OpenID Connect: authorization of internal applications, from home-grown to the standard

A few months ago I was implementing an OpenID Connect server to manage access to hundreds of our internal applications. From our own development, convenient on a small scale, we moved to a generally accepted standard. Access through a central service greatly simplifies monotonous tasks, reduces the cost of implementing authorization, lets you find many ready-made solutions, and saves you from racking your brains when developing new ones. In this article I will talk about this transition and what we managed to accomplish along the way.


Once upon a time... How it all began

A few years ago, when the number of internal applications became too large to manage by hand, we wrote an application to manage access within the company. It was a simple Rails application connected to a database with information about employees, in which access to various functions was configured. At the same time we set up the first SSO, which was based on checking tokens on the client side and on the authorization server: the token was passed in encrypted form with several parameters and verified on the authorization server. This was not the most convenient option, since each internal application had to describe a considerable amount of logic, and the employee database was completely tied to the authorization server.

After some time we decided to simplify the task of centralized authorization. The SSO was moved to the load balancer. With the help of OpenResty, a Lua module was added that checked tokens, knew which application the request was addressed to, and could check whether the user had access to it. This approach greatly simplified the task of managing access to internal applications: no additional logic had to be described in the code of each application. As a result, we closed off external traffic, and the application itself knew nothing about authorization.

However, one problem remained unsolved. What about applications that need information about employees? It would be possible to write an API for the authorization service, but then additional logic would have to be added for each such application. Moreover, we wanted to free one of our self-written applications, which is planned to be released as open source, from its dependency on the internal authorization server. We will talk about it another time. The solution to both problems turned out to be OAuth.

Towards the standards

OAuth is a well-understood, generally accepted authorization standard, but since its functionality alone was not enough, we immediately started looking at OpenID Connect (OIDC). OIDC itself is the third implementation of the open authentication standard, which has grown into an extension on top of the OAuth 2.0 protocol (the open authorization protocol). This solution closes the gap of missing data about the end user and also makes it possible to change the authorization provider.

However, we did not choose a specific provider and decided to add OIDC support to our existing authorization server. What argued in favor of this decision is that OIDC is very flexible with respect to end-user authorization. It was therefore possible to implement OIDC support on the current authorization server.


Our approach to implementing our own OIDC server

1) Bringing the data into the required form

To connect OIDC, the current user data must be brought into a form the standard understands. In OIDC these are called claims. Claims are essentially the individual fields of the user record (name, email, phone, and so on). There is a standard list of claims, and anything not included in that list is considered custom. So the first thing to pay attention to, if you want to choose an existing OIDC provider, is how conveniently new claims can be customized.

Claims are grouped into the next larger unit: the scope. During authorization, access is requested not to specific claims but to scopes, even if some of the claims within a scope are not needed.

2) Implementing the required grants

The next part of integrating OIDC is choosing and implementing the authorization types, the so-called grants. The further interaction scenario between the chosen application and the authorization server depends on the grant selected. An example scheme for choosing a suitable grant is shown in the picture below.


For our first application we used the most common grant, Authorization Code. What distinguishes it from the others is that it has three steps, i.e. it goes through an additional check. First the user requests authorization and receives a token, the authorization code; then, with this token, as with a boarding pass, the application requests an access token. All the main interaction in this authorization scenario is built on redirects between the application and the authorization server. You can read more about this grant here.

OAuth follows the idea that access tokens obtained after authorization should be short-lived and should rotate, preferably every 10 minutes on average. The Authorization Code grant is a three-step check through redirects, and going through such a step every 10 minutes is, frankly, not something a user wants to see. To solve this problem there is another grant, Refresh Token, which we also used. Everything is simple here. When authorization completes through another grant, in addition to the main access token one more token is issued: the refresh token, which can be used only once and whose lifetime is usually much longer. When the TTL (time to live) of the main access token expires, the request for a new access token, carrying this refresh token, goes to the endpoint of the other grant. The refresh token that was used is immediately invalidated. This check is two-step and can be performed in the background, invisibly to the user.
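The token lifecycle described in the two paragraphs above, as an added example rather than code from the article (whose stack was Rails and Lua): a hypothetical in-memory model of an authorization server that issues 10-minute access tokens and single-use refresh tokens with rotation, so that a replayed refresh token is rejected with invalid_grant. The type, method and error names are my own.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// ErrInvalidGrant is the OAuth token-endpoint error for an unknown, replayed or expired token.
var ErrInvalidGrant = errors.New("invalid_grant")
// AuthServer is a hypothetical in-memory model of the token state the article describes: 10-minute
// access tokens plus long-lived refresh tokens that are invalidated the moment they are presented.
type AuthServer struct {
	Now        func() time.Time     // injectable clock so expiry can be exercised
	AccessTTL  time.Duration
	RefreshTTL time.Duration
	access     map[string]time.Time // access token -> expiry
	refresh    map[string]time.Time // refresh token -> expiry, deleted on first use
}

func NewAuthServer(now func() time.Time) *AuthServer {
	return &AuthServer{Now: now, AccessTTL: 10 * time.Minute, RefreshTTL: 30 * 24 * time.Hour,
		access: map[string]time.Time{}, refresh: map[string]time.Time{}}
}

// random returns an opaque 128-bit bearer token (these are not JWTs).
func random() string { b := make([]byte, 16); rand.Read(b); return hex.EncodeToString(b) }
// Issue mints the pair the token endpoint returns once the authorization code has been exchanged.
func (s *AuthServer) Issue() (access, refresh string) {
	access, refresh = random(), random()
	s.access[access] = s.Now().Add(s.AccessTTL)
	s.refresh[refresh] = s.Now().Add(s.RefreshTTL)
	return access, refresh
}

// Refresh is the refresh_token grant with rotation: the presented token is removed before any
// other check, so a second presentation (a replayed or stolen token) fails with invalid_grant.
func (s *AuthServer) Refresh(token string) (access, refresh string, err error) {
	exp, ok := s.refresh[token]
	delete(s.refresh, token)
	if !ok || s.Now().After(exp) { return "", "", ErrInvalidGrant }
	access, refresh = s.Issue()
	return access, refresh, nil
}

// ValidAccess is the check the resource server (or the Lua module on the balancer) performs.
func (s *AuthServer) ValidAccess(token string) bool {
	exp, ok := s.access[token]
	return ok && s.Now().Before(exp)
}
```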

3) Setting up custom data output formats

Once the chosen grants are implemented and authorization works, it is worth mentioning how information about the end user is obtained. OIDC has a separate endpoint for this, where you can request user data with your current access token, provided it is valid. And if user data does not change often but you need to check its current state frequently, you can arrive at a solution such as JWT tokens. These tokens are also supported by the standard. A JWT token itself consists of three parts: the header (information about the token), the payload (all the necessary data) and the signature (the token is signed by the server, and the origin of the signature can later be verified).

In the OIDC implementation, the JWT token is called the id_token. It can be requested together with the usual access token, and all that remains is to verify the signature. The authorization server has a separate endpoint for this, with a set of public keys in JWK format. Speaking of which, it is worth mentioning that there is another endpoint which, following the RFC 5785 standard, exposes the current configuration of the OIDC server. It contains all the endpoint addresses (including the address of the public key set used for signing), the supported claims and scopes, the encryption algorithms used, the supported grants, and so on.

Example from Google:

{
 "issuer": "https://accounts.google.com",
 "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
 "device_authorization_endpoint": "https://oauth2.googleapis.com/device/code",
 "token_endpoint": "https://oauth2.googleapis.com/token",
 "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
 "revocation_endpoint": "https://oauth2.googleapis.com/revoke",
 "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
 "response_types_supported": [
  "code",
  "token",
  "id_token",
  "code token",
  "code id_token",
  "token id_token",
  "code token id_token",
  "none"
 ],
 "subject_types_supported": [
  "public"
 ],
 "id_token_signing_alg_values_supported": [
  "RS256"
 ],
 "scopes_supported": [
  "openid",
  "email",
  "profile"
 ],
 "token_endpoint_auth_methods_supported": [
  "client_secret_post",
  "client_secret_basic"
 ],
 "claims_supported": [
  "aud",
  "email",
  "email_verified",
  "exp",
  "family_name",
  "given_name",
  "iat",
  "iss",
  "locale",
  "name",
  "picture",
  "sub"
 ],
 "code_challenge_methods_supported": [
  "plain",
  "S256"
 ],
 "grant_types_supported": [
  "authorization_code",
  "refresh_token",
  "urn:ietf:params:oauth:grant-type:device_code",
  "urn:ietf:params:oauth:grant-type:jwt-bearer"
 ]
}

Thus, using the id_token, you can move all the necessary claims into the token payload and avoid contacting the authorization server for user data every time. The disadvantage of this approach is that a change in user data on the server does not take effect immediately, but only with the next access token.

Results of the implementation

So, having implemented our own OIDC server and set up the integration with it on the application side, we solved the problem of passing data about users.
Since OIDC is an open standard, we had the option of choosing a provider or a ready-made server implementation. We tried Keycloak, which turned out to be very convenient to configure: once it is installed, all that remains on the application side is to change the integration settings, and it is ready to go.

A word about existing solutions

In our company, as the first OIDC server, we assembled our own implementation, which was extended as needed. After a detailed review of the other ready-made solutions, we can say that this is an important point. What spoke in favor of implementing our own server were doubts about whether providers offered the functionality we needed, and the existence of a legacy system in which a number of services already had their own custom authorization and a large amount of employee data had already been accumulated. That said, the ready-made implementations offer conveniences for integration. For example, Keycloak has its own user management system and stores the data directly in it, and it would not be hard to migrate your users there. For this, Keycloak has an API that lets you perform all the necessary migration steps.

Another implementation that I find interesting is Ory Hydra. It is interesting because it is made up of separate components. To integrate it, you connect your own user management service to their authorization service and extend it as needed.

Keycloak and Ory Hydra are not the only off-the-shelf solutions. It is better to choose an implementation certified by the OpenID Foundation. Such solutions usually carry the OpenID Certified mark.


Also, do not forget about paid providers if you do not want to maintain your own OIDC server. Today there are plenty of good options.

What's next

In the near future we will close off traffic to internal services in a different way. We plan to move the current SSO on the balancer, implemented with OpenResty, to a proxy based on OAuth. There are already many ready-made solutions here, for example:
github.com/bitly/oauth2_proxy
github.com/ory/oathkeeper
github.com/keycloak/keycloak-gatekeeper

Additional materials

jwt.io - a handy service for checking JWT tokens
openid.net/developers/certified - the list of certified OIDC implementations

source: www.habr.com
