paulwong

使用REST API与KEYCLOAK进行OUATH2协议的登录认证

KEYCLOAK是一套用户、WEB API登录管理，授权管理的WEB应用。
如果要访问受KEYCLOAK保护的REST API服务，则需要夹带一个ACCESS_TOKEN。

前端页面：

前端页面一般是给用户使用的，则需要用户输入在KEYCLOAK中有效的用户名和密码，并提供CALL BAK的URL，提交给KEYCLOAK
http://10.80.27.69:8180/auth/realms/quickstart/protocol/openid-connect/auth?client_id=app-springboot-confidential&redirect_uri=http://10.80.27.69:8183/&response_type=code&scope=openid
如果KEYCLOAK验证通过，则通知页面重导向回调的URL，并附上code=xxx，此code则是AUTHORIZATION_CODE
http://10.80.27.69:8183/?session_state=2ad9ab98-6c39-43a8-872f-2112c27b74df&code=3f48ce19-58f9-45d9-8c09-30d492bf4b24.2ad9ab98-6c39-43a8-872f-2112c27b74df.bd7526ef-b1bf-447f-baef-b7dfd6f0df93
回调的URL对应的SERVELET，取得AUTHORIZATION_CODE，并加上client_id和client_secrect，调用KEYLOAK的取ACCESS_TOKEN的HTTP API，取得ACCESS_TOKEN，返回给页面
http://10.80.27.69:8180/auth/realms/quickstart/protocol/openid-connect/token
client_id=app-springboot-confidential&client_secret=3acf7692-49cb-4c45-9943-6f3dba512dae&redirect_uri=http://10.80.27.69:8183/&grant_type=authorization_code&code=cc7ac566-90f9-404e-b88e-fa28037b07d1.591311e1-5380-46a2-9363-834f17337922.bd7526ef-b1bf-447f-baef-b7dfd6f0df93
页面保存此ACCESS_TOKEN，就可以调用后台的各种API获取数据
{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJGSjg2R2NGM2pUYk5MT2NvNE52WmtVQ0lVbWZZQ3FvcXRPUWVNZmJoTmxFIn0.eyJleHAiOjE2MzQwMjA4ODksImlhdCI6MTYzNDAyMDU4OSwianRpIjoiNDAwOTQ4ZmQtMGU0MS00YWRjLTlhY2MtMzczZWM2NDVhNzM5IiwiaXNzIjoiaHR0cDovLzEwLjgwLjI3LjY5OjgxODAvYXV0aC9yZWFsbXMvcXVpY2tzdGFydCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiJkZGVkMDA2YS0xY2QxLTRjODUtOTQ1MS0wMjFlZmY3OTFiMmUiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhcHAtc3ByaW5nYm9vdC1jb25maWRlbnRpYWwiLCJzZXNzaW9uX3N0YXRlIjoiYzRlN2QzYTgtMDg2My00OTAwLTkxZmEtMGExYmFmYmRlNGU3IiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYXBwLXNwcmluZ2Jvb3QtY29uZmlkZW50aWFsIjp7InJvbGVzIjpbInVtYV9wcm90ZWN0aW9uIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImNsaWVudElkIjoiYXBwLXNwcmluZ2Jvb3QtY29uZmlkZW50aWFsIiwiY2xpZW50SG9zdCI6IjEwLjEwLjIwLjU3IiwidXNlcl9uYW1lIjoic2VydmljZS1hY2NvdW50LWFwcC1zcHJpbmdib290LWNvbmZpZGVudGlhbCIsInByZWZlcnJlZF91c2VybmFtZSI6InNlcnZpY2UtYWNjb3VudC1hcHAtc3ByaW5nYm9vdC1jb25maWRlbnRpYWwiLCJjbGllbnRBZGRyZXNzIjoiMTAuMTAuMjAuNTcifQ.Ut6aZ6E1d4Esz0gRv2ubxdvrxmGvZLHHZepD5pnGxlqb_yZ4Q82TdGTG0iL4JJn2NH3QAU501dhzzuv6-OT9BUBKP-4ufyKv2DxSvt3GgdN30au5JsATHFyOWuuZGRBd3iWcynf9u3OJnSkHEnrIwRYatgndLzy8dy3AeqF12CI",
    "expires_in": 300,
    "refresh_expires_in": 600,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI2MTlhMmJjOS0yMWIwLTRmNGMtODI4OC1kNTJmMjA3OWEzY2EifQ.eyJleHAiOjE2MzQwMjExODksImlhdCI6MTYzNDAyMDU4OSwianRpIjoiYTM0NTQ1MTYtMzc3NC00YmRlLTgzOTMtN2QyMTdkZjdkZmJkIiwiaXNzIjoiaHR0cDovLzEwLjgwLjI3LjY5OjgxODAvYXV0aC9yZWFsbXMvcXVpY2tzdGFydCIsImF1ZCI6Imh0dHA6Ly8xMC44MC4yNy42OTo4MTgwL2F1dGgvcmVhbG1zL3F1aWNrc3RhcnQiLCJzdWIiOiJkZGVkMDA2YS0xY2QxLTRjODUtOTQ1MS0wMjFlZmY3OTFiMmUiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoiYXBwLXNwcmluZ2Jvb3QtY29uZmlkZW50aWFsIiwic2Vzc2lvbl9zdGF0ZSI6ImM0ZTdkM2E4LTA4NjMtNDkwMC05MWZhLTBhMWJhZmJkZTRlNyIsInNjb3BlIjoicHJvZmlsZSBlbWFpbCJ9.QhjkJBGz5UvwBF7xHM7_V_yjfF0lrA_EWzAVdFf-BRI",
    "token_type": "bearer",
    "not-before-policy": 0,
    "session_state": "c4e7d3a8-0863-4900-91fa-0a1bafbde4e7",
    "scope": "profile email"
}
这就是authorization_code流程

后端服务：

如果是在一个API中要请求另外一个API的数据，不存在具体用户的情况
需提供如下参数：client_id、client_secrect和grant_type，且grant_type=client_credentials，调用KEYLOAK的取ACCESS_TOKEN的HTTP API，取得ACCESS_TOKEN
http://10.80.27.69:8180/auth/realms/quickstart/protocol/openid-connect/token
client_id=app-springboot-confidential&client_secret=3acf7692-49cb-4c45-9943-6f3dba512dae&grant_type=client_credentials
再将此ACCESS_TOKEN以Bearer TOKEN的方式调用别的的API
这就是client_credentials流程

验证Access Token和获取Token元信息：

http://10.80.27.69:8180/auth/realms/quickstart/protocol/openid-connect/token/introspect
client_id=app-springboot-confidential&client_secret=3acf7692-49cb-4c45-9943-6f3dba512dae
Access Token无效时返回：
{
"active": false
}

刷新Token：

http://10.80.27.69:8180/auth/realms/quickstart/protocol/openid-connect/token
client_id=app-springboot-confidential&client_secret=3acf7692-49cb-4c45-9943-6f3dba512dae&grant_type=refresh_token&refresh_token=asdfasd
返回
{
    "access_token": "eyJhbGciOiJSUzI1NiIsIn",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOi",
    "token_type": "Bearer",
    "not-before-policy": 1610728470,
    "session_state": "c1273eb5-f922-420c-b23a-854be9735c1d",
    "scope": "profile email"
}

Reference:
https://blog.csdn.net/nklinsirui/article/details/112706006

https://www.baeldung.com/?s=keycloak

https://www.doag.org/formes/pubfiles/11143470/2019-NN-Sebastien_Blanc-Easily_Secure_your_Microservices_with_Keycloak-Praesentation.pdf

posted @ 2021-10-12 14:40 paulwong 阅读(766) | 评论 (0) | 编辑收藏

Enterprise Architect VS Solution Architect VS Software Architect

Enterprise Architect
定义企业的大概方向

Solution Architect
定义系统使用哪些框架技术

Software Architect
定义系统行为

Technical Architect
定义有关部署所使用服务器

https://stackoverflow.com/questions/524941/whats-the-difference-between-solutions-architect-and-applications-architect

https://www.youtube.com/watch?v=zB9WuYE1REI

posted @ 2021-10-11 15:29 paulwong 阅读(161) | 评论 (0) | 编辑收藏

SPRING CLOUD CONFIG有界面的配置管理中心

https://dyc87112.github.io/spring-cloud-config-admin/

posted @ 2021-10-07 16:55 paulwong 阅读(284) | 评论 (0) | 编辑收藏

开源流程引擎哪个好，如何选型？

https://zhuanlan.zhihu.com/p/369761832

posted @ 2021-09-27 11:05 paulwong 阅读(227) | 评论 (0) | 编辑收藏

Camunda流程引擎

http://shaochenfeng.com/camunda/

posted @ 2021-09-27 10:55 paulwong 阅读(169) | 评论 (0) | 编辑收藏

Camunda/Flowable/Activiti技术发展史

https://blog.csdn.net/qq_30739519/article/details/86583765

posted @ 2021-09-27 10:45 paulwong 阅读(326) | 评论 (0) | 编辑收藏

package org.springframework.integration.stackoverflow.enricher;

import java.util.List;
import java.util.Map;
import java.util.function.Function;
import java.util.stream.Collectors;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.integration.dsl.IntegrationFlow;
import org.springframework.integration.dsl.IntegrationFlows;
import org.springframework.integration.dsl.Transformers;
import org.springframework.integration.http.dsl.Http;
import org.springframework.web.client.RestTemplate;

@SpringBootApplication
public class SpringIntegrationEnricherApplication {

    public static void main(String[] args) {
        SpringApplication.run(SpringIntegrationEnricherApplication.class, args);
    }

    @Bean
    public IntegrationFlow jsonEnricherFlow(RestTemplate restTemplate) {
        return IntegrationFlows.from(Function.class)
                .transform(Transformers.fromJson(Map.class))
                .enrich((enricher) -> enricher
                        .<Map<String, ?>>requestPayload((message) ->
                                ((List<?>) message.getPayload().get("attributeIds"))
                                        .stream()
                                        .map(Object::toString)
                                        .collect(Collectors.joining(",")))
                        .requestSubFlow((subFlow) ->
                                subFlow.handle(
                                        Http.outboundGateway("/attributes?id={ids}", restTemplate)
                                                .httpMethod(HttpMethod.GET)
                                                .expectedResponseType(Map.class)
                                                .uriVariable("ids", "payload")))
                        .propertyExpression("attributes", "payload.attributes"))
                .<Map<String, ?>, Map<String, ?>>transform(
                        (payload) -> {
                            payload.remove("attributeIds");
                            return payload;
                        })
                .transform(Transformers.toJson())
                .get();
    }

}

https://stackoverflow.com/questions/58205432/spring-integration-enrich-transform-message-using-rest-call

https://www.tabnine.com/web/assistant/code/rs/5c781b6ae70f87000197ab9f#L312

posted @ 2021-09-21 13:40 paulwong 阅读(261) | 评论 (0) | 编辑收藏

Java9之HttpClient

Java9之HttpClientAPI实战详解
https://blog.csdn.net/u014042066/article/details/78153653

Java 9 揭秘（14. HTTP/2 Client API）
https://www.cnblogs.com/IcanFixIt/p/7229611.html

Java JDK11(Java11)中设置HttpClient允许不安全的HTTPS连接
https://www.cjavapy.com/article/84/

posted @ 2021-09-03 14:04 paulwong 阅读(207) | 评论 (0) | 编辑收藏

Java 9 Flow API 学习

https://mrbird.cc/Java-9-Flow-API-Learn.html

posted @ 2021-09-02 15:39 paulwong 阅读(195) | 评论 (0) | 编辑收藏

httpClient连接自制SSL证书的rest服务

通常如果rest服务支持https，需申请收费的ssl证书，但也可自制这种证书。
httpClient进行链接时要进行相应的设置，主要是设置SSLContext中的TrustSelfSignedStrategy：

import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.util.concurrent.TimeUnit;

import javax.net.ssl.SSLContext;

import org.apache.http.client.config.RequestConfig;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.ssl.SSLContexts;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class HttpClientConfiguration {


    @Bean
    public PoolingHttpClientConnectionManager poolingHttpClientConnectionManager(AbstractProperties kycProperties) {
        PoolingHttpClientConnectionManager result =
                new PoolingHttpClientConnectionManager(
                        kycProperties.getHttpConnectionTimeToLiveMinu(),
                        TimeUnit.MINUTES
                    );
        result.setMaxTotal(200);
        result.setDefaultMaxPerRoute(20);
        return result;
    }

    @Bean
    public RequestConfig requestConfig(AbstractProperties kycProperties) {
        return RequestConfig
                    .custom()
                  .setConnectionRequestTimeout(kycProperties.getHttpConnectionTimeout())
                  .setConnectTimeout(kycProperties.getHttpConnectionTimeout())
                  .setSocketTimeout(kycProperties.getHttpConnectionTimeout())
                  .build();
    }

    @Bean
    public SSLContext sslContext() throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException {

        return SSLContexts
                    .custom()
                    .loadTrustMaterial(null, new TrustSelfSignedStrategy())
                    .build()
                    ;
    }

    @Bean
    public CloseableHttpClient httpClient(AbstractProperties kycProperties) throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException {
        return HttpClients
                  .custom()
//                  .setConnectionManager(poolingHttpClientConnectionManager(null))
                  .setDefaultRequestConfig(requestConfig(null))
                  .setKeepAliveStrategy(
                          new MyConnectionKeepAliveStrategy(
                                  kycProperties.getHttpConnectionTimeToLiveMinu(),
                                  TimeUnit.MINUTES
                              )
                   )
                  .setMaxConnTotal(200)
                  .setMaxConnPerRoute(20)
//                  .setConnectionTimeToLive(
//                          kycProperties.getHttpConnectionTimeToLiveMinu(),
//                          TimeUnit.MINUTES
//                   )
                  .setSSLContext(sslContext())
                  .build();
    }

}

相应设置

http-connection-timeout: 30000
http-connection-time-to-live-minu: 5

posted @ 2021-09-01 14:24 paulwong 阅读(366) | 评论 (0) | 编辑收藏

My Links

Blog Stats

常用链接

留言簿(63)

随笔分类(1350)

随笔档案(1112)

文章分类(7)

文章档案(10)

相册

收藏夹(2)

AI

Develop

E-BOOK

Other

养生

微服务

搜索

最新评论

阅读排行榜

评论排行榜