Authorization Client Java API
Depending on your requirements, a resource server should be able to manage resources remotely or even check for permissions programmatically. If you are using Java, you can access the Keycloak Authorization Services through the Authorization Client API.
It is intended for resource servers that want to call the different endpoints provided by the server, such as the Protection, Authorization and Entitlement APIs.
Maven Dependency
<dependencies>
    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-authz-client</artifactId>
        <version>${KEYCLOAK_VERSION}</version>
    </dependency>
</dependencies>
Configuration
The client configuration is defined in a keycloak.json file as follows:
{
    "realm": "hello-world-authz",
    "auth-server-url": "http://localhost:8080/auth",
    "resource": "hello-world-authz-service",
    "credentials": {
        "secret": "secret"
    }
}
- realm (required)
The name of the realm.
- auth-server-url (required)
The base URL of the Keycloak server. All other Keycloak pages and REST service endpoints are derived from it. It is usually of the form https://host:port/auth.
- resource (required)
The client-id of the application. Each application has a client-id that is used to identify it.
- credentials (required)
Specifies the credentials of the application. This is an object notation where the key is the credential type and the value is the value for that credential type. The client uses these credentials to obtain the Protection API token that authorizes its calls to the Protection API, so treat the file as a secret: keep it out of version control, and outside local testing use an https auth-server-url so that the secret and the tokens are not sent in clear text.
The configuration file is usually located in your application's classpath, which is the default location from where the client tries to find a keycloak.json file.
Creating the Authorization Client
Considering you have a keycloak.json file in your classpath, you can create a new AuthzClient instance as follows:
import org.keycloak.authorization.client.AuthzClient;

// create a new instance based on the configuration defined in a keycloak.json located in your classpath
AuthzClient authzClient = AuthzClient.create();
Obtaining User Entitlements
Here is an example illustrating how to obtain all entitlements of a user. The argument to getAll is the client-id of the resource server whose permissions are being requested:
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.representation.EntitlementResponse;

// create a new instance based on the configuration defined in keycloak.json
AuthzClient authzClient = AuthzClient.create();
// obtain an Entitlement API Token to get access to the Entitlement API.
// this token is an access token issued to a client on behalf of a user
// with a uma_authorization scope. getEntitlementAPIToken is an application-provided
// helper: typically it returns the access token the user's client sent with the request,
// or one obtained with authzClient.obtainAccessToken(username, password).getToken()
String eat = getEntitlementAPIToken(authzClient);
// send the entitlement request to the server to
// obtain an RPT with all permissions granted to the user
EntitlementResponse response = authzClient.entitlement(eat).getAll("hello-world-authz-service");
String rpt = response.getRpt();
// now you can use the RPT to access protected resources on the resource server
Here is an example illustrating how to obtain user entitlements for one or more resources only, which keeps the resulting RPT limited to the permissions the resource server actually needs:
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.representation.EntitlementRequest;
import org.keycloak.authorization.client.representation.EntitlementResponse;
import org.keycloak.authorization.client.representation.PermissionRequest;

// create a new instance based on the configuration defined in keycloak.json
AuthzClient authzClient = AuthzClient.create();
// obtain an Entitlement API Token to get access to the Entitlement API.
// this token is an access token issued to a client on behalf of a user
// with a uma_authorization scope (see the application-provided helper above)
String eat = getEntitlementAPIToken(authzClient);
// create an entitlement request naming the resource(s) we are interested in
EntitlementRequest request = new EntitlementRequest();
PermissionRequest permission = new PermissionRequest();
permission.setResourceSetName("Hello World Resource");
request.addPermission(permission);
// send the entitlement request to the server to obtain an RPT
// with the permissions granted to the user for the requested resource(s)
EntitlementResponse response = authzClient.entitlement(eat).get("hello-world-authz-service", request);
String rpt = response.getRpt();
// now you can use the RPT to access protected resources on the resource server
Creating a Resource Using the Protection API
The following example registers a resource with the Protection API. Note that it deletes any existing resource with the same name before creating the new one; deleting a resource also discards the permissions attached to it, so in production you will usually prefer to update the existing resource in place.
import java.util.Set;

import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.representation.RegistrationResponse;
import org.keycloak.authorization.client.representation.ResourceRepresentation;
import org.keycloak.authorization.client.representation.ScopeRepresentation;
import org.keycloak.authorization.client.resource.ProtectedResource;

// create a new instance based on the configuration defined in keycloak.json
AuthzClient authzClient = AuthzClient.create();
// create a new resource representation with the information we want
ResourceRepresentation newResource = new ResourceRepresentation();
newResource.setName("New Resource");
newResource.setType("urn:hello-world-authz:resources:example");
newResource.addScope(new ScopeRepresentation("urn:hello-world-authz:scopes:view"));
// the Protection API client; the call is authenticated with the client credentials from keycloak.json
ProtectedResource resourceClient = authzClient.protection().resource();
// findByFilter returns the ids of the resources matching the filter
Set<String> existingResource = resourceClient.findByFilter("name=" + newResource.getName());
if (!existingResource.isEmpty()) {
    resourceClient.delete(existingResource.iterator().next());
}
// create the resource on the server
RegistrationResponse response = resourceClient.create(newResource);
String resourceId = response.getId();
// query the resource using its newly generated id
ResourceRepresentation resource = resourceClient.findById(resourceId).getResourceDescription();
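As an added example (not part of the original page or of the Keycloak project's own code), the registration above can be made idempotent: instead of deleting a resource that already carries the requested name, look it up, confirm the name matches exactly, and update it in place, so that its id and the permissions attached to it survive. It assumes the same Keycloak 3.x authz-client classes used above and a keycloak.json on the classpath; the class and method names (ResourceRegistration, registerOrUpdate) are the example's own.

```java
import java.util.Set;

import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.representation.RegistrationResponse;
import org.keycloak.authorization.client.representation.ResourceRepresentation;
import org.keycloak.authorization.client.representation.ScopeRepresentation;
import org.keycloak.authorization.client.resource.ProtectedResource;

/**
 * Registers a resource with the Protection API without deleting an existing one
 * that has the same name. Keeping the existing id preserves the permissions that
 * are already attached to the resource on the Keycloak side.
 * (Example class; the names are not part of the Keycloak API.)
 */
public class ResourceRegistration {

    /** Returns the id of the created or updated resource. */
    public static String registerOrUpdate(AuthzClient authzClient, String name, String type, String... scopes) {
        ProtectedResource resourceClient = authzClient.protection().resource();

        ResourceRepresentation resource = new ResourceRepresentation();
        resource.setName(name);
        resource.setType(type);
        for (String scope : scopes) {
            resource.addScope(new ScopeRepresentation(scope));
        }

        // findByFilter returns ids only; fetch each candidate and insist on an exact name match
        // so that a broader server-side match cannot make us overwrite a different resource
        String existingId = null;
        Set<String> candidates = resourceClient.findByFilter("name=" + name);
        for (String id : candidates) {
            ResourceRepresentation candidate = resourceClient.findById(id).getResourceDescription();
            if (name.equals(candidate.getName())) {
                existingId = id;
                break;
            }
        }

        if (existingId == null) {
            RegistrationResponse created = resourceClient.create(resource);
            return created.getId();
        }

        // reuse the existing id so the update replaces the description in place
        resource.setId(existingId);
        resourceClient.update(resource);
        return existingId;
    }

    public static void main(String[] args) {
        // reads keycloak.json from the classpath, as in the snippets above
        AuthzClient authzClient = AuthzClient.create();
        String id = registerOrUpdate(authzClient,
                "Hello World Resource",
                "urn:hello-world-authz:resources:example",
                "urn:hello-world-authz:scopes:view");
        System.out.println("resource id: " + id);
    }
}
```

Running it twice yields the same id on both runs; the delete-then-create variant above would return a fresh id each time and leave any resource-based permission that pointed at the old id dangling.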
Introspecting an RPT
Introspection asks the Keycloak server whether an RPT is still active and which permissions it carries. An expired or revoked RPT comes back with active set to false, so always check that flag before reading the permissions. getRequestingPartyToken is an application-provided helper that returns the RPT a client presented to the resource server, usually in the Authorization header:
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.representation.TokenIntrospectionResponse;
import org.keycloak.representations.idm.authorization.Permission;

AuthzClient authzClient = AuthzClient.create();
String rpt = getRequestingPartyToken(authzClient);
// ask the server about the token; the call is authenticated with the client credentials from keycloak.json
TokenIntrospectionResponse requestingPartyToken = authzClient.protection().introspectRequestingPartyToken(rpt);
if (requestingPartyToken.getActive()) {
    for (Permission granted : requestingPartyToken.getPermissions()) {
        // iterate over the granted permissions: granted.getResourceSetName() and granted.getScopes()
    }
}
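Putting the entitlement and introspection calls together, here is an added example (not from the original page or from the Keycloak project) of a deny-by-default check a resource server can run before serving a request: it obtains an RPT limited to one resource, then refuses access unless the RPT is active and carries a permission for that resource (and, when a scope is required, that scope). It assumes the Keycloak 3.x authz client, a keycloak.json on the classpath, and that the caller already holds the user's access token with the uma_authorization scope; the class and method names (RptEnforcer, obtainRpt, isGranted) are the example's own.

```java
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.representation.EntitlementRequest;
import org.keycloak.authorization.client.representation.EntitlementResponse;
import org.keycloak.authorization.client.representation.PermissionRequest;
import org.keycloak.authorization.client.representation.TokenIntrospectionResponse;
import org.keycloak.representations.idm.authorization.Permission;

/**
 * Deny-by-default enforcement built on the Entitlement and Protection APIs.
 * Example class: RptEnforcer and its methods are not part of the Keycloak API.
 */
public class RptEnforcer {

    private final AuthzClient authzClient;
    // client-id of the resource server, e.g. "hello-world-authz-service"
    private final String resourceServerId;

    public RptEnforcer(AuthzClient authzClient, String resourceServerId) {
        this.authzClient = authzClient;
        this.resourceServerId = resourceServerId;
    }

    /**
     * Ask the Entitlement API for an RPT that covers only the named resource.
     * entitlementApiToken is the user's access token (uma_authorization scope).
     * Returns null when the server refuses or cannot be reached, so callers deny.
     */
    public String obtainRpt(String entitlementApiToken, String resourceName) {
        EntitlementRequest request = new EntitlementRequest();
        PermissionRequest permission = new PermissionRequest();
        permission.setResourceSetName(resourceName);
        request.addPermission(permission);
        try {
            EntitlementResponse response = authzClient.entitlement(entitlementApiToken).get(resourceServerId, request);
            return response.getRpt();
        } catch (RuntimeException e) {
            // authorization denied, HTTP error, server unreachable: no RPT, no access
            return null;
        }
    }

    /**
     * True only if the RPT is active and carries a permission for resourceName.
     * When requiredScope is non-null, that scope must also be listed on the permission.
     */
    public boolean isGranted(String rpt, String resourceName, String requiredScope) {
        if (rpt == null || rpt.isEmpty()) {
            return false;
        }
        TokenIntrospectionResponse introspection;
        try {
            introspection = authzClient.protection().introspectRequestingPartyToken(rpt);
        } catch (RuntimeException e) {
            return false; // fail closed if Keycloak cannot be reached
        }
        // expired or revoked tokens come back with active == false
        if (introspection.getActive() == null || !introspection.getActive()) {
            return false;
        }
        if (introspection.getPermissions() == null) {
            return false;
        }
        for (Permission granted : introspection.getPermissions()) {
            if (!resourceName.equals(granted.getResourceSetName())) {
                continue;
            }
            if (requiredScope == null) {
                return true;
            }
            if (granted.getScopes() != null && granted.getScopes().contains(requiredScope)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        AuthzClient authzClient = AuthzClient.create();
        RptEnforcer enforcer = new RptEnforcer(authzClient, "hello-world-authz-service");
        // assumed: the user's access token is passed in by the caller (here the first argument)
        String userToken = args.length > 0 ? args[0] : "";
        String rpt = enforcer.obtainRpt(userToken, "Hello World Resource");
        boolean allowed = enforcer.isGranted(rpt, "Hello World Resource", "urn:hello-world-authz:scopes:view");
        System.out.println(allowed ? "access granted" : "access denied");
    }
}
```

Each isGranted call is a round trip to Keycloak, which is what makes revocation take effect immediately; if you cache the answer, bound the cache by the RPT's own lifetime, and keep the fail-closed behaviour on any client exception rather than letting an outage turn into an allow.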