My goal is to obtain two resource-server-specific access tokens that contain only the data specific to each resource server.
I have the following setup: one public client that uses 2 resource servers.
By configuring the client, the user, realm roles and client scopes, and by using the scope parameter, I can create 2 different, resource-server-specific access tokens:
{
  "exp": 1603234566,
  "iat": 1603216566,
  "jti": "13ae00ac-ce57-43ce-8b47-39ad6d5445cd",
  "iss": "http://localhost:8080/auth/realms/fitness-realm",
  "aud": "fitness-resource-server-1",
  "sub": "de1f0820-f4d9-49be-a6d1-c8faef083ffc",
  "typ": "Bearer",
  "azp": "fitness-client",
  "session_state": "47ea42f9-42ac-452e-9e54-be6d705e9a61",
  "acr": "1",
  "realm_access": {
    "roles": [
      "fitness_user"
    ]
  },
  "scope": "openid email profile client_scope_fitness_resource_server_1_roles",
  "email_verified": false,
  "preferred_username": "bill"
}
and
{
  "exp": 1603235280,
  "iat": 1603217280,
  "jti": "fb75a956-6ed4-4edd-8e20-2cd9678d4869",
  "iss": "http://localhost:8080/auth/realms/fitness-realm",
  "aud": "fitness-resource-server-2",
  "sub": "de1f0820-f4d9-49be-a6d1-c8faef083ffc",
  "typ": "Bearer",
  "azp": "fitness-client",
  "session_state": "966aa651-0534-43d4-9413-a8c141ee8549",
  "acr": "1",
  "realm_access": {
    "roles": [
      "fitness_user"
    ]
  },
  "scope": "openid email profile client_scope_fitness_resource_server_2_roles",
  "email_verified": false,
  "preferred_username": "bill"
}
During login I set the scope parameter to client_scope_fitness_resource_server_1_roles and get the first access token, which is specific to resource server 1. Since I only get one access token during login and my client is public, I want to use Keycloak's internal-token-to-internal-token token exchange feature, via resource server 1, to obtain the second access token, which is specific to resource server 2. I followed the instructions, so I can obtain the second token with this call:
curl -X POST http://localhost:8080/auth/realms/fitness-realm/protocol/openid-connect/token \
  -d "client_id=fitness-resource-server-1" \
  -d "client_secret=<my_secret>" \
  -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
  -d "subject_token=$FIRST_ACCESS_TOKEN" \
  -d "requested_token_type=urn:ietf:params:oauth:token-type:refresh_token" \
  -d "audience=fitness-resource-server-2" | jq
However, if I look inside the second token, it contains more information than I want:
{
  "exp": 1603234572,
  "iat": 1603216572,
  "jti": "4f4b0fb6-d759-4c6a-b35d-7e2a998b5a20",
  "iss": "http://localhost:8080/auth/realms/fitness-realm",
  "aud": [
    "other_resource_server",
    "fitness-client",
    "other_client",
    "account",
    "fitness-resource-server-2"
  ],
  "sub": "de1f0820-f4d9-49be-a6d1-c8faef083ffc",
  "typ": "Bearer",
  "azp": "fitness-resource-server-1",
  "session_state": "47ea42f9-42ac-452e-9e54-be6d705e9a61",
  "acr": "1",
  "realm_access": {
    "roles": [
      "fitness_user",
      "offline_access",
      "uma_authorization"
    ]
  },
  "scope": "email profile",
  "email_verified": false,
  "preferred_username": "bill"
}
My question is: how do I configure Keycloak so that the second access token does not contain the roles "offline_access" and "uma_authorization" and the aud entries "other_resource_server", "fitness-client", "other_client", "account"?
Answer 0 (score: 0)
I found the solution :-)
I had to change the Access Type setting of resource server 2 from bearer-only to confidential, disable all flows/grants, and with this change I was also able to configure Client Scope and Scope in resource server 2.
Even though I don't need confidential (flows/grants, credentials, etc.), this changes the output of the access token.
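Whatever the Keycloak configuration ends up being, each resource server should still check the token it receives for exactly the over-broad audience and role set the exchanged token above shows. The following is an added example, not code from the question or from Keycloak; the function names, the allowed-role set and the sample payloads (mirroring the two tokens quoted above) are assumptions, and signature verification against the realm's JWKS is assumed to happen before these checks.

```python
import base64
import json

# Added example: resource-server-side claims audit for the Keycloak tokens above.
# Signature and issuer verification are assumed to have been done already.


def decode_payload(jwt: str) -> dict:
    """Return the JWT payload as a dict (no signature check; do that first)."""
    segment = jwt.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def audit_claims(payload: dict, my_audience: str, allowed_roles: set) -> list:
    """Return findings; an empty list means the token is as narrow as intended."""
    findings = []
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)  # RFC 7519: string or array
    if my_audience not in aud:
        findings.append(f"token not intended for {my_audience}: aud={aud}")
    extra_aud = sorted(a for a in aud if a != my_audience)
    if extra_aud:
        findings.append(f"extra audiences: {extra_aud}")
    roles = set(payload.get("realm_access", {}).get("roles", []))
    extra_roles = sorted(roles - allowed_roles)
    if extra_roles:
        findings.append(f"unexpected realm roles: {extra_roles}")
    return findings


# Constructed sample payloads, mirroring the two tokens quoted in the question.
NARROW_TOKEN = {
    "aud": "fitness-resource-server-2",
    "azp": "fitness-client",
    "realm_access": {"roles": ["fitness_user"]},
}
EXCHANGED_TOKEN = {
    "aud": ["other_resource_server", "fitness-client", "other_client",
            "account", "fitness-resource-server-2"],
    "azp": "fitness-resource-server-1",
    "realm_access": {"roles": ["fitness_user", "offline_access", "uma_authorization"]},
}

if __name__ == "__main__":
    for name, tok in (("narrow", NARROW_TOKEN), ("exchanged", EXCHANGED_TOKEN)):
        result = audit_claims(tok, "fitness-resource-server-2", {"fitness_user"})
        print(name, result or "OK")
```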