Keycloak: username/password authentication and authorization code authentication

Username and password login

  • POST /auth/realms/demo/protocol/openid-connect/token
  • Request body (x-www-form-urlencoded)
grant_type:password
username:test
password:123456
client_secret:ec0fd1c6-68b0-4c39-a9fa-c3be25c8ef01
client_id:democlient
  • Response
{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJFXzZpaDM1eVRMSk1pZUkwdnFnOU1tVFFySjZSY1VTeGlYZU5kY01hb1lrIn0.eyJleHAiOjE2MTk2NjEyODgsImlhdCI6MTYxOTY1ODI4OCwianRpIjoiMjE4NTliMjEtNzE1Mi00NDIzLWI5ZWMtNTQ4NDE0OTMxOTRiIiwiaXNzIjoiaHR0cDovLzE5Mi4xNjguNC4yNjo4MDgwL2F1dGgvcmVhbG1zL2ZhYmFvIiwiYXVkIjpbInJlYWxtLW1hbmFnZW1lbnQiLCJhY2NvdW50Il0sInN1YiI6IjAwNjcyOThkLTk3N2YtNGVkMy1hOTBjLTAxNWM1YzRjYTAwYyIsInR5cCI6IkJlYXJlciIsImF6cCI6ImRlbW9jbGllbnQiLCJzZXNzaW9uX3N0YXRlIjoiNzY1OTY5ZWMtOTRkYS00ZWRiLTlkY2ItZTE1ZWEzZTBhZDNiIiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyLns7vnu5_nrqHnkIYiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtIiwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktcHJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsInJlYWxtLWFkbWluIiwiY3JlYXRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInF1ZXJ5LXJlYWxtcyIsInZpZXctYXV0aG9yaXphdGlvbiIsInF1ZXJ5LWNsaWVudHMiLCJxdWVyeS11c2VycyIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50cyIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9yaXphdGlvbiIsIm1hbmFnZS1jbGllbnRzIiwicXVlcnktZ3JvdXBzIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50Iiwidmlldy1hcHBsaWNhdGlvbnMiLCJ2aWV3LWNvbnNlbnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsIm1hbmFnZS1jb25zZW50IiwiZGVsZXRlLWFjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6InJvbGVzIGVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsIm5hbWUiOiLmtbcgc2FuIiwicHJlZmVycmVkX3VzZXJuYW1lIjoidGVzdCIsImdpdmVuX25hbWUiOiLmtbciLCJmYW1pbHlfbmFtZSI6InNhbiIsImVtYWlsIjoidGVzdEBzaW5hLmNvbSJ9.w2z5a2OY069aQoB4uov9nHtCJL3dwqVH6rHRkyPP9CdU3iP2gFJa10-XqgOUr747PGiTKlaHHn-MO7nW7WYneJKZ0sw-SlaJjOc0zqVBZo26hBUO-JpXrnu26nmoAznpUyWM3P3enXMeW6mkTYwTuAAoaDlgJZcuFxknEjX7vGz0fClHZv60_G77yRInCy8hl9z1aNXGq9BME6ZSXXtGcgU9sLhQT6EqumegdLq7CaxKKLJgmD1hjmQhuhaBep3MkgJiLFmjM7zzLbpPEJ7b8mTeoydCOdqg0xFIZSV9pYQ6bEXC9JSRzGBC4VCeDVSMhVkOCozvgy-8-fPSgbIurQ",
    "expires_in": 3000,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJkNzg3MGJjNi0yMDY3LTQ3MjAtYWNmNC04MjRhZTIzMWFiZDAifQ.eyJleHAiOjE2MTk2NjAwODgsImlhdCI6MTYxOTY1ODI4OCwianRpIjoiYmJjNDY3NjAtMWE2NS00ODA4LWIyMmQtYzAyMDQ4NzA5YTQyIiwiaXNzIjoiaHR0cDovLzE5Mi4xNjguNC4yNjo4MDgwL2F1dGgvcmVhbG1zL2ZhYmFvIiwiYXVkIjoiaHR0cDovLzE5Mi4xNjguNC4yNjo4MDgwL2F1dGgvcmVhbG1zL2ZhYmFvIiwic3ViIjoiMDA2NzI5OGQtOTc3Zi00ZWQzLWE5MGMtMDE1YzVjNGNhMDBjIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImRlbW9jbGllbnQiLCJzZXNzaW9uX3N0YXRlIjoiNzY1OTY5ZWMtOTRkYS00ZWRiLTlkY2ItZTE1ZWEzZTBhZDNiIiwic2NvcGUiOiJyb2xlcyBlbWFpbCBwcm9maWxlIn0.gXRGH6WgzykH9c4WTCS00G3w8gLZtk_0Bb3ziLNFUl0",
    "token_type": "bearer",
    "not-before-policy": 1619512543,
    "session_state": "765969ec-94da-4edb-9dcb-e15ea3e0ad3b",
    "scope": "roles email profile"
}

Authorization code login

Requesting the code

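An endpoint called without authentication returns 401, meaning the user is not logged in. Keycloak then redirects our request to the Keycloak login page, and several parameters are sent to the Keycloak server in order to obtain the code.
The main parameters are:
response_type: the response type; here it is code
client_id: the unique identifier issued to your client
redirect_uri: a valid callback address registered on the Keycloak server; wildcards are supported
scope: the authentication scope; here it is the user's openid mode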

  • GET /auth/realms/demo/protocol/openid-connect/auth
  • QUERY
client_id:democlient
scope:openid
response_type:code
client_secret:ec0fd1c6-68b0-4c39-a9fa-c3be25c8ef01
redirect_uri:http://localhost:9090/callback
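  • The browser is redirected to the Keycloak login page, where the user logs in with username and password
  • After a successful login, the browser is redirected back to the callback address, with the code carried in the URL parameters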

Requesting the token

  • POST /auth/realms/fabao/protocol/openid-connect/token
  • Request body (x-www-form-urlencoded)
grant_type:authorization_code
code:68058719-add6-4b40-ab96-8e71af03827a.7a31b1a9-c3e8-46d4-b8cc-345012fcf4a2.25e52f60-5991-43dd-9108-873f60af385d
client_id:democlient
client_secret:ec0fd1c6-68b0-4c39-a9fa-c3be25c8ef01
scope:openid
redirect_uri:http://localhost:9090/callback
  • Response
{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJFXzZpaDM1eVRMSk1pZUkwdnFnOU1tVFFySjZSY1VTeGlYZU5kY01hb1lrIn0.eyJleHAiOjE2MTk2NjMzMzQsImlhdCI6MTYxOTY2MDMzNCwiYXV0aF90aW1lIjoxNjE5NjYwMzIyLCJqdGkiOiI0ZTMxYzI0My0yOTAzLTQyZDQtYWE2Ny1hYmE0MzUzMTE5ZWQiLCJpc3MiOiJodHRwOi8vMTkyLjE2OC40LjI2OjgwODAvYXV0aC9yZWFsbXMvZmFiYW8iLCJhdWQiOlsicmVhbG0tbWFuYWdlbWVudCIsImFjY291bnQiXSwic3ViIjoiMDA2NzI5OGQtOTc3Zi00ZWQzLWE5MGMtMDE1YzVjNGNhMDBjIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZGVtb2NsaWVudCIsInNlc3Npb25fc3RhdGUiOiIxNDgxMmY1MC1iOWY3LTRjZWUtYmU1Ni1iZjliZWY1Yzk2MWEiLCJhY3IiOiIxIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIuezu-e7n-euoeeQhiIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhbG0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwicXVlcnktcmVhbG1zIiwidmlldy1hdXRob3JpemF0aW9uIiwicXVlcnktY2xpZW50cyIsInF1ZXJ5LXVzZXJzIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiLCJxdWVyeS1ncm91cHMiXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LWFwcGxpY2F0aW9ucyIsInZpZXctY29uc2VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwibWFuYWdlLWNvbnNlbnQiLCJkZWxldGUtYWNjb3VudCIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoib3BlbmlkIHJvbGVzIGVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsIm5hbWUiOiLmtbcgc2FuIiwicHJlZmVycmVkX3VzZXJuYW1lIjoidGVzdCIsImdpdmVuX25hbWUiOiLmtbciLCJmYW1pbHlfbmFtZSI6InNhbiIsImVtYWlsIjoidGVzdEBzaW5hLmNvbSJ9.Xx9ndq1dtgHgqZNLsOYXYqB31_QmPvb30PqwZBJ5jq-mVB2-FxYQhH-u4g0L4wJIPRABBJ_bppcEgtwdIAo45isODmmhz-VYOB47vbLw44seGXnRvsZDAhImLm-p_fccfUcGdFfceZs3a3Tzz-mv7p-tQ64dMIS9DWCWTfJuOpoSOEDRvEvnGzOxWY9EqIk5fL2Y-ys7J2QAcOPCvZJNnE_mYPXV8vu5c0wGB9Pt7JYISX8IbizCHhXZHCd20h5maM44VDPCV9MSxsP8KQa_emdILT8HT_3uy1E1KmdXqde_S82IZsE-CPMZC6QjuTYf15Fh-umo0ncYqjTwX8piTQ",
    "expires_in": 3000,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJkNzg3MGJjNi0yMDY3LTQ3MjAtYWNmNC04MjRhZTIzMWFiZDAifQ.eyJleHAiOjE2MTk2NjIxMzQsImlhdCI6MTYxOTY2MDMzNCwianRpIjoiYzFlZWU4ZDEtYmEwZC00OWJmLWJhOWMtZjk5Nzk4ZWNkNGZlIiwiaXNzIjoiaHR0cDovLzE5Mi4xNjguNC4yNjo4MDgwL2F1dGgvcmVhbG1zL2ZhYmFvIiwiYXVkIjoiaHR0cDovLzE5Mi4xNjguNC4yNjo4MDgwL2F1dGgvcmVhbG1zL2ZhYmFvIiwic3ViIjoiMDA2NzI5OGQtOTc3Zi00ZWQzLWE5MGMtMDE1YzVjNGNhMDBjIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImRlbW9jbGllbnQiLCJzZXNzaW9uX3N0YXRlIjoiMTQ4MTJmNTAtYjlmNy00Y2VlLWJlNTYtYmY5YmVmNWM5NjFhIiwic2NvcGUiOiJvcGVuaWQgcm9sZXMgZW1haWwgcHJvZmlsZSJ9.y718VaUJ3Z8_ZSWquOubB5AcQtsRoYlaKrbqQPVLV_o",
    "token_type": "bearer",
    "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJFXzZpaDM1eVRMSk1pZUkwdnFnOU1tVFFySjZSY1VTeGlYZU5kY01hb1lrIn0.eyJleHAiOjE2MTk2NjMzMzQsImlhdCI6MTYxOTY2MDMzNCwiYXV0aF90aW1lIjoxNjE5NjYwMzIyLCJqdGkiOiI5ODIyMDExMS1kMjVmLTQwYTAtYjNlZi1hZDlhNjk2YjhlYjAiLCJpc3MiOiJodHRwOi8vMTkyLjE2OC40LjI2OjgwODAvYXV0aC9yZWFsbXMvZmFiYW8iLCJhdWQiOiJkZW1vY2xpZW50Iiwic3ViIjoiMDA2NzI5OGQtOTc3Zi00ZWQzLWE5MGMtMDE1YzVjNGNhMDBjIiwidHlwIjoiSUQiLCJhenAiOiJkZW1vY2xpZW50Iiwic2Vzc2lvbl9zdGF0ZSI6IjE0ODEyZjUwLWI5ZjctNGNlZS1iZTU2LWJmOWJlZjVjOTYxYSIsImF0X2hhc2giOiJjWjBaN2tlay1ONWlsN3ZRaWFtVTNRIiwiYWNyIjoiMSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6Iua1tyBzYW4iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0IiwiZ2l2ZW5fbmFtZSI6Iua1tyIsImZhbWlseV9uYW1lIjoic2FuIiwiZW1haWwiOiJ0ZXN0QHNpbmEuY29tIn0.sIRpNtEbHKTcxCTAP5DaF-uK0jCO4atQvvFwPs3QrPxkcFq7oE3E1veyKuxfQo5oZfzEeKGAWsLshwZbng-idF6EKTIs_FeEcLJxiwsK1XiDzdRFfyr-rcCgM7assJx7Muah3xT-DgSdO9MzxW7Vfr_qauWbNeXyWzHCqO8sAUNxREVZZyVcFoqxD9JPIlrrCZQzAyEmvYtnNpF95uwUu0UgmHywLyg3drIqF8C5-kBxxWFUo4Z46YYmu4me3lmDzaohu26sSs2mHNfadTLxme3ir5kB23aeVpKplzr4ZVcO70HfZ6RU2Is8W__FRakB5XDhKLiRf_l4unaTtzbyKQ",
    "not-before-policy": 1619660302,
    "session_state": "14812f50-b9f7-4cee-be56-bf9bef5c961a",
    "scope": "openid roles email profile"
}
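
The two requests above, put together as an added example (not code from the original post): it builds the authorization URL, checks the callback, and prepares the token request. The Keycloak host and port, the `state` parameter (standard OAuth 2.0, not shown in the post) and all function names are assumptions; here `client_secret` is sent only in the back-channel token request.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed Keycloak address; realm, client and callback are the ones used on this page.
BASE = "http://localhost:8080/auth/realms/demo/protocol/openid-connect"
CLIENT_ID = "democlient"
REDIRECT_URI = "http://localhost:9090/callback"

def build_auth_url(state):
    """Front-channel request: visible in the browser, so no client_secret here."""
    query = {"client_id": CLIENT_ID, "scope": "openid", "response_type": "code",
             "redirect_uri": REDIRECT_URI, "state": state}
    return BASE + "/auth?" + urlencode(query)

def code_from_callback(callback_url, expected_state):
    """Extract the code from the callback URL, rejecting errors or a wrong state."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("callback does not match the registered redirect_uri")
    params = parse_qs(parts.query)
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]

def build_token_request(code, client_secret):
    """Back-channel POST target and x-www-form-urlencoded body for the token endpoint."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": CLIENT_ID, "client_secret": client_secret,
                      "scope": "openid", "redirect_uri": REDIRECT_URI})
    return BASE + "/token", body.encode()

if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_auth_url(state))
    # Constructed callback URL standing in for the browser redirect.
    cb = f"{REDIRECT_URI}?state={state}&code=constructed-code-value"
    print(build_token_request(code_from_callback(cb, state), "client-secret-placeholder"))
```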

Parsing the JWT token

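The PAYLOAD carries the data, mainly the user ID, username, user roles, expiry time and similar information:
sub: user ID
preferred_username: account name
name: the user's name
email: e-mail address
realm_access: realm roles
resource_access: client (resource server) roles
azp: the authorized client
typ: the type of the token
aud: the list of clients the token is authorized for
exp: expiry time
iss: the open API of the current realm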

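Effect of scope on the JWT

We can configure scopes for the realm, or configure scopes for a specific client, as shown in the figure.

In the figure, after roles is removed from the scope of the client democlient, the returned token no longer contains any role-related information; that is, realm_access and resource_access are removed.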
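
An added example (not code from the original post) covering both the claim list above and the scope effect: it decodes a token's payload and summarizes the listed claims for one token issued with the roles scope and one without it. The two tokens are constructed, unsigned samples and the function names are assumptions; decoding only reads the payload and does not verify the signature.

```python
import base64
import json

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_payload(token):
    """Decode (NOT verify) the payload of a compact JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWT has exactly three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))

def summarize(claims, now):
    """Pull out the claims listed above; the role claims may be absent."""
    client_roles = {client: entry.get("roles", [])
                    for client, entry in claims.get("resource_access", {}).items()}
    return {
        "user_id": claims.get("sub"),
        "username": claims.get("preferred_username"),
        "azp": claims.get("azp"),
        "realm_roles": claims.get("realm_access", {}).get("roles", []),
        "client_roles": client_roles,
        # A token without exp is treated as expired.
        "expired": "exp" not in claims or now >= claims["exp"],
    }

def _constructed_token(payload):
    # Builds an unsigned sample token for this demo only (dummy signature).
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "sig"])

# Constructed sample claims, shaped like the payload described on this page.
BASE_CLAIMS = {"exp": 1619661288, "sub": "constructed-user-id", "typ": "Bearer",
               "azp": "democlient", "preferred_username": "test"}
WITH_ROLES = _constructed_token({**BASE_CLAIMS, "scope": "roles email profile",
    "realm_access": {"roles": ["offline_access"]},
    "resource_access": {"account": {"roles": ["view-profile"]}}})
WITHOUT_ROLES = _constructed_token({**BASE_CLAIMS, "scope": "email profile"})

if __name__ == "__main__":
    for tok in (WITH_ROLES, WITHOUT_ROLES):
        print(summarize(decode_payload(tok), now=1619660000))
```

A resource server that authorizes on realm_access or resource_access has to handle their absence as "no roles", which is what the empty defaults in `summarize` do.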

posted @ 2021-04-29 10:12  张占岭