亚洲人成电影网站,亚洲视频在线精品,亚洲精品一品区二品区三品区

使用REST API與KEYCLOAK進(jìn)行OUATH2協(xié)議的登錄認(rèn)證

KEYCLOAK是一套用戶、WEB API登錄管理，授權(quán)管理的WEB應(yīng)用。
如果要訪問(wèn)受KEYCLOAK保護(hù)的REST API服務(wù)，則需要夾帶一個(gè)ACCESS_TOKEN。

前端頁(yè)面：

前端頁(yè)面一般是給用戶使用的，則需要用戶輸入在KEYCLOAK中有效的用戶名和密碼，并提供CALL BAK的URL，提交給KEYCLOAK
http://10.80.27.69:8180/auth/realms/quickstart/protocol/openid-connect/auth?client_id=app-springboot-confidential&redirect_uri=http://10.80.27.69:8183/&response_type=code&scope=openid
如果KEYCLOAK驗(yàn)證通過(guò)，則通知頁(yè)面重導(dǎo)向回調(diào)的URL，并附上code=xxx，此code則是AUTHORIZATION_CODE
http://10.80.27.69:8183/?session_state=2ad9ab98-6c39-43a8-872f-2112c27b74df&code=3f48ce19-58f9-45d9-8c09-30d492bf4b24.2ad9ab98-6c39-43a8-872f-2112c27b74df.bd7526ef-b1bf-447f-baef-b7dfd6f0df93
回調(diào)的URL對(duì)應(yīng)的SERVELET，取得AUTHORIZATION_CODE，并加上client_id和client_secrect，調(diào)用KEYLOAK的取ACCESS_TOKEN的HTTP API，取得ACCESS_TOKEN，返回給頁(yè)面
http://10.80.27.69:8180/auth/realms/quickstart/protocol/openid-connect/token
client_id=app-springboot-confidential&client_secret=3acf7692-49cb-4c45-9943-6f3dba512dae&redirect_uri=http://10.80.27.69:8183/&grant_type=authorization_code&code=cc7ac566-90f9-404e-b88e-fa28037b07d1.591311e1-5380-46a2-9363-834f17337922.bd7526ef-b1bf-447f-baef-b7dfd6f0df93
頁(yè)面保存此ACCESS_TOKEN，就可以調(diào)用后臺(tái)的各種API獲取數(shù)據(jù)
{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJGSjg2R2NGM2pUYk5MT2NvNE52WmtVQ0lVbWZZQ3FvcXRPUWVNZmJoTmxFIn0.eyJleHAiOjE2MzQwMjA4ODksImlhdCI6MTYzNDAyMDU4OSwianRpIjoiNDAwOTQ4ZmQtMGU0MS00YWRjLTlhY2MtMzczZWM2NDVhNzM5IiwiaXNzIjoiaHR0cDovLzEwLjgwLjI3LjY5OjgxODAvYXV0aC9yZWFsbXMvcXVpY2tzdGFydCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiJkZGVkMDA2YS0xY2QxLTRjODUtOTQ1MS0wMjFlZmY3OTFiMmUiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhcHAtc3ByaW5nYm9vdC1jb25maWRlbnRpYWwiLCJzZXNzaW9uX3N0YXRlIjoiYzRlN2QzYTgtMDg2My00OTAwLTkxZmEtMGExYmFmYmRlNGU3IiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYXBwLXNwcmluZ2Jvb3QtY29uZmlkZW50aWFsIjp7InJvbGVzIjpbInVtYV9wcm90ZWN0aW9uIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImNsaWVudElkIjoiYXBwLXNwcmluZ2Jvb3QtY29uZmlkZW50aWFsIiwiY2xpZW50SG9zdCI6IjEwLjEwLjIwLjU3IiwidXNlcl9uYW1lIjoic2VydmljZS1hY2NvdW50LWFwcC1zcHJpbmdib290LWNvbmZpZGVudGlhbCIsInByZWZlcnJlZF91c2VybmFtZSI6InNlcnZpY2UtYWNjb3VudC1hcHAtc3ByaW5nYm9vdC1jb25maWRlbnRpYWwiLCJjbGllbnRBZGRyZXNzIjoiMTAuMTAuMjAuNTcifQ.Ut6aZ6E1d4Esz0gRv2ubxdvrxmGvZLHHZepD5pnGxlqb_yZ4Q82TdGTG0iL4JJn2NH3QAU501dhzzuv6-OT9BUBKP-4ufyKv2DxSvt3GgdN30au5JsATHFyOWuuZGRBd3iWcynf9u3OJnSkHEnrIwRYatgndLzy8dy3AeqF12CI",
    "expires_in": 300,
    "refresh_expires_in": 600,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI2MTlhMmJjOS0yMWIwLTRmNGMtODI4OC1kNTJmMjA3OWEzY2EifQ.eyJleHAiOjE2MzQwMjExODksImlhdCI6MTYzNDAyMDU4OSwianRpIjoiYTM0NTQ1MTYtMzc3NC00YmRlLTgzOTMtN2QyMTdkZjdkZmJkIiwiaXNzIjoiaHR0cDovLzEwLjgwLjI3LjY5OjgxODAvYXV0aC9yZWFsbXMvcXVpY2tzdGFydCIsImF1ZCI6Imh0dHA6Ly8xMC44MC4yNy42OTo4MTgwL2F1dGgvcmVhbG1zL3F1aWNrc3RhcnQiLCJzdWIiOiJkZGVkMDA2YS0xY2QxLTRjODUtOTQ1MS0wMjFlZmY3OTFiMmUiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoiYXBwLXNwcmluZ2Jvb3QtY29uZmlkZW50aWFsIiwic2Vzc2lvbl9zdGF0ZSI6ImM0ZTdkM2E4LTA4NjMtNDkwMC05MWZhLTBhMWJhZmJkZTRlNyIsInNjb3BlIjoicHJvZmlsZSBlbWFpbCJ9.QhjkJBGz5UvwBF7xHM7_V_yjfF0lrA_EWzAVdFf-BRI",
    "token_type": "bearer",
    "not-before-policy": 0,
    "session_state": "c4e7d3a8-0863-4900-91fa-0a1bafbde4e7",
    "scope": "profile email"
}
這就是authorization_code流程

后端服務(wù)：

如果是在一個(gè)API中要請(qǐng)求另外一個(gè)API的數(shù)據(jù)，不存在具體用戶的情況
需提供如下參數(shù)：client_id、client_secrect和grant_type，且grant_type=client_credentials，調(diào)用KEYLOAK的取ACCESS_TOKEN的HTTP API，取得ACCESS_TOKEN
http://10.80.27.69:8180/auth/realms/quickstart/protocol/openid-connect/token
client_id=app-springboot-confidential&client_secret=3acf7692-49cb-4c45-9943-6f3dba512dae&grant_type=client_credentials
再將此ACCESS_TOKEN以Bearer TOKEN的方式調(diào)用別的的API
這就是client_credentials流程

驗(yàn)證Access Token和獲取Token元信息：

http://10.80.27.69:8180/auth/realms/quickstart/protocol/openid-connect/token/introspect
client_id=app-springboot-confidential&client_secret=3acf7692-49cb-4c45-9943-6f3dba512dae
Access Token無(wú)效時(shí)返回：
{
"active": false
}

刷新Token：

http://10.80.27.69:8180/auth/realms/quickstart/protocol/openid-connect/token
client_id=app-springboot-confidential&client_secret=3acf7692-49cb-4c45-9943-6f3dba512dae&grant_type=refresh_token&refresh_token=asdfasd
返回
{
    "access_token": "eyJhbGciOiJSUzI1NiIsIn",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOi",
    "token_type": "Bearer",
    "not-before-policy": 1610728470,
    "session_state": "c1273eb5-f922-420c-b23a-854be9735c1d",
    "scope": "profile email"
}

Reference:
https://blog.csdn.net/nklinsirui/article/details/112706006

https://www.baeldung.com/?s=keycloak

https://www.doag.org/formes/pubfiles/11143470/2019-NN-Sebastien_Blanc-Easily_Secure_your_Microservices_with_Keycloak-Praesentation.pdf

posted on 2021-10-12 14:40 paulwong 閱讀(781) 評(píng)論(0) 編輯收藏所屬分類: OAUTH2 、KEYCLOAK

新用戶注冊(cè) 刷新評(píng)論列表


只有注冊(cè)用戶登錄后才能發(fā)表評(píng)論。




網(wǎng)站導(dǎo)航: 博客園 IT新聞 Chat2DB C++博客博問(wèn) 管理
相關(guān)文章: OAUTH2 - 4流程如何選擇？ OIDC - KEYCLOAK - 自定義CLIENT SCOPE OAUTH2 - 4流程 OAUTH2 - SPRING SECURITY + KEYCLOAK SPRING BOOT OAUTH2 + KEYCLOAK - service to service call 使用REST API與KEYCLOAK進(jìn)行OUATH2協(xié)議的登錄認(rèn)證 SPRING CLOUD JWT資源理解OAuth 2.0

paulwong

My Links

Blog Stats

常用鏈接

留言簿(66)

隨筆分類(1386)

隨筆檔案(1144)

文章分類(7)

文章檔案(10)

相冊(cè)

收藏夾(2)

AI

Develop

E-BOOK

Other

養(yǎng)生

微服務(wù)

搜索

最新評(píng)論

閱讀排行榜

評(píng)論排行榜

60天內(nèi)閱讀排行

使用REST API與KEYCLOAK進(jìn)行OUATH2協(xié)議的登錄認(rèn)證