通过 Keycloak API 添加用户时忽略“realmRoles”参数

【问题标题】:The "realmRoles" parameter is ignored when adding a user via the Keycloak API通过 Keycloak API 添加用户时忽略“realmRoles”参数
【发布时间】:2019-12-14 20:29:52
【问题描述】:

我正在尝试通过 Keycloak API 创建用户,并且我想在首次添加用户时为其分配领域级角色。但是,它似乎不像文档所说的那样工作。

我知道我可以简单地在初始创建用户请求之后发出第二个添加角色到用户 API 请求,但是:

  • 文档表明我不需要这样做。
  • 第二个 API 请求可能会失败,使用户处于“不完整”状态。
  • 这会使我正在编写的代码比它需要的更复杂。

为了在irb 中进行测试,使用keycloak Ruby gem,我首先从Keycloak 请求访问令牌:

require 'keycloak'
json = Keycloak::Client.get_token_by_client_credentials
access_token = JSON.parse(json)['access_token']

以下所有内容都会在 Keycloak 中创建一个用户,但没有“所有者”角色:

Keycloak::Admin.generic_post('users', nil, { username: 'someone', realmRoles: ['owner'] }, access_token)
Keycloak::Admin.generic_post('users', nil, { username: 'someone', realmRoles: ['1fff5f5f-7357-4f73-b45d-65ccd01f3bc8'] }, access_token)
Keycloak::Admin.generic_post('users', nil, { username: 'someone', realmRoles: ['{"id":"1fff5f5f-7357-4f73-b45d-65ccd01f3bc8","name":"owner","description":"Indicates that a user is the owner of an organisation.","composite":false,"clientRole":false,"containerId":"MyRealmName"}'] }, access_token)

尝试使用角色哈希而不是字符串会导致错误:

Keycloak::Admin.generic_post('users', nil, { username: 'someone', realmRoles: [{"id"=>"1fff5f5f-7357-4f73-b45d-65ccd01f3bc8", "name"=>"owner", "description"=>"Indicates that a user is the owner of an organisation.", "composite"=>false, "clientRole"=>false, "containerId"=>"MyRealmName"}] }, access_token)

Traceback (most recent call last):
      16: from /home/thomas/.rvm/rubies/ruby-2.6.3/lib/ruby/gems/2.6.0/gems/irb-1.0.0/exe/irb:11:in `<top (required)>'
      15: from (irb):8
      14: from /home/thomas/.rvm/gems/ruby-2.6.3/gems/keycloak-3.0.0/lib/keycloak.rb:541:in `generic_post'
      13: from /home/thomas/.rvm/gems/ruby-2.6.3/gems/keycloak-3.0.0/lib/keycloak.rb:943:in `generic_request'
      12: from /home/thomas/.rvm/gems/ruby-2.6.3/gems/keycloak-3.0.0/lib/keycloak.rb:915:in `block in generic_request'
      11: from /home/thomas/.rvm/gems/ruby-2.6.3/gems/rest-client-2.0.2/lib/restclient.rb:71:in `post'
      10: from /home/thomas/.rvm/gems/ruby-2.6.3/gems/rest-client-2.0.2/lib/restclient/request.rb:52:in `execute'
        9: from /home/thomas/.rvm/gems/ruby-2.6.3/gems/rest-client-2.0.2/lib/restclient/request.rb:145:in `execute'
        8: from /home/thomas/.rvm/gems/ruby-2.6.3/gems/rest-client-2.0.2/lib/restclient/request.rb:715:in `transmit'
        7: from /home/thomas/.rvm/rubies/ruby-2.6.3/lib/ruby/2.6.0/net/http.rb:920:in `start'
        6: from /home/thomas/.rvm/gems/ruby-2.6.3/gems/rest-client-2.0.2/lib/restclient/request.rb:725:in `block in transmit'
        5: from /home/thomas/.rvm/gems/ruby-2.6.3/gems/rest-client-2.0.2/lib/restclient/request.rb:807:in `process_result'
        4: from /home/thomas/.rvm/gems/ruby-2.6.3/gems/keycloak-3.0.0/lib/keycloak.rb:916:in `block (2 levels) in generic_request'
        3: from /home/thomas/.rvm/gems/ruby-2.6.3/gems/keycloak-3.0.0/lib/keycloak.rb:958:in `rescue_response'
        2: from /home/thomas/.rvm/gems/ruby-2.6.3/gems/rest-client-2.0.2/lib/restclient/abstract_response.rb:103:in `return!'
        1: from /home/thomas/.rvm/gems/ruby-2.6.3/gems/rest-client-2.0.2/lib/restclient/abstract_response.rb:223:in `exception_with_response'
RestClient::InternalServerError (500 Internal Server Error)

Keycloak 打印以下内容,表明 - 正如预期的那样 - 角色应该是字符串数组,而不是哈希:

08:53:27,889 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-22) Uncaught server error: com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize instance of `java.lang.String` out of START_OBJECT token
at [Source: (io.undertow.servlet.spec.ServletInputStreamImpl); line: 1, column: 37] (through reference chain: org.keycloak.representations.idm.UserRepresentation["realmRoles"]->java.util.ArrayList[0])

如果我传递单个字符串而不是数组,也会发生同样的事情,例如:

Keycloak::Admin.generic_post('users', nil, { username: 'someone', realmRoles: 'owner' }, access_token)

我做错了什么,还是这只是 Keycloak API 中的一个错误?

参考

类似问题

【问题讨论】:

    标签: ruby keycloak


    【解决方案1】:

    你没有做错任何事。这是 Keycloak API 中的错误。

    这个请求应该有效:

    Keycloak::Admin.generic_post('users', nil, { username: 'someone', realmRoles: ['owner'] }, access_token)

    很遗憾,API 文档有误,因为“realmRoles”属性在尝试创建/更新用户/组时不起作用。

    您可以在 Keycloak 的官方错误跟踪器上找到有关该行为的更多信息:

    目前唯一的解决方案是在 API 上发出多个请求,使用 RoleMappers 将角色映射到用户。

    有关这些操作的文档:https://www.keycloak.org/docs-api/6.0/rest-api/index.html#_role_mapper_resource

    【讨论】:

    • 不幸的是,链接似乎已损坏,并且功能仍然无法正常工作。
    猜你喜欢
    • 1970-01-01
    • 1970-01-01
    • 2021-07-31
    • 2020-12-21
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2018-03-23
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode