Spring OAuth2 integration with Keycloak

Dependencies

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>

Main application class

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@SpringBootApplication
@EnableWebSecurity
// WebSecurityConfigurerAdapter is deprecated from Spring Security 5.7 on; it still works on Spring Boot 2.x
public class KeycloakDemoApplication extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
                // only the landing page, the error page and webjars are public
                .authorizeRequests(a -> a
                        .antMatchers("/", "/error", "/webjars/**").permitAll()
                        .anyRequest().authenticated()
                )
                // answer unauthenticated requests with 401 instead of redirecting to a login page
                .exceptionHandling(e -> e
                        .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
                )
                .logout(l -> l
                        .logoutSuccessUrl("/").permitAll()
                )
                // CSRF token in a cookie readable by browser-side JavaScript (XSRF-TOKEN)
                .csrf(c -> c
                        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                )
                // registers /oauth2/authorization/{registrationId} and /login/oauth2/code/{registrationId}
                .oauth2Login();
        // @formatter:on
    }

    public static void main(String[] args) {
        SpringApplication.run(KeycloakDemoApplication.class, args);
    }

}

resources/static/index.html

<div class="container unauthenticated">
    With Keycloak: <a href="/oauth2/authorization/keycloak">click here</a>
</div>

Spring configuration

Key paths

  • URL template that starts the first redirect to the authorization server: /oauth2/authorization/{registrationId}
  • redirectUri: default template {baseUrl}/login/oauth2/code/{registrationId}

Sample configuration

spring:
  security:
    oauth2:
      client:
        registration:
          keycloak:                      # registrationId, substituted into both URL templates above
            clientId: test
            clientSecret: zwd2yOiUqn0jowH2hrPYJvFsCGWnVZvL   # sample value; keep real secrets out of source control
            authorizationGrantType: authorization_code
            redirectUri: http://localhost:8082/login/oauth2/code/keycloak
        provider:
          keycloak:
            authorizationUri: http://localhost:8080/realms/test/protocol/openid-connect/auth
            tokenUri: http://localhost:8080/realms/test/protocol/openid-connect/token
            userInfoUri: http://localhost:8080/realms/test/protocol/openid-connect/userinfo
            userNameAttribute: preferred_username   # required, see "Problems encountered" below

Code walkthrough

  • DefaultOAuth2AuthorizationRequestResolver: reads the configuration of the current provider and performs the redirect logic
  • OAuth2LoginAuthenticationFilter: handles the callback address and performs the exchange of the code for the OpenID token
  • OAuth2AuthorizationCodeAuthenticationProvider: exchanges the code for the access token and refresh token
  • DefaultOAuth2UserService: loads the user information
  • AuthorizationGrantType: defines the grant types
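The following is an added example and not code from the original post. It covers two of the sections above at once: it expresses the sample YAML registration through the ClientRegistration builder, and it runs DefaultOAuth2AuthorizationRequestResolver (the first class in the walkthrough) against a mock request for /oauth2/authorization/keycloak to show how the two key paths are expanded into the redirect the browser receives. Assumptions: Spring Security 5.5 or later and spring-test on the classpath; the realm name "test", client id "test" and port numbers are the post's sample values; the client secret is read from an environment variable named KEYCLOAK_CLIENT_SECRET, which is an assumption of this example; the `openid` scope is added here (the post's sample configures no scope) so that Spring Security treats the login as OpenID Connect and validates the ID token.

```java
// Added example, not from the original post: builds the post's Keycloak registration
// in code and resolves the authorization request for the "first redirect" path.
// Assumed: Spring Security 5.5+, spring-test, env var KEYCLOAK_CLIENT_SECRET.
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;

public class KeycloakAuthorizationRequestDemo {

    // Realm and port from the post's sample configuration
    private static final String KEYCLOAK_OIDC = "http://localhost:8080/realms/test/protocol/openid-connect";

    /** The post's YAML registration expressed through the builder API. */
    static ClientRegistration keycloakRegistration(String clientSecret) {
        return ClientRegistration.withRegistrationId("keycloak")
                .clientId("test")
                .clientSecret(clientSecret)
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                // Default template; expands to http://localhost:8082/login/oauth2/code/keycloak
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                // Not in the post's sample: with "openid" the login is handled as OpenID Connect
                .scope("openid")
                .authorizationUri(KEYCLOAK_OIDC + "/auth")
                .tokenUri(KEYCLOAK_OIDC + "/token")
                .userInfoUri(KEYCLOAK_OIDC + "/userinfo")
                // Required by DefaultOAuth2UserService; the post's "Problems encountered" shows the error without it
                .userNameAttributeName("preferred_username")
                .clientName("Keycloak")
                .build();
    }

    /** Resolves the authorization request the way OAuth2AuthorizationRequestRedirectFilter does. */
    static OAuth2AuthorizationRequest resolveLoginRedirect(ClientRegistrationRepository repository) {
        DefaultOAuth2AuthorizationRequestResolver resolver = new DefaultOAuth2AuthorizationRequestResolver(
                repository, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);

        // Constructed request: the browser hits the post's first-redirect path on the app at localhost:8082
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/oauth2/authorization/keycloak");
        request.setServletPath("/oauth2/authorization/keycloak");
        request.setScheme("http");
        request.setServerName("localhost");
        request.setServerPort(8082);
        return resolver.resolve(request);
    }

    public static void main(String[] args) {
        String secret = System.getenv("KEYCLOAK_CLIENT_SECRET");
        if (secret == null || secret.isEmpty()) {
            throw new IllegalStateException("KEYCLOAK_CLIENT_SECRET is not set");
        }
        ClientRegistrationRepository repository =
                new InMemoryClientRegistrationRepository(keycloakRegistration(secret));

        OAuth2AuthorizationRequest authRequest = resolveLoginRedirect(repository);
        // The browser is sent to the Keycloak auth endpoint with response_type=code, client_id,
        // the expanded redirect_uri and a per-request state value; the callback filter later
        // compares that state against the saved request before exchanging the code.
        System.out.println("redirect to : " + authRequest.getAuthorizationRequestUri());
        System.out.println("redirect_uri: " + authRequest.getRedirectUri());
        System.out.println("state       : " + authRequest.getState());
    }
}
```

The resolved redirect_uri is http://localhost:8082/login/oauth2/code/keycloak, i.e. exactly the value the post writes out explicitly in its YAML; the {baseUrl} template produces the same result and additionally tracks scheme and host when the application is fronted by a proxy that sets forwarded headers.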

Problems encountered

  1. Leaving out userNameAttribute: preferred_username causes the error Missing required "user name" attribute name in UserInfoEndpoint for Client Registration

Documentation
