How to use RBAC with Keycloak and Nuxt

I am currently trying to use Keycloak for authentication and authorization of a Nuxt app. I am able to point all authentication at Keycloak and get an OIDC JWT token back as the response. The Nuxt app is able to parse the response and grant access.

However, it seems that not all of the information from the OIDC JWT token is available to my Nuxt app. I want to know which roles the user has, as well as the other attributes of the token.

From this.$auth.user I only get this information:

{
  "sub": "af52eefc-377e-4fd4-8da7-e1c15118acb8",
  "email_verified": true,
  "name": "Kenneth Larsen",
  "preferred_username": "xyz",
  "given_name": "Kenneth",
  "family_name": "Larsen",
  "email": "xyz@mail.com"
}

I am able to get the full token from this.$auth.strategy.token.get(), and if I JWT-decode it I get something like this:

{
  "exp": 1615519947,
  "iat": 1615519647,
  "auth_time": 1615519285,
  "jti": "054ef275-fe50-40b8-b283-087f544b3afc",
  "iss": "https://example.com/auth/realms/testrealm",
  "aud": "account",
  "sub": "af52eefc-377e-4fd4-8da7-e1c15118acb8",
  "typ": "Bearer",
  "azp": "example.com",
  "session_state": "98f74bbd-a626-4757-96de-4d860bdd45d1",
  "acr": "1",
  "allowed-origins": [
    "https://example.com"
  ],
  "realm_access": {
    "roles": [
      "offline_access",
      "myrole01",
      "myrole02",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid email profile",
  "email_verified": true,
  "name": "Kenneth Larsen",
  "preferred_username": "xyz",
  "given_name": "Kenneth",
  "family_name": "Larsen",
  "email": "xyz@email.com"
}

I know I can parse the token myself, but I was hoping this was already done. I just can't find it anywhere.

Thanks

Define the scopes in the config as shown below:

// nuxt.config.js, inside the `auth` option of @nuxtjs/auth-next
strategies: {
  keycloak: {
    scheme: 'oauth2',
    endpoints: {
      authorization: `${process.env.KEYCLOAK_REMOTE_HOST}/auth/realms/${process.env.KEYCLOAK_REALM}/protocol/openid-connect/auth`,
      token: `${process.env.KEYCLOAK_REMOTE_HOST}/auth/realms/${process.env.KEYCLOAK_REALM}/protocol/openid-connect/token`,
      logout: `${process.env.KEYCLOAK_REMOTE_HOST}/auth/realms/${process.env.KEYCLOAK_REALM}/protocol/openid-connect/logout?redirect_uri=` + encodeURIComponent(String(process.env.REMOTE_API))
    },
    token: {
      property: 'access_token',
      type: 'Bearer',
      name: 'Authorization',
      maxAge: 1800 // Can be dynamic?
    },
    refreshToken: {
      property: 'refresh_token',
      maxAge: 60 * 60 * 24 * 30 // Can be dynamic?
    },
    responseType: 'code',
    grantType: 'authorization_code',
    clientId: process.env.KEYCLOAK_CLIENT_ID,
    // "roles" and "microprofile-jwt" are the Keycloak client scopes that put role claims into the token
    scope: ['openid', 'address', 'roles', 'microprofile-jwt', 'email', 'phone', 'profile'],
    codeChallengeMethod: 'S256'
  }
}
Then you will get the role list from nuxt auth. Below is some sample code:

// get role list
const roles = this.$auth.user.groups;
// check role exists or not. Here 'user' is a custom role
const hasUserRole = roles.includes('user');
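If the roles are needed straight from the access token rather than from the user object, the payload shown in the question can be decoded and the `realm_access` / `resource_access` claims flattened into one role list. The following is an added example, not code from the question or the answer; it assumes the token string is what `this.$auth.strategy.token.get()` returns (with or without the `Bearer ` prefix). It reads the payload without verifying the signature, so it is only suitable for client-side UI gating; the API must verify the token before trusting any role.

```javascript
// Decode a base64url segment (Node Buffer; in a browser use atob after the same padding fix)
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Return the JWT payload as an object. No signature check: for UI hints only.
function decodeJwtPayload(token) {
  const raw = token.startsWith('Bearer ') ? token.slice(7) : token;
  const parts = raw.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Keycloak puts realm roles in realm_access.roles and client roles under
// resource_access.<client>.roles; flatten both, prefixing client roles with "<client>:".
function extractRoles(payload) {
  const realm = (payload.realm_access && payload.realm_access.roles) || [];
  const clients = Object.entries(payload.resource_access || {}).flatMap(
    ([client, access]) => (access.roles || []).map((r) => `${client}:${r}`)
  );
  return [...realm, ...clients];
}

function hasRole(payload, role) {
  return extractRoles(payload).includes(role);
}

// A stale token must not unlock anything, even if it still carries the role.
function isExpired(payload, nowSec = Math.floor(Date.now() / 1000)) {
  return typeof payload.exp !== 'number' || payload.exp <= nowSec;
}

// Constructed sample token: a header, the role-bearing claims from the question's
// payload, and a dummy signature segment (never verified by this example).
const samplePayload = {
  exp: 1615519947, iat: 1615519647, iss: 'https://example.com/auth/realms/testrealm',
  sub: 'af52eefc-377e-4fd4-8da7-e1c15118acb8', typ: 'Bearer',
  realm_access: { roles: ['offline_access', 'myrole01', 'myrole02', 'uma_authorization'] },
  resource_access: { account: { roles: ['manage-account', 'manage-account-links', 'view-profile'] } }
};
const toB64Url = (obj) =>
  Buffer.from(JSON.stringify(obj)).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleToken = 'Bearer ' + toB64Url({ alg: 'RS256', typ: 'JWT' }) + '.' + toB64Url(samplePayload) + '.sig';
```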
