403 spring-boot-2-keycloak-适配器

Posted

技术标签:

【中文标题】403 spring-boot-2-keycloak-适配器【英文标题】:403 spring-boot-2-keycloak-adapter 【发布时间】:2018-11-01 17:12:14 【问题描述】:

我遇到了和这里完全相同的问题:Spring Boot - KeyCloak directed to 403 forbidden 但是,该问题的答案表明,在我的情况下,可能未在 keycloak 服务器中配置或分配角色。

一个 Angular 前端应用程序,通过 keycloak 服务器对用户进行身份验证。

然后将接收到的令牌传递给使用 spring-boot 开发的 rest 服务,使用 keycloak-spring-boot-2-starter。

这就是问题所在:我的服务获取令牌,使用 keycloak 对其进行身份验证没有问题,但将 403 返回到客户端应用程序。

我确实调试了keycloak适配器发现,在请求中找到的主体(GenericPrincipal)中,没有角色信息(和空列表)。

在keycloak服务器上,我在领域设置中添加了角色,并将角色分配给了用户(只有一个用户)。也尝试过客户端角色(使用 use-resource-role-mappings: true)但同样的问题。

这是我在 application.yaml 中的 keycloak 配置:

keycloak:
  auth-server-url: http://localhost:8084/auth
  ssl-required: external
  realm: soccer-system
  resource: league-service
  bearer-only: true
  cors: true
  use-resource-role-mappings: false
  enabled: true
  credentials:
    secret: myClientKey
  security-constraints:
    0:
      auth-roles:
      - user
      security-collections:
        0:
          patterns:
          - /*

Keycloak 服务器版本为 3.4.3.Final

我已经为此苦苦挣扎了两天。希望有人能帮我上路:)

Maven 依赖:

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-spring-boot-2-starter</artifactId>
        <version>4.0.0.Beta2</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
</dependencies>

来自适配器的调试日志:

2018-05-27 12:32:09.266 DEBUG 2607 --- [nio-8081-exec-1] o.k.adapters.PreAuthActionsHandler       : adminRequest http://localhost:8081/league
2018-05-27 12:32:09.273 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Using provider 'secret' for authentication of client 'league-service'
2018-05-27 12:32:09.275 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider secret
2018-05-27 12:32:09.277 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider jwt
2018-05-27 12:32:09.278 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider secret-jwt
2018-05-27 12:32:09.279 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider secret
2018-05-27 12:32:09.279 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider jwt
2018-05-27 12:32:09.279 DEBUG 2607 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils   : Loaded clientCredentialsProvider secret-jwt
2018-05-27 12:32:09.484 DEBUG 2607 --- [nio-8081-exec-1] o.keycloak.adapters.KeycloakDeployment   : resolveUrls
2018-05-27 12:32:09.486 DEBUG 2607 --- [nio-8081-exec-1] o.k.adapters.KeycloakDeploymentBuilder   : Use authServerUrl: http://localhost:8084/auth, tokenUrl: http://localhost:8084/auth/realms/soccer-system/protocol/openid-connect/token, relativeUrls: NEVER
2018-05-27 12:32:09.486 DEBUG 2607 --- [nio-8081-exec-1] o.k.adapters.PreAuthActionsHandler       : checkCorsPreflight http://localhost:8081/league
2018-05-27 12:32:09.487 DEBUG 2607 --- [nio-8081-exec-1] o.k.adapters.PreAuthActionsHandler       : Preflight request returning
2018-05-27 12:32:09.495 DEBUG 2607 --- [nio-8081-exec-2] o.k.adapters.PreAuthActionsHandler       : adminRequest http://localhost:8081/league
2018-05-27 12:32:09.496 DEBUG 2607 --- [nio-8081-exec-2] o.k.adapters.PreAuthActionsHandler       : checkCorsPreflight http://localhost:8081/league
2018-05-27 12:32:09.593 TRACE 2607 --- [nio-8081-exec-2] o.k.adapters.RequestAuthenticator        : --> authenticate()
2018-05-27 12:32:09.593 TRACE 2607 --- [nio-8081-exec-2] o.k.adapters.RequestAuthenticator        : try bearer
2018-05-27 12:32:09.594 DEBUG 2607 --- [nio-8081-exec-2] o.k.a.BearerTokenRequestAuthenticator    : Verifying access_token
2018-05-27 12:32:09.637 TRACE 2607 --- [nio-8081-exec-2] o.k.a.BearerTokenRequestAuthenticator    :     access_token: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI5LV92RjRCM21PS0JjQVdhSFlGc3VlVGthRzNEVHBqUThHS2NqTGpqY0pnIn0.eyJqdGkiOiI1ZWMyYmU0YS04YmRlLTQ0OTEtYjRjMC04YzY5ZDIxMmVkZmIiLCJleHAiOjE1Mjc0MzkwMzYsIm5iZiI6MCwiaWF0IjoxNTI3NDM4NzM2LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODQvYXV0aC9yZWFsbXMvc29jY2VyLXN5c3RlbSIsImF1ZCI6ImxlYWd1ZS1vcmdhbml6ZXItYXBwIiwic3ViIjoiNTRiNzBlYjYtNzMxZC00Y2RiLTk1MzAtMTRjYTQxMWI3OGY4IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoibGVhZ3VlLW9yZ2FuaXplci1hcHAiLCJub25jZSI6IjRiYjgzZDVhLTg5ZDktNDNkNy1hMWExLWJjZDdlYTQ0Y2Q3YiIsImF1dGhfdGltZSI6MTUyNzQzODczNSwic2Vzc2lvbl9zdGF0ZSI6ImQwNmI0NGQ2LTljYTgtNGYzYy1iYTBlLTY5NDhmYzAzYWY0YyIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiKiJdLCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJ2aWV3LXByb2ZpbGUiXX19LCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJyLmJhcmFiZUBnbWFpbC5jb20ifQ.signature
2018-05-27 12:32:09.697 TRACE 2607 --- [nio-8081-exec-2] o.k.a.rotation.JWKPublicKeyLocator       : Going to send request to retrieve new set of realm public keys for client league-service
2018-05-27 12:32:09.822 DEBUG 2607 --- [nio-8081-exec-2] o.k.a.rotation.JWKPublicKeyLocator       : Realm public keys successfully retrieved for client league-service. New kids: [9-_vF4B3mOKBcAWaHYFsueTkaG3DTpjQ8GKcjLjjcJg]
2018-05-27 12:32:09.823 DEBUG 2607 --- [nio-8081-exec-2] o.k.a.BearerTokenRequestAuthenticator    : successful authorized
2018-05-27 12:32:09.826 TRACE 2607 --- [nio-8081-exec-2] o.k.a.RefreshableKeycloakSecurityContext : checking whether to refresh.
2018-05-27 12:32:09.827 TRACE 2607 --- [nio-8081-exec-2] org.keycloak.adapters.AdapterUtils       : use realm role mappings
2018-05-27 12:32:09.827 TRACE 2607 --- [nio-8081-exec-2] org.keycloak.adapters.AdapterUtils       : Setting roles: 
2018-05-27 12:32:09.830 DEBUG 2607 --- [nio-8081-exec-2] o.k.adapters.RequestAuthenticator        : User '54b70eb6-731d-4cdb-9530-14ca411b78f8' invoking 'http://localhost:8081/league' on client 'league-service'
2018-05-27 12:32:09.830 DEBUG 2607 --- [nio-8081-exec-2] o.k.adapters.RequestAuthenticator        : Bearer AUTHENTICATED
2018-05-27 12:32:09.839  INFO 2607 --- [nio-8081-exec-2] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring FrameworkServlet 'dispatcherServlet'
2018-05-27 12:32:09.839  INFO 2607 --- [nio-8081-exec-2] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization started
2018-05-27 12:32:09.866  INFO 2607 --- [nio-8081-exec-2] o.s.web.servlet.DispatcherServlet        : FrameworkServlet 'dispatcherServlet': initialization completed in 27 ms

在调试模式下,我设法获得了从 keycloak 收到的令牌(解码),这里是:


    "jti": "c9d8ebd4-1ea6-4191-ac03-32b047d6f80c",
    "exp": 1527441347,
    "nbf": 0,
    "iat": 1527441047,
    "iss": "http://localhost:8084/auth/realms/soccer-system",
    "aud": "league-organizer-app",
    "sub": "54b70eb6-731d-4cdb-9530-14ca411b78f8",
    "typ": "Bearer",
    "azp": "league-organizer-app",
    "nonce": "ac3e1024-9ce0-4a45-806b-8ec245905a3c",
    "auth_time": 1527440521,
    "session_state": "4df9e22b-141a-4970-98cc-cff57894814a",
    "acr": "0",
    "allowed-origins": [
        "*"
    ],
    "resource_access": 
        "account": 
            "roles": [
                "view-profile"
            ]
        
    ,
    "preferred_username": "thaUser"

更新 1:

我尝试使用 keycloak 服务器版本 4.0.0.Beta2 来匹配适配器之一。不幸的是,这没有帮助。

更新 2:

按照评论中的建议,我尝试将 ** 作为角色限制在配置中,但这并没有帮助:

security-constraints:
    0:
      auth-roles:
      - '**'
      security-collections:
        0:
          patterns:
          - /*

编辑 1:

添加了控制台输出。似乎没有设置任何角色。但我在我的领域中确实有这些角色,分配给我的用户。

编辑 2:

添加了适配器在调试中看到的访问令牌。

【问题讨论】:

第一点:为什么你为keycloak使用不同的客户端和服务器版本?您提到服务器版本为 3.4.3,但客户端版本(来自您的 pom)是 4.0.0.Beta2 其次,为了确定错误是因为角色不匹配,您可以尝试提供 any(即通配符)角色。阅读这篇文章了解更多详情:***.com/a/50503576/2458858 感谢您的建议。我更新了问题,但这没有帮助。我一定是做错了什么。 【参考方案1】:

我终于成功了。 问题是我没有在前端应用程序客户端配置中将任何角色映射到范围。 当我这样做时它起作用了。在客户端配置(用户进行身份验证的配置)中,选项卡“范围”。之后激活“允许的全范围”选项,或选择您希望 keycloak 映射的领域角色。所选角色将映射到用户角色并包含在令牌中。

我只是不知道我必须这样做。不过,感谢您的 cmets,它很有用。

【讨论】:

以上是关于403 spring-boot-2-keycloak-适配器的主要内容,如果未能解决你的问题,请参考以下文章

如何解决安装IIS时出现HTTP错误403禁止访问?

打开网页显示403-forbidden啥意思啊

403 forbidden啥意思,怎么修复解决403 forbidden

vue跨域请求时报403

403 错误怎么解决?

403 forbidden nginx怎么解决