我将使用keycloak保护我的golang应用程序,但keycloak本身不支持go语言.有一些go适配器作为
github中的一个开放项目,已经实现了openId connect协议作为提供者服务,但它们没有提供有关如何将库与应用程序集成的示例或文档.由于我是这个领域的新手,我很困惑如何在自己的应用程序中使用这些库.有关此问题的任何帮助或文档?非常感谢.
正如您所指出的,golang没有官方的keycloak适配器.
但实施它是非常简单的.这里有一点点走过.
原文链接:/go/186852.html但实施它是非常简单的.这里有一点点走过.
Keycloak服务器
对于此示例,我将使用官方keycloak docker镜像来启动服务器.
使用的版本是4.1.0.Final.我认为这也适用于较旧的KeyCloak版本.
docker run -d -p 8080:8080 -e KEYCLOAK_USER=keycloak -e KEYCLOAK_PASSWORD=k --name keycloak jboss/keycloak:4.1.0.Final
服务器启动并运行后,您可以在浏览器中打开localhost:8080 / auth,导航到管理控制台并使用用户名keycloak和k作为相应的密码登录.
我不会完成创建领域/客户/用户的完整过程.你可以查看下
https://www.keycloak.org/docs/latest/server_admin/index.html#admin-console
这里只是我为重现这个例子所做的工作的大纲:
>创建一个名为demo的领域
>为这个领域关闭ssl的要求(realmsettings – > login – > require ssl)
>创建一个名为demo-client的客户端
>创建一个名为demo的用户密码demo(用户 – >添加用户).确保激活并模拟此用户.
>将demo-client配置为机密,并使用http:// localhost:8181 / demo / callback作为有效的重定向URI.
生成的keycloak.json(从安装选项卡获取)如下所示:
{
"realm": "demo","auth-server-url": "http://localhost:8080/auth","ssl-required": "none","resource": "demo-client","credentials": {
"secret": "cbfd6e04-a51c-4982-a25b-7aaba4f30c81"
},"confidential-port": 0
}
请注意,你的秘密会有所不同.
Go服务器
让我们回到go服务器.我使用github.com/coreos/go-oidc包进行繁重的工作:
package main
import (
"context"
"encoding/json"
"log"
"net/http"
"strings"
oidc "github.com/coreos/go-oidc"
"golang.org/x/oauth2"
)
func main() {
configURL := "http://localhost:8080/auth/realms/demo"
ctx := context.Background()
provider,err := oidc.NewProvider(ctx,configURL)
if err != nil {
panic(err)
}
clientID := "demo-client"
clientSecret := "cbfd6e04-a51c-4982-a25b-7aaba4f30c81"
redirectURL := "http://localhost:8181/demo/callback"
// Configure an OpenID Connect aware OAuth2 client.
oauth2Config := oauth2.Config{
ClientID: clientID,ClientSecret: clientSecret,RedirectURL: redirectURL,// Discovery returns the OAuth2 endpoints.
Endpoint: provider.Endpoint(),// "openid" is a required scope for OpenID Connect flows.
Scopes: []string{oidc.ScopeOpenID,"profile","email"},}
state := "somestate"
oidcConfig := &oidc.Config{
ClientID: clientID,}
verifier := provider.Verifier(oidcConfig)
http.HandleFunc("/",func(w http.ResponseWriter,r *http.Request) {
rawAccessToken := r.Header.Get("Authorization")
if rawAccessToken == "" {
http.Redirect(w,r,oauth2Config.AuthCodeURL(state),http.StatusFound)
return
}
parts := strings.Split(rawAccessToken," ")
if len(parts) != 2 {
w.WriteHeader(400)
return
}
_,err := verifier.Verify(ctx,parts[1])
if err != nil {
http.Redirect(w,http.StatusFound)
return
}
w.Write([]byte("hello world"))
})
http.HandleFunc("/demo/callback",r *http.Request) {
if r.URL.Query().Get("state") != state {
http.Error(w,"state did not match",http.StatusBadRequest)
return
}
oauth2Token,err := oauth2Config.Exchange(ctx,r.URL.Query().Get("code"))
if err != nil {
http.Error(w,"Failed to exchange token: "+err.Error(),http.StatusInternalServerError)
return
}
rawIDToken,ok := oauth2Token.Extra("id_token").(string)
if !ok {
http.Error(w,"No id_token field in oauth2 token.",http.StatusInternalServerError)
return
}
idToken,rawIDToken)
if err != nil {
http.Error(w,"Failed to verify ID Token: "+err.Error(),http.StatusInternalServerError)
return
}
resp := struct {
OAuth2Token *oauth2.Token
IDTokenClaims *json.RawMessage // ID Token payload is just JSON.
}{oauth2Token,new(json.RawMessage)}
if err := idToken.Claims(&resp.IDTokenClaims); err != nil {
http.Error(w,err.Error(),http.StatusInternalServerError)
return
}
data,err := json.MarshalIndent(resp,""," ")
if err != nil {
http.Error(w,http.StatusInternalServerError)
return
}
w.Write(data)
})
log.Fatal(http.ListenAndServe("localhost:8181",nil))
}
该程序启动带有两个端点的常规http服务器.第一个(“/”)是您处理的常规端点
应用逻辑.在这种情况下,它只向您的客户返回“hello world”.
第二个端点(“/ demo / callback”)用作keycloak的回调.此端点需要在您的帐户上注册
keycloak服务器.在成功进行用户身份验证后,Keycloak将向此回调URL发出重定向.重定向包含一些其他查询参数.这些参数包含可用于获取访问/ id令牌的代码.
验证您的设置
为了测试此设置,您可以打开webbrowser并navitage到http:// localhost:8181.
请求应该到达您的go服务器,该服务器会尝试对您进行身份验证.由于您没有发送令牌,因此转到服务器
将重定向到keycloak进行身份验证.
你应该看到keycloak的登录界面.使用您为此领域创建的演示用户登录(演示/演示).
如果您已正确配置了keycloak,它将对您进行身份验证并将您重定向到您的go服务器回调.
最终的结果应该是像这样的json
{
"OAuth2Token": {
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJsc1hHR2VxSmx3UUZweWVYR0x6b2plZXBYSEhXUngtTHVJTVVLdDBmNmlnIn0.eyJqdGkiOiI5ZjAxNjM2OC1lYmEwLTRiZjMtYTU5Ni1kOGU1MzdmNTNlZGYiLCJleHAiOjE1MzIxNzM2NTIsIm5iZiI6MCwiaWF0IjoxNTMyMTczMzUyLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6ImRlbW8tY2xpZW50Iiwic3ViIjoiMzgzMzhjOGItYWQ3Zi00NjlmLTgzOTgtMTc5ODk1ODFiYTEyIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZGVtby1jbGllbnQiLCJhdXRoX3RpbWUiOjE1MzIxNzMzNTIsInNlc3Npb25fc3RhdGUiOiJjZTg2NWFkZC02N2I4LTQ5MDUtOGYwMy05YzE2MDNjMWJhMGQiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInByZWZlcnJlZF91c2VybmFtZSI6ImRlbW8iLCJlbWFpbCI6ImRlbW9AZGVtby5jb20ifQ.KERz8rBddxM9Qho3kgigX-fClWqbKY-3JcWT3JOQDoLa-prkorfa40BWlyf9ULVgjzT2d8FLJpqQIQYvucKU7Q7vFBVIjTGucUZaE7b6JGMea5H34A1i-MNm7L2CzDJ2GnBONhNwLKoftTSl0prbzwkzcVrps-JAZ6L2gssSa5hBBGJYBKAUfm1OIb57Jq0vzro3vLghZ4Ay7iNunwfcHUrxiFJfUjaU6PQwzrA5pnItOPuavJFUgso7-3JLtn3X9GQuyyZKrkDo6-gzU0JZmkQQzAXXgt43NxooryImuacwSB5xbIKY6qFkedldoOPehld1-oLv0Yy_FIwEad3uLw","token_type": "bearer","refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJsc1hHR2VxSmx3UUZweWVYR0x6b2plZXBYSEhXUngtTHVJTVVLdDBmNmlnIn0.eyJqdGkiOiI0MjdmMTlhYy1jMTkzLTQ2YmQtYWFhNi0wY2Q1OTI5NmEwMGQiLCJleHAiOjE1MzIxNzUxNTIsIm5iZiI6MCwiaWF0IjoxNTMyMTczMzUyLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6ImRlbW8tY2xpZW50Iiwic3ViIjoiMzgzMzhjOGItYWQ3Zi00NjlmLTgzOTgtMTc5ODk1ODFiYTEyIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImRlbW8tY2xpZW50IiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiY2U4NjVhZGQtNjdioC00OTA1LThmMDMtOWMxNjAzYzFiYTBkIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIn0.FvvDW6ZSH8mlRR2zgaN1zesX14SmkCs9RrIVU4Jn1-SHVdKEA6YKur0-RUAFTObQDMLVhFFJ05AjGVGWpBrgVDcAwW2pI9saM-OHlyTJ3VfFoylgfzakVOIpbIDnHO12UaJrkOI9NWPAJdbBOzBHfsDhKbxhjg4ZX8SwlKr42rV4WWuSRcNu4_YDVO19SiXSCKXVldZ1_2S-qPvViq7VZfaoRLHuYyDvma_ByMsmib9JUkevJ8dxsYxVQ5FWaAfFanh1a1f8HxNRI-Cl180oPn1_Tqq_SYwxzBCw7Q_ENkMirwRS1a4cX9yMVEDW2uvKz2D-OiNAUK8d_ONuPEkTGQ","expiry": "2018-07-21T13:47:28.986686385+02:00"
},"IDTokenClaims": {
"jti": "f4d56526-37d9-4d32-b99d-81090e92d3a7","exp": 1532173652,"nbf": 0,"iat": 1532173352,"iss": "http://localhost:8080/auth/realms/demo","aud": "demo-client","sub": "38338c8b-ad7f-469f-8398-17989581ba12","typ": "ID","azp": "demo-client","auth_time": 1532173352,"session_state": "ce865add-67b8-4905-8f03-9c1603c1ba0d","acr": "1","email_verified": true,"preferred_username": "demo","email": "demo@demo.com"
}
}
您可以复制访问令牌并使用curl验证服务器是否能够接受您的令牌:
# use your complete access token here export TOKEN="eyJhbG..." curl -H "Authorization: Bearer $TOKEN" localhost:8181 # output hello world
您可以在令牌过期后再次尝试 – 或者使用令牌进行调整.如果你这样做,你应该重定向到你的keycloak服务器了.
