Where does Keycloak store the jti claim?


I am trying to research ways of preventing replay attacks, and I think Keycloak uses the jti claim to handle this.

First, I log in through the OpenID REST API (.../protocol/openid-connect/token), and it returns a JWT like this

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlX0l1RWo2cWEza2ZMb1MyVUwyNGJUMGJKUElXRWRkU3YxM2RSd1ZTM1lzIn0.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.OZnw3SbaBpVJSN1KbHMcdmP-zt55AIxmBv3ddyvfXEV-zqStH_TkmZ6P36oDoKu-UctGb9KdemmO0EHM0z1tN4vk35WtS5K3luWtYv42FWvx67mifUxc9BCsgXPz4qx78Kd05UzQ6297NqAAiDfU8gdeywT3mNZ_2AoT45Sw5Sb1cCq8pAJokOHT2PSLHGgTYpY6wbSKe9msfchmzJv1FZK1RnLuLY9HwDhbn_VDIgWlmro8bXNq5eTLAVtnzEL2vEokeFdKDlnPfoBk1oPE5XfjVaqoSBo5yxwxPMKDX_g4EayOXHjQqRCTTKdZm3Ah14DN0t8XBWi3p2vdUhqoIA",
    "expires_in": 59,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3ZTVmNzhhYy05ODVmLTRjMTgtYmMwYS1kMDJjZDFlOGRhNGQifQ.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.Hsaib16poW3SW0EYUB80jU0HyseZi_Ui9tj_2QJAZ-w",
    "token_type": "bearer",
    "not-before-policy": 1566975958,
    "session_state": "6bde39df-7adf-405e-8ca1-0b749aae07d5",
    "scope": "profile email"
}

Decode the access token and you will see the jti claim

{
  "jti": "6f178d12-4377-4931-99c8-ebb24959f76b",
  "exp": 1566977393,
  "nbf": 0,
  "iat": 1566977333,
  "iss": "http://192.168.99.100:8080/auth/realms/master",
  "aud": [
    "master-realm",
    "account"
  ], 
 ...
Next, I see a new entry in the sessions list in the admin console, as shown in the image below

Second, I use the access_token to call the userinfo REST API (.../protocol/openid-connect/userinfo), and it returns a response like this

{
"sub": "49100abd-4dac-4934-950b-97b4dc1bb90c",
"email_verified": false,
"name": "superadmin superadmin",
"preferred_username": "superadmin",
"given_name": "superadmin",
"family_name": "superadmin",
"user": {
    "deviceId": []
},
"email": "superadmin@gmail.com"
}
When I click "Logout all sessions" in the back office, the jti is removed from storage, and when I request userinfo again it returns

{
    "error": "invalid_request",
    "error_description": "User session not found or doesn't have client attached on it"
}

Where is the jti claim stored?

The jti claim value is just a random UUID and is not stored anywhere. What you are looking for is the session_state param, which is the session ID. When you pass the access_token to the /userinfo endpoint, Keycloak retrieves the session_state value and searches the distributed cache (Infinispan) for the corresponding session.

After you click the "Logout all sessions" button, Keycloak clears all sessions from the cache.

Update

Another thing that can mitigate leaked access tokens is to shorten their lifespan. You can specify this on the Timeouts page. A short lifespan (minutes) for access tokens forces clients and applications to refresh their access tokens within a short period. If an admin detects a leak, they can log out all user sessions to invalidate those refresh tokens, or set up a revocation policy. It is also very important to make sure that refresh tokens always stay private to the client and are never transmitted.

There is more information about security considerations in the link above.

Token blacklist

There is no token blacklist in Keycloak, and there should not be. Tokens are issued on behalf of a user or a service account for a specific client. So if you want a regular user to access some service protected by Keycloak, you just create that user in the Keycloak admin console. For a third-party application in machine-to-machine communication, you create a client with the service account enabled, and the third-party application issues access and refresh tokens on its own behalf using its client id and secret.

Instead of blacklisting tokens, you just log out (remove from the cache) the session of the user or client.

If you want to remove a partner's access to the API completely, you can disable the client (Admin -> Clients -> client -> set Enabled to false) or the user (Admin -> Users -> user -> set Enabled to false).
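The model the answer describes, as an added example that is not Keycloak's own code: a resource server validates the token's signature, issuer, audience and lifetime, then decides on session_state by looking it up in a server-side session store, while the jti claim is never consulted. To run offline it assumes HS256 with a constructed shared secret; real Keycloak access tokens are RS256 and must be verified against the realm's public keys. The SessionStore class and all function names are assumptions of this example; the issuer, audience and subject values are copied from the tokens on the page.

```python
# Added example, not Keycloak's code. Assumption: HS256 with a shared secret so the
# example runs offline; Keycloak access tokens are RS256 (verify against the realm JWKS).
import base64
import hashlib
import hmac
import json
import uuid

SECRET = b"constructed-demo-secret-do-not-reuse"          # constructed value
ISSUER = "http://192.168.99.100:8080/auth/realms/master"   # iss from the page's token
AUDIENCE = "account"                                       # one aud from the page's token


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionStore:
    """Stand-in (assumption) for Keycloak's distributed Infinispan session cache."""

    def __init__(self) -> None:
        self._sessions: dict[str, str] = {}   # session_state -> subject

    def create(self, subject: str) -> str:
        session_state = str(uuid.uuid4())
        self._sessions[session_state] = subject
        return session_state

    def logout_all(self) -> None:
        """What the admin console's 'Logout all sessions' button does to the cache."""
        self._sessions.clear()

    def is_active(self, session_state: str) -> bool:
        return session_state in self._sessions


def mint_access_token(subject: str, session_state: str, now: int, lifespan: int = 60) -> str:
    """Issue an HS256 token shaped like the decoded access token on the page."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "jti": str(uuid.uuid4()),   # random UUID; the issuer keeps no record of it
        "exp": now + lifespan,
        "nbf": 0,
        "iat": now,
        "iss": ISSUER,
        "aud": [AUDIENCE],
        "sub": subject,
        "session_state": session_state,
    }
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    signature = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_access_token(token: str, store: SessionStore, now: int) -> tuple[bool, str, dict]:
    """Return (ok, reason, claims): signature and time checks first, session lookup last."""
    try:
        header_b64, claims_b64, signature_b64 = token.split(".")
    except ValueError:
        return False, "malformed token", {}
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":                         # refuse 'none' and any downgrade
        return False, "unsupported alg", {}
    expected = hmac.new(SECRET, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        return False, "bad signature", {}
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER or AUDIENCE not in claims.get("aud", []):
        return False, "wrong issuer or audience", claims
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):
        return False, "token expired or not yet valid", claims
    # The step the answer describes: session_state decides, jti is never looked up.
    if not store.is_active(claims.get("session_state", "")):
        return False, "User session not found or doesn't have client attached on it", claims
    return True, "ok", claims


def demo() -> tuple[bool, bool]:
    """Token accepted while the session lives, rejected right after logout, well before exp."""
    store = SessionStore()
    now = 1566977333                                            # iat from the page's token
    subject = "49100abd-4dac-4934-950b-97b4dc1bb90c"            # sub from the page's token
    session_state = store.create(subject)
    token = mint_access_token(subject, session_state, now)
    before, _, _ = verify_access_token(token, store, now + 10)
    store.logout_all()
    after, _, _ = verify_access_token(token, store, now + 20)   # still 40 s before exp
    return before, after
```

Running demo() returns (True, False): the same unexpired token passes every cryptographic check both times, and only the missing session turns it away, which is exactly why the question's "Logout all sessions" click produced the "User session not found" error. An application that needs single-use tokens would have to keep its own set of seen jti values on the resource-server side; as the answer says, Keycloak itself does not.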

Isn't JTI used for blacklisting tokens? And does the OpenID auth endpoint (REST API) create a session? What is a token blacklist in Keycloak?

Yes, every time a user authenticates, Keycloak creates a session and issues an access/refresh token pair for that session. I added a link to the relevant documentation section.

OK, the session is over. JTI is created by Keycloak but not used?

Could you read this @PanupongKongarn? I updated my answer. In short, instead of blacklisting tokens, log out the session of a particular user (or service account). You can extend the authentication mechanism to include user-agent information and show it on the account's Sessions page, or even create a custom REST endpoint that logs out every session of a specific device.