keycloak~巧用client-scope实现token字段和userinfo接口的授权
keycloak中的client-scope答应你为每个客户端分配scope,而scope就是授权范围,它直接影响了token中的内容,及userinfo端点可以获取到的用户信息,这块我们可以通过自定义scope/mapper,来实现粒度的控制,并且这个mapper可以控制添加到token,或者添加到userinfo端点,这两块配置也是独立的,下面我们通过一个登录IP地址的mapper,来实现将登录ip添加到token和userinfo端点。添加Mapper对象
public class ExtensionLoginIpMapper
extends AbstractOIDCProtocolMapper
implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {
public static final String CONFIG_NAME = "ExtensionLoginIp";//配置里的名称
public static final String PROVIDER_ID = "oidc-extension-login-ip-mapper";
private static final List<ProviderConfigProperty> configProperties = new ArrayList<ProviderConfigProperty>();
private static final String LOGIN_IP = "loginIp";
static {
configProperties.add(createConfigProperty(CONFIG_NAME, "Token申请名", "在jwt中的属性名称,默认loginIp"));
OIDCAttributeMapperHelper.addIncludeInTokensConfig(configProperties, ExtensionLoginIpMapper.class);
}
protected static ProviderConfigProperty createConfigProperty(String claimName, String label, String help) {
ProviderConfigProperty property = new ProviderConfigProperty();
property.setName(claimName);
property.setLabel(label);
property.setHelpText(help);
property.setType(ProviderConfigProperty.STRING_TYPE);
return property;
}
@Override
protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession,
KeycloakSession keycloakSession, ClientSessionContext clientSessionCtx) {
try {
String key = LOGIN_IP;
if (mappingModel.getConfig().containsKey(CONFIG_NAME)) {
key = mappingModel.getConfig().get(CONFIG_NAME);
}
if (userSession.getNotes().containsKey(LOGIN_IP)) {
String val = userSession.getNote(LOGIN_IP);
token.setOtherClaims(key, val);
}
} catch (Exception e) {
e.printStackTrace();
}
}
public List<ProviderConfigProperty> getConfigProperties() {
return configProperties;
}
@Override
public String getId() {
return PROVIDER_ID;
}
@Override
public String getDisplayType() {
return CONFIG_NAME;
}
@Override
public String getDisplayCategory() {
return TOKEN_MAPPER_CATEGORY;
}
@Override
public String getHelpText() {
return "Maps Extension Login Ip Address.";
}
}将Mapper添加到Client Scope
[*]添加 client scope
https://img2024.cnblogs.com/blog/118538/202501/118538-20250113172359049-641106816.png
[*]在client scope中添加mapper
https://img2024.cnblogs.com/blog/118538/202501/118538-20250113172442323-2007563503.png
设置access_token可见和userinfo可见
[*]Add to ID token
[*]Add to access token
[*]Add to access token
https://img2024.cnblogs.com/blog/118538/202501/118538-20250113172530951-1281675118.png
为客户端指定scope
[*]这对于根据客户端来控制token和userinfo端点是非常必要的功能
[*]这是oauth2授权的重要组成部分
https://img2024.cnblogs.com/blog/118538/202501/118538-20250113172656338-1684870705.png
通过oauth2中的密码认证时的注意点
[*]客户端不能是同意必选的,这种客户端需要通过浏览器认证,由用户自己确认它公开的信息
https://img2024.cnblogs.com/blog/118538/202501/118538-20250113173332481-577005223.png
https://img2024.cnblogs.com/blog/118538/202501/118538-20250113173731905-826432875.png
通过token获取用户信息
[*]userinfo端点:/auth/realms/{realms}/protocol/openid-connect/userinfo
[*]获取到时的用户信息中的字段,是通过scope来控制的
https://img2024.cnblogs.com/blog/118538/202501/118538-20250113173430168-1575008566.png
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。
页:
[1]