid-connect/auth?client_id=client1-mtls-RS256-RS256&redirect_uri=http://192.168.11.253:8888/v3/hello&scope=openid%20accounts&state=WBMDzUQtKO&nonce=axo5pyKHfk&response_type=code

返回值:
在这里插入图片描述
解析后的参数
在这里插入图片描述

彻骨寒风
关注
专栏目录
keycloak 微服务认证_微服务统一认证,OAuth2 的认证流程
weixin_39737764的博客
12-01 816
随着微服务的兴起,OAuth2也火了起来,由于其自身的优势,俨然已成为微服务API服务接口安全防护的首选。啥是 OAuth2OAuth2(Open Authorization,开放授权)是OAuth的升级版本。OAuth 是一个开放标准,允许用户让第三方应用访问该用户在某一网站上存储的私密的资源(如照片,视频,联系人列表),而无需将用户名和密码提供给第三方应用。OAuth允许用户提供一个令牌给第三...
史上最全的keycloak部署与启动教程
最新发布
qq_31532979的博客
07-31 1739
Keycloak是一个开源的身份和访问管理解决方案,它提供了OIDC(OpenID Connect)、OAuth 2.0和SAML 2.0等通用认证和授权协议的支持。下面将解释这些概念和相关知识。OIDC(OpenID Connect)是一个构建在OAuth 2.0之上的认证协议,它允许用户使用一个统一的身份标识(OpenID)进行身份验证和授权。OIDC在OAuth 2.0的基础上添加了身份验证的能力,使得应用程序可以获得用户信息,并且可以验证这些信息的真实性。
Keycloak入门指南
白石的专栏
02-17 3289
Keycloak入门指南
Keycloak Oauth2.0流程 --- Angular前端 + Django后端 + Keycloak 实现SSO功能
wdquan19851029的专栏
01-07 5749
前言: 一个企业往往拥有多个应用系统,如果每个应用都有独立的用户认证和授权管理功能,这不仅需要运维人员维护多套用户管理系统,用户使用每个系统时都要登录一次,非常不方便。如果能够将所有应用系统的用户集中管理,用户就使用一套用户名登录所有系统,这将会大大改善用户体验。本文前端Angular, 后端Django,基于Keycloak搭建单点登录系统。 前端代码部署到nginx, 前后端代码分开部署 前端Angular集成Keycloak: 前端要怎样集成Keycloak呢? 本文提供两种方式 ...
keycloak-2fa-sms-authenticator:Keycloak身份验证提供程序实现,用于通过通过SMS(通过AWS SNS)发送的OTPcodetoken获得第二因素身份验证。 仅用于演示!
05-18
Keycloak 2FA SMS身份验证器 Keycloak身份验证提供程序实现,以通过通过SMS(通过AWS SNS)发送的OTP /代码/令牌获得第二因素身份验证。 仅用于演示! 不幸的是,我还没有真正的自述文件。 责怪我! 但是,就目前而言,您至少可以在这里阅读我的博客文章有关该增效剂的信息: 或者,只需观看有关此2FA SMS SPI的视频:
keycloak 认证服务
热门推荐
刘毅的博客
11-16 2万+
文章目录1. 概述1.1 架构1.1.1 认证流程1.1.2 认证服务1.2 术语1.2.1 资源服务器(Resource Server)1.2.2 资源(Resource)1.2.3 范围(Scope)1.2.4 权限(Permission)1.2.5 策略(Policy)1.2.6 策略提供者(Policy Provider)1.2.7 权限票据(Permission Ticket)2 入门指...
认证和授权系列主题:keycloak界面配置认证流程详解
Larry的博客
03-02 8315
本文转自:彻骨寒风 keycloak设置master登录用户 keycloak 管理界面 keycloak 获取用户token 创建我们自己的域 添加域的用户 设置密码 创建client(普通用户登录 设置public) 查看openid配置详情 接口:http://localhost:8080/auth/realms/{创建的realm名字}/.well-known/openid-configuration 示例:http://localhos..
keycloak 微服务认证_VMware vRA8集成KeyCloak认证
weixin_39967938的博客
12-03 451
概述 企业中一般都有自己的单点登录认证(SSO)服务器负责业务系统(移动端、应用服务器、Web等)的认证,而VMware产品通常与vIDM集成,这样企业就有两个SSO服务器,用户体验非常不好; 伴随信息化的发展,企业内部的管理系统也越来越多,每次都进行登录,影响使用和运维效率,更有用户每套系统一套账户和密码,只能靠Excel记录了,不仅登录繁琐,且存在安全隐患;所以一套统一身份认证系统和单点登录系...
【Django-keycloak认证keycloak认证
Season CSDN博客
07-28 365
【Django-keycloak认证keycloak认证
keycloak集群部署配置
11-05
### Keycloak集群部署配置知识点详解 #### 一、Keycloak简介 Keycloak是一个开源的身份管理和访问控制解决方案,专为现代应用程序和服务设计。它提供了一系列功能,包括认证、授权、单点登录(Single Sign-On, SSO...
输入注册策略服务器url,Keycloak 13 自定义用户身份认证流程(User Storage SPI)
weixin_32578799的博客
07-29 1589
Keycloak版本:13.0.0spring-boot 项目 Githubuser-storage-spi 项目 Github介绍Keycloak 是为现代应用程序和服务提供的一个开源的身份和访问管理的解决方案。Keycloak 在测试环境可以使用内嵌数据库,生产环境需要重新配置数据库。以下将一一介绍如何使用内嵌数据库、重新配置数据库。特别需要注意 Keycloak 是在 WildFly 上构建...
【微服务】spring读取配置文件多种方式深入详解
congge
04-21 7814
spring读取配置文件多种方式深入详解
【微服务】springcloud-alibaba 配置多环境管理使用详解
congge
06-10 6385
springcloud-alibaba 配置多环境管理使用详解
spring security认证过程详解
CVPR收割机的博客
04-18 3922
在 Web 应用中这是通过 SecurityContextPersistentFilter 实现的,默认情况下其会在每次请求开始的时候从 session 中获取 SecurityContext,然后把它设置给 SecurityContextHolder,在请求结束后又会将 SecurityContextHolder 所持有的 SecurityContext 保存在 session 中,并且清除 SecurityContextHolder 所持有的 SecurityContext。
什么是Keycloak?怎么样使用Keycloak实现登录和权限验证?
m0_63144319的博客
05-14 2157
在下面的配置文件中需要主要需要配置的是realm(你创建的realm的名称),resource(Clients 的id名称), credentials secret(你的Clients的密钥),其他都是固定的,可以照搬我下面的配置文件。根据网上博主的分享和官方的文档,上述操作是可以实现的,但是在我创建之后发现报错,只能访问公共页面,登录之后admin连user.html都不能访问,报错就是权限的问题。来访问admin页面,并验证权限,现在是user角色登录,所以登录权限不够(报403错误,权限不足)
Kubernetes 整合 keycload 实现 OIDC 认证
CodingDemo
06-15 739
Kubernetes 使用 keycload 实现 OIDC 认证
concat效率 mysql_Mysql 之concat语法
weixin_39860952的博客
12-21 87
在使用keycloak集成springboot的过程中,对于需要授权访问的接口,它会跳到keycloak里进行登录,之前有个redirect_uri,登录成功后会跳回本客户端,而这个地址默认没有修改的地方,需要我们手动开发,这块不是很方便。拉勾IT课小编为大家分解自定义redirect_uri一 重写BeanPostProcessor来实现@Componentpublic class Keyclo...
KeyCloak 管理 OpenID Connect 和 SAML 客户端
xy的博客
09-12 546
theme: cyanosis 参考 Server Administration Guide (keycloak.org) 管理 OpenID Connect 客户端 创建 OpenID 连接客户端 单击菜单中的客户端。 单击创建客户端。 将 “客户端类型”设置为“OpenID 连接”。 输入客户端 ID。 此 ID 是一个字母数字字符串,用于 OIDC 请求和 Keycloak...
Spring Security 身份认证流程详解:从基础到实践
Spring Security 身份认证流程讲解 Spring Security 是一个功能强大且复杂的身份认证框架,对于 JavaEE 工程师来说是一个不可避免的领域。下面我们将详细介绍 Spring Security 中的身份认证流程。 一、身份认证和...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值