问题描述
我正在开发一些SpringBoot微服务,通过WSO2 APIM公开REST。
微服务本身不实现任何形式的身份验证或授权机制,而是委托给APIM。
如果我按照here所述将API设置为使用密码授予,则前端应用程序可以进行身份验证并生成JWT令牌。
现在的问题是,我无法从JWT有效负载中获取用户角色,因为APIM没有添加它。此信息非常重要,因为前端渲染菜单和按钮基于用户角色。
但是生成的JWT令牌不包含有关角色的任何信息。这是一个示例令牌:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5UZG1aak00WkRrM05qWTBZemm1TW1abU9EZ3dNVEUzTVdZd05ERTVNV1JsWkRnNE56YzRaQT09In0.eyJodHRwOlwvXC93c28yLm9yZ1wvY2xhaW1zXC9hcHBsaWNhdGlvbnRpZXIiOiJVbmxpbWl0ZWQiLCJodHRwOlwvXC93c28yLm9yZ1wvY2xhaW1zXC92ZXJzaW9uIjoidjEiLCJodHRwOlwvXC93c28yLm9yZ1wvY2xhaW1zXC9rZXl0eXBlIjoiUFJPRFVDVElPTiIsImlzcyI6IndzbzIub3JnXC9wcm9kdWN0c1wvYW0iLCJodHRwOlwvXC93c28yLm9yZ1wvY2xhaW1zXC9hcHBsaWNhdGlvbm5hbWUiOiJDYWRhc3RybyBkZSBDbGllbnRlcyIsImtleXR5cGUiOiJTQU5EQk9YIiwiaHR0cDpcL1wvd3NvMi5vcmdcL2NsYWltc1wvZW5kdXNlciI6ImVtaWxpb0BjYXjib24uc3VwZXIiLCJodHRwOlwvXC93c28yLm9yZ1wvY2xhaW1zXC9lbmR1c2VyVGVuYW50SWQiOiItMTIzNCIsImh0dHA6XC9cL3dzbzIub3JnXC9jbGFpbXNcL3N1YnNjcmliZXIiOiJhZG1pbiIsImh0dHA6XC9cL3dzbzIub3JnXC9jbGFpbXNcL3RpZXIiOiJVbmxpbWl0ZWQiLCJzY29wZSI6ImRlZmF1bHQiLCJleHAiOiIxNTk5NTYyOTQ4MDI4IiwiaHR0cDpcL1wvd3NvMi5vcmdcL2NsYWltc1wvYXBwbGljYXRpb25pZCI6IjIiLCJodHRwOlwvXC93c28yLm9yZ1wvY2xhaW1zXC91c2VydhlwZSI6IkFwcGxpY2F0aW9uX1VzZXIiLCJjb25zdW1lcktleSI6IktJaTdnUk1RYmg1OWZGbmpVOFhNbnhGcm9pNGEiLCJodHRwOlwvXC93c28yLm9yZ1wvY2xhaW1zXC9hcGljb250ZXh0IjoiXC9ia25nXC92MSJ9.km4w2V7dGmogl8f4_ZqKHvdofAPLOOw__GPjWKrpjYelbi7IjdipRODEZNn8hE1krRdDTSjKRviJ-NBvXtTXIiLdfPh1p-zNtX26vrS77ZcSZ2WsQA7Ku21YMqcm6cyZvEhZ99qfTxOtbJfkwt6Yt8itkyr-aqk83pNp85LTnwtNboib9VOOvh37zNEJUImzKw4WvENp4SgluHO978FriHyHPN9vibzPjpItW5DOXTFNdN4rP6RK_vcOH6hpuZHwivJpTHxf9qMB3Gd2yTig-Hkr-sZGbx89pQf8kqtCLWbhRG5jOtcEJNf2CSNLB0Glg_e4F6LfhVD5JUCz15jdlg
当我在https://jwt.io/中提取它时,得到以下有效负载:
{
"http://wso2.org/claims/applicationtier": "Unlimited","http://wso2.org/claims/version": "v1","http://wso2.org/claims/keytype": "PRODUCTION","iss": "wso2.org/products/am","http://wso2.org/claims/applicationname": "Cadastro de Clientes","keytype": "SANDBox","http://wso2.org/claims/enduser": "emilio@carbon.super","http://wso2.org/claims/enduserTenantId": "-1234","http://wso2.org/claims/subscriber": "admin","http://wso2.org/claims/tier": "Unlimited","scope": "default","exp": "1599562948028","http://wso2.org/claims/applicationid": "2","http://wso2.org/claims/usertype": "Application_User","consumerKey": "KIi7gRMQbh59fFnjU8XMnxFroi4a","http://wso2.org/claims/apicontext": "/bkng/v1"
}
如何为JWT有效负载添加用户角色?是否需要按照here的描述实现自定义生成器?
谢谢!
解决方法
获得包含在auth JWT中的角色声明的最简单方法是在服务提供商级别添加声明映射,并请求具有OpenID范围的令牌。为此,请尝试以下步骤。
-
登录到管理控制台
https://<host>:<port>/carbon -
在左侧菜单中列出服务提供商
-
转到所需的服务提供商上进行编辑(开发人员门户中的每个应用程序都有一个地图服务提供商)
-
将声明映射添加到
role声明中,如下所示
-
使用
scope=openid参数发送令牌请求curl -k -X POST https://localhost:8243/token -d "grant_type=password&username=<Username>&password=<Password>&scope=openid" -H "Authorization: Basic <Credentials>" -
响应访问令牌将包含此格式的角色
{ "sub": "admin@carbon.super","iss": "https://localhost:9443/oauth2/token","groups": [ "Internal/subscriber","Internal/creator","Application/apim_devportal","Application/admin_NewApp_PRODUCTION","Internal/publisher","Internal/everyone","Internal/analytics",],... }