Keycloak how to obtain RPT
I am trying to get all permissions from Keycloak, i.e. all resources and scopes the user is entitled to access.
Basically, I want to obtain an RPT from Keycloak whose permissions look like those in the Keycloak REST API docs and the figure below.
Unfortunately, the documentation is either confusing or does not show how to request the RPT. The example is all under RPT, and then the documentation just goes on to explain how to introspect the token further.
How do I get this token from Keycloak (really, anything that contains the permissions shown in the example token)?
You might want to try something like this:
USER=test
PASS=test
CLIENT_ID=test
CLIENT_SECRET=your-client-secret
RESULT=`curl -s --data "grant_type=password&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}&username=${USER}&password=${PASS}" http://localhost:8080/realms/master/protocol/openid-connect/token`
ACCESS_TOKEN=`echo $RESULT | jq -r .access_token`
RPT_RESULT=`curl -s -H "Authorization: Bearer ${ACCESS_TOKEN}" --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&client_id=${CLIENT_ID}&audience=${CLIENT_ID}" http://localhost:8080/realms/master/protocol/openid-connect/token`
echo $RPT_RESULT | jq -r .access_token | cut -d "." -f2 | base64 -d | jq
This first retrieves an access token and then requests the RPT.
That should give you output like this:
{
"exp": 1643134734,
"iat": 1643134674,
"jti": "f60caba8-8f20-43f0-9054-6389f998032c",
"iss": "http://localhost:8080/realms/master",
"aud": "test",
"sub": "18cce3e6-e3a0-4be9-a1ff-6635adf5928b",
"typ": "Bearer",
"azp": "test",
"session_state": "539a81bf-aa27-4ce4-911a-405f5a2c90ac",
"acr": "1",
"realm_access": {
"roles": [
"create-realm",
"default-roles-master",
"offline_access",
"admin",
"uma_authorization"
]
},
"resource_access": {
"master-realm": {
"roles": [
"view-identity-providers",
"view-realm",
"manage-identity-providers",
"impersonation",
"create-client",
"manage-users",
"query-realms",
"view-authorization",
"query-clients",
"query-users",
"manage-events",
"manage-realm",
"view-events",
"view-users",
"view-clients",
"manage-authorization",
"manage-clients",
"query-groups"
]
},
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
},
"test-realm-realm": {
"roles": [
"view-identity-providers",
"view-realm",
"manage-identity-providers",
"impersonation",
"create-client",
"manage-users",
"query-realms",
"view-authorization",
"query-clients",
"query-users",
"manage-events",
"manage-realm",
"view-events",
"view-users",
"view-clients",
"manage-authorization",
"manage-clients",
"query-groups"
]
}
},
"authorization": {
"permissions": [
{
"rsid": "9f708183-5aa3-4a8a-96fd-5be9aef5427d",
"rsname": "Default Resource"
}
]
},
"scope": "profile email",
"sid": "539a81bf-aa27-4ce4-911a-405f5a2c90ac",
"email_verified": false,
"preferred_username": "admin"
}
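As an added example (not part of the answer above), the following Python decodes the RPT's `authorization.permissions` claim with proper base64url padding (a bare `base64 -d` on a JWT segment often fails because JWT segments carry no `=` padding), checks a resource/scope against it, and builds the form body for the UMA ticket grant. The token is a constructed, unsigned sample shaped like the answer's output; the `Reports` resource and its scopes are made up.

```python
import base64
import json
from typing import Optional
from urllib.parse import urlencode

# Constructed sample payload shaped like the RPT in the answer; "Reports" is invented.
SAMPLE_PAYLOAD = {
    "iss": "http://localhost:8080/realms/master",
    "aud": "test",
    "authorization": {"permissions": [
        {"rsid": "9f708183-5aa3-4a8a-96fd-5be9aef5427d", "rsname": "Default Resource"},
        {"rsid": "constructed-id", "rsname": "Reports", "scopes": ["view", "export"]},
    ]},
}

def b64url_encode(raw: bytes) -> str:
    # JWT segments are base64url without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(seg: str) -> bytes:
    # Restore the padding that JWT segments omit before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

# Unsigned sample token (alg none, empty signature): for decoding practice only.
SAMPLE_RPT = ".".join([
    b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps(SAMPLE_PAYLOAD).encode()),
    "",
])

def rpt_permissions(rpt: str) -> dict:
    """Map resource name -> granted scopes from `authorization.permissions`.
    Decoding only: the resource server must verify the signature or introspect
    the token before enforcing anything based on these claims."""
    payload = json.loads(b64url_decode(rpt.split(".")[1]))
    perms = payload.get("authorization", {}).get("permissions", [])
    # An entry without "scopes" grants the resource as a whole.
    return {p["rsname"]: set(p.get("scopes", [])) for p in perms}

def has_permission(rpt: str, resource: str, scope: Optional[str] = None) -> bool:
    perms = rpt_permissions(rpt)
    return resource in perms and (scope is None or scope in perms[resource])

def uma_ticket_body(client_id: str, audience: str, permissions: Optional[list] = None) -> str:
    """Form body for the second curl in the answer. Optional `permission` entries in
    Keycloak's RESOURCE#SCOPE form request a narrower RPT than the full permission set."""
    fields = [("grant_type", "urn:ietf:params:oauth:grant-type:uma-ticket"),
              ("client_id", client_id), ("audience", audience)]
    fields += [("permission", p) for p in (permissions or [])]
    return urlencode(fields)
```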