After some effort, I still cannot reproduce the OIDC direct naked impersonation feature.
Reference: https://www.keycloak.org/docs/latest/securing_apps/#direct-naked-impersonation
I have the same error.
```shell
curl -X POST http://localhost:8080/auth/realms/iot/protocol/openid-connect/token \
  -d "client_id=backend-service" \
  -d "client_secret=f0ead74d-c3eb-47c5-82fd-d8fccc5e5096" \
  --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
  -d "requested_subject=1c04c634-a64a-4905-b87f-e654ca01b889"
```

```
{"error":"access_denied","error_description":"Client not allowed to exchange"}
```
Below is my development configuration.
```
$ cat docker-compose.yaml
```

```yaml
version: '2.4'
volumes:
  postgres_data:
    driver: local
services:
  postgres:
    image: postgres:12-alpine
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: postgres
    ports:
      - 5432:5432
  keycloak:
    image: jboss/keycloak:10.0.1
    environment:
      DB_VENDOR: POSTGRES
      DB_ADDR: postgres
      DB_DATABASE: keycloak
      DB_USER: postgres
      DB_SCHEMA: public
      DB_PASSWORD: postgres
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: admin
      #JDBC_PARAMS: "ssl=true"
    ports:
      - 8080:8080
    volumes:
      - /etc/localtime:/etc/localtime:ro
    command: -Dkeycloak.profile=preview
    depends_on:
      - postgres
```
realm-export.json: https://gist.github.com/whisper-bye/20c86de26459efe641008ba5f448f3f1

Answer 0 (score: 1)

In your realm there is no policy that allows a specific client to use the impersonation feature.
My realm example:
```json
{
  "id": "7588d6d2-82b6-42ef-9bd0-e9c01a2dc92b",
  "name": "admin-impersonating.permission.users",
  "description": "Client foo may impersonate any user",
  "type": "scope",
  "logic": "POSITIVE",
  "decisionStrategy": "UNANIMOUS",
  "config": {
    "resources": "[\"Users\"]",
    "scopes": "[\"impersonate\"]",
    "applyPolicies": "[\"foo client-policy\"]"
  }
}
```
You can configure this under Manage / Users on the left, then "Permissions" on the right. This menu item only appears when Keycloak is started with `-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled -Dkeycloak.profile.feature.token_exchange=enabled`!
Then click "impersonate" and make sure "Apply Policies" is set.
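As an added example (not code from the question, the answer, or Keycloak itself), the following Python check reads a realm export and reports which clients actually hold the `impersonate` scope on `Users` through a client policy, which is the grant the answer says is missing. It assumes the fine-grained admin permissions live under the `realm-management` client's `authorizationSettings` and that client policies list their clients by `clientId`; the export fragment is constructed, not the poster's gist.

```python
import json

# Constructed realm-export fragment (not the poster's gist). It assumes the
# fine-grained admin permissions sit in the realm-management client's
# authorizationSettings and that client policies list clients by clientId.
SAMPLE_EXPORT = {
    "clients": [
        {"clientId": "backend-service"},
        {"clientId": "realm-management", "authorizationSettings": {"policies": [
            {"name": "foo client-policy", "type": "client", "logic": "POSITIVE",
             "config": {"clients": "[\"backend-service\"]"}},
            {"name": "admin-impersonating.permission.users", "type": "scope",
             "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
             "config": {"resources": "[\"Users\"]", "scopes": "[\"impersonate\"]",
                        "applyPolicies": "[\"foo client-policy\"]"}},
        ]}},
    ]
}

def _as_list(config, key):
    """Policy config values are JSON-encoded strings such as '["Users"]'."""
    return json.loads(config.get(key, "[]"))

def clients_allowed_to_impersonate(export):
    """clientIds granted scope 'impersonate' on resource 'Users' by a POSITIVE
    scope permission that applies a POSITIVE client policy."""
    policies = []
    for client in export.get("clients", []):
        if client.get("clientId") == "realm-management":
            policies = client.get("authorizationSettings", {}).get("policies", [])
    by_name = {p["name"]: p for p in policies}
    allowed = set()
    for perm in policies:
        cfg = perm.get("config", {})
        if (perm.get("type") != "scope" or perm.get("logic") != "POSITIVE"
                or "Users" not in _as_list(cfg, "resources")
                or "impersonate" not in _as_list(cfg, "scopes")):
            continue  # not an impersonation permission on Users
        for name in _as_list(cfg, "applyPolicies"):
            pol = by_name.get(name)
            if pol and pol.get("type") == "client" and pol.get("logic") == "POSITIVE":
                allowed.update(_as_list(pol.get("config", {}), "clients"))
    return allowed

def check_exchange(export, client_id):
    """'ok' if the client holds the grant, else the error the question shows."""
    if client_id in clients_allowed_to_impersonate(export):
        return "ok"
    return "access_denied: Client not allowed to exchange"
```

Run it against your own `realm-export.json` (`json.load`) and the client from the curl call; an empty result is the configuration the answer describes, where no client policy is applied to the `impersonate` permission.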