从外部源向 Keycloak 身份验证添加其他角色

Posted

技术标签:

【中文标题】从外部源向 Keycloak 身份验证添加其他角色【英文标题】:Add additional role to Keycloak authentication from outer source 【发布时间】:2020-09-28 13:01:34 【问题描述】:

我想通过 Keycloak 对用户进行身份验证,但我需要向 Spring Security 使用的 Authentication 对象添加额外的角色。添加角色保存在 Postgres 数据库中。

    我尝试使用自定义 AuthenticationProvider 覆盖 configureGlobal,但没有成功。 

    @Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception 
    ApplicationAuthenticationProvider provider = new ApplicationAuthenticationProvider();
    provider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
    auth.authenticationProvider(provider);

    @组件 公共类 ApplicationAuthenticationProvider 扩展 KeycloakAuthenticationProvider 

    @Autowired
private UserService userService;

private GrantedAuthoritiesMapper grantedAuthoritiesMapper;

public void setGrantedAuthoritiesMapper(GrantedAuthoritiesMapper grantedAuthoritiesMapper) 
    this.grantedAuthoritiesMapper = grantedAuthoritiesMapper;


@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException 
    KeycloakAuthenticationToken token = (KeycloakAuthenticationToken) authentication;
    List<GrantedAuthority> grantedAuthorities = new ArrayList<>();

    String username = ((KeycloakAuthenticationToken) authentication)
            .getAccount().getKeycloakSecurityContext().getToken().getPreferredUsername();
    List<Role> roles = userService.findRoles(username);

    for (Role role : roles) 
        grantedAuthorities.add(new KeycloakRole(role.toString()));
    
    return new KeycloakAuthenticationToken(token.getAccount(), token.isInteractive(), mapAuthorities(grantedAuthorities));


@Override
public boolean supports(Class<?> authentication) 
    return authentication.equals(UsernamePasswordAuthenticationToken.class);


private Collection<? extends GrantedAuthority> mapAuthorities(
        Collection<? extends GrantedAuthority> authorities) 
    return grantedAuthoritiesMapper != null
            ? grantedAuthoritiesMapper.mapAuthorities(authorities)
            : authorities;

    尝试添加额外的过滤器,但我不确定配置是否正确。

    @豆

    @Override
protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception 
    RequestMatcher requestMatcher =
            new OrRequestMatcher(
                    new AntPathRequestMatcher("/api/login"),
                    new QueryParamPresenceRequestMatcher(OAuth2Constants.ACCESS_TOKEN),
                    // We're providing our own authorization header matcher
                    new IgnoreKeycloakProcessingFilterRequestMatcher()
            );
    return new KeycloakAuthenticationProcessingFilter(authenticationManagerBean(), requestMatcher);


// Matches request with Authorization header which value doesn't start with "Basic " prefix
private class IgnoreKeycloakProcessingFilterRequestMatcher implements RequestMatcher 
    IgnoreKeycloakProcessingFilterRequestMatcher() 
    

public boolean matches(HttpServletRequest request) 
    String authorizationHeaderValue = request.getHeader("Authorization");
    return authorizationHeaderValue != null && !authorizationHeaderValue.startsWith("Basic ");

【问题讨论】:

你是怎么解决的? 【参考方案1】:

现在我只将 Keycloak 用于登录名/密码。角色和权限现在保存在本地数据库中。

【讨论】:

以上是关于从外部源向 Keycloak 身份验证添加其他角色的主要内容,如果未能解决你的问题,请参考以下文章

Spring过滤器将角色添加到来自令牌的请求

如何从外部 IDP 读取/导入角色到 Keycloak

Keycloak:我可以为每个客户端/用户/角色设置令牌的到期时间吗?

向从外部提供者检索到的 JWT 添加其他声明(例如角色)

使用用户 SPI 在 Keycloak 中为外部用户分配角色

带有外部身份提供者的 Keycloak 失败