I'm setting up an API for my application's backend. I want to restrict API access to my users. We use Keycloak as our SSO provider. We also require every API request to carry a JWT token. I found some documentation online here on how to validate these tokens via the Keycloak AuthzClient.

I wrote a small test to try it out. I took the token from one of my API requests and passed it to the AuthzClient for validation.
```java
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;

import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.Configuration;
import org.keycloak.authorization.client.representation.TokenIntrospectionResponse;
import org.keycloak.util.JsonSerialization;

public class IntrospectTest {

    // The access token copied from one of the API requests (read from the
    // environment here so the test compiles; the original literal is omitted)
    private static final String TOKEN = System.getenv("TOKEN");

    public static void main(String[] args) throws FileNotFoundException, IOException {
        // Turn on HTTP wire logging so the introspection request/response are visible
        System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog");
        System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true");
        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.http.wire", "DEBUG");
        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.http.impl.conn", "DEBUG");
        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.http.impl.client", "DEBUG");
        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.http.client", "DEBUG");
        System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.http", "DEBUG");

        // keycloak.json holds the realm, auth-server-url, resource (client id) and credentials
        AuthzClient authzClient = AuthzClient
                .create(JsonSerialization.readValue(new FileInputStream("keycloak.json"), Configuration.class));

        // Ask the protection API to introspect the token as a requesting-party token (RPT)
        TokenIntrospectionResponse requestingPartyToken = authzClient.protection()
                .introspectRequestingPartyToken(TOKEN);
        System.out.println("Token status is: " + requestingPartyToken.getActive());
    }
}
```
However, the response returned from Keycloak indicates that the token could not be parsed properly.
2019/01/16 13:58:35:349 CET [DEBUG] wire - http-outgoing-0 >> "token_type_hint=requesting_party_token&grant_type=client_credentials&token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJZRVdnTzZzamtlU3laQnZJd1Yzek1ZNjJtTjU2QlN6NlJYUXhxVmlrczdvIn0.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.GBaBOLWYsrqfVfRysoCTlm9VgD1AQocMDCAY96-peeAYRT9_RRu2mTtwiNlB4Gv7cCKkcj4jehKOiOUBudlS0Ths_hTKigHW-eyo_KTMwVYgq0YeVce8UG1F9SJQrioMBRUS47Au-4syjpp158pVvzdPcYBUD5-bzOTusxtGaEcK4rnCYolq_h6PV6eypr9ej2-mFu_EXHPT0m7TNUeb8IlSJ53wb0W5q1R696UExfp9DiKehYGKuY8LuRx9n9Ao0r1P_GSENWNfQBKExCVGOEDCqDZ02-3jx8PqLcykWpdEOTo3RPUi2-HXgwyGO4UeL8proG0tdUEn4Oo12znlzQ"
2019/01/16 13:58:35:358 CET [DEBUG] wire - http-outgoing-0 << "{"error":"invalid_request","error_description":"Failed to introspect token."}"
The main difference between my test and the online example is that I'm not generating a new token; I'm using one that was generated earlier. The token I'm using was also generated for a client other than the RestAPI client. Is that perhaps not allowed?

What else do I need to change for the introspection to succeed?
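For comparison, here is an added example (not code from the question, and not the AuthzClient's own API) that introspects a plain access token through Keycloak's standard OAuth 2.0 token introspection endpoint instead of the UMA requesting-party-token endpoint that `introspectRequestingPartyToken` calls. It assumes a confidential client (`clientId`/`clientSecret`) in the same realm that issued the token, a Keycloak base URL of the form `https://sso.example/` (older servers prefix the path with `/auth`), and Java 11+ for `java.net.http`; the class name `AccessTokenIntrospector` and the helper `isActive` are mine.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

import org.keycloak.util.JsonSerialization;

/**
 * Added example: RFC 7662 token introspection against Keycloak's
 * /protocol/openid-connect/token/introspect endpoint for a regular access token.
 */
public class AccessTokenIntrospector {

    private final HttpClient http = HttpClient.newHttpClient();
    private final String introspectUrl;
    private final String basicAuth;

    public AccessTokenIntrospector(String serverUrl, String realm, String clientId, String clientSecret) {
        // Standard endpoint: {server}/realms/{realm}/protocol/openid-connect/token/introspect
        // (on older Keycloak versions the path starts with {server}/auth/realms/...)
        this.introspectUrl = serverUrl.replaceAll("/+$", "")
                + "/realms/" + realm + "/protocol/openid-connect/token/introspect";
        // The introspecting client authenticates with HTTP Basic (client_id:client_secret)
        String creds = clientId + ":" + clientSecret;
        this.basicAuth = "Basic " + Base64.getEncoder()
                .encodeToString(creds.getBytes(StandardCharsets.UTF_8));
    }

    /** Returns true only if Keycloak answers 200 with {"active": true}. */
    public boolean isActive(String token) throws IOException, InterruptedException {
        String form = "token=" + URLEncoder.encode(token, StandardCharsets.UTF_8)
                + "&token_type_hint=access_token";
        HttpRequest req = HttpRequest.newBuilder(URI.create(introspectUrl))
                .header("Authorization", basicAuth)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))
                .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) {
            // Wrong client credentials or a malformed request: fail closed
            return false;
        }
        // Keycloak's JsonSerialization wraps Jackson; a Map is enough to read "active"
        Map<?, ?> body = JsonSerialization.readValue(resp.body(), Map.class);
        return Boolean.TRUE.equals(body.get("active"));
    }

    public static void main(String[] args) throws Exception {
        // All values come from the environment; none of them are real credentials
        AccessTokenIntrospector introspector = new AccessTokenIntrospector(
                System.getenv("KEYCLOAK_URL"),      // e.g. https://sso.example (assumed)
                System.getenv("KEYCLOAK_REALM"),
                System.getenv("CLIENT_ID"),
                System.getenv("CLIENT_SECRET"));
        System.out.println("active = " + introspector.isActive(System.getenv("TOKEN")));
    }
}
```

Two points worth keeping in mind when using this on a backend: the endpoint reports `active: false` (rather than an error) for expired, revoked or foreign-realm tokens, so the boolean is the only thing the API should trust; and because every call is a round trip to Keycloak, a high-traffic API usually verifies the JWT signature locally against the realm's public key and falls back to introspection only when it needs revocation checks.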