OAuth2客户端凭据通过Spring Boot Keycloak集成进行流动

OAuth2客户端凭据通过Spring Boot Keycloak集成进行流动

在@ dmitri-algazin之后，您可以实现工作流，基本上有两个选择：

1. 如果您想涵盖Keycloak之外的其他IDM，该解决方案以某种方式解决了“ 单一职责”原则，我会使用

   RestTemplate

   。在下面可以找到变量：

   //Constants@Value("${keycloak.url}")private String keycloakUrl;@Value("${keycloak.realm}")private String keycloakRealm;@Value("${keycloak.client_id}")private String keycloakClientId;RestTemplate restTemplate = new RestTemplate();private static final String BEARER = "BEARER ";

首先，您需要生成访问令牌：

    @Override    public AccessTokenResponse login(KeycloakUser user) throws NotAuthorizedException {        try { String uri = keycloakUrl + "/realms/" + keycloakRealm +          "/protocol/openid-connect/token"; String data = "grant_type=password&username="+         user.getUsername()+"&password="+user.getPassword()+"&client_id="+         keycloakClientId; HttpHeaders headers = new HttpHeaders(); headers.set("Content-Type", "application/x-www-form-urlenpred"); HttpEntity<String> entity = new HttpEntity<String>(data, headers); ResponseEntity<AccessTokenResponse> response = restTemplate.exchange(uri,          HttpMethod.POST, entity, AccessTokenResponse.class); if (response.getStatusCode().value() != HttpStatus.SC_OK) {     log.error("Unauthorised access to protected resource", response.getStatusCode().value());     throw new NotAuthorizedException("Unauthorised access to protected resource"); } return response.getBody();        } catch (Exception ex) { log.error("Unauthorised access to protected resource", ex); throw new NotAuthorizedException("Unauthorised access to protected resource");        }     }

然后，使用令牌可以从用户检索信息：

    @Override    public String user(String authToken) throws NotAuthorizedException {        if (! authToken.toUpperCase().startsWith(BEARER)) { throw new NotAuthorizedException("Invalid OAuth Header. Missing Bearer prefix");        }        HttpHeaders headers = new HttpHeaders();        headers.set("Authorization", authToken);        HttpEntity<String> entity = new HttpEntity<>(headers);        ResponseEntity<AccessToken> response = restTemplate.exchange(     keycloakUrl + "/realms/" + keycloakRealm + "/protocol/openid-connect/userinfo",      HttpMethod.POST,      entity,      AccessToken.class);        if (response.getStatusCode().value() != HttpStatus.SC_OK) { log.error("OAuth2 Authentication failure. "         + "Invalid OAuth Token supplied in Authorization Header on Request. Code {}", response.getStatusCode().value()); throw new NotAuthorizedException("OAuth2 Authentication failure. "         + "Invalid OAuth Token supplied in Authorization Header on Request.");        }        log.debug("User info: {}", response.getBody().getPreferredUsername());        return response.getBody().getPreferredUsername();    }

您可以将该URL替换为@ dimitri-algazin提供的URL，以检索所有用户信息。

1. 可以使用Keycloak依赖项：

       <!-- keycloak -->    <dependency>        <groupId>org.keycloak</groupId>        <artifactId>keycloak-admin-client</artifactId>        <version>3.4.3.Final</version>    </dependency>    <dependency>        <groupId>org.jboss.resteasy</groupId>        <artifactId>resteasy-client</artifactId>        <version>3.1.4.Final</version>    </dependency>

并使用这些类来生成令牌：

 Keycloak keycloak = KeycloakBuilder         .builder()         .serverUrl(keycloakUrl)         .realm(keycloakRealm)         .username(user.getUsername())         .password(user.getPassword())         .clientId(keycloakClientId)         .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())         .build(); return keycloak.tokenManager().getAccessToken();

例子摘自这里。我们还将映像上传到Docker
Hub，
以促进与Keycloak的交互。因此，我们从选项2）开始。目前，我们正在涵盖其他IdM，我们选择了选项1），以避免包括额外的依赖项。结论：

如果您坚持使用Keycloak，我会 选择选项2 ，因为类包含Keycloak工具的额外功能。我会 选择选项1
进行进一步介绍，并使用其他OAuth 2.0工具。