英文:
is it possible validate keycloak token on a header different than Authorization?
问题
我正在实现Keycloak,目前进展非常顺利。我根据文档进行了基本配置,大致如下所示:
@Primary
public class AuthConfig extends KeycloakWebSecurityConfigurerAdapter {
@Primary
@Bean
public KeycloakConfigResolver KeycloakConfigResolver() {
return new KeycloakSpringBootConfigResolver();
}
public SimpleAuthorityMapper grantedAuthority() {
SimpleAuthorityMapper mapper = new SimpleAuthorityMapper();
return mapper;
}
@Primary
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) {
KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(grantedAuthority());
auth.authenticationProvider(keycloakAuthenticationProvider);
}
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new NullAuthenticatedSessionStrategy();
}
@Primary
@Bean
public AuthenticationProvider authenticationProvider() {
return keycloakAuthenticationProvider();
}
@Primary
@Bean
public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
KeycloakPreAuthActionsFilter filter) {
FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
return registrationBean;
}
@Primary
@Bean
public FilterRegistrationBean keycloakAuthenticatedActionsFilterBean(
KeycloakAuthenticatedActionsFilter filter) {
FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
registrationBean.setEnabled(false);
return registrationBean;
}
@Primary
@Bean
public FilterRegistrationBean keycloakSecurityContextRequestFilterBean(
KeycloakSecurityContextRequestFilter filter) {
FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
return registrationBean;
}
@Primary
@Bean
@Override
@ConditionalOnMissingBean(HttpSessionManager.class)
protected HttpSessionManager httpSessionManager() {
return new HttpSessionManager();
}
}
可能存在重复的配置,但重点是在验证 API 到 API 令牌时效果良好(这就是为什么我将其设置为不创建会话),以及在验证用户令牌时......
因此,当我发送用户令牌时,我可以执行类似于以下的操作:
public foo getUser(Principal userPrincipal) {
// ...
}
然后,我将能够访问令牌的所有者用户,并从 JWT 令牌中获取信息。
我的问题是,在发送标头 Authentication 时发生的所有这些情况,此时我需要发送一个与验证用户时的 Authentication 标头不同的标头,以便我可以接收 API 令牌和用户令牌,并根据 JWT 信息和其他逻辑决定稍后用于调用另一个服务的令牌。
是否可以为我的用户令牌创建自己的Keycloak "会话",然后从其中创建UserPrincipal?
有什么想法吗?
英文:
I am implementing keycloak and so far works very nice. I did a basic configuration based on the documentation that looks sort of like this:
@Primary
public class AuthConfig extends KeycloakWebSecurityConfigurerAdapter {
@Primary
@Bean
public KeycloakConfigResolver KeycloakConfigResolver() {
return new KeycloakSpringBootConfigResolver();
}
public SimpleAuthorityMapper grantedAuthority() {
SimpleAuthorityMapper mapper = new SimpleAuthorityMapper();
return mapper;
}
@Primary
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) {
KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(grantedAuthority());
auth.authenticationProvider(keycloakAuthenticationProvider);
}
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
return new NullAuthenticatedSessionStrategy();
}
@Primary
@Bean
public AuthenticationProvider authenticationProvider() {
return keycloakAuthenticationProvider();
}
@Primary
@Bean
public FilterRegistrationBean keycloakPreAuthActionsFilterRegistrationBean(
KeycloakPreAuthActionsFilter filter) {
FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
return registrationBean;
}
@Primary
@Bean
public FilterRegistrationBean keycloakAuthenticatedActionsFilterBean(
KeycloakAuthenticatedActionsFilter filter) {
FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
registrationBean.setEnabled(false);
return registrationBean;
}
@Primary
@Bean
public FilterRegistrationBean keycloakSecurityContextRequestFilterBean(
KeycloakSecurityContextRequestFilter filter) {
FilterRegistrationBean registrationBean = new FilterRegistrationBean(filter);
return registrationBean;
}
@Primary
@Bean
@Override
@ConditionalOnMissingBean(HttpSessionManager.class)
protected HttpSessionManager httpSessionManager() {
return new HttpSessionManager();
}
might have duplicated configuration but the point is that works fine when authenticating api to api tokens (thats why I set it to create no session) and when authenticating user tokens ...
So, when I send a user token I can do something like this:
public foo getUser(Principal userPrincipal) {
...
}
and then I will be able to access the user owner of the token and get info from the JWT token.
My question is, all this happens when sending the header Authentication and at this moment and I need to send a different header than Authentication when validating the user so I can receive API token and user token and decide (in based of JWT info and other logic) which token I will use to later call another service.
Is it possible to create my own Keycloak "session" for my user token and then create the UserPrincipal from that?
Any idea?
专注分享java语言的经验与见解,让所有开发者获益!
评论