Using the Java keycloak-admin-client, how do I turn on client authentication and authorization?

Question    Votes: 0    Answers: 1

I am trying to programmatically create a Keycloak realm and associate clients with it on Keycloak 24.0.0, using the following library:

org.keycloak:keycloak-admin-client:24.0.0

I want to turn on the following for the client:

Client authentication
Authorization

I am creating a client and then updating it to have authorizationServicesEnabled(true), as follows:

ClientRepresentation clientRepresentation = getClientRepresentation(realm);
ClientResource clientResource = getClientResource(realm, clientRepresentation);
clientRepresentation.setAuthorizationServicesEnabled(true);
clientRepresentation.setStandardFlowEnabled(true);
clientRepresentation.setDirectAccessGrantsEnabled(true);
clientRepresentation.setPublicClient(true);
clientRepresentation.setEnabled(true);
clientRepresentation.setServiceAccountsEnabled(true);
clientRepresentation.setAlwaysDisplayInConsole(true);
clientRepresentation.setAttributes(Map.of(
    "oauth2.device.authorization.grant.enabled", "false",
    "oidc.ciba.grant.enabled", "false",
    "login_theme", "base",
    "display.on.consent.screen", "false",
    "backchannel.logout.url", "",
    "backchannel.logout.session.required", "true",
    "backchannel.logout.revoke.offline.tokens", "false"
));
clientRepresentation.setRedirectUris(List.of(publicUrl + "/*"));
clientResource.update(clientRepresentation);

This is the PUT body that is sent when I step through the process in the debugger:

{
    "id": "de890c6a-7695-4cce-b512-87989059860c",
    "clientId": "my-client",
    "name": "my-client",
    "description": null,
    "rootUrl": null,
    "adminUrl": null,
    "baseUrl": null,
    "surrogateAuthRequired": false,
    "enabled": true,
    "alwaysDisplayInConsole": true,
    "clientAuthenticatorType": "client-secret",
    "secret": null,
    "registrationAccessToken": null,
    "defaultRoles": null,
    "redirectUris": [
        "http://localhost:8080/*"
    ],
    "webOrigins": [],
    "notBefore": 0,
    "bearerOnly": false,
    "consentRequired": false,
    "standardFlowEnabled": true,
    "implicitFlowEnabled": false,
    "directAccessGrantsEnabled": true,
    "serviceAccountsEnabled": true,
    "authorizationServicesEnabled": true,
    "directGrantsOnly": null,
    "publicClient": true,
    "frontchannelLogout": false,
    "protocol": "openid-connect",
    "attributes": {
        "oidc.ciba.grant.enabled": "false",
        "client.secret.creation.time": "1709725705",
        "backchannel.logout.session.required": "true",
        "login_theme": "base",
        "display.on.consent.screen": "false",
        "oauth2.device.authorization.grant.enabled": "false",
        "backchannel.logout.revoke.offline.tokens": "false"
    },
    "authenticationFlowBindingOverrides": {},
    "fullScopeAllowed": true,
    "nodeReRegistrationTimeout": -1,
    "registeredNodes": null,
    "protocolMappers": [
        {
            "id": "a939828f-f524-4d06-aacf-490ea0e2e105",
            "name": "Client IP Address",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-usersessionmodel-note-mapper",
            "consentRequired": false,
            "consentText": null,
            "config": {
                "user.session.note": "clientAddress",
                "introspection.token.claim": "true",
                "id.token.claim": "true",
                "access.token.claim": "true",
                "claim.name": "clientAddress",
                "jsonType.label": "String"
            }
        },
        {
            "id": "b62609d1-330f-445e-ab73-edf78b16f396",
            "name": "Client ID",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-usersessionmodel-note-mapper",
            "consentRequired": false,
            "consentText": null,
            "config": {
                "user.session.note": "client_id",
                "introspection.token.claim": "true",
                "id.token.claim": "true",
                "access.token.claim": "true",
                "claim.name": "client_id",
                "jsonType.label": "String"
            }
        },
        {
            "id": "1d78e050-38eb-4da5-950e-fe5112471ddf",
            "name": "Client Host",
            "protocol": "openid-connect",
            "protocolMapper": "oidc-usersessionmodel-note-mapper",
            "consentRequired": false,
            "consentText": null,
            "config": {
                "user.session.note": "clientHost",
                "introspection.token.claim": "true",
                "id.token.claim": "true",
                "access.token.claim": "true",
                "claim.name": "clientHost",
                "jsonType.label": "String"
            }
        }
    ],
    "clientTemplate": null,
    "useTemplateConfig": null,
    "useTemplateScope": null,
    "useTemplateMappers": null,
    "defaultClientScopes": [
        "web-origins",
        "acr",
        "roles",
        "profile",
        "email"
    ],
    "optionalClientScopes": [
        "address",
        "phone",
        "offline_access",
        "microprofile-jwt"
    ],
    "authorizationSettings": null,
    "access": {
        "view": true,
        "configure": true,
        "manage": true
    },
    "origin": null
}

I can see "authorizationServicesEnabled": true in there, but in the admin console it is still not switched on under the "Capability config" section of the client's "Settings" tab.

When you turn on these two switches in the Keycloak admin console, it shows a "Credentials" tab containing the Client Id and Secret client authenticator and a client secret. I thought I needed to create these programmatically and associate them with the ClientRepresentation, but I'm not convinced, because I created a client with the same settings in the admin console, inspected the request payload sent to the API, and it is the same as above.

So my question is:

How do I replicate programmatically what happens when these two switches are turned on in the UI?

Any and all help is appreciated.

java keycloak keycloak-admin-client
1 answer

0 votes

After inspecting the admin console UI code, I can see that the client must not be a public client for this to work as expected.

Removing the line:

clientRepresentation.setPublicClient(true);

makes everything work as expected.
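The accepted answer comes down to one fact: "Client authentication" in the console is the confidential-client setting (publicClient = false), and Authorization Services only take effect on a confidential client. The following is an added example (not code from the question or the answer) that creates or updates a client with keycloak-admin-client so that both switches end up on, then reads the client back and verifies the result instead of trusting the request body. The realm name, admin connection details and the KC_ADMIN_PASSWORD environment variable are assumptions; the clientId "my-client" and the redirect base URL are taken from the question. The verification uses ClientResource.toRepresentation(), getSecret() and generateNewSecret(), which exist in keycloak-admin-client 24.

```java
import java.util.List;
import java.util.Map;

import jakarta.ws.rs.core.Response;

import org.keycloak.admin.client.CreatedResponseUtil;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;

public class ConfidentialClientSetup {

    public static void main(String[] args) {
        // Assumed connection details (placeholders, not values from the question).
        String serverUrl = System.getenv().getOrDefault("KC_URL", "http://localhost:8080");
        String adminPassword = System.getenv("KC_ADMIN_PASSWORD"); // read from the environment, never hard-coded
        String realm = "my-realm";                                 // assumed realm name
        String publicUrl = "http://localhost:8080";                // redirect base used in the question

        try (Keycloak keycloak = KeycloakBuilder.builder()
                .serverUrl(serverUrl)
                .realm("master")
                .clientId("admin-cli")
                .username("admin")
                .password(adminPassword)
                .build()) {
            ClientRepresentation actual = ensureConfidentialClient(keycloak, realm, "my-client", publicUrl);
            System.out.println("publicClient=" + actual.isPublicClient()
                    + " authorizationServicesEnabled=" + actual.isAuthorizationServicesEnabled());
        }
    }

    /** Applies the settings the two console switches stand for, creating the client if it does not exist. */
    static ClientRepresentation ensureConfidentialClient(Keycloak keycloak, String realm,
                                                         String clientId, String publicUrl) {
        ClientsResource clients = keycloak.realm(realm).clients();
        List<ClientRepresentation> existing = clients.findByClientId(clientId);

        ClientRepresentation rep = existing.isEmpty() ? new ClientRepresentation() : existing.get(0);
        rep.setClientId(clientId);
        rep.setName(clientId);
        rep.setEnabled(true);
        rep.setProtocol("openid-connect");
        // "Client authentication" switch: a confidential client authenticated with a client secret.
        rep.setPublicClient(false);
        rep.setClientAuthenticatorType("client-secret");
        // "Authorization" switch: Authorization Services, which require the client to be confidential.
        rep.setAuthorizationServicesEnabled(true);
        rep.setServiceAccountsEnabled(true);
        rep.setStandardFlowEnabled(true);
        // Password grant and implicit flow are left off; enable only if a flow actually needs them.
        rep.setDirectAccessGrantsEnabled(false);
        rep.setImplicitFlowEnabled(false);
        rep.setRedirectUris(List.of(publicUrl + "/*"));
        rep.setAttributes(Map.of("backchannel.logout.session.required", "true"));

        String internalId;
        if (existing.isEmpty()) {
            try (Response response = clients.create(rep)) {
                if (response.getStatus() != 201) {
                    throw new IllegalStateException("client create failed: HTTP " + response.getStatus());
                }
                internalId = CreatedResponseUtil.getCreatedId(response);
            }
        } else {
            internalId = rep.getId();
            clients.get(internalId).update(rep);
        }
        return verifyConfidential(clients.get(internalId));
    }

    /** Reads the client back from the server and checks that both switches are really on. */
    static ClientRepresentation verifyConfidential(ClientResource clientResource) {
        ClientRepresentation actual = clientResource.toRepresentation();
        if (Boolean.TRUE.equals(actual.isPublicClient())) {
            throw new IllegalStateException("client is still public: client authentication is off");
        }
        if (!Boolean.TRUE.equals(actual.isAuthorizationServicesEnabled())) {
            throw new IllegalStateException("authorization services were not enabled");
        }
        // A confidential client must have a secret; Keycloak normally generates one on creation.
        CredentialRepresentation secret = clientResource.getSecret();
        if (secret == null || secret.getValue() == null || secret.getValue().isBlank()) {
            secret = clientResource.generateNewSecret();
        }
        // Hand secret.getValue() to the application's secret store here; do not log or print it.
        return actual;
    }
}
```

Reading the client back matters because, as the question shows, the PUT body can carry "authorizationServicesEnabled": true while the effective configuration on the server differs; asserting on toRepresentation() after the write catches that, and treating a public client as a hard error prevents a deployment that silently runs without client authentication.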
