在@ dmitri-algazin之后,您可以实现工作流,基本上有两个选择:
- 如果您想涵盖Keycloak之外的其他IDM,该解决方案以某种方式解决了“ 单一职责”原则,我会使用
RestTemplate
。在下面可以找到变量://Constants@Value("${keycloak.url}")private String keycloakUrl;@Value("${keycloak.realm}")private String keycloakRealm;@Value("${keycloak.client_id}")private String keycloakClientId;RestTemplate restTemplate = new RestTemplate();private static final String BEARER = "BEARER ";
首先,您需要生成访问令牌:
@Override public AccessTokenResponse login(KeycloakUser user) throws NotAuthorizedException { try { String uri = keycloakUrl + "/realms/" + keycloakRealm + "/protocol/openid-connect/token"; String data = "grant_type=password&username="+ user.getUsername()+"&password="+user.getPassword()+"&client_id="+ keycloakClientId; HttpHeaders headers = new HttpHeaders(); headers.set("Content-Type", "application/x-www-form-urlenpred"); HttpEntity<String> entity = new HttpEntity<String>(data, headers); ResponseEntity<AccessTokenResponse> response = restTemplate.exchange(uri, HttpMethod.POST, entity, AccessTokenResponse.class); if (response.getStatusCode().value() != HttpStatus.SC_OK) { log.error("Unauthorised access to protected resource", response.getStatusCode().value()); throw new NotAuthorizedException("Unauthorised access to protected resource"); } return response.getBody(); } catch (Exception ex) { log.error("Unauthorised access to protected resource", ex); throw new NotAuthorizedException("Unauthorised access to protected resource"); } }然后,使用令牌可以从用户检索信息:
@Override public String user(String authToken) throws NotAuthorizedException { if (! authToken.toUpperCase().startsWith(BEARER)) { throw new NotAuthorizedException("Invalid OAuth Header. Missing Bearer prefix"); } HttpHeaders headers = new HttpHeaders(); headers.set("Authorization", authToken); HttpEntity<String> entity = new HttpEntity<>(headers); ResponseEntity<AccessToken> response = restTemplate.exchange( keycloakUrl + "/realms/" + keycloakRealm + "/protocol/openid-connect/userinfo", HttpMethod.POST, entity, AccessToken.class); if (response.getStatusCode().value() != HttpStatus.SC_OK) { log.error("OAuth2 Authentication failure. " + "Invalid OAuth Token supplied in Authorization Header on Request. Code {}", response.getStatusCode().value()); throw new NotAuthorizedException("OAuth2 Authentication failure. " + "Invalid OAuth Token supplied in Authorization Header on Request."); } log.debug("User info: {}", response.getBody().getPreferredUsername()); return response.getBody().getPreferredUsername(); }您可以将该URL替换为@ dimitri-algazin提供的URL,以检索所有用户信息。
- 可以使用Keycloak依赖项:
<!-- keycloak --> <dependency> <groupId>org.keycloak</groupId> <artifactId>keycloak-admin-client</artifactId> <version>3.4.3.Final</version> </dependency> <dependency> <groupId>org.jboss.resteasy</groupId> <artifactId>resteasy-client</artifactId> <version>3.1.4.Final</version> </dependency>
并使用这些类来生成令牌:
Keycloak keycloak = KeycloakBuilder .builder() .serverUrl(keycloakUrl) .realm(keycloakRealm) .username(user.getUsername()) .password(user.getPassword()) .clientId(keycloakClientId) .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build()) .build(); return keycloak.tokenManager().getAccessToken();
例子摘自这里。我们还将映像上传到Docker
Hub,以促进与Keycloak的交互。因此,我们从选项2)开始。目前,我们正在涵盖其他IdM,我们选择了选项1),以避免包括额外的依赖项。结论:
如果您坚持使用Keycloak,我会 选择选项2 ,因为类包含Keycloak工具的额外功能。我会 选择选项1
进行进一步介绍,并使用其他OAuth 2.0工具。
