Access denied after Keycloak login. I have no roles in my Keycloak server

Time: 2019-02-21 05:42:59

Tags: keycloak access-denied

I am implementing Keycloak authorization for my Node.js application. I created a realm and a client in it. I do not have any roles in the realm or in the client. I have a '/test' route that is protected by Keycloak.

My keycloak.json is

{
  "realm": "demo",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "myapp",
  "public-client": true,
  "confidential-port": 0
}

1 answer:

Answer 0 (score: 2)

Define roles (realm roles or client roles), assign the roles to your user (the user you run the tests with), check your role scope mappings (or you can configure the client as full scope for testing purposes), and check that you are protecting your '/test' route with the same permissions.

For example, you can try the keycloak-nodejs adapter (example).

Look at this configuration file (keycloak realm configuration example):

{
    "realm": "nodejs-example",
    "enabled": true,
    "sslRequired": "external",
    "registrationAllowed": true,
    "privateKey": "...................",
    "publicKey": ".....................",
    "requiredCredentials": [ "password" ],
    "users" : [
        {
            "username" : "user",
            "enabled": true,
            "email" : "sample-user@nodejs-example",
            "firstName": "Sample",
            "lastName": "User",
            "credentials" : [
                { "type" : "password",
                  "value" : "password" }
            ],
            "realmRoles": [ "user" ],
            "clientRoles": {
                "account": ["view-profile", "manage-account"]
            }
        }
    ],
    "roles" : {
        "realm" : [
            {
                "name": "user",
                "description": "User privileges"
            },
            {
                "name": "admin",
                "description": "Administrator privileges"
            }
        ]
    },
    "scopeMappings": [
        {
            "client": "nodejs-connect",
            "roles": ["user"]
        }
    ],
    "clients": [
        {
            "clientId": "nodejs-connect",
            "enabled": true,
            "publicClient": true,
            "baseUrl": "/",
            "adminUrl" : "http://localhost:3000/",
            "baseUrl" : "http://localhost:3000/",
            "redirectUris": [
                "http://localhost:3000/*"
            ],
            "webOrigins": []
        },
        {
            "clientId": "nodejs-apiserver",
            "enabled": true,
            "secret": "secret",
            "redirectUris": [
              "http://localhost:3000/*"
            ],
            "webOrigins": [
              "http://localhost:3000/*"
            ],
            "serviceAccountsEnabled": true,
            "authorizationServicesEnabled": true,
            "authorizationSettings": {
              "resources": [
                {
                  "name": "resource",
                  "type": "urn:nodejs-apiserver:resources:default",
                  "ownerManagedAccess": false,
                  "uris": [
                    "/*"
                  ],
                  "scopes": [
                    {
                      "name": "view"
                    },
                    {
                      "name": "write"
                    }
                  ]
                }
              ],
              "policies": [
                {
                  "name": "Default Policy",
                  "description": "A policy that grants access only for users within this realm",
                  "type": "js",
                  "config": {
                    "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
                  }
                },
                {
                  "name": "Default Permission",
                  "description": "A permission that applies to the default resource type",
                  "type": "resource",
                  "config": {
                    "defaultResourceType": "urn:nodejs-apiserver:resources:default",
                    "applyPolicies": "[\"Default Policy\"]"
                  }
                }
              ]
            }
          }
    ]
}

Explanation

From this example, study how roles are assigned to a user (realm role: "user", client roles of the account client: "account": ["view-profile", "manage-account"]):

{
...
       "users" : [
            {
                "username" : "user",
                "enabled": true,
                "email" : "sample-user@nodejs-example",
                "firstName": "Sample",
                "lastName": "User",
                "credentials" : [
                    { "type" : "password",
                      "value" : "password" }
                ],
                "realmRoles": [ "user" ],
                "clientRoles": {
                    "account": ["view-profile", "manage-account"]
                }
            }
        ],
    ...
    }

Look at how the realm roles are defined:

{
...
    "roles" : {
        "realm" : [
            {
                "name": "user",
                "description": "User privileges"
            },
            {
                "name": "admin",
                "description": "Administrator privileges"
            }
        ]
    },
...
}

Look at how this example uses "scope mappings" to map roles from the realm to users authenticated through the client (for more information, see role scope mapping):

{
...
    "scopeMappings": [
        {
            "client": "nodejs-connect",
            "roles": ["user"]
        }
    ],
...
}

Look at how the clients are defined. Check that the "nodejs-connect" client is "public" and that "nodejs-apiserver" has a "secret". In this example the server uses the "Authorization API" to protect resources, but you can also protect resources simply by granting roles (if you need to).

{
...
    "clients": [
        {
            "clientId": "nodejs-connect",
            "enabled": true,
            "publicClient": true,
            "baseUrl": "/",
            "adminUrl" : "http://localhost:3000/",
            "baseUrl" : "http://localhost:3000/",
            "redirectUris": [
                "http://localhost:3000/*"
            ],
            "webOrigins": []
        },
        {
            "clientId": "nodejs-apiserver",
            "enabled": true,
            "secret": "secret",
            "redirectUris": [
              "http://localhost:3000/*"
            ],
            "webOrigins": [
              "http://localhost:3000/*"
            ],
            "serviceAccountsEnabled": true,
            "authorizationServicesEnabled": true,
            "authorizationSettings": {
              "resources": [
                {
                  "name": "resource",
                  "type": "urn:nodejs-apiserver:resources:default",
                  "ownerManagedAccess": false,
                  "uris": [
                    "/*"
                  ],
                  "scopes": [
                    {
                      "name": "view"
                    },
                    {
                      "name": "write"
                    }
                  ]
                }
              ],
              "policies": [
                {
                  "name": "Default Policy",
                  "description": "A policy that grants access only for users within this realm",
                  "type": "js",
                  "config": {
                    "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
                  }
                },
                {
                  "name": "Default Permission",
                  "description": "A permission that applies to the default resource type",
                  "type": "resource",
                  "config": {
                    "defaultResourceType": "urn:nodejs-apiserver:resources:default",
                    "applyPolicies": "[\"Default Policy\"]"
                  }
                }
              ]
            }
          }
    ]
...
}

Finally, look at the javascript (index.js) file to see how it uses "keycloak-connect" (the adapter) to protect routes and enforce access policies (using the Authorization API).

Tip

During development, you can obtain an access token and use this page to decode it and inspect the token's contents.

JWT.IO

I hope this helps.
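As an added example (not code from the answer or from the keycloak-connect project), the block below mirrors the role-spec semantics of keycloak-connect's protect(): a token carrying no roles, which is the questioner's situation, is refused on /test, while a user who was assigned the realm role "user" (as in the realm export above) passes. CLIENT_ID, the decodePayload/hasRole helpers and both token payloads are assumptions constructed for the demonstration.

```javascript
// Added example: role checks as keycloak-connect's protect('<spec>') performs them.
// The tokens below are constructed for illustration; in a real app the adapter has
// already verified the signature before any role check is made.

const CLIENT_ID = 'myapp'; // the "resource" from the question's keycloak.json

// Decode a JWT payload without verifying it (same as pasting it into JWT.IO).
// For inspection during development only; never base an access decision on it.
function decodePayload(jwt) {
  const part = jwt.split('.')[1];
  return JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
}

// Role-spec semantics used by keycloak-connect:
//   'user'                 -> client role "user" on CLIENT_ID (resource_access)
//   'realm:user'           -> realm role "user" (realm_access)
//   'account:view-profile' -> client role "view-profile" on the "account" client
function hasRole(payload, spec) {
  let app = CLIENT_ID, role = spec;
  const i = spec.indexOf(':');
  if (i >= 0) { app = spec.slice(0, i); role = spec.slice(i + 1); }
  if (app === 'realm') return (payload.realm_access?.roles ?? []).includes(role);
  return (payload.resource_access?.[app]?.roles ?? []).includes(role);
}

// Equivalent of keycloak.protect('realm:user') guarding GET /test.
function canAccessTest(payload) {
  return hasRole(payload, 'realm:user');
}

// Build an unsigned, constructed token for the demonstration only.
function makeToken(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64(payload)}.FAKE_SIGNATURE`;
}

// Questioner's situation: no roles at all.
const noRolesToken = makeToken({ sub: 'u1', azp: CLIENT_ID });
// A user assigned the realm role "user" and the account client roles.
const userToken = makeToken({
  sub: 'u2', azp: CLIENT_ID,
  realm_access: { roles: ['user'] },
  resource_access: { account: { roles: ['view-profile', 'manage-account'] } },
});

console.log(canAccessTest(decodePayload(noRolesToken))); // false -> access denied
console.log(canAccessTest(decodePayload(userToken)));    // true
```

Assigning the role in Keycloak is only half of the fix: the role must also be in the client's scope (or the client set to full scope) for it to appear in realm_access of the token at all.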