我有一个JHipster单片应用程序,oauth2在本地运行Keycloak。我不知道jhipster究竟应该如何使用oauth2 ...首先我认为它会自动创建用户,但它没有,所以我配置了keycloak:我创建了jhipster
域,web_app
客户端,客户端角色ROLE_ADMIN
和ROLE_USER
,以及用户admin
和user
及其正确的角色。问题是,当我以管理员身份登录时,它不被识别为ROLE_ADMIN
,因此我无法访问管理员菜单。所以我开始查看代码,试图了解Jhipster如何从Keycloak获得凭证,我意识到OAuth2Authentication
中的AccountResource.java
对象不会带来ROLE_ADMIN
,但ROLE_USER
我不明白为什么。 json中的OAuth2Authentication
对象如下所示:
{
"authorities": [
{
"authority": "ROLE_USER"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": "rkkveY_Xa5zFFd0SKu9Of_FLGRnbdiTPHdnpj4gc",
"tokenValue": "eyJhbGciOiJSUzI1...",
"tokenType": "bearer",
"decodedDetails": null
},
"authenticated": true,
"userAuthentication": {
"authorities": [
{
"authority": "ROLE_USER"
}
],
"details": {
"sub": "f348bbbb-9441-4543-9940-9da31e50d877",
"email _verified": true,
"name": "Admin Administrator",
"preferred_username": "admin",
"given_name": "Admin",
"family_name": "Administrator",
"email": "admin@localhost"
},
"authenticated": true,
"principal": "Admin Administrator",
"credentials": "N/A",
"name": "Admin Administrator"
},
"clientO nly": false,
"principal": "Admin Administrator",
"oauth2Request": {
"clientId": "web_app",
"scope": [
],
"requestParameters": {
},
"resourceIds": [
],
"authorities": [
],
"approved": true,
"refresh": false,
"redirectUri": null,
"responseTypes": [
],
"extensions": {
},
"grantType": null,
"refreshTok enRequest": null
},
"credentials": "",
"name": "Admin Administrator"
}
这是yo-rc.json:
{
"generator-jhipster": {
"promptValues": {
"packageName": "xxxxxxxxxxx"
},
"jhipsterVersion": "5.7.2",
"applicationType": "monolith",
"baseName": "XXXXXXXXXX",
"packageName": "xxxxxxxxxxxxxx",
"packageFolder": "xxxxxxxxxxxxxx",
"serverPort": "8080",
"authenticationType": "oauth2",
"cacheProvider": "ehcache",
"enableHibernateCache": true,
"websocket": false,
"databaseType": "sql",
"devDatabaseType": "h2Disk",
"prodDatabaseType": "mysql",
"searchEngine": false,
"messageBroker": false,
"serviceDiscoveryType": false,
"buildTool": "maven",
"enableSwaggerCodegen": false,
"clientFramework": "angularX",
"useSass": false,
"clientPackageManager": "npm",
"testFrameworks": [],
"jhiPrefix": "jhi",
"otherModules": [],
"enableTranslation": false
}
}
我怎样才能解决这个问题?
我有同样的问题,我想这是因为Keycloak在另一个声明“resource_access”中提供客户端角色,而Spring Boot Security Oauth2库不会在此处读取角色。
我已经修改了UserService.java,首先尝试通过解码JWT令牌来读取此声明和与clientId对应的子值,这是更清晰的,因为它只读取客户端角色。
public UserDTO getUserFromAuthentication(OAuth2Authentication authentication) {
OAuth2AuthenticationDetails oauth2AuthenticationDetails = (OAuth2AuthenticationDetails) authentication
.getDetails(); // should be an OAuth2AuthenticationDetails
Map<String, Object> details = (Map<String, Object>) authentication.getUserAuthentication().getDetails();
User user = getUser(details);
String tokenValue = oauth2AuthenticationDetails.getTokenValue();
DecodedJWT jwt = JWT.decode(tokenValue);
Map<String, Object> resourceAccessClaim = jwt.getClaim("resource_access").asMap();
String clientId = authentication.getOAuth2Request().getClientId();
if (resourceAccessClaim.containsKey(clientId)) {
((Map<String, Object>) resourceAccessClaim.get(clientId)).values().forEach(rn -> {
user.setAuthorities(extractAuthorities((List<String>) rn));
});
}
if (user.getAuthorities() == null || user.getAuthorities().size() == 0) {
user.setAuthorities(extractAuthorities(authentication, details));
}
// convert Authorities to GrantedAuthorities
Set<GrantedAuthority> grantedAuthorities = user.getAuthorities().stream().map(Authority::getName)
.map(SimpleGrantedAuthority::new).collect(Collectors.toSet());
...
在keycloak管理中,转到客户端>> YOUR_CLIENT >> Mappers - >添加新映射器 - >将映射器类型设置为“用户客户端角色”和“令牌声明名称”设置为“权限”并将JSON类型声明为字符串。