Keycloak reauthenticate an Authenticated user with a different client

If I have a user who has already authenticated through Keycloak with a public client C1 under realm R, is there an endpoint I can hit in Keycloak that will generate a new access token for a different public client C2 under the same realm R?

[Update #1] I tried using the refresh token to get a new access token for the C2 client, but got the following error:

Invalid refresh token. Token client and authorized client don't match

[Update #2] So, the above led me to try the token exchange grant type, and now I have it working.

curl --request POST \
  'https://myhost.com.au/auth/realms/<my realm>/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
  --data-urlencode 'subject_token=<c1 access token>' \
  --data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:access_token' \
  --data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:refresh_token' \
  --data-urlencode 'client_id=<c2 client id>'

Your question makes a lot of sense. Unfortunately, the role scope mapping documentation does a poor job of explaining how to generate a new access token when switching to a different client.

There is an OAuth2 RFC about token exchange. As of Keycloak 11.0.2 token exchange is documented as a technology preview and must be enabled using -Dkeycloak.profile.feature.token_exchange=enabled

Tokens can be exchanged like this (actually taken from the question):

Method: POST
URL: https://<keycloak.host>/auth/realms/myrealm/protocol/openid-connect/token
Body type: x-www-form-urlencoded
Form fields:
. grant_type: urn:ietf:params:oauth:grant-type:token-exchange
. subject_token: <C1-access-token>
. subject_token_type: urn:ietf:params:oauth:token-type:access_token
. requested_token_type: urn:ietf:params:oauth:token-type:refresh_token
. client_id: <C2-client-id>

Here is some context from the "role scope mapping" documentation for other readers.

When an OIDC access token or SAML assertion is created, all the user role mappings of the user are, by default, added as claims within the token or assertion. [...] access tokens are digitally signed and can actually be re-used by the application to invoke on other remotely secured REST services. This means that if an application gets compromised or there is a rogue client registered with the realm, attackers can get access tokens that have a broad range of permissions and your whole network is compromised. This is where role scope mappings becomes important.

Role Scope Mappings is a way to limit the roles that get declared inside an access token. When a client requests that a user be authenticated, the access token they receive back will only contain the role mappings you’ve explicitly specified for the client’s scope.

[...] To change this default behavior, you must explicitly turn off the Full Scope Allowed switch and declare the specific roles you want in each individual client. Alternatively, you can also use client scopes to define the same role scope mappings for a whole set of clients.
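The token exchange request from Update #2 and the answer above, carried through in Python as an added example (this is not code from the question, the answer, or Keycloak itself). It builds the same form fields the curl call sends, interprets the token endpoint's reply (including the error shape from Update #1), and then checks that the returned token was actually issued to C2 by inspecting its azp claim. Two things are assumptions, not something the page states: that Keycloak sets azp to the requesting client id, and the demo_post function, which is a constructed stand-in for the Keycloak token endpoint so the flow runs offline. The JWT decoding here only inspects claims and does not verify the signature; a real client must still validate the token against the realm's keys.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

# Grant and token-type URNs exactly as used in the curl call on the page (RFC 8693).
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
REFRESH_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:refresh_token"


def token_endpoint(base_url, realm):
    """Keycloak token endpoint for a realm, using the path layout shown on the page."""
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/token"


def build_exchange_form(subject_token, target_client_id, requested_token_type=REFRESH_TOKEN_TYPE):
    """x-www-form-urlencoded body asking Keycloak to exchange a C1 access token
    for a token issued to C2 (the same five fields as the curl request)."""
    if requested_token_type not in (ACCESS_TOKEN_TYPE, REFRESH_TOKEN_TYPE):
        raise ValueError("unsupported requested_token_type")
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": requested_token_type,
        "client_id": target_client_id,
    })


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Return the JWT payload as a dict. Inspection only: the signature is NOT
    verified here, so use this for sanity checks, never for trust decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def issued_to_client(token, expected_client_id):
    """True if the token's authorized party (azp) is the client we exchanged for.
    Assumption: Keycloak sets azp to the client id that requested the token."""
    return decode_jwt_claims(token).get("azp") == expected_client_id


def parse_token_response(status, body):
    """Interpret the token endpoint reply: return the token set on success, otherwise
    raise with Keycloak's error_description (e.g. the refresh-token mismatch from
    Update #1, or the grant being rejected because token exchange is not enabled)."""
    data = json.loads(body)
    if status != 200 or "error" in data:
        raise RuntimeError(f"{data.get('error', 'http_' + str(status))}: {data.get('error_description', '')}")
    return data


def exchange_for_client(post, base_url, realm, subject_token, target_client_id):
    """Run the exchange through an injected transport `post(url, headers, body) -> (status, text)`
    and confirm the returned access token really belongs to the target client."""
    url = token_endpoint(base_url, realm)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    status, text = post(url, headers, build_exchange_form(subject_token, target_client_id))
    tokens = parse_token_response(status, text)
    if not issued_to_client(tokens["access_token"], target_client_id):
        raise RuntimeError("exchanged token was not issued to the requested client")
    return tokens


def make_demo_jwt(claims):
    """Constructed, unsigned JWT for the offline demo; the signature segment is a placeholder."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


def demo_post(url, headers, body):
    """Constructed stand-in for the Keycloak token endpoint (hypothetical, not Keycloak code):
    rejects anything but the exchange grant and otherwise answers with tokens whose
    azp is the client_id from the form, mirroring the shape of a real success reply."""
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    if fields.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return 400, json.dumps({"error": "unsupported_grant_type", "error_description": "demo"})
    if fields.get("subject_token_type") != ACCESS_TOKEN_TYPE:
        return 400, json.dumps({"error": "invalid_request", "error_description": "bad subject_token_type"})
    claims = {"iss": url.rsplit("/protocol", 1)[0], "sub": "demo-user", "azp": fields["client_id"]}
    return 200, json.dumps({
        "access_token": make_demo_jwt(claims),
        "refresh_token": make_demo_jwt({**claims, "typ": "Refresh"}),
        "token_type": "bearer",
    })


if __name__ == "__main__":
    c1_token = make_demo_jwt({"azp": "c1", "sub": "demo-user"})
    result = exchange_for_client(demo_post, "https://kc.example", "R", c1_token, "c2")
    print("exchanged token azp:", decode_jwt_claims(result["access_token"])["azp"])
```

To talk to a real realm, replace demo_post with a transport built on an HTTP client of your choice and pass the C1 access token as subject_token; the azp check in exchange_for_client is what tells you the exchange produced a token scoped to C2 rather than simply echoing C1's, which is the whole point of the role scope mapping discussion above.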