KeyCloak jti声明存储在哪里?

时间:2019-08-28 07:41:36

标签: keycloak

我正在尝试研究密钥斗篷提供的防止重播攻击,我认为它使用jti声明来处理

首先,我通过openid RESTAPI(... protocol / openid-connect / token)登录,它返回JWT 

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlX0l1RWo2cWEza2ZMb1MyVUwyNGJUMGJKUElXRWRkU3YxM2RSd1ZTM1lzIn0.eyJqdGkiOiI2ZjE3OGQxMi00Mzc3LTQ5MzEtOTljOC1lYmIyNDk1OWY3NmIiLCJleHAiOjE1NjY5NzczOTMsIm5iZiI6MCwiaWF0IjoxNTY2OTc3MzMzLCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6ODA4MC9hdXRoL3JlYWxtcy9tYXN0ZXIiLCJhdWQiOlsibWFzdGVyLXJlYWxtIiwiYWNjb3VudCJdLCJzdWIiOiI0OTEwMGFiZC00ZGFjLTQ5MzQtOTUwYi05N2I0ZGMxYmI5MGMiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJzZWN1cml0eS1hZG1pbi1jb25zb2xlIiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiNmJkZTM5ZGYtN2FkZi00MDVlLThjYTEtMGI3NDlhYWUwN2Q1IiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJjcmVhdGUtcmVhbG0iLCJvZmZsaW5lX2FjY2VzcyIsImFkbWluIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJtYXN0ZXItcmVhbG0iOnsicm9sZXMiOlsidmlldy1yZWFsbSIsInZpZXctaWRlbnRpdHktcHJvdmlkZXJzIiwibWFuYWdlLWlkZW50aXR5LXByb3ZpZGVycyIsImltcGVyc29uYXRpb24iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwicXVlcnktcmVhbG1zIiwidmlldy1hdXRob3JpemF0aW9uIiwicXVlcnktY2xpZW50cyIsInF1ZXJ5LXVzZXJzIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiLCJxdWVyeS1ncm91cHMiXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoicHJvZmlsZSBlbWFpbCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6InN1cGVyYWRtaW4gc3VwZXJhZG1pbiIsInByZWZlcnJlZF91c2VybmFtZSI6InN1cGVyYWRtaW4iLCJnaXZlbl9uYW1lIjoic3VwZXJhZG1pbiIsImZhbWlseV9uYW1lIjoic3VwZXJhZG1pbiIsInVzZXIiOnsiZGV2aWNlSWQiOlsiMTIzNCJdfSwiZW1haWwiOiJzdXBlcmFkbWluQGdtYWlsLmNvbSJ9.OZnw3SbaBpVJSN1KbHMcdmP-zt55AIxmBv3ddyvfXEV-zqStH_TkmZ6P36oDoKu-UctGb9KdemmO0EHM0z1tN4vk35WtS5K3luWtYv42FWvx67mifUxc9BCsgXPz4qx78Kd05UzQ6297NqAAiDfU8gdeywT3mNZ_2AoT45Sw5Sb1cCq8pAJokOHT2PSLHGgTYpY6wbSKe9msfchmzJv1FZK1RnLuLY9HwDhbn_VDIgWlmro8bXNq5eTLAVtnzEL2vEokeFdKDlnPfoBk1oPE5XfjVaqoSBo5yxwxPMKDX_g4EayOXHjQqRCTTKdZm3Ah14DN0t8XBWi3p2vdUhqoIA",
    "expires_in": 59,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3ZTVmNzhhYy05ODVmLTRjMTgtYmMwYS1kMDJjZDFlOGRhNGQifQ.eyJqdGkiOiJmNTEwMjUxNC0wMGE4LTQzNDEtOTljOC1mNjg3ZjBmOTk0MTMiLCJleHAiOjE1NjY5NzkxMzQsIm5iZiI6MCwiaWF0IjoxNTY2OTc3MzM0LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6ODA4MC9hdXRoL3JlYWxtcy9tYXN0ZXIiLCJhdWQiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6ODA4MC9hdXRoL3JlYWxtcy9tYXN0ZXIiLCJzdWIiOiI0OTEwMGFiZC00ZGFjLTQ5MzQtOTUwYi05N2I0ZGMxYmI5MGMiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoic2VjdXJpdHktYWRtaW4tY29uc29sZSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjZiZGUzOWRmLTdhZGYtNDA1ZS04Y2ExLTBiNzQ5YWFlMDdkNSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJjcmVhdGUtcmVhbG0iLCJvZmZsaW5lX2FjY2VzcyIsImFkbWluIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJtYXN0ZXItcmVhbG0iOnsicm9sZXMiOlsidmlldy1yZWFsbSIsInZpZXctaWRlbnRpdHktcHJvdmlkZXJzIiwibWFuYWdlLWlkZW50aXR5LXByb3ZpZGVycyIsImltcGVyc29uYXRpb24iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwicXVlcnktcmVhbG1zIiwidmlldy1hdXRob3JpemF0aW9uIiwicXVlcnktY2xpZW50cyIsInF1ZXJ5LXVzZXJzIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiLCJxdWVyeS1ncm91cHMiXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoicHJvZmlsZSBlbWFpbCJ9.Hsaib16poW3SW0EYUB80jU0HyseZi_Ui9tj_2QJAZ-w",
    "token_type": "bearer",
    "not-before-policy": 1566975958,
    "session_state": "6bde39df-7adf-405e-8ca1-0b749aae07d5",
    "scope": "profile email"
}

access_token解码后,您会看到 jti声明 

{
  "jti": "6f178d12-4377-4931-99c8-ebb24959f76b",
  "exp": 1566977393,
  "nbf": 0,
  "iat": 1566977333,
  "iss": "http://192.168.99.100:8080/auth/realms/master",
  "aud": [
    "master-realm",
    "account"
  ], 
 ...

接下来,我将在管理员上看到新的会话列表,如下图所示 enter image description here

第二,我使用access_token获取RESTAPI用户信息RESTAPI(... / protocol / openid-connect / userinfo),它返回这样的响应

{
"sub": "49100abd-4dac-4934-950b-97b4dc1bb90c",
"email_verified": false,
"name": "superadmin superadmin",
"preferred_username": "superadmin",
"given_name": "superadmin",
"family_name": "superadmin",
"user": {
    "deviceId": []
},
"email": "superadmin@gmail.com"
}

当我单击“注销backoffice上的所有会话”时,jti在存储中被删除,并且我再次获得userinfo,它返回

{
    "error": "invalid_request",
    "error_description": "User session not found or doesn't have client attached on it"
}

jti声明存储在哪里?

1 个答案:

答案 0 :(得分:1)

JTI声明值只是一个随机UUID,不存储在任何地方。您正在寻找的是session_state参数,它是会话ID。当您将access_token传递给/userinfo时,端点Keycloak会检索session_state的值,并在分布式缓存(Infinispan)中搜索相应的会话。

单击logout all sessions按钮后,Keycloak将清除缓存中的所有会话。

更新

https://www.keycloak.org/docs/latest/server_admin/index.html#compromised-access-and-refresh-tokens

  

减轻泄漏的访问令牌的另一种方法是缩短其寿命。您可以在“超时”页面中指定此项。客户端和应用程序的访问令牌寿命短(分钟),可在较短的时间后刷新其访问令牌。如果管理员检测到泄漏,则他们可以注销所有用户会话以使这些刷新令牌无效或设置吊销策略。同样重要的是,确保刷新令牌始终对客户端保持私有状态,并且永远不会传输。

上面的链接中提供了有关安全注意事项的更多信息。

令牌黑名单

在Keycloak中没有令牌黑名单这样的东西,应该没有。令牌是代表特定客户的用户或服务帐户发行的。因此,如果您想让普通用户访问受Keycloak保护的某些服务,只需在Keycloak管理控制台中创建该用户。对于机器对机器通信中的第三方应用程序,您将创建一个启用了服务帐户的客户端,并且第三方应用程序将使用其client_id和secret代表自身发出访问权限并刷新令牌。

您无需注销令牌,只需注销(从缓存中删除)用户或客户端的会话即可。

如果要完全删除合作伙伴对API的访问权限,则可以仅禁用客户端(管理员->客户端->客户端->设置为false)或用户(管理员->用户->用户->设置为false) )。

相关问题
最新问题