9.2. Claim Information Points
A Claim Information Point (CIP) is responsible for resolving claims and pushing them to the Red Hat Single Sign-On server, so that policies receive more information about the access context. CIPs are defined as a configuration option of the policy-enforcer and can resolve claims from different sources, such as:
- the HTTP request (parameters, headers, body, and so on)
- an external HTTP service
- static values defined in the configuration
- an implementation of the Claim Information Provider SPI
With claims pushed to the Red Hat Single Sign-On server, policies can base their decisions not only on who the user is, but also on the context and content of a given transaction: who is acting, why, and when. This is contextual authorization, that is, using runtime information to support fine-grained authorization decisions.
9.2.1. Obtaining information from the HTTP request
The following example shows how to extract claims from the HTTP request:
keycloak.json
"policy-enforcer": {
    "paths": [
        {
            "path": "/protected/resource",
            "claim-information-point": {
                "claims": {
                    "claim-from-request-parameter": "{request.parameter['a']}",
                    "claim-from-header": "{request.header['b']}",
                    "claim-from-cookie": "{request.cookie['c']}",
                    "claim-from-remoteAddr": "{request.remoteAddr}",
                    "claim-from-method": "{request.method}",
                    "claim-from-uri": "{request.uri}",
                    "claim-from-relativePath": "{request.relativePath}",
                    "claim-from-secure": "{request.secure}",
                    "claim-from-json-body-object": "{request.body['/a/b/c']}",
                    "claim-from-json-body-array": "{request.body['/d/1']}",
                    "claim-from-body": "{request.body}",
                    "claim-from-static-value": "static value",
                    "claim-from-multiple-static-value": ["static", "value"],
                    "param-replace-multiple-placeholder": "Test {keycloak.access_token['/custom_claim/0']} and {request.parameter['a']} "
                }
            }
        }
    ]
}
9.2.2. Obtaining information from an external HTTP service
The following example shows how to extract claims from an external HTTP service:
keycloak.json
"policy-enforcer": {
    "paths": [
        {
            "path": "/protected/resource",
            "claim-information-point": {
                "http": {
                    "claims": {
                        "claim-a": "/a",
                        "claim-d": "/d",
                        "claim-d0": "/d/0",
                        "claim-d-all": ["/d/0", "/d/1"]
                    },
                    "url": "http://mycompany/claim-provider",
                    "method": "POST",
                    "headers": {
                        "Content-Type": "application/x-www-form-urlencoded",
                        "header-b": ["header-b-value1", "header-b-value2"],
                        "Authorization": "Bearer {keycloak.access_token}"
                    },
                    "parameters": {
                        "param-a": ["param-a-value1", "param-a-value2"],
                        "param-subject": "{keycloak.access_token['/sub']}",
                        "param-user-name": "{keycloak.access_token['/preferred_username']}",
                        "param-other-claims": "{keycloak.access_token['/custom_claim']}"
                    }
                }
            }
        }
    ]
}
9.2.3. Static claims
keycloak.json
"policy-enforcer": {
    "paths": [
        {
            "path": "/protected/resource",
            "claim-information-point": {
                "claims": {
                    "claim-from-static-value": "static value",
                    "claim-from-multiple-static-value": ["static", "value"]
                }
            }
        }
    ]
}
9.2.4. Claim Information Provider SPI
If none of the built-in providers is sufficient for your requirements, you can use the Claim Information Provider SPI to support additional claim information points.
For example, to implement a new CIP provider you need to implement org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory and ClaimInformationPointProvider, and also provide the file META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory on your application's classpath.
Example of org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory:
import java.util.Map;

import org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory;
import org.keycloak.adapters.authorization.PolicyEnforcer;

public class MyClaimInformationPointProviderFactory implements ClaimInformationPointProviderFactory<MyClaimInformationPointProvider> {

    // The name under which this provider is referenced in the claim-information-point configuration
    @Override
    public String getName() {
        return "my-claims";
    }

    // Called once when the policy enforcer is initialised; nothing to set up here
    @Override
    public void init(PolicyEnforcer policyEnforcer) {
    }

    // Called per request with the configuration defined for this provider
    @Override
    public MyClaimInformationPointProvider create(Map<String, Object> config) {
        return new MyClaimInformationPointProvider(config);
    }
}
Every CIP provider must be associated with a name, as defined by the MyClaimInformationPointProviderFactory.getName method. The name is used to map the configuration from the claim-information-point section of the policy-enforcer configuration to the implementation.
When processing a request, the policy enforcer calls the MyClaimInformationPointProviderFactory.create method to obtain an instance of MyClaimInformationPointProvider. When called, the configuration defined for this particular CIP provider (via claim-information-point) is passed as a map.
Example of ClaimInformationPointProvider:
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.keycloak.adapters.authorization.ClaimInformationPointProvider;
import org.keycloak.adapters.spi.HttpFacade;

public class MyClaimInformationPointProvider implements ClaimInformationPointProvider {

    // Configuration for this provider, taken from the claim-information-point section
    private final Map<String, Object> config;

    public MyClaimInformationPointProvider(Map<String, Object> config) {
        this.config = config;
    }

    // Resolves the claims for the current request; each claim may carry several values
    @Override
    public Map<String, List<String>> resolve(HttpFacade httpFacade) {
        Map<String, List<String>> claims = new HashMap<>();

        // put whatever claim you want into the map

        return claims;
    }
}
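The following is an added example, not code from the Red Hat Single Sign-On documentation or code base, that fills in the skeleton above with a complete, configurable provider. It assumes the adapter SPI methods HttpFacade.getRequest(), HttpFacade.Request.getHeaders(String) and HttpFacade.Request.getRemoteAddr(), and that the map passed to create is the object nested under the provider's name in claim-information-point. The class names, the provider name "header-claims" and the configuration keys "headers" and "include-remote-addr" are hypothetical.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.keycloak.adapters.authorization.ClaimInformationPointProvider;
import org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory;
import org.keycloak.adapters.authorization.PolicyEnforcer;
import org.keycloak.adapters.spi.HttpFacade;

/*
 * Hypothetical provider that pushes selected request headers (and optionally the
 * client address) as claims. Referenced from keycloak.json like this (assumed layout):
 *
 *   "claim-information-point": {
 *       "header-claims": {
 *           "headers": ["X-Tenant-Id", "X-Request-Id"],
 *           "include-remote-addr": true
 *       }
 *   }
 *
 * The fully qualified factory class name must also be listed in
 * META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory
 */
public class HeaderClaimsProviderFactory implements ClaimInformationPointProviderFactory<HeaderClaimsProvider> {

    @Override
    public String getName() {
        return "header-claims"; // hypothetical provider name
    }

    @Override
    public void init(PolicyEnforcer policyEnforcer) {
        // No shared state needed; the enforcer is available here if a provider requires it
    }

    @Override
    public HeaderClaimsProvider create(Map<String, Object> config) {
        return new HeaderClaimsProvider(config);
    }
}

class HeaderClaimsProvider implements ClaimInformationPointProvider {

    private final List<String> headerNames;   // config key "headers" (hypothetical)
    private final boolean includeRemoteAddr;  // config key "include-remote-addr" (hypothetical)

    HeaderClaimsProvider(Map<String, Object> config) {
        this.headerNames = toStringList(config.get("headers"));
        // String.valueOf copes with both a JSON boolean and the string "true"; null becomes false
        this.includeRemoteAddr = Boolean.parseBoolean(String.valueOf(config.get("include-remote-addr")));
    }

    @Override
    public Map<String, List<String>> resolve(HttpFacade httpFacade) {
        Map<String, List<String>> claims = new HashMap<>();
        HttpFacade.Request request = httpFacade.getRequest();

        for (String name : headerNames) {
            List<String> values = request.getHeaders(name);
            // Only push headers that are present: a policy then distinguishes "missing"
            // from an empty value instead of seeing an empty string for every header.
            if (values != null && !values.isEmpty()) {
                claims.put("header." + name.toLowerCase(), new ArrayList<>(values));
            }
        }

        if (includeRemoteAddr) {
            claims.put("remote.addr", Collections.singletonList(request.getRemoteAddr()));
        }
        return claims;
    }

    // Accepts either a single string or a list of strings from the parsed JSON configuration
    private static List<String> toStringList(Object value) {
        List<String> result = new ArrayList<>();
        if (value instanceof List) {
            for (Object item : (List<?>) value) {
                result.add(String.valueOf(item));
            }
        } else if (value != null) {
            result.add(String.valueOf(value));
        }
        return result;
    }
}
```

Headers are supplied by the caller, so a policy that relies on header.x-tenant-id or remote.addr should only trust values that a reverse proxy in front of the application is known to set or overwrite; the provider itself deliberately pushes nothing for headers that are absent, so a policy can require the claim to exist rather than match a default.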