How to configure OAuth2 in a Spring Boot BE + Spring Boot FE + Keycloak setup
I am new to the oauth2 stuff and I am trying to understand.
I am trying to set up the following:
- spring backend as a resource server. Basically an API that is secured with JWT token and serves database stuff based on user roles in the token
- spring boot frontend with thymeleaf that should perform authorization code flow login, obtain an access token and make API calls to the backend with that token.
How should I configure the 2 services to achieve what I want?
I have already tried:
- configuring 2 clients in keycloak, one for the BE, one for FE
- configuring the BE spring boot with the spring.security.oauth2.resourceserver property and tested it, and indeed the JWT mechanism is working as expected: I can see the roles that I set up in the keycloak auth server and parse them as authorities
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: baseurl/auth/realms/realmname
          jwk-set-uri: baseurl/auth/realms/realmname/protocol/openid-connect/certs
- configuring the FE like:
spring:
  security:
    oauth2:
      client:
        registration:
          keycloak:
            client-id: id
            client-secret: secret
            scope: openid, profile, roles
            authorization-grant-type: authorization_code
            redirect-uri: http://localhost:8082/login/oauth2/code/service-name
        provider:
          keycloak:
            issuer-uri: baseurl/auth/realms/realmname
Which works: it triggers the login page of keycloak, I put the user and password in the form, and then I don't know how to get ahold of the access token to make API calls to the BE. In the SecurityContextHolder bean in the FE I can only find the ID token, but not the access token.
I am pretty sure I understood the whole concept completely wrong so please help. How should I do this? What am I getting wrong?
Thanks in advance!
Found the solution, I guess. One can access the access token as documented here: https://docs.spring.io/spring-security/site/docs/5.1.5.RELEASE/reference/htmlsingle/#oauth2Client-authorized-repo-service
We can basically autowire the Client Service from the OAuth2 adapter and the OAuth2AuthenticationToken, from which we can then easily extract the access token!
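As an added illustration of the approach the answer describes (this is example code, not from the question, the answer or Spring's docs): a FE controller that loads the current user's OAuth2AuthorizedClient through the autowired OAuth2AuthorizedClientService and forwards the access token as a Bearer header to the BE. It assumes the registration id "keycloak" from the FE config above, Spring Security 5.1 or later, and a hypothetical BE endpoint http://localhost:8081/api/data.

```java
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.client.RestTemplate;
import java.time.Instant;

@Controller
public class BackendProxyController {

    private static final String BACKEND_URL = "http://localhost:8081/api/data"; // hypothetical BE endpoint

    private final OAuth2AuthorizedClientService clientService;
    private final RestTemplate restTemplate = new RestTemplate();

    public BackendProxyController(OAuth2AuthorizedClientService clientService) {
        this.clientService = clientService; // constructor injection of the autowired service
    }

    @GetMapping("/data")
    public String data(OAuth2AuthenticationToken authentication, Model model) {
        // Authorized clients are keyed by registration id ("keycloak") and principal name.
        OAuth2AuthorizedClient client = clientService.loadAuthorizedClient(
                authentication.getAuthorizedClientRegistrationId(),
                authentication.getName());
        if (client == null) {
            throw new IllegalStateException("No authorized client for the current user");
        }
        OAuth2AccessToken token = client.getAccessToken();
        // The service does not refresh tokens: an expired token means the user must re-authorize.
        if (token.getExpiresAt() != null && token.getExpiresAt().isBefore(Instant.now())) {
            return "redirect:/oauth2/authorization/" + authentication.getAuthorizedClientRegistrationId();
        }
        HttpHeaders headers = new HttpHeaders();
        headers.setBearerAuth(token.getTokenValue()); // send the token to the BE only; never log its value
        ResponseEntity<String> response = restTemplate.exchange(
                BACKEND_URL, HttpMethod.GET, new HttpEntity<>(headers), String.class);
        model.addAttribute("data", response.getBody());
        return "data"; // Thymeleaf template name
    }
}
```

The BE still validates the token itself against the issuer and JWK set from the resource server config, so the FE forwarding the token grants nothing the user's Keycloak roles do not already allow.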