透過 REST 介面取得客戶端時,Keycloak 傳回 {"error":"Bearer token format error"}

tag-icon tag-icon windows-10 security docker curl oauth2
透過 REST 介面取得客戶端時,Keycloak 傳回 {"error":"Bearer token format error"}

尋找一種方法來設定 keycloak 環境,建立一個新領域並填充客戶端/用戶,以使用 REST/CURL 介面取得最小 OAuth 端點。

Keycloak 回傳 {"error":"承載令牌格式錯誤"}

我使用的是 Windows 10 Pro + Docker

我甚至沒有從大師領域獲取客戶名單。

我按照以下記錄進行操作:

“keycloak-documentation/server_development/topics/admin-rest-api.adoc”

還有:

“取得屬於該領域的客戶端 (GET /{realm}/clients)”

“授權:持有者 eyJhbGciOiJSUz...”

“Keycloak 角色是如何管理的?”

作為達到的方式:

透過 REST /auth/admin/realms 建立領域

腳本本身:

    mkdir test
    cd test
    npm install -g underscore-cli
    docker run --name keyclk01 -e KEYCLOAK_USER=admuser -e KEYCLOAK_PASSWORD=admpass -p 8444:8443 -p 8081:8080 -p 9991:9990 jboss/keycloak
    docker restart keyclk01
    docker inspect --format "{{.NetworkSettings.IPAddress}}" keyclk01
    curl --proxy 127.0.0.1:8888 -k --url https://127.0.0.1:8444/auth/realms/master/protocol/openid-connect/token -d "username=admuser&password=admpass&client_id=admin-cli&grant_type=password" > 01Raw.json
    type 01Raw.json | underscore pretty
    type 01Raw.json | underscore select ".access_token" | underscore reduce 0 > 02RawToken
    echo|set /p="Authorization: Bearer " > 03HeaderTpl
    type 03HeaderTpl 02RawToken > 04Header
    findstr "." 04Header > 05HeaderFix
    curl --proxy 127.0.0.1:8888 -k --url "https://127.0.0.1:8444/auth/admin/realms/master/clients" -H @05HeaderFix
    curl --proxy 127.0.0.1:8888 -k --url "https://127.0.0.1:8444/auth/admin/realms/master" -H @05HeaderFix
    curl --proxy 127.0.0.1:8888 -k --url "http://127.0.0.1:8444/auth/admin/realms/master/clients" -H @05HeaderFix -o responseFile01.txt
    curl --proxy 127.0.0.1:8888 -k --url "http://127.0.0.1:8444/auth/admin/realms/master" -H @05HeaderFix -o responseFile02.txt
    curl -k --url "http://127.0.0.1:8444/auth/admin/realms/master/clients" -H @05HeaderFix -o responseFile01.txt
    powerShell: Format-Hex responseFile01.txt ==>   0x15 0x03 0x03 0x00 0x02 0x02 0x50
    curl -k --url "http://127.0.0.1:8444/auth/admin/realms/master" -H @05HeaderFix -o responseFile02.txt
    powerShell: Format-Hex responseFile02.txt ==>   0x15 0x03 0x03 0x00 0x02 0x02 0x50

使用 Fiddler 取得的 http 訊息:(
「這個有問題的伺服器沒有回傳標頭」看起來來自 Fiddler 代理)

------------------------------------------------------------------------------------------------------------
POST https://127.0.0.1:8444/auth/realms/master/protocol/openid-connect/token HTTP/1.1
Host: 127.0.0.1:8444
User-Agent: curl/7.55.1
Accept: */*
Content-Length: 73
Content-Type: application/x-www-form-urlencoded

username=admuser&password=admpass&client_id=admin-cli&grant_type=password
------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Connection: keep-alive
Cache-Control: no-store
Set-Cookie: KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/master/; HttpOnly
Pragma: no-cache
Content-Type: application/json
Content-Length: 1783
Date: Wed, 06 Nov 2019 17:28:52 GMT

{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ0RF9JNHY2dHJtWnBMQTg4aFU2V1ZXb0dCcVdwSm0xRW51ajVEWjVuQWE4In0.eyJqdGkiOiI0MTQ4MzgyNi1kOGMyLTQ5ZmEtOWQ1My0xNjY3NjIwM2IzMmIiLCJleHAiOjE1NzMwNjEzOTIsIm5iZiI6MCwiaWF0IjoxNTczMDYxMzMyLCJpc3MiOiJodHRwczovLzEyNy4wLjAuMTo4NDQ0L2F1dGgvcmVhbG1zL21hc3RlciIsInN1YiI6IjA2ODRjZDJmLWU4YWItNDEzNy1hNDMzLTAyNWE1OTcyOTdjOCIsInR5cCI6IkJlYXJlciIsImF6cCI6ImFkbWluLWNsaSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjYwNWVkZTE1LWU4Y2EtNDQ1OS1iYjQ0LTliMzQ5NzA3NzUwZSIsImFjciI6IjEiLCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbXVzZXIifQ.I-snNpKcCFBmhbF5pQox_FZx9SVVhxZppYz3xe0mVgBRIysc8q80T1hpwU15D_mhSQ4UxA875dwYtmq6UHVEG5qbPpCmAqV3YZXfCm2MtSyXiQflibIf6JemoON3QL645N--Y3nFI3mTu5CN9IUyvlXKR4f-AwmxJW1OhyjoyGiVLhJ3MMSKdp2x7MCPBQyuSKdIQLEyeCpWuGj6bviG2jm44xlsigKjGkW7X13bs-CqNwODPdOISX_4cxNnQhClmI6mpoXFW9fhYwLpOdx8vG3gi_5P-IuX6oCNUTyFnkpfOTmbacfG7bqUUwcPeUcjHkQdm9QuJWYmqffWTiJN-w","expires_in":60,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIzOGFmYTg4OC01ZWQ4LTRhZTQtYTU3My00OGNmODRlNDA4YTEifQ.eyJqdGkiOiJlZTE4NGNhYy0xZmY0LTRiNTMtYTBmNy1mYWQ5N2FjZDgwZjIiLCJleHAiOjE1NzMwNjMxMzIsIm5iZiI6MCwiaWF0IjoxNTczMDYxMzMyLCJpc3MiOiJodHRwczovLzEyNy4wLjAuMTo4NDQ0L2F1dGgvcmVhbG1zL21hc3RlciIsImF1ZCI6Imh0dHBzOi8vMTI3LjAuMC4xOjg0NDQvYXV0aC9yZWFsbXMvbWFzdGVyIiwic3ViIjoiMDY4NGNkMmYtZThhYi00MTM3LWE0MzMtMDI1YTU5NzI5N2M4IiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImFkbWluLWNsaSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjYwNWVkZTE1LWU4Y2EtNDQ1OS1iYjQ0LTliMzQ5NzA3NzUwZSIsInNjb3BlIjoicHJvZmlsZSBlbWFpbCJ9.j9-VpOQ8qEmz8KfctOz6tKdlUmOuuUFgeR6unbhdjOc","token_type":"bearer","not-before-policy":0,"session_state":"605ede15-e8ca-4459-bb44-9b349707750e","scope":"profile email"}
------------------------------------------------------------------------------------------------------------
============================================================================================================
------------------------------------------------------------------------------------------------------------
GET https://127.0.0.1:8444/auth/admin/realms/master/clients HTTP/1.1
Host: 127.0.0.1:8444
User-Agent: curl/7.55.1
Accept: */*
Authorization: Bearer "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ0RF9JNHY2dHJtWnBMQTg4aFU2V1ZXb0dCcVdwSm0xRW51ajVEWjVuQWE4In0.eyJqdGkiOiI0MTQ4MzgyNi1kOGMyLTQ5ZmEtOWQ1My0xNjY3NjIwM2IzMmIiLCJleHAiOjE1NzMwNjEzOTIsIm5iZiI6MCwiaWF0IjoxNTczMDYxMzMyLCJpc3MiOiJodHRwczovLzEyNy4wLjAuMTo4NDQ0L2F1dGgvcmVhbG1zL21hc3RlciIsInN1YiI6IjA2ODRjZDJmLWU4YWItNDEzNy1hNDMzLTAyNWE1OTcyOTdjOCIsInR5cCI6IkJlYXJlciIsImF6cCI6ImFkbWluLWNsaSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjYwNWVkZTE1LWU4Y2EtNDQ1OS1iYjQ0LTliMzQ5NzA3NzUwZSIsImFjciI6IjEiLCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbXVzZXIifQ.I-snNpKcCFBmhbF5pQox_FZx9SVVhxZppYz3xe0mVgBRIysc8q80T1hpwU15D_mhSQ4UxA875dwYtmq6UHVEG5qbPpCmAqV3YZXfCm2MtSyXiQflibIf6JemoON3QL645N--Y3nFI3mTu5CN9IUyvlXKR4f-AwmxJW1OhyjoyGiVLhJ3MMSKdp2x7MCPBQyuSKdIQLEyeCpWuGj6bviG2jm44xlsigKjGkW7X13bs-CqNwODPdOISX_4cxNnQhClmI6mpoXFW9fhYwLpOdx8vG3gi_5P-IuX6oCNUTyFnkpfOTmbacfG7bqUUwcPeUcjHkQdm9QuJWYmqffWTiJN-w"


------------------------------------------------------------------------------------------------------------
HTTP/1.1 401 Unauthorized
Connection: keep-alive
Content-Type: application/json
Content-Length: 37
Date: Wed, 06 Nov 2019 17:28:53 GMT

{"error":"Bearer token format error"}
------------------------------------------------------------------------------------------------------------
============================================================================================================
------------------------------------------------------------------------------------------------------------
GET https://127.0.0.1:8444/auth/admin/realms/master HTTP/1.1
Host: 127.0.0.1:8444
User-Agent: curl/7.55.1
Accept: */*
Authorization: Bearer "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ0RF9JNHY2dHJtWnBMQTg4aFU2V1ZXb0dCcVdwSm0xRW51ajVEWjVuQWE4In0.eyJqdGkiOiI0MTQ4MzgyNi1kOGMyLTQ5ZmEtOWQ1My0xNjY3NjIwM2IzMmIiLCJleHAiOjE1NzMwNjEzOTIsIm5iZiI6MCwiaWF0IjoxNTczMDYxMzMyLCJpc3MiOiJodHRwczovLzEyNy4wLjAuMTo4NDQ0L2F1dGgvcmVhbG1zL21hc3RlciIsInN1YiI6IjA2ODRjZDJmLWU4YWItNDEzNy1hNDMzLTAyNWE1OTcyOTdjOCIsInR5cCI6IkJlYXJlciIsImF6cCI6ImFkbWluLWNsaSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjYwNWVkZTE1LWU4Y2EtNDQ1OS1iYjQ0LTliMzQ5NzA3NzUwZSIsImFjciI6IjEiLCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbXVzZXIifQ.I-snNpKcCFBmhbF5pQox_FZx9SVVhxZppYz3xe0mVgBRIysc8q80T1hpwU15D_mhSQ4UxA875dwYtmq6UHVEG5qbPpCmAqV3YZXfCm2MtSyXiQflibIf6JemoON3QL645N--Y3nFI3mTu5CN9IUyvlXKR4f-AwmxJW1OhyjoyGiVLhJ3MMSKdp2x7MCPBQyuSKdIQLEyeCpWuGj6bviG2jm44xlsigKjGkW7X13bs-CqNwODPdOISX_4cxNnQhClmI6mpoXFW9fhYwLpOdx8vG3gi_5P-IuX6oCNUTyFnkpfOTmbacfG7bqUUwcPeUcjHkQdm9QuJWYmqffWTiJN-w"


------------------------------------------------------------------------------------------------------------
HTTP/1.1 401 Unauthorized
Connection: keep-alive
Content-Type: application/json
Content-Length: 37
Date: Wed, 06 Nov 2019 17:28:53 GMT

{"error":"Bearer token format error"}
------------------------------------------------------------------------------------------------------------
============================================================================================================
------------------------------------------------------------------------------------------------------------
GET http://127.0.0.1:8444/auth/admin/realms/master/clients HTTP/1.1
Host: 127.0.0.1:8444
User-Agent: curl/7.55.1
Accept: */*
Connection: Keep-Alive
Authorization: Bearer "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ0RF9JNHY2dHJtWnBMQTg4aFU2V1ZXb0dCcVdwSm0xRW51ajVEWjVuQWE4In0.eyJqdGkiOiI0MTQ4MzgyNi1kOGMyLTQ5ZmEtOWQ1My0xNjY3NjIwM2IzMmIiLCJleHAiOjE1NzMwNjEzOTIsIm5iZiI6MCwiaWF0IjoxNTczMDYxMzMyLCJpc3MiOiJodHRwczovLzEyNy4wLjAuMTo4NDQ0L2F1dGgvcmVhbG1zL21hc3RlciIsInN1YiI6IjA2ODRjZDJmLWU4YWItNDEzNy1hNDMzLTAyNWE1OTcyOTdjOCIsInR5cCI6IkJlYXJlciIsImF6cCI6ImFkbWluLWNsaSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjYwNWVkZTE1LWU4Y2EtNDQ1OS1iYjQ0LTliMzQ5NzA3NzUwZSIsImFjciI6IjEiLCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbXVzZXIifQ.I-snNpKcCFBmhbF5pQox_FZx9SVVhxZppYz3xe0mVgBRIysc8q80T1hpwU15D_mhSQ4UxA875dwYtmq6UHVEG5qbPpCmAqV3YZXfCm2MtSyXiQflibIf6JemoON3QL645N--Y3nFI3mTu5CN9IUyvlXKR4f-AwmxJW1OhyjoyGiVLhJ3MMSKdp2x7MCPBQyuSKdIQLEyeCpWuGj6bviG2jm44xlsigKjGkW7X13bs-CqNwODPdOISX_4cxNnQhClmI6mpoXFW9fhYwLpOdx8vG3gi_5P-IuX6oCNUTyFnkpfOTmbacfG7bqUUwcPeUcjHkQdm9QuJWYmqffWTiJN-w"


------------------------------------------------------------------------------------------------------------
HTTP/1.0 200 This buggy server did not return headers

 P
------------------------------------------------------------------------------------------------------------
============================================================================================================
------------------------------------------------------------------------------------------------------------
GET http://127.0.0.1:8444/auth/admin/realms/master HTTP/1.1
Host: 127.0.0.1:8444
User-Agent: curl/7.55.1
Accept: */*
Connection: Keep-Alive
Authorization: Bearer "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJ0RF9JNHY2dHJtWnBMQTg4aFU2V1ZXb0dCcVdwSm0xRW51ajVEWjVuQWE4In0.eyJqdGkiOiI0MTQ4MzgyNi1kOGMyLTQ5ZmEtOWQ1My0xNjY3NjIwM2IzMmIiLCJleHAiOjE1NzMwNjEzOTIsIm5iZiI6MCwiaWF0IjoxNTczMDYxMzMyLCJpc3MiOiJodHRwczovLzEyNy4wLjAuMTo4NDQ0L2F1dGgvcmVhbG1zL21hc3RlciIsInN1YiI6IjA2ODRjZDJmLWU4YWItNDEzNy1hNDMzLTAyNWE1OTcyOTdjOCIsInR5cCI6IkJlYXJlciIsImF6cCI6ImFkbWluLWNsaSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjYwNWVkZTE1LWU4Y2EtNDQ1OS1iYjQ0LTliMzQ5NzA3NzUwZSIsImFjciI6IjEiLCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbXVzZXIifQ.I-snNpKcCFBmhbF5pQox_FZx9SVVhxZppYz3xe0mVgBRIysc8q80T1hpwU15D_mhSQ4UxA875dwYtmq6UHVEG5qbPpCmAqV3YZXfCm2MtSyXiQflibIf6JemoON3QL645N--Y3nFI3mTu5CN9IUyvlXKR4f-AwmxJW1OhyjoyGiVLhJ3MMSKdp2x7MCPBQyuSKdIQLEyeCpWuGj6bviG2jm44xlsigKjGkW7X13bs-CqNwODPdOISX_4cxNnQhClmI6mpoXFW9fhYwLpOdx8vG3gi_5P-IuX6oCNUTyFnkpfOTmbacfG7bqUUwcPeUcjHkQdm9QuJWYmqffWTiJN-w"


------------------------------------------------------------------------------------------------------------
HTTP/1.0 200 This buggy server did not return headers

 P
------------------------------------------------------------------------------------------------------------
============================================================================================================

答案1

我完全按照你的描述進行操作,但我使用 Python 來解析 JSON。這是我所做的:

ACCESS_TOKEN=$(curl -s -k -d 'client_id=admin-cli' \
                          -d 'username=admin' \
                          -d "password=$KEYCLOAK_PW" \
                          -d 'grant_type=password' \
                         "https://${KEYCLOAK_SERVER}/auth/realms/master/protocol/openid-connect/token" | python -c '
import json,sys;keycloak_data=json.load(sys.stdin);print keycloak_data["access_token"]')

創建領域:

cat <<! | curl -k -s \
        -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: bearer $ACCESS_TOKEN" \
        --data-binary @- "https://${KEYCLOAK_SERVER}/auth/admin/realms"
{"enabled":true,"id":"myrealm","realm":"myrealm"}
!

在客戶端添加

cat <<! | curl -s -k \
        -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: bearer $ACCESS_TOKEN" \
        --data-binary @- "https://${KEYCLOAK_SERVER}/auth/admin/realms/myrealm/clients"
{
                "clientId": "$INSTANCE_NAME",
                "clientAuthenticatorType": "client-secret",
                "protocol": "openid-connect",
                "fullScopeAllowed": false,
                "authorizationServicesEnabled": true,
                "serviceAccountsEnabled": true,
                "redirectUris" : [ "https://$INSTANCE/*" ],
                "publicClient": false,
                "enabled": true
                }
}
!

檢索 CLIENT_ID

CLIENT_ID=$(curl -s -k \
        -X GET \
        -H "Content-Type: application/json" \
        -H "Authorization: bearer $ACCESS_TOKEN" \
        "https://${KEYCLOAK_SERVER}/auth/admin/realms/myrealm/clients" | python -c '
import json,sys,os;keycloak_data=json.load(sys.stdin)
CLIENTID=os.environ["INSTANCE_NAME"]
for c in keycloak_data:
    if c["clientId"]==CLIENTID:
        print c["id"]
        sys.exit()
')

如果您仍然需要它,或者其他人需要它,這也許會有所幫助。

答案2

Keycloak 專案幾乎已經停止,他們現在擁有專有的身份存取管理(IAM)。

Keycloak 本身總是被破壞,許多 REST 端點無法運作並傳回無意義的回應,正如您自己看到的那樣,即使嚴格遵循文件也是如此。

答案是,因為 Keycloak 已損壞,即使遵循文件也不可能執行您想要的操作。

我的建議是你嘗試你能找到的替代方案這裡

相關內容