我有一个angular2客户端连接到由Play Framework实现的web api。客户端被重定向到keycloak服务器以获取令牌。我在他们的github项目中跟踪了Keycloak样本,客户端正在工作并获得令牌。不幸的是,我找不到适用于Play Framework的适配器。到目前为止,我有以下代码来检查用户是否有权访问请求的资源。Keycloak资源没有适配器的授权
val authzClient = AuthzClient.create()
val request = new EntitlementRequest
val permissions = new PermissionRequest
permissions.setResourceSetName(resourceName)
request.addPermission(permissions)
val entitlementResponse = authzClient.entitlement(token)
.get(resourceServer, request)
我假设服务器是否返回禁止的代码,令牌用户无权访问资源。我在正确的轨道上吗?谢谢。
更新:
我开发了一个自定义操作,检查头和验证授权托克:
import pdi.jwt.{JwtAlgorithm, JwtJson}
import play.api.libs.json.{JsValue, Json}
import play.api.mvc.{ActionRefiner, Request, Result, Results}
import scala.concurrent.Future
import scala.concurrent.ExecutionContext.Implicits.global
import scala.util.{Failure, Success}
case class UserRequest[A](user: User, request: Request[A])
object UserAction extends ActionRefiner[Request, UserRequest] {
private val secret = "xxxxxx"
private val algorithm = JwtAlgorithm.RS256
override protected def refine[A](request: Request[A]): Future[Either[Result, UserRequest[A]]] = Future {
request.headers.get("Authorization") match {
case Some(headerToken) => {
val token = headerToken.substring(7)
JwtJson.decode(token, secret, Seq(algorithm)) match {
case Success(validToken) => {
val tokenJson = Json.parse(validToken.content)
val user = extractUser(tokenJson)
Right(UserRequest(user, request))
}
case Failure(ex) =>
Left(Results.Unauthorized)
}
}
case None => Left(Results.Unauthorized)
}
}
private def extractUser(token: JsValue): User = {
val username = (token \ "preferred_username").as[String]
val firstName = (token \ "given_name").asOpt[String]
val familyName = (token \ "family_name").asOpt[String]
val name = (token \ "name").asOpt[String]
User(username, firstName, familyName, name)
}
}
您是否找到了缺少Play Framework适配器的解决方案? – Atropo
我最终使用jwt-play来验证播放服务器端的令牌。如果有帮助,我可以发布代码。 –
是的,这将是有益的,谢谢! – Atropo