keycloak授权流程详解

最新推荐文章于 2024-07-31 13:19:25 发布
最新推荐文章于 2024-07-31 13:19:25 发布
阅读量1.9w 收藏 7
点赞数 3
分类专栏: keycloak 文章标签: java docker spring boot https http
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_33430322/article/details/106420202
版权

授权流程(PS256)


这里需要注意 client一般默认一种加密方式(RS256) 我是修改源码之后才能使用PS256 

package org.keycloak.keys.loader;

import org.jboss.logging.Logger;
import org.keycloak.authentication.authenticators.client.JWTClientAuthenticator;
import org.keycloak.common.util.KeyUtils;
import org.keycloak.crypto.Algorithm;
import org.keycloak.crypto.KeyType;
import org.keycloak.crypto.KeyUse;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.jose.jwk.JSONWebKeySet;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.keys.PublicKeyLoader;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelException;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.utils.JWKSHttpUtils;
import org.keycloak.representations.idm.CertificateRepresentation;
import org.keycloak.services.util.CertificateInfoHelper;
import org.keycloak.services.util.ResolveRelative;
import org.keycloak.util.JWKSUtils;
import org.keycloak.util.JsonSerialization;

import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Map;

/**
 * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
 */
public class ClientPublicKeyLoader implements PublicKeyLoader {

    private static final Logger logger = Logger.getLogger(ClientPublicKeyLoader.class);

    private final KeycloakSession session;
    private final ClientModel client;
    private final JWK.Use keyUse;

    public ClientPublicKeyLoader(KeycloakSession session, ClientModel client) {
        this.session = session;
        this.client = client;
        this.keyUse = JWK.Use.SIG;
    }

    public ClientPublicKeyLoader(KeycloakSession session, ClientModel client, JWK.Use keyUse) {
        this.session = session;
        this.client = client;
        this.keyUse = keyUse;
    }

    @Override
    public Map<String, KeyWrapper> loadKeys() throws Exception {
        OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientModel(client);
        try {
            logger.debugv( "oidc advancedConfig is {0}", JsonSerialization.writeValueAsPrettyString( config ) );
        } catch (Exception cause) {

        }

        if (config.isUseJwksUrl()) {
            String jwksUrl = config.getJwksUrl();
            jwksUrl = ResolveRelative.resolveRelativeUri(session.getContext().getUri().getRequestUri(), client.getRootUrl(), jwksUrl);
            JSONWebKeySet jwks = JWKSHttpUtils.sendJwksRequest(session, jwksUrl);
            return JWKSUtils.getKeyWrappersForUse(jwks, keyUse);
        } else if (keyUse == JWK.Use.SIG) {
            try {
                CertificateRepresentation certInfo = CertificateInfoHelper.getCertificateFromClient(client, JWTClientAuthenticator.ATTR_PREFIX);
                KeyWrapper publicKey = getSignatureValidationKey(certInfo);
                return Collections.singletonMap(publicKey.getKid(), publicKey);
            } catch (ModelException me) {
                logger.warnf(me, "Unable to retrieve publicKey for verify signature of client '%s' . Error details: %s", client.getClientId(), me.getMessage());
                return Collections.emptyMap();
            }
        } else {
            logger.warnf("Unable to retrieve publicKey of client '%s' for the specified purpose other than verifying signature", client.getClientId());
            return Collections.emptyMap();
        }
    }

    private static KeyWrapper getSignatureValidationKey(CertificateRepresentation certInfo) throws ModelException {
        KeyWrapper keyWrapper = new KeyWrapper();
        String encodedCertificate = certInfo.getCertificate();
        String encodedPublicKey = certInfo.getPublicKey();

        if (encodedCertificate == null && encodedPublicKey == null) {
            throw new ModelException("Client doesn't have certificate or publicKey configured");
        }

        if (encodedCertificate != null && encodedPublicKey != null) {
            throw new ModelException("Client has both publicKey and certificate configured");
        }

        //here ...................
//        keyWrapper.setAlgorithm(Algorithm.RS256);
//注意这里
        keyWrapper.setAlgorithm(Algorithm.PS256);
        keyWrapper.setType(KeyType.RSA);
        keyWrapper.setUse(KeyUse.SIG);
        String kid = null;
        if (encodedCertificate != null) {
            X509Certificate clientCert = KeycloakModelUtils.getCertificate(encodedCertificate);
            // Check if we have kid in DB, generate otherwise
            kid = certInfo.getKid() != null ? certInfo.getKid() : KeyUtils.createKeyId(clientCert.getPublicKey());
            keyWrapper.setKid(kid);
            keyWrapper.setPublicKey(clientCert.getPublicKey());
            keyWrapper.setCertificate(clientCert);
            logger.debug("getSignatureValidationKey * * * get the kid"+kid+"keyWrapper"+keyWrapper.toString());
        } else {
            logger.debugf( "encodedPublicKey is %s", encodedPublicKey );
            PublicKey publicKey = KeycloakModelUtils.getPublicKey(encodedPublicKey);
            logger.debugv( "public key algo", publicKey.getAlgorithm() );
            // Check if we have kid in DB, generate otherwise
            kid = certInfo.getKid() != null ? certInfo.getKid() : KeyUtils.createKeyId(publicKey);
            keyWrapper.setKid(kid);
            //注意这里
            keyWrapper.setAlgorithm( Algorithm.PS256 );
            keyWrapper.setPublicKey(publicKey);
        }
        return keyWrapper;
    }


}

client配置

在这里插入图片描述
在这里插入图片描述

公钥私钥生成

        RSAKey privateKey = new RSAKeyGenerator(2048)
                .algorithm(JWSAlgorithm.PS256)
                .keyUse(KeyUse.SIGNATURE)
                .keyID("client-PS256")
                .generate();
        RSAKey publicKey = privateKey.toPublicJWK();

私钥

{
    "keys": [
        {
            "p": "77_7i2uGN6RxaCU6m217guw2gdLeknEbi34IeJpvK5xqufrs00aMCqnCXwWAEsqCm3CmITdhTPNZSemETcsouW82NiHQ_cbI7agNpAaTU6kRdzaOVyJSJgs-pmxgFMbgkBmIHZbbtdrpIykTHlhmilPnRhQvwN3N_7eymmbXPe0", 
            "kty": "RSA", 
            "q": "nbVbCk7BMP1syPPR0IUbDwYmLkFnUL6TXgXA4o-3IIdP-bFJKc2ONTxtsLl-Q-H2dDKugjHe-AyVvVRmiMUna2VVEUbG3I6z0mvok19fC9Gd7kCalJuXfNBnJVyoJfCfOmDn3RepYUP7mWUAmlbtMxbud0-F90T60vIgewPN7e0", 
            "d": "COuCJEsUHUcg39kF9S9cTt8GsaxIEP-vqI9GonGz_nC3uBFDRhyqGKj-JWWoG3Vso3i658bnJdMf1aW4KjxJon-D0nfAAZXPUj7OfJZ__D874BKRSg9NqE7uubsU3ByPvLVexqsGAy4tRCM14zwXpNM_YAe0z7c4tmSrDmUdFZUpt8YhL33jPi5KDaxtEdMrbL2OKIdrolJjJnX7loVJcSneM7bXvx-6ieDfO8HgMlmnpik3t_9HVeJ1-o30ndv5KsVG1i7NtTDgAGTqbInHD7WdRLIzgTbXTmoAWY4ccHeDNzh6S_9jKk_sQE9A1oLFUmL-7qtk8qnl9ZBDoxGIYQ", 
            "e": "AQAB", 
            "use": "sig", 
            "kid": "client-PS256", 
            "qi": "AiADA77A6JGn1iOEd2CM0c17LK6AzpGkVUzMfI_yoIzwpaJh41zd77nO_xe49e0FQNEEIjh__C4svctz7RA_90pteFDQ8TBoSmm8j6Jb-BdaDVIt_Ax77RRAiPD5ZSSqj-XzkjIUCNjghWjDz6H_k1FbcBA-lTBaia1tvioWh7A", 
            "dp": "vue3TBAlgr8Nkqk6XrMyC1E-IeggVKl-DnggFLCcXzShA1CcLavaLU95t6IwlkXs9AsiLgbkEpsfeSxZrnxcBDRbDYWl3b3hFuSfYAHgZFiW0L9_XkC0-xgvHePkKgcmn3fFHBKZBti2lcnKMHqhw_oFiZbfY4r60mma7TmAoQ0", 
            "alg": "PS256", 
            "dq": "O75nNblt8Fwg6OOM2VyDSqa-sgku1WTMuPKfBnUBH76C6olhuQdY1wwEVc1_asHgNla4yzOPTxKdazLdAPUHIOUrW7cfQJCCyLT-T03y2KxZEtfAd4mV0r-0Q3Addvn3qArr61K6ZNF3L74Wg2FozFDkl6g1jN3B00XMTi27xmU", 
            "n": "k7KVREAwJPKOfJC9Q71ZA3MZyZpv2S0wRDtz4wurqu2kNNd33-pIAkUABnSFDWxHdrXF0lL6fBJ558f5ybLk4rXE4dT0UJQLYxjBONoilkOIbZhXvtd-GWRy6bzmuRMBgUzvULTjCXSUpyllche6uStZFMRrlrRaZYGU1K0MNGmC6VzbKyYU8SJg9T9OupdtVSA0zmRtMeI7tk8-vQceonStkNrBklJ_pbqtFh-UpqRlZABJ-UqTNRY3Cm2x8X_QaEzGA-3eeRk4uNLTPVdgOOKven0lZdePRtdCowfXRxVwGrFGINonZn--gqlVc6rqo2KRIJgSTWXndIsb12G9aQ"
        }
    ]
}

公钥

{
    "keys": [
        {
            "kty": "RSA", 
            "e": "AQAB", 
            "use": "sig", 
            "kid": "client-PS256", 
            "alg": "PS256", 
            "n": "k7KVREAwJPKOfJC9Q71ZA3MZyZpv2S0wRDtz4wurqu2kNNd33-pIAkUABnSFDWxHdrXF0lL6fBJ558f5ybLk4rXE4dT0UJQLYxjBONoilkOIbZhXvtd-GWRy6bzmuRMBgUzvULTjCXSUpyllche6uStZFMRrlrRaZYGU1K0MNGmC6VzbKyYU8SJg9T9OupdtVSA0zmRtMeI7tk8-vQceonStkNrBklJ_pbqtFh-UpqRlZABJ-UqTNRY3Cm2x8X_QaEzGA-3eeRk4uNLTPVdgOOKven0lZdePRtdCowfXRxVwGrFGINonZn--gqlVc6rqo2KRIJgSTWXndIsb12G9aQ"
        }
    ]
}

request加密

claims

{
    "aud": "http://localhost:8080/auth/realms/openbanking", 
    "claims": {
        "id_token": {
            "openbanking_intent_id": {
                "essential": true, 
                "value": "64a7d936-c063-45a9-bc81-40e851bc5d30"
            }
        }
    }, 
    "client_id": "client-PS256", 
    "exp": 1581680397, 
    "iss": "client-PS256", 
    "nonce": "SqoQKopVco", 
    "redirect_uri": "http://localhost:8080/v3/hello", 
    "response_type": "code id_token", 
    "scope": "openid accounts", 
    "state": "0nidnhEdvX"
}

header

{
    "kid": "client-PS256", 
    "typ": "JWT", 
    "alg": "PS256"
}

加密代码

public static void main(String[] args) throws Exception {
        Provider bc = BouncyCastleProviderSingleton.getInstance();
        Security.addProvider(bc);
        String pdpAddress = "http://localhost:8080";
        String realmName = "openbanking";
        String clientId = "client-PS256";
        String redirectClientId = "client-PS256";
        String clienSecret = "9563616a-31d2-45ce-94a2-c0109963a134";
        String client_alg = "PS256";
        String kid = "client-PS256";
        String openbankingIntentIdValue = "64a7d936-c063-45a9-bc81-40e851bc5d30";
        String state = "0nidnhEdvX";
        String nonce = "SqoQKopVco";
        String uri = "http://localhost:8080/v3/hello";
        OpenbankingIntentId openbankingIntentId = new OpenbankingIntentId();
        openbankingIntentId.setValue(openbankingIntentIdValue);
        openbankingIntentId.setEssential(true);
        IdToken idToken = new IdToken();
        idToken.setOpenbanking_intent_id(openbankingIntentId);
        ClaimsModel claimsModel = new ClaimsModel();
        claimsModel.setId_token(idToken);
        Claims claims = new Claims();
        StringBuffer bufferAud = new StringBuffer();
        bufferAud.append(pdpAddress);
        bufferAud.append("/auth/realms/");
        bufferAud.append(realmName);
        String aud = bufferAud.toString();
        claims.setAud(aud);
        claims.setScope("openid accounts");
        claims.setClaims(claimsModel);
        claims.setIss(clientId);
        claims.setResponse_type("code id_token");
        claims.setRedirect_uri(uri);
        claims.setState(state);
        claims.setNonce(nonce);
        claims.setExp(new Long(new Date(new Date().getTime() + 5 * 60 * 1000).getTime()).intValue());
        claims.setClient_id(clientId);

        JSONObject json = JSONObject.fromObject(claims);
        String requestObjectClaims = json.toString();
        BufferedReader reader = new BufferedReader(new InputStreamReader(Thread.currentThread().getContextClassLoader().getResourceAsStream("ps256jwt.json"), "UTF-8"));
        StringBuilder sb = new StringBuilder();
        String s; // 依次循环,至到读的值为空
        while ((s = reader.readLine()) != null) {
            sb.append(s);
        }
        reader.close();
        String jwks = sb.toString();
        JWTClaimsSet claimSet = JWTClaimsSet.parse(requestObjectClaims);
        JWKSet jwkSet = JWKSet.parse(jwks);
        if (jwkSet.getKeys().size() == 1) {
            // figure out which algorithm to use
            JWK jwk = jwkSet.getKeys().iterator().next();
            JWSSigner signer = null;
            if (jwk.getKeyType().equals(KeyType.RSA)) {
                signer = new RSASSASigner((RSAKey) jwk);
            } else if (jwk.getKeyType().equals(KeyType.EC)) {
                signer = new ECDSASigner((ECKey) jwk);
            } else if (jwk.getKeyType().equals(KeyType.OCT)) {
                signer = new MACSigner((OctetSequenceKey) jwk);
            }
            JWSHeader header = new JWSHeader(JWSAlgorithm.parse(client_alg), JOSEObjectType.JWT, null, null, null, null, null, null, null, null, kid, null, null);
            SignedJWT requestObject = new SignedJWT(header, claimSet);
            requestObject.sign(signer);
//            logger.debug("**********claims" + claimSet.toString());
//            logger.debug("**********header" + header.toString());
//            logger.debug("**********requestObject" + requestObject.serialize());
//            logger.debug("**********key" + jwk.toJSONString());
            StringBuffer buffer = new StringBuffer();
            buffer.append(pdpAddress);
            buffer.append("/auth/realms/");
            buffer.append(realmName);
            buffer.append("/protocol/openid-connect/auth?request=");
            buffer.append(requestObject.serialize());
            buffer.append("&client_id=");
            buffer.append(redirectClientId);
            buffer.append("&redirect_uri=");
            buffer.append(uri);
            buffer.append("&scope=openid%20accounts&response_type=code%20id_token");
            String path = buffer.toString();
//            logger.debug("**********path" + path);
//            resultMap.put("path", path);
            System.out.println("path*****" + path);
        }

    }

生成授权跳转页面地址

http://localhost:8080/auth/realms/openbanking/protocol/openid-connect/auth?request=eyJraWQiOiJjbGllbnQtUFMyNTYiLCJ0eXAiOiJKV1QiLCJhbGciOiJQUzI1NiJ9.eyJhdWQiOiJodHRwOlwvXC9sb2NhbGhvc3Q6ODA4MFwvYXV0aFwvcmVhbG1zXC9vcGVuYmFua2luZyIsInNjb3BlIjoib3BlbmlkIGFjY291bnRzIiwiY2xhaW1zIjp7ImlkX3Rva2VuIjp7Im9wZW5iYW5raW5nX2ludGVudF9pZCI6eyJ2YWx1ZSI6IjY0YTdkOTM2LWMwNjMtNDVhOS1iYzgxLTQwZTg1MWJjNWQzMCIsImVzc2VudGlhbCI6dHJ1ZX19fSwiaXNzIjoiY2xpZW50LVBTMjU2IiwicmVzcG9uc2VfdHlwZSI6ImNvZGUgaWRfdG9rZW4iLCJyZWRpcmVjdF91cmkiOiJodHRwOlwvXC9sb2NhbGhvc3Q6ODA4MFwvdjNcL2hlbGxvIiwic3RhdGUiOiIwbmlkbmhFZHZYIiwiZXhwIjoxNTgxOTIxMTk4LCJub25jZSI6IlNxb1FLb3BWY28iLCJjbGllbnRfaWQiOiJjbGllbnQtUFMyNTYifQ.TqSYiATjGMk_aHxMliYP5jzANnnCOlAjF8H5fG99g9AEPa3asWhAJJVleXoekf5T56PRYWBEqjcTqJDrTYmthTEoSIAgGd7zalztt1TuWa-0FND43VzdsC2CEsh9B7BbNraROVMY1AKBzrPeTeEdgasH-RBVj-f9dQkIhFrJWplmXEZSZ0ZyvvcelWZqklfeSWH_3OCVlmUkf5TxJLtoXpHYlWZOTe_exm-jeKK_jWzuNsBvcAAVnfDG15EgZH6M8buecXtlatnOzM-SKWxPzfxlfg4HX8e8IPkANDoemCpQCZfPvblzHfBOdl0fk5mY9LQpaz-iHgDDCEtlkAIpFA&client_id=client-PS256&redirect_uri=http://localhost:8080/v3/hello&scope=openid%20accounts&response_type=code%20id_token

授权跳转返回 code

在这里插入图片描述

{
 http://localhost:8080/auth/realms/openbanking/login-actions/authenticate?session_code=2iFMm2p6Hk3ynNwaQqDF6MRnoAuMiUn8ltUltgXfCCA&execution=b5a519cd-ce00-48fe-a890-72e4bf7fd5a1&client_id=client-RS256&tab_id=r2S0SP5L16Q
}

http://localhost:8888/v3/hello#state=0nidnhEdvX&session_state=89e57637-5e0d-4f26-b9b2-05b64bdd183a&code=f0b38a8a-1273-4b34-8f21-bbe2e1edbcfd.89e57637-5e0d-4f26-b9b2-05b64bdd183a.840ce672-051a-4630-a4bd-9eff8573ce4d
&id_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJpdmhsSndKdm8xWlNzX1BuTTE0Q1ZFSG5fTUJ3cE5UMkQwSTlFQkFkZEw4In0.eyJqdGkiOiI4NDJjYmNlZS03MGM5LTQ0MzgtOGJhNi1kODhkMzliYmM3YTAiLCJleHAiOjE1OTA3MjIyNTIsIm5iZiI6MCwiaWF0IjoxNTkwNzIxOTUyLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvb3BlbmJhbmtpbmciLCJhdWQiOiJjbGllbnQtUlMyNTYiLCJzdWIiOiJmMTUzYmIwZS0wMDczLTQ1ZWMtODU5NC1mMzJjODQ4ZjhmYWIiLCJ0eXAiOiJJRCIsImF6cCI6ImNsaWVudC1SUzI1NiIsIm5vbmNlIjoiU3FvUUtvcFZjbyIsImF1dGhfdGltZSI6MTU5MDcyMTk1Miwic2Vzc2lvbl9zdGF0ZSI6Ijg5ZTU3NjM3LTVlMGQtNGYyNi1iOWIyLTA1YjY0YmRkMTgzYSIsImNfaGFzaCI6IlVmMHNkakVLRHhxSV9EeW4ydmV4RUEiLCJhY3IiOiIxIiwic19oYXNoIjoiZm9GbUZmUWZyTXhLWVpOTnc5SGRRQSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoib3BlbmJhbmtpbmcifQ.RyG8eCt4gCdbC1yTyi69Xl4y3397IWlCkjG0J2LdoSMaLjpi9RBMc9louH1moqfOZewJMhuF27E4DXFFbcT9fiXHLFIfRhWHDRJP5CPKVIyjBMrmF2GiPCsNyCX1cAuINc5WujTKL49xGe1FmhYdkxDxJgnVAqQXab89VXQbRk1sctc2nYGaw6q2I9pOQtivbpYrZfl2Ttegvvq4P3I2L_e3v5XskS4VMxtjAwFWngnHjOXYDLPPLmNY-mwmn-Bvl35BiP2yaq9WQKb0TiUOTnDlX_84HmxFtv6yeE65qUIIr7xcBVvF1P6JmAj2eeC4wNnkc0lN0N8Qm1MTlAOyuQ

authorization_code 获取token (只能使用一次)

client必须切换为
在这里插入图片描述

curl --location --request POST 'http://localhost:8080/auth/realms/openbanking/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'code=f0b38a8a-1273-4b34-8f21-bbe2e1edbcfd.89e57637-5e0d-4f26-b9b2-05b64bdd183a.840ce672-051a-4630-a4bd-9eff8573ce4d' \
--data-urlencode 'redirect_uri=http://localhost:8888/v3/hello' \
--data-urlencode 'client_id=client-RS256' \
--data-urlencode 'client_secret=cd949e24-1c96-4ea4-9cb8-03f61aa6c601'

获取到的token id_token中携带的是授权信息

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJpdmhsSndKdm8xWlNzX1BuTTE0Q1ZFSG5fTUJ3cE5UMkQwSTlFQkFkZEw4In0.eyJqdGkiOiIxMmNhZDI0Yy1kMGUzLTQ3YzctOGQwNy0wMGU4ODAyOTg4NWUiLCJleHAiOjE1OTA3MjI3MTUsIm5iZiI6MCwiaWF0IjoxNTkwNzIyNDE1LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvb3BlbmJhbmtpbmciLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiZjE1M2JiMGUtMDA3My00NWVjLTg1OTQtZjMyYzg0OGY4ZmFiIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiY2xpZW50LVJTMjU2Iiwibm9uY2UiOiJTcW9RS29wVmNvMSIsImF1dGhfdGltZSI6MTU5MDcyMjM5Mywic2Vzc2lvbl9zdGF0ZSI6IjNjZTkzOTVhLWI3YjQtNGQ2Ni05NjRlLTQ4MzcxMzhmNTFiOCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovL2xvY2FsaG9zdDo4ODg4Il0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoib3BlbmJhbmtpbmcifQ.IafBnpwO0nj6JfLx6QnE-bmMYIlhiSrdY7cVPkh1vk6QQbs1XnBVW8ItBmsNdBjZblycPEUQF9C7Ud3GHwOQroKJn99t-Ytsskvy7crQUBeo0GTpVtpvsM2MLvGgKRWUVH31VVL24z-M5POaBAkNiAsGqcgViQCBApIPUP5qFGoNxbyNZAftEiIX_gvygjqN91Telh5aUflsN8FYssKnbKUnNr4TGFs1avTIDYvXToNJDra99GjydgsLkoRU7kp0pjYX8H-VAxXc9jnqkJphfSzdFsYIkVjmxHhKAAD_3IXKM-83yipR5eq_2uSJq_w4ibExp-N0CyqC71pvt0pSEA",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI2YmNkZmNkNy1kOTQ2LTRkNzUtYWQxMi1mZjE0ZGYxZTM4MGMifQ.eyJqdGkiOiI5NDUxOTFhOS0zYWEzLTRlYWQtYTcyYi03YWJhZWMxN2M3NWQiLCJleHAiOjE1OTA3MjQyMTUsIm5iZiI6MCwiaWF0IjoxNTkwNzIyNDE1LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvb3BlbmJhbmtpbmciLCJhdWQiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvb3BlbmJhbmtpbmciLCJzdWIiOiJmMTUzYmIwZS0wMDczLTQ1ZWMtODU5NC1mMzJjODQ4ZjhmYWIiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoiY2xpZW50LVJTMjU2Iiwibm9uY2UiOiJTcW9RS29wVmNvMSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjNjZTkzOTVhLWI3YjQtNGQ2Ni05NjRlLTQ4MzcxMzhmNTFiOCIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCJ9.sZFYkOf-KgHlaCbOAOofiIr_Dq5xcqLHgdPGmr9za-8",
    "token_type": "bearer",
    "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJpdmhsSndKdm8xWlNzX1BuTTE0Q1ZFSG5fTUJ3cE5UMkQwSTlFQkFkZEw4In0.eyJqdGkiOiJjNjZmMDE3Zi05OGU5LTQ5ZjMtOWJkNi1lNGY5OGRhOTE0MjEiLCJleHAiOjE1OTA3MjI3MTUsIm5iZiI6MCwiaWF0IjoxNTkwNzIyNDE1LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvb3BlbmJhbmtpbmciLCJhdWQiOiJjbGllbnQtUlMyNTYiLCJzdWIiOiJmMTUzYmIwZS0wMDczLTQ1ZWMtODU5NC1mMzJjODQ4ZjhmYWIiLCJ0eXAiOiJJRCIsImF6cCI6ImNsaWVudC1SUzI1NiIsIm5vbmNlIjoiU3FvUUtvcFZjbzEiLCJhdXRoX3RpbWUiOjE1OTA3MjIzOTMsInNlc3Npb25fc3RhdGUiOiIzY2U5Mzk1YS1iN2I0LTRkNjYtOTY0ZS00ODM3MTM4ZjUxYjgiLCJhY3IiOiIxIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJvcGVuYmFua2luZyJ9.c6n_QfMIlTCoZLoWwxaIrlt4L7qBmS5x91bcU31okW2xMgQsDNP_GBLUEjtIthP8hwtXnOh1UZKxrKxrVae0nxdLFxrZ9-t6FHXBseNRK8-JwWxijdvzSBj6UrAnHeUxDPdWsYF6gLn3_KOCJq0bGkXTPzJ6p0n6gZP-3070vvkrkWmjcTCh3wCrcpEIpI8o5z8QlqHLTbFEg78lkLZKhY8oEQZbIkMKJM3Xkz4lrvRGu3tZIAU3RfyyAwsRXwojwiugeS7GLHrNdoalUiR9oyor3NQ3fUfAASp-opracFKijzjbWxng3xNgkwa9biCBmAMgtiTNFLEOKPKbp9oSVA",
    "not-before-policy": 1590722346,
    "session_state": "3ce9395a-b7b4-4d66-964e-4837138f51b8",
    "scope": "openid profile email"
}

token解析

curl --location --request POST 'http://localhost:8080/auth/realms/openbanking/protocol/openid-connect/token/introspect' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=client-RS256' \
--data-urlencode 'client_secret=cd949e24-1c96-4ea4-9cb8-03f61aa6c601' \
--data-urlencode 'token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJpdmhsSndKdm8xWlNzX1BuTTE0Q1ZFSG5fTUJ3cE5UMkQwSTlFQkFkZEw4In0.eyJqdGkiOiI1MTdjNjQ4MS00ODNkLTRiM2EtODcxYy1jMWNkODQ0M2JkZDkiLCJleHAiOjE1OTA3MjM1NTUsIm5iZiI6MCwiaWF0IjoxNTkwNzIzMjU1LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvb3BlbmJhbmtpbmciLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiZjE1M2JiMGUtMDA3My00NWVjLTg1OTQtZjMyYzg0OGY4ZmFiIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiY2xpZW50LVJTMjU2Iiwibm9uY2UiOiJTcW9RS29wVmNvMyIsImF1dGhfdGltZSI6MTU5MDcyMzIyNSwic2Vzc2lvbl9zdGF0ZSI6IjliODg4MDJiLWUxN2YtNDRiNC04NDdkLTU3ZDExOTQ0ZGU2OSIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovL2xvY2FsaG9zdDo4ODg4Il0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoib3BlbmJhbmtpbmcifQ.b8P3gH46pH4fQJgoo4oPyDikGrxljZy_txEiQhPjh7iOivv22HGuqALK4SEmu0SoxaZ7qv4yj-hks0Dbn-RjWUncoLacDHEAXutsLQcE2LDAgEBVKzscpz7Om1cPMUvufH9ruMquohv0n9E-jJ-CBDljynhY12bN_kBKdB_t04rN6ZhqdpxB--vgzPrveXVuW_xzoOwFBswaC7ZsRZSEe77pOIBoZrhEzE-0nQ8VUaUxalNlnXiWJY4xolciqddPZ7iz1Mc6XLi_Q0SoW4Ut5vFpcv8QQDJnfrJSz3GifvFZZeqmuwsmIeUWJ202qqMksW3c-Ka0Uf9jcK1iDtvRLg'

解析完成

{
    "jti": "517c6481-483d-4b3a-871c-c1cd8443bdd9",
    "exp": 1590723555,
    "nbf": 0,
    "iat": 1590723255,
    "iss": "http://localhost:8080/auth/realms/openbanking",
    "aud": "account",
    "sub": "f153bb0e-0073-45ec-8594-f32c848f8fab",
    "typ": "Bearer",
    "azp": "client-RS256",
    "nonce": "SqoQKopVco3",
    "auth_time": 1590723225,
    "session_state": "9b88802b-e17f-44b4-847d-57d11944de69",
    "preferred_username": "openbanking",
    "email_verified": false,
    "acr": "1",
    "allowed-origins": [
        "http://localhost:8888"
    ],
    "realm_access": {
        "roles": [
            "offline_access",
            "uma_authorization"
        ]
    },
    "resource_access": {
        "account": {
            "roles": [
                "manage-account",
                "manage-account-links",
                "view-profile"
            ]
        }
    },
    "scope": "openid profile email",
    "client_id": "client-RS256",
    "username": "openbanking",
    "active": true
}

id token解析

{
    "jti": "bc4a2dc8-9e8b-4314-8d42-31d7fa9ff3bf",
    "exp": 1590724567,
    "nbf": 0,
    "iat": 1590724267,
    "iss": "http://localhost:8080/auth/realms/openbanking",
    "aud": "client-RS256",
    "sub": "f153bb0e-0073-45ec-8594-f32c848f8fab",
    "typ": "ID",
    "azp": "client-RS256",
    "nonce": "SqoQKopVco3",
    "auth_time": 1590724220,
    "session_state": "23a61c31-50b4-4ace-92f6-b81028f083c8",
    "preferred_username": "openbanking",
    "email_verified": false,
    "acr": "1",
    "client_id": "client-RS256",
    "username": "openbanking",
    "active": true
}
彻骨寒风
关注
专栏目录
【微服务】springboot 整合 SA-Token 使用详解
congge
08-04 1万+
springboot 整合 SA-Token 使用详解
输入注册策略服务器url,Keycloak 13 自定义用户身份认证流程(User Storage SPI)
weixin_32578799的博客
07-29 1589
Keycloak版本:13.0.0spring-boot 项目 Githubuser-storage-spi 项目 Github介绍Keycloak 是为现代应用程序和服务提供的一个开源的身份和访问管理的解决方案。Keycloak 在测试环境可以使用内嵌数据库,生产环境需要重新配置数据库。以下将一一介绍如何使用内嵌数据库、重新配置数据库。特别需要注意 Keycloak 是在 WildFly 上构建...
keycloak授权码模式”的运行流程(个人理解)
m0_65939803的博客
02-20 637
keycloak授权码模式
keycloak-otp-authenticator
04-22
keycloak-otp-authenticator 要安装OTP身份验证器,必须执行以下操作: 将jar添加到Keycloak服务器: $ cp target/keycloak-otp-authenticator.jar _KEYCLOAK_HOME_/standalone/deployments 将两个模板添加到Keycloak服务器: $ cp templates/otp.ftl _KEYCLOAK_HOME_/themes/base/login/ 配置您的REALM以使用OTP认证。 首先创建一个新的REALM(或选择一个先前创建的REALM)。 在“身份验证”>“流”下: 将“浏览”流复制到“带有OTP的浏览器”流 单击“带有OTP表单的浏览器”行上的“操作>添加执行”,然后添加“ OTP身份验证” 将“ OTP身份验证”设置为“必需”或“替代” 要配置OTP
【项目实战】最常用的RSA签名方式(PS256、 RS256对比)
最新发布
本本本添哥
07-31 847
RS256 ,是一种非对称算法。RS256 ,是最常用的RSA签名方式之一。RS256 ,使用的是传统的RSA签名算法。RS256 ,采用带有SHA-256的RSA签名算法。RS256 ,其中散列函数SHA-256被用来预先处理消息或令牌。这个散列值然后通过RSA私钥进行加密,生成签名。接收者会使用公钥解密签名,并使用相同的SHA-256散列函数来验证消息的完整性。因为散列函数的使用,即使原始消息非常长,签名的计算也相对快速且资源消耗较少。
Authorization—权限控制流程
微服务技术栈
03-23 1445
本篇是对Shiro体系架构的介绍,本栏目大部分内容来自于Shiro官网。翻译过程中已经尽量保证用词的准确性和易懂性,如有不准确或者不确切的地方,请联系作者加以修改。本篇内容翻译自Authorization特征与Authorization官方指南。 Authorization,也称为访问控制,是确定对应用程序中资源的访问权限的过程。换句话说,确定“谁有权访问什么”。 ...
keycloak-2fa-sms-authenticator:Keycloak身份验证提供程序实现,用于通过通过SMS(通过AWS SNS)发送的OTPcodetoken获得第二因素身份验证。 仅用于演示!
05-18
Keycloak 2FA SMS身份验证器 Keycloak身份验证提供程序实现,以通过通过SMS(通过AWS SNS)发送的OTP /代码/令牌获得第二因素身份验证。 仅用于演示! 不幸的是,我还没有真正的自述文件。 责怪我! 但是,就目前而言,您至少可以在这里阅读我的博客文章有关该增效剂的信息: 或者,只需观看有关此2FA SMS SPI的视频:
keycloak基于servlet的用户身份认证
weixin_42786532的博客
11-12 1039
keycloak基于servlet的用户身份认证 servlet基于AuthenticatorBase的安全认证 一个servlet通过一个叫authenticator的阀门(valve)来支持安全性限制。当容器启动的时候,authenticator被添加到容器的流水线上(一整条流水线:StandardEngineValve->StandardHost->ErroReportValve->StandardContextValve->AuthenticatorValve->Sta
设置Authorization请求头一直访问失败,code-400
热门推荐
weixin_30099811的博客
01-07 1万+
在做公司项目的时候,有个接口是GET请求,需要根据登录后返回的token设置到请求头Authorization调用,但是尝试很多次一直访问失败 错误示例: 请求头错误设置: 返回的错误信息: 纠结了老半天,在网上查找各种资料也没有解决,突然一想,为什么请求的错误信息会返回 Failed to decode JSON object: Expecting value: line ...
Ory Hydra 详解之进阶
清风的博客
10-11 2372
前言 上篇文章简单的讲解了Hydra的用法,本篇文章将深化对单点登录在分布式微服务体系的介绍以及详细用法。 应用场景 想象这样一个场景,你有好几个应用,每个应用对应一个微服务Server,那么如果你需要给一个用户分配一个权限去同时访问这些服务时,你总不能每个服务都重新登录一次吧?这样用户体验及其不好,所以单点登录的概念就应运而生了。 单点登录:所谓的单点登录,说直白了就是只需要登录一次,就可以访问多个服务器。如下图所示,用户仅需要在AuthServer这个服务登录一次,就可以用获取到的idToken
JDK安全机制详解:掌握代码运行的安全性,保障数据安全
[JDK安全机制详解:掌握代码运行的安全性,保障数据安全](https://china-cms.oss-cn-hongkong.aliyuncs.com/9dd84a95d1b0fd9a/HTTP-vs-HTTPS.jpg?x-oss-process=image/format,webp) # 1. JDK安全机制的概述和基础 #...
bctw-ui:BC遥测仓库
03-30
在BC遥测仓库中,Keycloak确保了用户访问数据的安全性,防止未授权的访问。 4. **Jenkins持续集成** Jenkins作为持续集成工具,负责自动化构建、测试和部署流程。通过Jenkins,BC遥测仓库可以实现快速反馈机制,...
keycloak了解说明
songtaiwu的博客
07-19 323
在我的ubuntu虚拟机中,写一个docker-compose.yml文件,内容如下,安装一个keycloak、一个postgres数据库。启动成功后,我们通过vscode编辑器的docker-compose插件,能看到虚拟机中运行了容器。采用docker的方式运行一个keycloak应用,方便进行学习。, 并使用账户admin、admin登录即可。我们用8080端口访问,执行如下命令,启动容器。
微服务架构下的安全认证与鉴权
低代码开发,数据,中间件,企业架构原创技术分享
06-19 3014
转载本文需注明出处:微信公众号EAWorld,违者必究。本文目录:一、单体应用 VS 微服务二、微服务常见安全认证方案三、JWT介绍四、OAuth 2.0 介绍五、思考总...
keycloak 验证 token
chengsu9797的博客
05-06 4273
通过 OpenID Endpoint Configuration 中的 https://*******/auth/realms/test/protocol/openid-connect/token/introspect 验证的话,需要把 keycloak 访问类型 类型改成 confiden...
基于KeyCloak的用户认证与授权(password模式和secret模式)
MRLEE1212的博客
09-24 3985
基于KeyCloak的用户认证与授权(password模式和secret模式) 基于password的用户认证与授权模式 登录到KeyCloak管理端,进入到对应的client(这里用的是demo-cli),在setting下将红线部分设置为public,如下图所示: 在PostMan中使用username和password请求token,PostMan请求配置如下图所示: 至此,已经使...
Linux之KEY加密
k0512的博客
07-22 761
Linux学习之KEY加密 准备工作: 首先是两台虚拟机的ip配置 [westos@westos_student27 Desktop]$ hostnamectl set-hostname westosaaaa.westos.org [westos@westos_student27 Desktop]$ nm-connection-editor 上面的两个是设置虚拟机的名字和打开虚拟机的网络配置的图形界面 具体里面的配置步骤: 1、在主机打开一个terminal,ip a查看主机ip 2、在虚拟机上面输入
Keycloak授权服务指南
weixin_34407348的博客
04-12 1万+
为什么80%的码农都做不了架构师?>>> ...
Keycloak Oauth2.0流程 --- Angular前端 + Django后端 + Keycloak 实现SSO功能
wdquan19851029的专栏
01-07 5750
前言: 一个企业往往拥有多个应用系统,如果每个应用都有独立的用户认证和授权管理功能,这不仅需要运维人员维护多套用户管理系统,用户使用每个系统时都要登录一次,非常不方便。如果能够将所有应用系统的用户集中管理,用户就使用一套用户名登录所有系统,这将会大大改善用户体验。本文前端Angular, 后端Django,基于Keycloak搭建单点登录系统。 前端代码部署到nginx, 前后端代码分开部署 前端Angular集成Keycloak: 前端要怎样集成Keycloak呢? 本文提供两种方式 ...
评论 4
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值