使用spring-boot-starter-oauth2-client时如何配置bearer-only = true

编程问答 2022-06-11

问题描述

我正在尝试使用keycloak在Spring Cloud Gateway中为我的其余api设置auth2身份验证。 keyclcoak将我的请求重定向登录页面,同时将访问令牌作为承载令牌传递。在很多地方,我发现解决方案是在keycloak适配器中设置bearer-only = true。使用spring-boot-starter-oauth2-client时在何处进行设置。我无法使用keycloak-spring-boot-starter在application.yml中设置

谢谢

解决方法

我和你有同样的问题。没有找到答案,我开发了一个带有轻型 keycloak 客户端的过滤器,它调用 keycloak 的端点自省来验证令牌

客户:

public class KeycloakClient {

private final KeycloakConfigurationProperties kcProperties;
private final WebClient client;

public KeycloakClient(final KeycloakConfigurationProperties keycloakConfigurationProperties) {
    this.kcProperties = keycloakConfigurationProperties;
    this.client = WebClient.builder()
                           .baseUrl(keycloakConfigurationProperties.getAuth_server_url())
                           .filter(logRequest())
                           .build();
}

public Mono<Boolean> validateBearerToken(String bearerToken) {
    //todo: improve error management
    return prepareAndRunRequest(bearerToken).retrieve()
                                            .bodyToMono(KeycloakValidationResponse.class)
                                            .flatMap(response -> Mono.just(response.getActive()))
                                            .onErrorResume(WebClientResponseException.class,ex -> Mono.just(false));
}

private WebClient.RequestHeadersSpec<?> prepareAndRunRequest(String bearerToken) {

    return client.post()
                 .uri(uriBuilder -> uriBuilder.path("/auth/realms/")
                                              .path(kcProperties.getRealm())
                                              .path("/protocol/openid-connect/token/introspect")
                                              .build())
                 .contentType(MediaType.APPLICATION_JSON)
                 .body(BodyInserters.fromFormData("client_id",kcProperties.getResource())
                                    .with("client_secret",kcProperties.getCredentials_secret())

过滤器:

public class ValidationTokenGatewayFilterFactory extends AbstractGatewayFilterFactory<ValidationTokenGatewayFilterFactory.Config> {

private final KeycloakClient client;

public ValidationTokenGatewayFilterFactory(KeycloakClient client) {
    super(Config.class);
    this.client = client;
}

@Override
public GatewayFilter apply(Config config) {
    return (exchange,chain) -> {

        String token = exchange.getRequest()
                               .getHeaders()
                               .get(AUTHORIZATION)
                               .get(0);

        token = token.substring(7);

        log.trace("-- ValidationToken(): token={}",token);

        return client.validateBearerToken(token)
                     .flatMap(validated -> {
                         if (validated) {
                             log.debug("-- ValidationToken(): Token valid");
                             return chain.filter(exchange);
                         } else {
                             log.debug("-- ValidationToken(): Token invalid");
                             exchange.getResponse()
                                     .setStatusCode(HttpStatus.UNAUTHORIZED);

                             return exchange.getResponse()
                                            .setComplete();
                         }
                     });
    };
}

public static class Config {
}

}

您可以在此处找到完整示例:https://gitlab.com/-/snippets/2105967

api-gatewaykeycloakspring-bootspring-security