- I-Keycloak ingumhlinzeki wobunikazi bomthombo ovulekile ohlanganisa ubuqiniso, ukugunyazwa, kanye ne-SSO kuzinhlelo zokusebenza eziningi usebenzisa i-OAuth 2.0, i-OpenID Connect, kanye ne-SAML.
- Imodeli yayo yezindawo, abasebenzisi, amaqembu, kanye nezindima ivumela ukuphathwa okuguquguqukayo kobunikazi kanye nezimvume, okuhlanganisa ukuhlangana nezinhlu zangaphandle ezifana ne-LDAP, i-Active Directory, noma i-Azure AD.
- Ingasetshenziswa ku-Docker, Kubernetes, noma kumishini. Linux nge-PostgreSQL, futhi ikhula ngokutholakala okuphezulu ngemuva kwama-proxies angemuva kanye nama-load balancers afana ne-Nginx kanye ne-Keepalived.
- Amathokheni e-JWT akhishwe yi-Keycloak angenziwa ngezifiso kusetshenziswa ama-mapper, okuvumela amamodeli okuphepha amahle ahlanganiswa kalula kuma-API nezinhlelo zokusebenza zesimanje.
Cishe kunoma yiluphi uhlelo lokusebenza lwesimanje olusebenzisa nsuku zonke (i-imeyili, imithombo yezokuxhumana, ama-intranet ezinkampani, amadeshibhodi amakhasimende, njll.) ngemuva kwezigcawu, kukhona uhlelo olunquma ukuthi ungubani nokuthi yini ongayifinyelela. Lapho izinkampani ziqala ukuqoqa izinhlelo zokusebenza, izinsizakalo, nama-API, ukuphatha ngesandla abasebenzisi, amaphasiwedi, izimvume, kanye nezikhathi kuba yindaba ebuhlungu ngempela.
I-Keycloak ifika ngesikhathi esifanele sokuxazulula leyo nkingaI-Keycloak iyipulatifomu yokuphatha ubunikazi nokufinyelela ehlanganisa ukuqinisekiswa, ukugunyazwa, kanye nokungena ngemvume okukodwa kwezinhlelo zokusebenza eziningi. Esikhundleni sokuthi uhlelo ngalunye lusebenzise uhlelo lwalo lokungena, indima, kanye nokubuyisa iphasiwedi, i-Keycloak isingatha konke lokho, futhi izinhlelo zokusebenza zimane ziyithembe zisebenzisa amazinga afana ne-OAuth 2.0, i-OpenID Connect, noma i-SAML 2.0.
Iyini i-Keycloak futhi iyidlala yiphi indima ekuphepheni kwe-IAM?
I-Keycloak iyi-IdP yomthombo ovulekile (Umhlinzeki Wobunikazi)Ibhalwe ngeJava futhi igcinwa yiRed Hat (eyayikade i-JBoss), inelayisensi ngaphansi kwe-Apache 2.0, ngakho ingasetshenziswa futhi ilungiswe ngokukhululekile ngisho nasezindaweni zezentengiselwano. Kukhona inguqulo ekhokhelwayo, esezingeni lebhizinisi ebizwa ngokuthi iRed Hat Single Sign-On, kodwa ukusebenza okuyinhloko kuyafana.
Le seva yobunikazi inikeza i-SSO, i-federation, kanye ne-multi-tenancyIvumela umsebenzisi ukuthi angene kanye futhi afinyelele izinhlelo zokusebenza eziningi, lezo zinhlelo zokusebenza zidlulisela ubuqiniso ku-Keycloak, kanye nokuphathwa kwabasebenzisi, amaqembu, izimfanelo, kanye nezimvume kwenziwa ngaphakathi, ngaphandle kokusebenzisa kabusha isondo kuphrojekthi ngayinye.
I-Keycloak ihlukile kwezinye izixazululo ze-IAM (mahhala, umthombo ovulekile, noma obunikazi) ngokusekelwe ekuvuthweni kwazo, ukwamukelwa, kanye nokuhambisana nezinqubo ezijwayelekile. Noma kunjalo, ikhambi elifanele lenhlangano ngayinye lizoncika ezidingweni zayo (ukusekelwa kwezentengiselwano, i-SLA, imisebenzi ethile, endaweni uma kuqhathaniswa nokuthunyelwa kwe-SaaS, njll.).
Enye yamandla kaKeycloak Ihlanganisa izingxenye eziningana: ukuqinisekiswa okusekelwe ku-OAuth 2.0 kanye ne-OpenID Connect, ukwesekwa kwe-SAML 2.0, ukungena ngemvume komphakathi (-Google, Facebook, GitHub, njll.), ukuhlanganiswa ne-LDAP kanye ne-Active Directory, ukuphathwa nge-web console, i-CLI kanye ne-REST API, kanye nemodeli eguquguqukayo yabasebenzisi, amaqembu kanye nezindima ezibonakala kumathokheni akhishwe kuzinhlelo zokusebenza.
Izisekelo ezidingekayo: i-OAuth 2.0, i-OpenID Connect kanye ne-JWT
Ukuze uqonde ngokugcwele lokho okwenziwa yi-Keycloak, kuyasiza ukuba nemibono emithathu ecacile.I-OAuth 2.0, i-OpenID Connect (OIDC), kanye ne-JSON Web Tokens (JWT). Akudingeki ube uchwepheshe, kodwa udinga ukuqonda umqondo ojwayelekile, ngoba konke kuzungeze wona.
I-OAuth 2.0 njengohlaka lokugunyazwa
I-OAuth 2.0 iwuhlaka olujwayelekile lokugunyazwa kwe-APIIsetshenziswa yiziqhwaga ezifana ne-Google, i-Facebook, i-Microsoft, i-GitHub, kanye ne-LinkedIn, umsebenzi wayo oyinhloko ukuvumela uhlelo lokusebenza (iklayenti) ukuthi lifinyelele izinsiza zomsebenzisi kolunye uhlelo lokusebenza noma i-API, ngemvume ecacile yomsebenzisi, ngaphandle kokwabelana njalo ngeziqinisekiso.
Esikhundleni sokuthumela igama lomsebenzisi nephasiwedi esicelweni ngasinyeI-OAuth 2.0 yethula umqondo wethokheni yokufinyelela: ithokheni yokufinyelela yesikhashana ethunyelwa ngezingcingo ze-HTTP ku-API futhi iqinisekiswe yi-API. I-IdP (i-Keycloak, isibonelo) ikhipha le thokheni ngemuva kokuqinisekisa ubunikazi bomsebenzisi kanye nemvume yakhe.
Indinganiso ichaza ukugeleza okuningana kokugunyazwa (izinhlobo zezibonelelo) ukuvumelanisa inqubo nohlobo lweklayenti: izinhlelo zokusebenza ezivikelekile ze-backend, ama-SPA asekelwe kusiphequluli, Izinhlelo zokusebenza amadivayisi eselula, amadivayisi anqunyelwe, ukuxhumana phakathi komshini nomshini, njll. Ukugeleza ngakunye kuphawula lokho okushintshaniswayo esinyathelweni ngasinye (amakhodi okugunyaza, amathokheni, iziqinisekiso, njll.).
Izindima ezine eziyisisekelo ze-OAuth 2.0 Yilezi:
- Umnikazi Wensiza: ngokuvamile umsebenzisi ofuna ukubonisana noma ukuguqula idatha yakhe.
- Client: uhlelo lokusebenza (iwebhu, iselula, IoT, i-backend…) efuna ukwenza okuthile egameni lomsebenzisi.
- iseva yensiza: i-API eveza idatha futhi iqinisekise amathokheni okufinyelela.
- Iseva Yokugunyazwa: i-IdP (Keycloak) eqinisekisa umsebenzisi futhi ikhiphe amathokheni.
Ngaphezu kwalokho, i-OAuth 2.0 yethula umqondo wezikophuLokhu kuchaza ububanzi bemvume umsebenzisi ayinikeza isicelo: ukufunda i-imeyili, ukuthumela kunethiwekhi yokuxhumana nabantu, ukufinyelela iphrofayela eyisisekelo, njll. Ithokheni ekhishwe ifaka ikhodi yokuthi yiziphi izimvume ezinikezwe iklayenti.
I-OpenID Connect: ungqimba lobunikazi oluphezulu kwe-OAuth 2.0
I-OpenID Connect (OIDC) ingeza ubunikazi ku-OAuth 2.0Nakuba i-OAuth ibhekana nokugunyazwa (lokho uhlelo lokusebenza olungakwenza), i-OIDC ibhekana nokuhlonza ngendlela ejwayelekile ukuthi ngubani umsebenzisi oqinisekisiwe nokuthi angayithola kanjani idatha yakhe eyisisekelo.
I-OIDC ichaza ama-endpoints kanye ne-metadata eyaziwayo, njengombhalo wokutholwa oshicilelwe endleleni /.well-known/openid-configuration lapho umhlinzeki ecacisa khona ama-URL okugunyazwa, ithokheni, okhiye bomphakathi, ulwazi lomsebenzisi, njll. Lokhu kuvumela izinhlelo zokusebenza ukuthi zilungiselelwe cishe ngokuzenzakalelayo.
Iphinde inikeze iphuzu lokugcina le-UserInfo.Lokhu kusetshenziselwa ukuthola ulwazi kumsebenzisi oqinisekisiwe (igama, i-imeyili, njll.) kusetshenziswa ithokheni yokufinyelela evumelekile. Kuvamile kakhulu ekuhlanganisweni okusekelwe ku-Keycloak ukufunda le datha ngemuva kokungena ngemvume ukuze kugcwaliswe amaphrofayili abasebenzisi kuhlelo lokusebenza.
I-Access_token kanye ne-JSON Web Tokens (JWT)
Ezinhlelweni eziningi zesimanje, i-access_token iyi-JWT (JSON Web Token). Lena indinganiso (RFC 7519) yokumela izimangalo njenge-JSON esayiniwe ngedijithali, ngezingxenye ezintathu ezihlukaniswe ngezikhathi: i-header, i-payload, kanye nesiginesha, konke kufakwe ikhodi ku-Base64URL.
Isihloko sibonisa ulwazi lobuchwepheshe mayelana nethokheni. (i-algorithm yesiginesha, uhlobo lwethokheni, futhi ngokuvamile isihlonzi sesihluthulelo esisetshenzisiwe, kidUmthwalo okhokhelwayo uqukethe izimangalo, njenge:
- Exp: usuku lokuphelelwa isikhathi.
- eya: isikhathi sokusakazwa.
- Nissan: umkhiphi, ngokuvamile i-URL ye-IdP.
- sub: isihlonzi somsebenzisi esiyingqayizivele.
- i-auditor: izilaleli okuqondiswe kuzo ithokheni.
- jti: isihlonzi esiyingqayizivele sethokheni.
Isiginesha sikhiqizwa ngokhiye oyimfihlo noma oyimfihlo.Ngakho-ke, noma yikuphi ukuguqulwa kwethokheni kuphula isiginesha futhi kutholakala ngesikhathi sokuqinisekiswa. I-API ithola ukhiye womphakathi ku-IdP ngenxa yesakhiwo. jwks_uri kusukela kudokhumenti yokuthola, ekhomba ifayela le-JSON eliqukethe uhlu lwezikhiye zomphakathi kanye kid.
I-Keycloak ivumela futhi ukwenza ngezifiso amathokheni akhishweIzimangalo ezengeziwe zingangezwa ngokusekelwe ezicini zomsebenzisi, amaqembu, izindima, noma ngisho namanani aqinile. Lokhu kwenziwa kusetshenziswa ama-mapper alungiselelwe iklayenti ngalinye noma ububanzi beklayenti ngalinye, okwenza kube lula ngama-API ukuthola ulwazi aludingayo ngqo.
Ukwakhiwa kwe-Keycloak: Izindawo, Abasebenzisi, Amaqembu, kanye Nezindima
I-Keycloak ihlela ukucushwa kwayo kuma-RealmsLokhu kufana “namaseva obunikazi obubonakalayo” ngaphakathi kokufakwa okukodwa. Abanye abathengisi babiza into efanayo ngokuthi i-renting noma i-directory. Indawo ngayinye inabasebenzisi bayo abazimele, amaqembu, amaklayenti, izinqubomgomo, kanye nezilungiselelo.
Ngokuzenzakalelayo kukhona indawo ekhethekile ebizwa ngokuthi i-masterLe akhawunti kufanele igcinelwe imisebenzi yokuphatha yomhlaba wonke, njengokudala nokuphatha eminye imikhakha. Umsebenzisi womlawuli angaphatha imikhakha eminingi kusukela kukhonsoli efanayo ngaphandle kokungena ngemvume ngama-akhawunti ahlukene ngayinye.
Abasebenzisi bendawo bangachazwa ngaphakathi kwendawoukubanika izimfanelo ezenziwe ngokwezifiso, ukuzihlanganisa, nokuzihlobanisa nezindima. Imodeli yakhelwe ngokucophelela ukuze ulwazi olufanele lubonakale ekugcineni kumathokheni asetshenziswa uhlelo lokusebenza (izindima, amaqembu, idatha yephrofayela, amafulegi okuphepha, njll.).
Amaqembu avumela abasebenzisi ukuthi bahlelwe ngokwezigaba.Iqembu lingaba namaqembu amancane (izingane), futhi umsebenzisi udla izimfanelo nezindima zawo wonke amaqembu angamalungu awo, okuhlanganisa nabazali bakhe. Lokhu kuvumela amamodeli okugunyazwa aguquguqukayo kakhulu ngaphandle kokuphinda ukucushwa komsebenzisi ngamunye.
Ngokuphathelene nezindima, kunezigaba ezimbili eziyinhloko:
- Izindima zoMbuso: emhlabeni jikelele ngaphakathi kombuso, isetshenziswe kakhulu ekuvumeleni impahla ehlukahlukene.
- Izindima zamakhasimende: okuqondene nohlelo lokusebenza oluthile, okuvumela ubuncane obuhle besevisi ngayinye.
I-Keycloak isekela izindima ezihlanganisiweOkusho ukuthi, izindima ezihlanganisa nezinye izindima. Lokhu kusiza ukuqoqa izimvume bese uzinika abasebenzisi noma amaqembu ngesikhathi esisodwa, nakuba kungcono ukungazisebenzisi ngokweqile ukuze ugweme ukwenza ukuphathwa kube nzima noma ukuthinta ukusebenza.
Ukufaka i-Keycloak kumodi yokuthuthukisa: i-Docker, i-Kubernetes, kanye ne-VM
Ukusetha indawo yelebhu nge-Keycloak Kunezinketho eziningana ezilula: Isitsha se-Docker, ukufakwa ku-Kubernetes (isibonelo nge-Minikube) noma ukufakwa okuvamile emshinini obonakalayo one-Linux ne-OpenJDK.
Ingubo yokhiye ku-Docker
Indlela esheshayo yokuqala i-Keycloak yokuhlola Kuhilela ukusebenzisa isitsha esinesithombe esisemthethweni, ukudalula i-port 8080 nokudlulisa igama lomsebenzisi nephasiwedi yomlawuli ngokusebenzisa iziguquguquki zemvelo, ukuqala kabusha kumodi start-dev (ngaphandle kwe-HTTPS kanye nesizindalwazi se-H2 esifakiwe):
Ngomyalo owodwa we-Docker iseva esebenzayo itholakala ku- http://localhost:8080, ngokwanele ukushintshanisa ikhonsoli yokuphatha, ukudala izindawo, abasebenzisi, amaklayenti nokuhlola ukuhlanganiswa okuyisisekelo.
Ingubo yokhiye ku-Kubernetes ne-Minikube
Uma usuvele usebenza neKubernetes, ungayisebenzisa kalula iKeycloak. Usebenzisa amasampula avela endaweni yokugcina esemthethweni, udala i-Deployment kanye ne-Service, bese uvula umhubhe nge-Minikube ukuze ufinyelele isevisi kusuka emshinini wakho, ngokuvamile futhi ku-port 8080.
Le ndlela ilungele ukulingisa izindawo eziseduze nokukhiqiza. (ngama-pod, izinsizakalo, ukucushwa kwangaphandle, njll.) kanye nokuzama ukuthunyelwa okulawulwayo, ukukala, kanye nokuthuthukiswa kwe-Keycloak kumaqoqo e-K8.
I-Keycloak ku-Ubuntu nge-OpenJDK kanye ne-PostgreSQL (imodi yokuthuthukisa ethuthukisiwe)
Okunye okungenzeka ukufaka i-Keycloak ku-Ubuntu VM Ukusebenzisa i-OpenJDK kanye nesizindalwazi sendawo se-PostgreSQL, nesitifiketi esizisayinele sona kanye negama lomethuleli elenziwe ngokwezifiso. Nakuba kuseyisimo sokuhlola, kuyasondela ku-topology yokukhiqiza.
Izinyathelo ezijwayelekile zifaka phakathi:
- Buyekeza uhlelo lokusebenza bese ufaka i-Java (isibonelo, i-OpenJDK 11 noma ngaphezulu).
- Faka i-PostgreSQL (ngokufaneleke kakhulu kuseva ehlukile, yize ilebhu ingaba semshinini ofanayo).
- Dala umsebenzisi kanye nedathabheyisi ethile ye-Keycloak bese unikeza amalungelo afanele.
- Dala umsebenzisi wesistimu ngaphandle kwamalungelo (isb.
keycloak) ukuze kuqhutshwe isevisi. - Landa ukusatshalaliswa kwe-Keycloak okusemthethweni, uyivule ku-
/opt/keycloakfuthi ulungise izimvume. - Khiqiza isitifiketi se-X.509 esisayinwe nguwe nge ukuvula bese uyibeka
keycloak.confkanye namapharamitha wokuxhumeka kwe-PostgreSQL kanyehostnameoyifunayo. - Chaza iyunithi i-systemd Ukuze uqale i-Keycloak kumodi yokuthuthukisa ekuqaleni kwesistimu, setha iziqinisekiso zomphathi ngokusebenzisa iziguquguquki zemvelo.
Uma isevisi isiqalile futhi isebenzaNgokuvamile ifinyelelwa nge-HTTPS ku-port 8443 ngegama lomethuleli elihleliwe. Uma kusetshenziswa isitifiketi esizisayinele sona, kuzodingeka sithembeke kusiphequluli (ngokungenisa i-CA noma isitifiketi ngokwaso esitolo sesitifiketi esithembekile somshini).
Ukufakwa okuthuthukisiwe: ukutholakala okuphezulu, i-PostgreSQL kanye ne-reverse proxy
Uma sishintsha sisuka elabhorethri siye ekukhiqizeniIsithombe siyashintsha: kufanele ucabange ngokutholakala okuphezulu, ukuqhubeka kwedatha okuqinile, izitifiketi ezivumelekile, kanye, ngokuvamile, iphrokzi ephambene ehlanganisa ukufinyelela kwe-HTTPS kanye nokulinganisela umthwalo.
Iphethini evamile kakhulu ukusebenzisa ama-node amaningi e-Keycloak ngemuva kwe-load balancer (isb., i-Nginx) nokusebenzisa i-PostgreSQL database kumodi ye-HA njenge-backend yokuphikelela. Umgomo uwukususa amaphuzu angawodwa okwehluleka kokubili kwezendlalelo zohlelo lokusebenza nezedatha.
Kulolu hlobo lokwakha, izinyathelo ezifana nalezi ezilandelayo zivame ukulandelwa::
- Lungisa amaseva e-Linux abuyekeziwe (i-Debian/Ubuntu) bese ufaka ukuxhomeka:
unzip,wget,openjdk,openssl, Njll - Dala umsebenzisi wesistimu
keycloakekhaya ngaphakathi/opt/keycloakfuthi ngaphandle kwezimvume zokungena ngemvume ezisebenzisanayo ezinelungelo. - Landa inguqulo oyifunayo ye-Keycloak, uyivule, bese unikeza umsebenzisi ozinikele ubunikazi.
- Dala isizindalwazi esithile ku-PostgreSQL, ngomsebenzisi namalungelo afanele, futhi ulungise umnikazi weskimu nezimvume ezizenzakalelayo kumathebula.
- Khiqiza izitifiketi ezizisayinile (noma sebenzisa izitifiketi ezivela ku-CA yangaphakathi) zama-node e-Keycloak bese ulungiselela i-HTTPS kuseva yohlelo lokusebenza.
- Lungisa
keycloak.confukuze uxhumeke ku-PostgreSQL VIP, chaza amachweba e-HTTP/HTTPS, izitifiketi, amapharamitha e-proxy, igama lomsingathi, i-cluster stack (isb., i-UDP), kanye namazinga elogi. - Chaza isevisi
systemdkulula lokho ibhuthini Ingubo yokhiye enekc.sh startokc.sh start --optimizedukuphatha ukuqala kabusha okuzenzakalelayo uma kwenzeka ukwehluleka.
I-Nginx ivame ukufakwa phezu kwesendlalelo sokushicilela nokulinganisa umthwalo. njenge-HTTPS reverse proxy, enesitifiketi sayo se-TLS kanye nokucushwa okuphezulu okukhomba kuma-Keycloak nodes kuma-backend port ayo (ngokuvamile i-8080 uma i-TLS inqanyuliwe ku-Nginx).
Ukususa amaphuzu alodwa okwehluleka ku-balancerKuvamile ukumisa ama-node amabili e-Nginx atholakala kakhulu usebenzisa i-Keepalived. Leli thuluzi liphatha i-IP ebonakalayo (VIP) entantayo ekhangiswa kwenye yamaseva njenge-master futhi, uma kwenzeka yehluleka, ishintshela ku-node yokusekelayo, igcina ukuqhubeka kwesevisi.
Ukusetha ukubhaliswa kweNdawo, abasebenzisi, kanye nohlelo lokusebenza (iklayenti)
Uma sesiqalile ukusebenza i-Keycloak, isinyathelo esilandelayo esinengqondo Kuhilela ukudala indawo yabasebenzisi bethu nezinhlelo zokusebenza, bese kusuka lapho kuchaza abasebenzisi, amaqembu, izindima kanye namakhasimende (izinhlelo zokusebenza ezizodlulisela ubuqiniso ku-Keycloak).
Kudalwa indawo entsha kusukela ku-Admin Console. Ngokufaka igama layo nje. Kusukela ngaleso sikhathi kuqhubeke, sizoba nendawo ehlukanisiwe enezilungiselelo zayo. Phakathi kokulungiswa kokuqala, okulandelayo kuvame ukuba wusizo:
- Lungiselela i-SMTP yokuthumela ama-imeyili (ukuqinisekiswa kwe-imeyili, ukubuyiselwa kwephasiwedi, izaziso).
- Nika amandla uma uthanda Iphrofayela Yomsebenzisi Omemezelayo, okukuvumela ukuthi uchaze ngokusobala ukuthi yiziphi izimfanelo umsebenzisi azoba nazo, yiziphi iziqinisekiso ezisebenzayo, nokuthi umsebenzisi angahlela yini.
- Lungisa amapharamitha okungena ngemvume: vumela noma ungavumeli ukubhalisa ngokwakho, khumbula iseshini phakathi kokuqalisa kabusha kwesiphequluli, vumela ukubuyiselwa kwephasiwedi, njll.
Ukudala umsebenzisi endaweni ethile kulula njengokugcwalisa ifomu Uzodinga igama lomsebenzisi, ikheli le-imeyili, igama lokuqala, nesibongo. Bese usetha iphasiwedi yakho (yesikhashana noma ehlala njalo) kuthebhu yeziqinisekiso. Ukusuka lapho, ungabela amaqembu, izindima, kanye nezimfanelo ezengeziwe.
I-Keycloak inikeza i-Akhawunti Console ezinikele kubasebenzisi bokugcina.lapho bangabuka futhi bashintshe khona idatha yephrofayela yabo, bashintshe iphasiwedi yabo, babuyekeze izikhathi ezisebenzayo, noma baphathe ezinye izici zokuqinisekisa. Kuyindlela elula kakhulu yokunikeza umsebenzisi ezinye zezindlela eziyisisekelo zokuphatha i-akhawunti yabo.
Ukuzenza ongeyena omunye umuntu kuyisici esithakazelisayo.Umphathi onemvume angakwazi "ukuzenza" umsebenzisi kusuka ku-console ukuze akhiqize izinkinga, aqinisekise izimvume, njll., ngaphandle kokudinga iphasiwedi yomsebenzisi.
Ukuze uhlelo lokusebenza lusebenzise i-Keycloak njenge-IdPKumelwe ibhaliswe njengeklayenti. Esigabeni samaKlayenti, kudalwa i-ID entsha yeklayenti, uhlobo lukhonjiswa njenge-OpenID Connect (ngaphandle kokuthi kuzosetshenziswa i-SAML), futhi kukhethwe ukugeleza kwe-OAuth 2.0 okuvunyelwe: Ukugeleza Okujwayelekile (Ikhodi Yokugunyaza), Izibonelelo Zokufinyelela Okuqondile (Iphasiwedi), Okungacacile, Iziqinisekiso zamaKlayenti (ama-akhawunti esevisi), Ikhodi Yedivayisi, i-CIBA, njll.
Ukucushwa kweklayenti nakho kuyanquma Uma kudingeka ukuqinisekiswa kweklayenti (imfihlo yeklayenti noma izitifiketi), yimaphi ama-URI okuqondisa kabusha asebenzayo nokuthi yimiphi imvelaphi yewebhu evunyelwe (kubaluleke kakhulu kuma-SPA ngenxa yezinqubomgomo ze-CORS). Ukusuka lapho, uhlelo lokusebenza lungasebenzisa imitapo yolwazi esemthethweni noma yenkampani yangaphandle ukuze lunikeze ukuqinisekiswa ku-Keycloak nge-OIDC.
Ukuhlanganiswa nezincwajana zangaphandle kanye nabanye abahlinzeki bobunikazi
I-Keycloak ingasebenza njengomthombo wobunikazi bendawo (abasebenzisi, amaqembu kanye nezindima ezichazwe ngaphakathi kwedatha yayo) noma ingasebenza njengomxhumanisi wobunikazi kumhlinzeki oyedwa noma ngaphezulu wangaphandle.
Ukuhlanganiswa okuvamile kakhulu kutholakala nge-Azure Active DirectoryI-Azure AD igcina abasebenzisi bezinkampani namaqembu, kanti i-Keycloak ixhumana njengeklayenti le-OIDC ukuze ilande ubunikazi namaqembu, iwahlanganise nabasebenzisi bendawo nezindima. Lokhu kugwema ukukopisha ubunikazi nemisebenzi yokuphatha kumasayithi amaningi.
Ngokuvamile, ukusebenzisa i-Azure AD njenge-IdP yangaphandle Lokhu okulandelayo kwenziwa:
- Bhalisa isicelo ku-Azure AD, uthole i-ID yaso yeklayenti bese udala imfihlo yeklayenti.
- Lungiselela ku-Azure AD ama-URI aqondiswe kabusha ku-Keycloak (i-OIDC broker endpoint endaweni ehambisanayo).
- Lungisa izimangalo ezizokhishwa kuthokheni kuhlelo lokusebenza lwe-Azure AD, isibonelo ngokufaka amaqembu abasebenzisi.
- Ku-Keycloak, dala uMhlinzeki Wobunikazi be-OpenID Connect okhomba kuma-endpoints e-Azure (ukugunyazwa, ithokheni, ukuphuma, ulwazi lomsebenzisi) kanye nokulungiselela i-ID yeklayenti, imfihlo yeklayenti, kanye namapharamitha okungena afunekayo.
Uma ukwethembana sekumisiwe phakathi kwaboUma umsebenzisi engena ngemvume nge-Azure AD, i-Keycloak idala (noma ivumelanisa) umsebenzisi endaweni futhi ingahlanganisa amaqembu e-Azure nezindima ze-Keycloak isebenzisa abenzi bemephu abathuthukile. Isibonelo, iqembu "labathuthukisi" ku-Azure lingahunyushwa libe yindima "yabathuthukisi" ku-Keycloak, bese idluliselwa kuzinhlelo zokusebenza ezihlanganisiwe nezinsizakalo (njenge-Jenkins).
Ngaphezu kwe-Azure AD, i-Keycloak ivumela ukuhlanganiswa kobunikazi kanye I-LDAP, i-Active Directory yakudala, amanye ama-IdP e-OIDC, abahlinzeki bezokuxhumana (i-Google, i-Facebook, i-GitHub, njll.) nokuningi, ukukwazi ukuxuba imithombo eminingana ngesikhathi esisodwa endaweni efanayo.
Ukuphepha okwengeziwe: ama-bot, i-CAPTCHA, kanye nemikhuba emihle kakhulu
Nakuba i-Keycloak iqinisa kakhulu ukuphepha kokuqinisekisa (i-MFA, izinqubomgomo zephasiwedi, ukukhiya i-akhawunti, ukulawula iseshini, njll.), amakhasi okungena ngemvume, okubhalisa kanye nokubuyisa iphasiwedi ahlala eyizinhloso ezicacile zama-bots kanye nokuhlasela okuzenzakalelayo.
Ukunciphisa lezi zinhlobo zezinsongoKunconywa ukuhlanganisa i-Keycloak nezindlela zokulwa ne-bot njengezixazululo ze-CAPTCHA ezihambisana ne-GDPR ezihlukanisa phakathi kwethrafikhi yabantu neyokuzenzakalelayo ngaphandle kokubeka engcupheni ulwazi lomsebenzisi. Lezi zixazululo zivame ukuhlanganiswa kumafomu okungena ngemvume nawokubhalisa, zengeza ungqimba olwengeziwe lokuzivikela ekuhlaselweni kokugcwalisa iziqinisekiso, ukudalwa kwama-akhawunti amaningi, noma ukusetshenziswa kabi kokuhamba kokubuyisa iphasiwedi.
Ngaphandle kwe-CAPTCHA, eminye imikhuba emihle ihlanganisa qapha izingodo ukuze ufinyelele, setha izexwayiso zokunyuka okungajwayelekile emizamweni ehlulekile, ubuyekeze njalo amathokheni akhishwe kanye nobude bawo, uqinisekise ukuthi kuphela izindawo zokugcina ezidingekayo ezivezwa ngaphandle, futhi ugcine i-Keycloak kanye nokuncika kwayo kubuyekeziwe ngama-patches okuphepha akamuva.
Lonke lolu hlelo lokusebenza olusebenzayo (i-SSO, ukuqasha okuningi, ukuhlanganiswa neziqondisi zangaphandle, amathokheni alungisekayo, ukuthunyelwa kokutholakala okuphezulu kanye nokuvikelwa kwe-bot) kwenza i-Keycloak ibe ithuluzi elinamandla kakhulu lokufaka phakathi ukuqinisekiswa kanye nokugunyazwa kwezinhlelo zokusebenza zesimanje, okusiza izinkampani ukuqinisa ukuma kwazo kokuphepha ngaphandle kokudela ulwazi lomsebenzisi noma ukuqhubeka nokuvuselela ukuphathwa kobunikazi.
Umbhali oshisekayo ngomhlaba wamabhayithi nobuchwepheshe ngokujwayelekile. Ngiyathanda ukwabelana ngolwazi lwami ngokubhala, futhi yilokho engizokwenza kule bhulogi, ngikubonise zonke izinto ezithakazelisayo kakhulu ngamagajethi, isofthiwe, ihadiwe, izitayela zobuchwepheshe, nokuningi. Inhloso yami ukukusiza ukuthi uzulazule emhlabeni wedijithali ngendlela elula nejabulisayo.