用戶名密碼登錄
- POST /auth/realms/demo/protocol/openid-connect/token
- 請求體 x-www-form-urlencoded
grant_type:password
username:test
password:123456
client_secret:ec0fd1c6-68b0-4c39-a9fa-c3be25c8ef01
client_id:democlient
- 響應
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJFXzZpaDM1eVRMSk1pZUkwdnFnOU1tVFFySjZSY1VTeGlYZU5kY01hb1lrIn0.eyJleHAiOjE2MTk2NjEyODgsImlhdCI6MTYxOTY1ODI4OCwianRpIjoiMjE4NTliMjEtNzE1Mi00NDIzLWI5ZWMtNTQ4NDE0OTMxOTRiIiwiaXNzIjoiaHR0cDovLzE5Mi4xNjguNC4yNjo4MDgwL2F1dGgvcmVhbG1zL2ZhYmFvIiwiYXVkIjpbInJlYWxtLW1hbmFnZW1lbnQiLCJhY2NvdW50Il0sInN1YiI6IjAwNjcyOThkLTk3N2YtNGVkMy1hOTBjLTAxNWM1YzRjYTAwYyIsInR5cCI6IkJlYXJlciIsImF6cCI6ImRlbW9jbGllbnQiLCJzZXNzaW9uX3N0YXRlIjoiNzY1OTY5ZWMtOTRkYS00ZWRiLTlkY2ItZTE1ZWEzZTBhZDNiIiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyLns7vnu5_nrqHnkIYiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtIiwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktcHJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsInJlYWxtLWFkbWluIiwiY3JlYXRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInF1ZXJ5LXJlYWxtcyIsInZpZXctYXV0aG9yaXphdGlvbiIsInF1ZXJ5LWNsaWVudHMiLCJxdWVyeS11c2VycyIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50cyIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9yaXphdGlvbiIsIm1hbmFnZS1jbGllbnRzIiwicXVlcnktZ3JvdXBzIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50Iiwidmlldy1hcHBsaWNhdGlvbnMiLCJ2aWV3LWNvbnNlbnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsIm1hbmFnZS1jb25zZW50IiwiZGVsZXRlLWFjY291bnQiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6InJvbGVzIGVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsIm5hbWUiOiLmtbcgc2FuIiwicHJlZmVycmVkX3VzZXJuYW1lIjoidGVzdCIsImdpdmVuX25hbWUiOiLmtbciLCJmYW1pbHlfbmFtZSI6InNhbiIsImVtYWlsIjoidGVzdEBzaW5hLmNvbSJ9.w2z5a2OY069aQoB4uov9nHtCJL3dwqVH6rHRkyPP9CdU3iP2gFJa10-XqgOUr747PGiTKlaHHn-MO7nW7WYneJKZ0sw-SlaJjOc0zqVBZo26hBUO-JpXrnu26nmoAznpUyWM3P3enXMeW6mkTYwTuAAoaDlgJZcuFxknEjX7vGz0fClHZv60_G77yRInCy8hl9z1aNXGq9BME6ZSXXtGcgU9sLhQT6EqumegdLq7CaxKKLJgmD1hjmQhuhaBep3MkgJiLFmjM7zzLbpPEJ7b8mTeoydCOdqg0xFIZSV9pYQ6bEXC9JSRzGBC4VCeDVSMhVkOCozvgy-8-fPSgbIurQ",
"expires_in": 3000,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJkNzg3MGJjNi0yMDY3LTQ3MjAtYWNmNC04MjRhZTIzMWFiZDAifQ.eyJleHAiOjE2MTk2NjAwODgsImlhdCI6MTYxOTY1ODI4OCwianRpIjoiYmJjNDY3NjAtMWE2NS00ODA4LWIyMmQtYzAyMDQ4NzA5YTQyIiwiaXNzIjoiaHR0cDovLzE5Mi4xNjguNC4yNjo4MDgwL2F1dGgvcmVhbG1zL2ZhYmFvIiwiYXVkIjoiaHR0cDovLzE5Mi4xNjguNC4yNjo4MDgwL2F1dGgvcmVhbG1zL2ZhYmFvIiwic3ViIjoiMDA2NzI5OGQtOTc3Zi00ZWQzLWE5MGMtMDE1YzVjNGNhMDBjIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImRlbW9jbGllbnQiLCJzZXNzaW9uX3N0YXRlIjoiNzY1OTY5ZWMtOTRkYS00ZWRiLTlkY2ItZTE1ZWEzZTBhZDNiIiwic2NvcGUiOiJyb2xlcyBlbWFpbCBwcm9maWxlIn0.gXRGH6WgzykH9c4WTCS00G3w8gLZtk_0Bb3ziLNFUl0",
"token_type": "bearer",
"not-before-policy": 1619512543,
"session_state": "765969ec-94da-4edb-9dcb-e15ea3e0ad3b",
"scope": "roles email profile"
}
授權碼登錄
請求code
對於沒有認證的接口,將會返回401,即沒有登錄,這時keycloak會將我們的請求重定向到keycloak的登錄而,這時有幾個參數將被發到keycloak服務端,用來獲取code信息。
主要包括以下幾個參數 :
Response_type:表示響應類型,這里我們是code
Client_id:表示為你這個客戶端頒發的唯一標識
Redirect_uri:表示從keycloak服務端注冊的合法的回調地址,支持通配符
Scope:表示認證范圍,表示用戶的openid方式
- GET /auth/realms/demo/protocol/openid-connect/auth
- QUERY
client_id:democlient
scope:openid
response_type:code
client_secret:ec0fd1c6-68b0-4c39-a9fa-c3be25c8ef01
redirect_uri:http://localhost:9090/callback
- 跳轉到kc的登錄頁,完成用戶名和密碼的登錄
- 登錄成功之后,跳回callback刪除,在url參數上帶上了code
請求token
- POST /auth/realms/fabao/protocol/openid-connect/token
- 請求體 x-www-form-urlencoded
grant_type:authorization_code
code:68058719-add6-4b40-ab96-8e71af03827a.7a31b1a9-c3e8-46d4-b8cc-345012fcf4a2.25e52f60-5991-43dd-9108-873f60af385d
client_id:democlient
client_secret:ec0fd1c6-68b0-4c39-a9fa-c3be25c8ef01
scope:openid
redirect_uri:http://localhost:9090/callback
- 響應
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJFXzZpaDM1eVRMSk1pZUkwdnFnOU1tVFFySjZSY1VTeGlYZU5kY01hb1lrIn0.eyJleHAiOjE2MTk2NjMzMzQsImlhdCI6MTYxOTY2MDMzNCwiYXV0aF90aW1lIjoxNjE5NjYwMzIyLCJqdGkiOiI0ZTMxYzI0My0yOTAzLTQyZDQtYWE2Ny1hYmE0MzUzMTE5ZWQiLCJpc3MiOiJodHRwOi8vMTkyLjE2OC40LjI2OjgwODAvYXV0aC9yZWFsbXMvZmFiYW8iLCJhdWQiOlsicmVhbG0tbWFuYWdlbWVudCIsImFjY291bnQiXSwic3ViIjoiMDA2NzI5OGQtOTc3Zi00ZWQzLWE5MGMtMDE1YzVjNGNhMDBjIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZGVtb2NsaWVudCIsInNlc3Npb25fc3RhdGUiOiIxNDgxMmY1MC1iOWY3LTRjZWUtYmU1Ni1iZjliZWY1Yzk2MWEiLCJhY3IiOiIxIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIuezu-e7n-euoeeQhiIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhbG0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwicXVlcnktcmVhbG1zIiwidmlldy1hdXRob3JpemF0aW9uIiwicXVlcnktY2xpZW50cyIsInF1ZXJ5LXVzZXJzIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsbSIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsIm1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiLCJxdWVyeS1ncm91cHMiXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJ2aWV3LWFwcGxpY2F0aW9ucyIsInZpZXctY29uc2VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwibWFuYWdlLWNvbnNlbnQiLCJkZWxldGUtYWNjb3VudCIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoib3BlbmlkIHJvbGVzIGVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsIm5hbWUiOiLmtbcgc2FuIiwicHJlZmVycmVkX3VzZXJuYW1lIjoidGVzdCIsImdpdmVuX25hbWUiOiLmtbciLCJmYW1pbHlfbmFtZSI6InNhbiIsImVtYWlsIjoidGVzdEBzaW5hLmNvbSJ9.Xx9ndq1dtgHgqZNLsOYXYqB31_QmPvb30PqwZBJ5jq-mVB2-FxYQhH-u4g0L4wJIPRABBJ_bppcEgtwdIAo45isODmmhz-VYOB47vbLw44seGXnRvsZDAhImLm-p_fccfUcGdFfceZs3a3Tzz-mv7p-tQ64dMIS9DWCWTfJuOpoSOEDRvEvnGzOxWY9EqIk5fL2Y-ys7J2QAcOPCvZJNnE_mYPXV8vu5c0wGB9Pt7JYISX8IbizCHhXZHCd20h5maM44VDPCV9MSxsP8KQa_emdILT8HT_3uy1E1KmdXqde_S82IZsE-CPMZC6QjuTYf15Fh-umo0ncYqjTwX8piTQ",
"expires_in": 3000,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJkNzg3MGJjNi0yMDY3LTQ3MjAtYWNmNC04MjRhZTIzMWFiZDAifQ.eyJleHAiOjE2MTk2NjIxMzQsImlhdCI6MTYxOTY2MDMzNCwianRpIjoiYzFlZWU4ZDEtYmEwZC00OWJmLWJhOWMtZjk5Nzk4ZWNkNGZlIiwiaXNzIjoiaHR0cDovLzE5Mi4xNjguNC4yNjo4MDgwL2F1dGgvcmVhbG1zL2ZhYmFvIiwiYXVkIjoiaHR0cDovLzE5Mi4xNjguNC4yNjo4MDgwL2F1dGgvcmVhbG1zL2ZhYmFvIiwic3ViIjoiMDA2NzI5OGQtOTc3Zi00ZWQzLWE5MGMtMDE1YzVjNGNhMDBjIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImRlbW9jbGllbnQiLCJzZXNzaW9uX3N0YXRlIjoiMTQ4MTJmNTAtYjlmNy00Y2VlLWJlNTYtYmY5YmVmNWM5NjFhIiwic2NvcGUiOiJvcGVuaWQgcm9sZXMgZW1haWwgcHJvZmlsZSJ9.y718VaUJ3Z8_ZSWquOubB5AcQtsRoYlaKrbqQPVLV_o",
"token_type": "bearer",
"id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJFXzZpaDM1eVRMSk1pZUkwdnFnOU1tVFFySjZSY1VTeGlYZU5kY01hb1lrIn0.eyJleHAiOjE2MTk2NjMzMzQsImlhdCI6MTYxOTY2MDMzNCwiYXV0aF90aW1lIjoxNjE5NjYwMzIyLCJqdGkiOiI5ODIyMDExMS1kMjVmLTQwYTAtYjNlZi1hZDlhNjk2YjhlYjAiLCJpc3MiOiJodHRwOi8vMTkyLjE2OC40LjI2OjgwODAvYXV0aC9yZWFsbXMvZmFiYW8iLCJhdWQiOiJkZW1vY2xpZW50Iiwic3ViIjoiMDA2NzI5OGQtOTc3Zi00ZWQzLWE5MGMtMDE1YzVjNGNhMDBjIiwidHlwIjoiSUQiLCJhenAiOiJkZW1vY2xpZW50Iiwic2Vzc2lvbl9zdGF0ZSI6IjE0ODEyZjUwLWI5ZjctNGNlZS1iZTU2LWJmOWJlZjVjOTYxYSIsImF0X2hhc2giOiJjWjBaN2tlay1ONWlsN3ZRaWFtVTNRIiwiYWNyIjoiMSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6Iua1tyBzYW4iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0IiwiZ2l2ZW5fbmFtZSI6Iua1tyIsImZhbWlseV9uYW1lIjoic2FuIiwiZW1haWwiOiJ0ZXN0QHNpbmEuY29tIn0.sIRpNtEbHKTcxCTAP5DaF-uK0jCO4atQvvFwPs3QrPxkcFq7oE3E1veyKuxfQo5oZfzEeKGAWsLshwZbng-idF6EKTIs_FeEcLJxiwsK1XiDzdRFfyr-rcCgM7assJx7Muah3xT-DgSdO9MzxW7Vfr_qauWbNeXyWzHCqO8sAUNxREVZZyVcFoqxD9JPIlrrCZQzAyEmvYtnNpF95uwUu0UgmHywLyg3drIqF8C5-kBxxWFUo4Z46YYmu4me3lmDzaohu26sSs2mHNfadTLxme3ir5kB23aeVpKplzr4ZVcO70HfZ6RU2Is8W__FRakB5XDhKLiRf_l4unaTtzbyKQ",
"not-before-policy": 1619660302,
"session_state": "14812f50-b9f7-4cee-be56-bf9bef5c961a",
"scope": "openid roles email profile"
}
JWT token解析
PAYLOAD數據載體主要包括用戶ID,用戶名,用戶角色,過期時間等信息
Sub:用戶ID
preferred_username:賬號名稱
Name:用戶姓名
Email:電子郵件
realm_access:領域角色
resource_access:客戶端(資源服務)角色
Azp:授權客戶端
Typ:token的類型
Aud:被授權的客戶端列表
Exp:過期時間
Iss: 當前領域的開放API
Scope對jwt的影響
我們可以配置域的scope,或者對指定的client配置 scope,如圖
圖中,我們把客戶端democlient的scope里的roles移除后,在返回的token里將不會出現和角色有關的信息,即realm_access和resource_access將被移除。
