在节点js中使用keycloak访问令牌(从来自前端的HTTP GET请求中的Authorization头接收)对rest api进行身份验证

Question

var loadData = function () {

var url = 'http://localhost:3000/users';

var req = new XMLHttpRequest();
req.open('GET', url, true);
req.setRequestHeader('Accept', 'application/json');
req.setRequestHeader('Authorization', 'Bearer ' + keycloak.token);

req.onreadystatechange = function () {
    if (req.readyState == 4) {
        if (req.status == 200) {
            console.log('Success');
        } else if (req.status == 403) {
            console.log('Forbidden');
        }
    }
}

req.send();  
};

上面是我的前端代码，请求REST API并在authorization头中传递keycloak令牌，这是在节点js服务器端进行身份验证所需的。

现在，我想知道如何使用Keycloak保护我的Rest Api，并根据从前端收到的令牌对其进行身份验证，并判断可信用户是否正在请求rest api资源。

我已经在node js中创建了rest api，并使用了keycloak-connect npm包。我已经将nodejs中间件与keycloak中间件进行了映射。

var express = require('express');
var router = express.Router();
var app = express();
var Keycloak = require('keycloak-connect');
var keycloak =new Keycloak();

app.use( keycloak.middleware( {
logout: '/logout',
admin: '/',
} ));

router.get('/users',function(req, res, next) {
var token=req.headers['authorization']; //Access token received from front end

//Now how to authenticate this token with keycloak???

});

我还在项目的根文件夹中包含了keycloak.json文件。

Answer 1

看看keycloak.protect()函数。使用它来验证您的路由。

router.get('/users',keycloak.protect(),function(req, res, next) {

});

Answer 2

看看my answer here，它概述了如何通过将令牌发送到Keycloak的userinfo路由来验证令牌(由客户端请求提供)在您的节点REST API中是否有效。

此解决方案建议：

实现了一个函数，该函数检查每个请求的持有者令牌，并在将令牌传递给您的api的路由处理程序之前，将令牌发送给用户信息端点上的Keycloak服务器进行验证。

使用Node.js/Express的代码示例：

const express = require("express");
const request = require("request");

const app = express();

/*
 * additional express app config
 * app.use(bodyParser.json());
 * app.use(bodyParser.urlencoded({ extended: false }));
 */

const keycloakHost = 'your keycloak host';
const keycloakPort = 'your keycloak port';
const realmName = 'your keycloak realm';

// check each request for a valid bearer token
app.use((req, res, next) => {
  // assumes bearer token is passed as an authorization header
  if (req.headers.authorization) {
    // configure the request to your keycloak server
    const options = {
      method: 'GET',
      url: `https://${keycloakHost}:${keycloakPort}/auth/realms/${realmName}/protocol/openid-connect/userinfo`,
      headers: {
        // add the token you received to the userinfo request, sent to keycloak
        Authorization: req.headers.authorization,
      },
    };

    // send a request to the userinfo endpoint on keycloak
    request(options, (error, response, body) => {
      if (error) throw new Error(error);

      // if the request status isn't "OK", the token is invalid
      if (response.statusCode !== 200) {
        res.status(401).json({
          error: `unauthorized`,
        });
      }
      // the token is valid pass request onto your next function
      else {
        next();
      }
    });
  } else {
    // there is no token, don't process request further
    res.status(401).json({
    error: `unauthorized`,
  });
});

// configure your other routes
app.use('/some-route', (req, res) => {
  /*
  * api route logic
  */
});


// catch 404 and forward to error handler
app.use((req, res, next) => {
  const err = new Error('Not Found');
  err.status = 404;
  next(err);
});

Answer 3

看起来NodeJS4.0.0.1测试版中间件需要一个名为request.kauth的完整对象，该对象包含完整的有效负载。

http://lists.jboss.org/pipermail/keycloak-user/2017-February/009719.html

return function protect (request, response, next) {
    if (request.kauth && request.kauth.grant) {*   // Line 2*
      if (!guard || guard(request.kauth.grant.access_token, request,
response)) {
        return next();
      }

      return keycloak.accessDenied(request, response, next);
    }

我不确定编码解码发生在哪里，或者是什么。看起来像是在文档里不见了。

https://issues.jboss.org/browse/KEYCLOAK-4687