错误403从Keycloak访问管理员/组OIDC API

时间:2019-05-27 10:34:03

标签: java security keycloak oidc

仅使用keycloak-authz-client(6.0.1)(无Spring Security),我需要从服务提供商处读取用户信息和用户组。

获得正确的访问令牌后,借助AuthzClient,我得以访问用户信息API:

    UriBuilder target = UriBuilder.fromUri(kcURL);
    target.path("realms/{realm}/protocol/openid-connect/userinfo")
          .resolveTemplate("realm", this.realm);

    UserInfoOIDC info = new UserInfoOIDC();
    try {
        UserInfo response = this.buildBearerInvocation(target, accessToken).get(UserInfo.class);
        info.setName(response.getName());
        info.setUsername(response.getPreferredUsername());
        info.setCompleted(true);
        log.info("User info successfully retrieved from {}", this.realm);
    } catch (WebApplicationException e) {
        log.error("User info failure on {}: {}", this.realm, e.getMessage());
    }
...
    private Invocation.Builder buildBearerInvocation(UriBuilder target, String accessToken) {
        WebTarget webTarget = restClient.target(target);
        Invocation.Builder builder = webTarget.request(APPLICATION_JSON)
                .header(AUTHORIZATION, "Bearer " + accessToken);
        return builder;
    }

但是我无法访问“管理员API”:

    UriBuilder target = UriBuilder.fromUri(kcURL);
    target.path("admin/realms/" + this.realm);
    target.path("users/" + userId);
    target.path("groups");
    try {
        return this.buildBearerInvocation(target, accessToken)
                .get(GroupRepresentation.class);
    } catch (WebApplicationException e) {
        log.error("User groups failure on realms {}: {}", this.realm, e.getMessage());
    }

[main] INFO com.LoggingFilter-处理http://localhost:8080/auth/admin/realms/TestRealm/users/0f443554-01d0-4b40-a652-0c8c174632d4/groups [main] com.KeycloakProvider错误-用户组在领域TestRealm上失败:禁止HTTP 403

我想知道这是否可能仅仅是由于用户访问权限不足而引起的,还是来自此处的CORS问题(我已在“ etc / hosts”文件中添加了“ 127.0.0.1 localhost-auth”,根本不确定不过对您有什么帮助)。 如何为用户,更多的CORS配置或用户的任何特殊角色打开“管理API”?

已编辑-Keycloak Admin客户端在这里无济于事(同样禁止HTTP 403):

    @Test
    public void checkKeycloakAdminClient() {
        Keycloak client = KeycloakBuilder.builder()
                .serverUrl(url)
                .realm(realm)
                .username(adminUsername)
                .password(adminPassword)
                .clientId(clientId)
                .clientSecret(clientSecret)
                .build();
        RealmResource realmResource = client.realm(realm);

        UsersResource usersResource = realmResource.users();
        List<UserRepresentation> users = usersResource.search(username);
    }

1 个答案:

答案 0 :(得分:0)

将所有“ view -...”和“ query -...”可用的客户端角色从“领域管理”领域的客户端分配给管理员用户(请参阅用户/角色映射)。

相关问题
最新问题