logo标签列表

如何在Node.js应用程序中启用Keycloak的策略强制执行?

node.jsredhatkeycloak
4

我需要将node.js应用与keycloak集成。这个应用是基于express的。但是策略没有生效,所有用户都被授予访问所有api的权限。

对于/test api:

只有拥有“chief”角色的用户才能访问。我已经在keycloak管理控制台中给出了这些策略。但是这些策略并没有反映出来。为什么?

没有“chief”角色的用户也可以访问/test。

app.js:

'use strict';

const Keycloak = require('keycloak-connect');
const express = require('express');
const session = require('express-session');
const expressHbs = require('express-handlebars');
const app = express();
app.engine('hbs', expressHbs({extname:'hbs',
 defaultLayout:'layout.hbs',
 relativeTo: __dirname}));
app.set('view engine', 'hbs');
var memoryStore = new session.MemoryStore();
var keycloak = new Keycloak({ store: memoryStore });
app.use(session({
 secret:'thisShouldBeLongAndSecret',
 resave: false,
 saveUninitialized: true,
 store: memoryStore
}));
app.use(keycloak.middleware()); 
app.get('/*', keycloak.protect('user'), function(req, res){
     res.send("User has base permission");
    });

app.get('/test', keycloak.protect(), function(req, res){
     res.send("access granted");
    });
app.get('/',function(req,res){
 res.send("hello world");
});
app.use( keycloak.middleware( { logout: '/'} ));
app.listen(3000, function () {
 console.log('Listening at http://localhost:3000');
});

keycloak.json:

{
  "realm": "nodejs-example",
  "auth-server-url": "http://localhost:8180/auth",
  "ssl-required": "external",
  "resource": "nodejs-connect",
  "credentials": {
    "secret": "451317a2-09a1-48b8-b036-e578051687dd"
  },
  "use-resource-role-mappings": true,
  "confidential-port": 0,
  "policy-enforcer": {
      "enforcement-mode":"PERMISSIVE",

  }
}
2个回答
3

您的keycloak.json中enforcement-mode设置为PERMISSIVE,应该改为ENFORCE。

2
在JSON中添加以下行:"verify-token-audience": true

var Keycloak = require('keycloak-connect');
var hogan = require('hogan-express');
var express = require('express');
var session = require('express-session');

const app = express();

var server = app.listen(3000, function () {
      var host = server.address().address;
      var port = server.address().port;
      console.log('Example app listening at http://%s:%s', host, port);
    });

app.set('view engine', 'html');
app.set('views', require('path').join(__dirname, '/view'));
app.engine('html', hogan);

var memoryStore = new session.MemoryStore();
var keycloak = new Keycloak({ 
    store: memoryStore });

// session
app.use(session({
 secret:'thisShouldBeLongAndSecret',
 resave: false,
 saveUninitialized: true,
 store: memoryStore
}));

app.use(keycloak.middleware({
      admin: '/',
      protected: '/protected/resourcea'
    }));
app.get('/leads/assign',keycloak.enforcer(['leads:assign'],{
    claims: function(request){
    return {
        "location":["chennai"]
    }
    }
    } ), function (req, res) {
        res.send("granted");
    });
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接