Should I validate the Keycloak token explicitly, or does the Keycloak adapter do it?



There is a Spring Boot REST API that needs to be protected by Keycloak; the application uses the Keycloak Spring Security adapter (6.0.1).

Calls to the API endpoints carry a bearer token obtained from Keycloak (currently via Postman).

I am able to make successful calls to the REST endpoints, but something else bothers me - should I explicitly validate the token against the public key?

1 - Does the adapter perform token validation against the public key, or should I implement it?

2 - If the adapter is doing it - could you point out in which classes this is done?

3 - If not - how should this validation be implemented? Are there any Keycloak libraries that can be used to validate the token?

Well, after a few days of searching the web for an answer - I figured it out. I looked at the code of the Keycloak-spring-security-adapter and found it.

First, I set the Keycloak logging level to debug:

logging.level.org.keycloak=DEBUG

Then I tried to access my endpoint with a wrong token (I expected this to produce an exception, i.e. a more obvious trace; and it did):

2019-10-17 10:18:57,905 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.PreAuthActionsHandler | adminRequest http://localhost:8081/error 
2019-10-17 10:18:57,906 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter | Request is to process authentication 
2019-10-17 10:18:57,906 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter | Attempting Keycloak authentication 
2019-10-17 10:18:57,906 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.BearerTokenRequestAuthenticator | Found [1] values in authorization header, selecting the first value for Bearer. 
2019-10-17 10:18:57,906 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.BearerTokenRequestAuthenticator | Verifying access_token 
2019-10-17 10:18:57,908 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.BearerTokenRequestAuthenticator | Failed to verify token 
2019-10-17 10:18:57,908 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.RequestAuthenticator | Bearer FAILED 
2019-10-17 10:18:57,908 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter | Auth outcome: FAILED 
2019-10-17 10:18:57,925 | 30860 | http-nio-8081-exec-2 |  |  |  |  | DEBUG |  | org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter | Authentication request failed: org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details
at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:158)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
.....

From that point on it is clear that the token is being verified, and if you look at the classes involved you will see that in certain cases it is verified against the public key.

The classes involved in this authentication and verification, in my case (bearer-only), are:

org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter
org.keycloak.adapters.BearerTokenRequestAuthenticator

Hope this helps others like me find their way around Keycloak.
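For question 3, an added example (not code from the question, the answer or the Keycloak project) of doing the same check explicitly with the TokenVerifier class from keycloak-core, which is the verifier the adapter's BearerTokenRequestAuthenticator path ends up using; the method names are assumed from the Keycloak API, and the realm public key is assumed to have been fetched from the realm beforehand (the adapter selects it by the token's kid from the realm's JWKS endpoint).

```java
import java.security.PublicKey;
import org.keycloak.TokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.representations.AccessToken;

/**
 * Explicit bearer-token check, mirroring what the adapter does for a
 * bearer-only deployment. Assumed API: org.keycloak.TokenVerifier.
 */
public final class ExplicitTokenCheck {

    private ExplicitTokenCheck() {}

    /**
     * @param tokenString   raw compact JWT from the Authorization header
     * @param realmPublicKey RS256 public key of the realm (fetched beforehand)
     * @param realmUrl      e.g. https://sso.example.com/auth/realms/myrealm (placeholder);
     *                      must equal the token's "iss" claim
     * @return the parsed token, only if every check passed
     * @throws VerificationException on bad signature, wrong issuer, expiry or missing subject
     */
    public static AccessToken verify(String tokenString, PublicKey realmPublicKey, String realmUrl)
            throws VerificationException {
        return TokenVerifier.create(tokenString, AccessToken.class)
                .publicKey(realmPublicKey)          // signature check against the realm key
                .realmUrl(realmUrl)                 // "iss" must match the realm URL
                .withChecks(TokenVerifier.IS_ACTIVE,            // exp / nbf
                            TokenVerifier.SUBJECT_EXISTS_CHECK) // "sub" present
                .verify()                           // throws VerificationException on any failure
                .getToken();
    }
}
```

If a token fails any of these checks the adapter logs the "Failed to verify token" / "Bearer FAILED" lines shown in the trace above, so that log pattern is also what to alert on when monitoring rejected bearer tokens.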
