添加访问令牌Keycloak的声明

时间:2020-02-04 05:35:30

标签: jwt keycloak claims

以下是我的用例: 我需要向访问令牌添加一个声明,以便可以在对资源进行策略评估时使用它。我的策略是基于javascript的策略,它只能访问登录用户的保留和自定义属性。 我已使用以下API来推送声明:

curl -X POST \
  http://localhost:8082/auth/realms/cms-non-prod/protocol/openid-connect/token \
  -H 'Authorization: Bearer eyJhbGciOiJSXXXXXXXXXXXXXXXX' \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Postman-Token: ac020c2b-9efb-4817-81ea-61895c8775a7' \
  -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&claim_token=ewoiaW5zdGl0dXRpb25JZCI6WyJEQ0IiXQp9& claim_token_format=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Ajwt&client_id=indra-bff \
&client_Secret=5760582d-74ff-496c-a6c2-2530ddde6408&audience=indra-bff'

它添加了声明,但又添加到了授权->权限->资源中。如果我有基于JS的策略,该如何阅读。 关于此的任何指示将有所帮助。 以下是我在url上方点击时获得的令牌:

{
  "jti": "4c00f1a4-8038-4c45-820d-23a9c9ab6d42",
  "exp": 1580733917,
  "nbf": 0,
  "iat": 1580730317,
  "iss": "http://localhost:8082/auth/realms/cms-non-prod",
  "aud": "indra-bff",
  "sub": "9ab2fc80-3a5c-426d-ae78-56de01d214df",
  "typ": "Bearer",
  "azp": "indra-bff",
  "auth_time": 0,
  "session_state": "2ab35757-d09d-4d52-946b-f519a1338abf",
  "acr": "1",
  "realm_access": {
    "roles": [
      "PR_DCB_RECON_ASSOCIATE",
      "PR_YBL_RECON_ASSOCIATE",
      "offline_access",
      "uma_authorization",
      "PR_DCB_RECON_MGR"
    ]
  },
  "resource_access": {
    "indra-bff": {
      "roles": [
        "uma_protection"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "authorization": {
    "permissions": [
      {
        "claims": {
          "institutionId": [
            "DCB"
          ]
        },
        "rsid": "17fdf554-8643-4741-b9a4-13309e830b6f",
        "rsname": "Default Resource"
      },
      {
        "scopes": [
          "DELETE",
          "POST",
          "GET",
          "PUT",
          "PATCH"
        ],
        "claims": {
          "institutionId": [
            "DCB"
          ]
        },
        "rsid": "56cabb7c-76a1-4260-bd9f-d5494458c6bf",
        "rsname": "adjustment"
      },
      {
        "scopes": [
          "DELETE",
          "POST",
          "GET",
          "PUT",
          "PATCH"
        ],
        "claims": {
          "institutionId": [
            "DCB"
          ]
        },
        "rsid": "70297346-8010-4c1d-91b1-9bc22edd3061",
        "rsname": "chargeback"
      }
    ]
  },
  "scope": "profile email",
  "institution": "UNKNOWN",
  "email_verified": false,
  "preferred_username": "siva",
  "email": "siva@goniyo.com"
}

感谢您的帮助。 干杯,

3 个答案:

答案 0 :(得分:2)

此方法(如果用于UI)。在您的领域中,选择您的客户。对于该客户端,请转到“映射器”选项,然后单击“创建”。您可以将映射器类型设置为“用户属性”,然后选择将属性添加到ID令牌,访问令牌和userinfo的选项。此处添加的属性应该存在于用户上。

example settings

答案 1 :(得分:0)

检查是否可以从资源中获取

var permission = $evaluation.getPermission();
var resource = permission.getResource();

答案 2 :(得分:0)

可以通过权限句柄访问您的声明令牌中的声明。

考虑到您的 claim_token 包含以下信息:

{
   "institutionId":["DCB"]
}

您可以在您的策略中使用此 Javascript 来获取字符串值“DCB”:

$evaluation.getPermission().getClaims()["institutionId"].toArray()[0]

来源:Keycloak JavaDocs: ResourcePermission

相关问题
最新问题