13.4. Using HawtIO and OpenID Connect authentication with Keycloak
The easiest way to run a Keycloak instance is to use a container:
    podman run -d --name keycloak \
      -p 18080:8080 \
      -e KEYCLOAK_ADMIN=admin \
      -e KEYCLOAK_ADMIN_PASSWORD=admin \
      quay.io/keycloak/keycloak:latest start-dev
Once it has started, browse to http://localhost:18080/admin/master/console/ and create a new realm:
On the realm creation screen, upload hawtio-demo-realm.json, which defines a new hawtio-demo realm with a pre-configured hawtio-client client and 3 users:
- admin/admin with the roles manager, admin, viewer and user
- viewer/viewer with the roles viewer and user
- jdoe/jdoe with the role user
13.4.1. Checking JWT token issues
To inspect the contents of a granted access token, we can use the Keycloak console. Navigate to "Clients", select "hawtio-client", and use the "Client scopes" tab and its "Evaluate" sub-tab:
Then, in the "Users" field, enter a user such as "admin" and click "Generated access token". We can then inspect the sample token:
    {
      "exp": 1709552728,
      "iat": 1709552428,
      "jti": "0f33971f-c4f7-4a5c-a240-c18ba3f97aa1",
      "iss": "http://localhost:18080/realms/hawtio-demo",
      "aud": "account",
      "sub": "84d156fa-e4cc-4785-91c1-4e0bda4b8ed9",
      "typ": "Bearer",
      "azp": "hawtio-client",
      "session_state": "181a30ac-fce1-4f4f-aaee-110304ccb0e6",
      "acr": "1",
      "allowed-origins": [
        "http://0.0.0.0:8181",
        "http://localhost:8080",
        "http://localhost:8181",
        "http://0.0.0.0:10001",
        "http://0.0.0.0:8080",
        "http://localhost:10001",
        "http://localhost:10000",
        "http://0.0.0.0:10000"
      ],
      "realm_access": {
        "roles": [
          "viewer",
          "manager",
          "admin",
          "user"
        ]
      },
      "resource_access": {
        "account": {
          "roles": [
            "manage-account",
            "manage-account-links",
            "view-profile"
          ]
        }
      },
      "scope": "openid profile email",
      "sid": "181a30ac-fce1-4f4f-aaee-110304ccb0e6",
      "email_verified": false,
      "name": "Admin Hawtio",
      "preferred_username": "admin",
      "given_name": "Admin",
      "family_name": "Hawtio",
      "email": "admin@hawt.io"
    }
Knowing the structure of the JWT access token, we can check that the roles path is correct:
    # example for Keycloak with use-resource-role-mappings=false
    oidc.rolesPath = realm_access.roles
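As an added example (not code from the HawtIO or Keycloak projects), the following Python decodes a token payload and resolves a dotted oidc.rolesPath against it, so you can confirm before deploying that the configured path really yields roles for the sample token above; a path that does not resolve, such as the client-role layout resource_access.<client-id>.roles when only realm roles are mapped, leaves the user with no roles. The function names, the trimmed copy of the sample claims and the placeholder signature are assumptions made for this example.

```python
import base64
import json
from typing import Dict, List, Optional

# Claims copied from the sample access token above (constructed inline so the
# example runs offline; only the fields relevant to role mapping are kept).
SAMPLE_CLAIMS: Dict = {
    "iss": "http://localhost:18080/realms/hawtio-demo",
    "azp": "hawtio-client",
    "preferred_username": "admin",
    "realm_access": {"roles": ["viewer", "manager", "admin", "user"]},
    "resource_access": {
        "account": {"roles": ["manage-account", "manage-account-links", "view-profile"]}
    },
}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_payload(token: str) -> Dict:
    """Return the claims of a compact JWT without verifying its signature.
    Only for inspecting a token you obtained yourself (e.g. from the Keycloak
    Evaluate tab); HawtIO validates the signature during the OIDC login."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def roles_at_path(claims: Dict, roles_path: str) -> Optional[List[str]]:
    """Resolve a dotted oidc.rolesPath ('realm_access.roles' for realm roles,
    'resource_access.<client-id>.roles' for client roles) against the claims.
    Returns None if a segment is missing or the leaf is not a list, in which
    case HawtIO would see the user with no roles at all."""
    node = claims
    for key in roles_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return list(node) if isinstance(node, list) else None

def unverified_token(claims: Dict) -> str:
    # Compact JWT with a placeholder signature so jwt_payload() can be run
    # offline; a real Keycloak token carries an RS256 signature instead.
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "RS256", "typ": "JWT"})}.{enc(claims)}.placeholder-signature'
```

To check a token pasted from the Evaluate tab, pass it to jwt_payload() and then roles_at_path() with the value of oidc.rolesPath from your HawtIO configuration.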