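Where do I need to send a request to refresh the access token? Because if I send the request to the resource service, I get a token-expired exception even though Gatekeeper has refreshed the token.
I want to refresh the access token using the refresh token. The Gatekeeper documentation says: "If a request for an access token contains a refresh token and --enable-refresh-tokens is set to true, the proxy will automatically refresh the access token for you." - https://www.keycloak.org/docs/latest/securing_apps/index.html#refresh-tokens
Indeed, when the token expires, Gatekeeper refreshes the access token and injects it somewhere into the response, but when the request is forwarded to the resource service I get an ExpiredJwtException, because there is no new refresh token in the request. And I can see in the failed response that there is the old token rather than the new one. However, if a timeout error occurs on the resource service side and Gatekeeper returns its own response to the user, then I can see that the access and refresh tokens have been updated.
Here is the Gatekeeper log: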
1.5732098220167706e+09 info keycloak-gatekeeper/middleware.go:154 accces token for user has expired, attemping to refresh the token {"client_ip": "172.18.0.1:36270", "email": "demo@demo1.com"}
1.5732098220504465e+09 info keycloak-gatekeeper/middleware.go:206 injecting the refreshed access token cookie {"client_ip": "172.18.0.1:36270", "cookie_name": "kc-access", "email": "demo@demo1.com", "refresh_expires_in": 3600, "expires_in": 59.949554727}
1.573209822050499e+09 debug keycloak-gatekeeper/middleware.go:226 renew refresh cookie with new refresh token {"refresh_expires_in": 3600}
1.5732098220505428e+09 debug keycloak-gatekeeper/middleware.go:367 access permitted to resource {"access": "permitted", "email": "demo@demo1.com", "expires": -5.050542554, "resource": "/*"}
1.573209851051063e+09 info keycloak-gatekeeper/middleware.go:90 client request {"latency": 29.036757293, "status": 500, "bytes": 44, "client_ip": "172.18.0.1:36270", "method": "GET", "path": "/ping"}
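Answer 0 (score: 0)
The refresh token is stored encrypted in the kc-state cookie in the Set-Cookie HTTP header. To forward this request, you need to add the kc-state parameter to the Cookie HTTP header.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies: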
HTTP/2.0 200 OK
Content-Type: text/html
Set-Cookie: kc-state=blabla
Set-Cookie: another-cookie=yadada

GET /sample_page.html HTTP/2.0
Host: www.example.org
Cookie: kc-state=blabla; another-cookie=yadada
If there is a front end, the Cookie header is added automatically.
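The cookie round trip described in the answer above, for a client that is not a browser, as an added example that is not part of the original answer or of Gatekeeper. The cookie names kc-access and kc-state come from the page; the class name and all cookie values are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie headers from a response in which the proxy
# refreshed the session. Cookie names are from the page; values are made up.
REFRESH_RESPONSE_SET_COOKIE = [
    "kc-access=new-access-token; Path=/; HttpOnly",
    "kc-state=new-encrypted-refresh-token; Path=/; HttpOnly",
]


class GatekeeperCookieJar:
    """Hypothetical helper: remembers the latest value of each cookie."""

    def __init__(self):
        self._cookies = {}

    def update_from_response(self, set_cookie_headers):
        """Apply every Set-Cookie header of one response to the jar."""
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                # An empty value or Max-Age=0 is how a server clears a cookie.
                if morsel.value == "" or morsel["max-age"] == "0":
                    self._cookies.pop(name, None)
                else:
                    self._cookies[name] = morsel.value

    def cookie_header(self):
        """Value for the Cookie header of the next request."""
        return "; ".join(f"{n}={v}" for n, v in self._cookies.items())


if __name__ == "__main__":
    jar = GatekeeperCookieJar()
    jar.update_from_response([
        "kc-access=expired-access-token; Path=/; HttpOnly",
        "kc-state=old-encrypted-refresh-token; Path=/; HttpOnly",
    ])
    print("before refresh:", jar.cookie_header())
    jar.update_from_response(REFRESH_RESPONSE_SET_COOKIE)
    print("after refresh: ", jar.cookie_header())
```

A client that keeps sending the cookies it received at login, without applying the Set-Cookie headers of later responses, keeps presenting the expired kc-access value.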