How do I configure Spring to retrieve the OIDC user?

d7v8vwbk  posted 12 months ago in  Spring

What do I need to do to get the user's OIDC data, or some information about the current session?
In my application I use Keycloak as the authorization provider.
My security configuration:

import java.io.IOException;

import org.keycloak.adapters.authorization.integration.jakarta.ServletPolicyEnforcerFilter;
import org.keycloak.adapters.authorization.spi.ConfigurationResolver;
import org.keycloak.adapters.authorization.spi.HttpRequest;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
import org.keycloak.util.JsonSerialization;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http)
            throws Exception {
        http.csrf(AbstractHttpConfigurer::disable);
        // Keycloak policy enforcer runs after Spring's bearer-token filter
        http.addFilterAfter(createPolicyEnforcerFilter(),
                BearerTokenAuthenticationFilter.class);

        // No HTTP session: every request must carry its own credentials
        http.sessionManagement(
                t -> t.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        );
        return http.build();
    }

    // Builds the enforcer from policy-enforcer.json on the classpath
    private ServletPolicyEnforcerFilter createPolicyEnforcerFilter() {
        return new ServletPolicyEnforcerFilter(new ConfigurationResolver() {
            @Override
            public PolicyEnforcerConfig resolve(HttpRequest request) {
                try {
                    return JsonSerialization.readValue(
                            getClass().getResourceAsStream("/policy-enforcer.json"),
                            PolicyEnforcerConfig.class);
                } catch (IOException e) {
                    throw new RuntimeException(e);
                }
            }
        });
    }
}

policy-enforcer.json:

{
  "realm": "kasia",
  "auth-server-url": "http://localhost:9090",
  "resource": "kasia-security",
  "credentials": {
    "secret": "fHW7Vm6lnNUp3Cmm4IcYbnHlIq5CZ69Z"
  },
  "paths" : [
    {
      "path": "/test/api/public",
      "enforcement-mode": "DISABLED"
    },{
      "path": "/swagger-ui/*",
      "enforcement-mode": "DISABLED"
    },{
      "path": "/v3/api-docs/*",
      "enforcement-mode": "DISABLED"
    }
  ]
}


My controller, where I should be getting the OIDC user:

@GetMapping("/api/v1/user")
public ResponseEntity<?> testUser(@AuthenticationPrincipal OidcUser user) {
    // Inspect whatever authentication the filter chain left on the context
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    return ResponseEntity.ok("You have accessed the resource and you have the USER role");
}


Currently my user is null and the authentication contains the following data (regardless of which account I log in with):

AnonymousAuthenticationToken [
Principal="anonymousUser",
Credentials=[PROTECTED],
Authenticated=true,
Details=WebAuthenticationDetails [
    RemoteIpAddress=0:0:0:0:0:0:0:0:0:0:0:0:1,
    SessionId=null
],
Granted Authorities=[ROLE_ANONYMOUS]
]


UPD. I also send the JWT token in the request:

eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ6eTdPbVN1b3NTVGJCUlhEYnRzZFBtOUtDV3FBQWZhQy1iMzh6RHBVOTlVIn0.….Uy26DtYh_d3vRXqSOosNxIp8qVKPKQtUiId6DqTPVAzO-YmDyDgx0QjdTtDEH9mZbA06qKSeRTgbaBkINAZG5I9GvAgFMrAyw1VJ-1cOu-sIr1JZHJDan4uDB2gn2CpOFC2OkXfu3RbrI6hrH7_POUN4v70oWeG1lb4oHMfXVwiAMMduaoNiMXDTNojB3O_3bd4L5DqgQYsvq5sB-FAqqe-XpqhUGLvQ8c26AYRyocDg5wG_9QsK1JaN4MljRqcGHXEYcKYJsc7R3kDDRjzjP-by_NR4ooTxdUkyInq4iAVZXTimrmP_RU4eTQWxfVowhs3BvFjllSHemJYTdyT63A

bqucvtff 1#

In your question: "some information about the current session", and in your conf: sessionCreationPolicy(SessionCreationPolicy.STATELESS). Do you see the inconsistency?
OidcUser is the principal of an OAuth2AuthenticationToken on an OAuth2 client with oauth2Login() in an OIDC context (session-based authorization), whereas you are apparently trying to configure a resource server (a REST API authorized via JWT).
Also, your ServletPolicyEnforcerFilter is probably part of the Keycloak adapters deprecated two years ago, which aren't compatible with Spring Security 6 / Spring Boot 3.
