Problem description
There is an endpoint to a backend server which gives a JSON response on pinging and is protected by an Apigee Edge Proxy. Currently, this endpoint has no security and we want to implement Bearer-only token authentication for all the clients making the request. All the clients making requests to the API will send that JWT token in Authorization Bearer and Apigee Edge will be used to verify the JWT token.
How do I use Keycloak to generate this JWT token?
Also, Apigee needs a public key of the origin of the JWT token (the server which signed the JWT token, in this case, I believe that is Keycloak). So my second doubt is, while I use Keycloak to generate the JWT token, how do I get the public key using which the server will verify if the token is valid?
Recommended answer
This got figured out with the help of this medium article. All the steps I have mentioned below have a detailed description in the article (refer to steps 1 to 9 for the token part, the other steps are related to the Spring Boot application) but I would like to give an overview of those in reference to my question.
- Install and run the KeyCloak server and go to the endpoint (e.g. http://localhost:8080/auth). Log in with the initial admin login and password (username=admin, password=admin).
- Create a Realm and a Client with openid-connect as the Client Protocol.
- Create users, roles and map Client Role To User.
- Assuming the server is on localhost, visiting http://localhost:8080/auth/realms/dev/.well-known/openid-configuration gives details about all security endpoints.
- Sending a POST request with valid details to http://localhost:8080/auth/realms/dev/protocol/openid-connect/token gives the JWT token.
Getting the public key of the KeyCloak server
- Going to Realm Settings and clicking on Public key pops up the Public key of the server for that Realm. Refer to this image for better understanding.
- Add -----BEGIN PUBLIC KEY----- and append -----END PUBLIC KEY----- to this copied public key to use it anywhere to verify the JWT token. Your public key should finally look something like this:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhAj9OCZd0XjzOIad2VbUPSMoVK1X8hdD2Ad+jUXCzhZJf0RaN6B+79AW5jSgceAgyAtLXiBayLlaqSjZM6oyti9gc2M2BXzoDKLye+Tgpftd72Zreb4HpwKGpVrJ3H3Ip5DNLSD4a1ovAJ6Sahjb8z34T8c1OCnf5j70Y7i9t3y/j076XIUU4vWpAhI9LRAOkSLqDUE5L/ZdPmwTgK91Dy1fxUQ4d02Ly4MTwV2+4OaEHhIfDSvakLBeg4jLGOSxLY0y38DocYzMXe0exJXkLxqHKMznpgGrbps0TPfSK0c3q2PxQLczCD3n63HxbN8U9FPyGeMrz59PPpkwIDAQAB
-----END PUBLIC KEY-----
Validating the token on a third party platform
- jwt.io is a great website for validating JWT tokens. All we have to do is paste the token and public key. Read the introduction of the website here to know more about validating the tokens.