Ob peb lub hlis dhau los, kuv tau siv OpenID Connect server los tswj kev nkag mus rau ntau pua ntawm peb cov ntawv thov sab hauv. Los ntawm peb tus kheej txoj kev txhim kho, yooj yim ntawm qhov me me, peb tau hloov mus rau tus qauv lees paub. Kev nkag mus los ntawm kev pabcuam hauv nruab nrab ua kom yooj yim rau kev ua haujlwm monotonous, txo tus nqi ntawm kev siv cov ntawv tso cai, tso cai rau koj nrhiav tau ntau yam kev npaj ua tiav thiab tsis rack koj lub hlwb thaum tsim cov tshiab. Hauv tsab xov xwm no, kuv yuav tham txog qhov kev hloov pauv no thiab cov pob uas peb tau ua tiav.
Ib lub sij hawm ntev dhau los... Nws pib li cas
Ob peb xyoos dhau los, thaum muaj ntau daim ntawv thov sab hauv rau kev tswj xyuas phau ntawv, peb tau sau ib daim ntawv thov los tswj kev nkag mus hauv tuam txhab. Nws yog ib daim ntawv thov Rails yooj yim uas txuas nrog cov ntaub ntawv nrog cov ntaub ntawv hais txog cov neeg ua haujlwm, qhov chaw nkag mus rau ntau yam haujlwm tau teeb tsa. Nyob rau tib lub sijhawm, peb tau tsa thawj SSO, uas yog raws li kev txheeb xyuas ntawm tokens los ntawm sab ntawm tus neeg siv khoom thiab cov neeg rau zaub mov tso cai, lub token tau xa mus rau hauv daim ntawv encrypted nrog ntau qhov kev ntsuas thiab txheeb xyuas ntawm cov neeg siv kev tso cai. Qhov no tsis yog qhov kev xaiv yooj yim tshaj plaws, txij li txhua daim ntawv thov sab hauv yuav tsum tau piav qhia txog txheej txheej txheej txheej txheej txheej txheej txheej, thiab cov neeg ua haujlwm cov ntaub ntawv tau raug synchronized tag nrho nrog kev tso cai server.
Tom qab qee lub sijhawm, peb txiav txim siab ua kom yooj yim txoj haujlwm ntawm kev tso cai hauv nruab nrab. SSO tau pauv mus rau tus neeg tshuav nyiaj li cas. Nrog kev pab los ntawm OpenResty, tus qauv tau ntxiv rau Lua uas tau txheeb xyuas cov tokens, paub tias daim ntawv thov twg yuav mus, thiab tuaj yeem tshawb xyuas seb puas muaj kev nkag mus rau ntawd. Txoj hauv kev no ua kom yooj yim heev rau txoj haujlwm ntawm kev tswj kev nkag mus rau hauv cov ntawv thov sab hauv - hauv cov cai ntawm txhua daim ntawv thov, nws tsis tas yuav piav qhia ntxiv txog kev xav. Yog li ntawd, peb kaw cov tsheb khiav tawm sab nraud, thiab daim ntawv thov nws tus kheej tsis paub dab tsi txog kev tso cai.
Txawm li cas los xij, ib qho teeb meem tseem tsis tau daws. Yuav ua li cas txog cov ntawv thov uas xav tau cov ntaub ntawv hais txog cov neeg ua haujlwm? Nws tuaj yeem sau API rau kev tso cai kev pabcuam, tab sis tom qab ntawd koj yuav tsum tau ntxiv cov logic ntxiv rau txhua daim ntawv thov. Tsis tas li ntawd, peb xav kom tshem tawm qhov kev vam khom ntawm ib qho ntawm peb cov ntawv sau tus kheej, uas tom qab ntawd yuav raug muab txhais ua OpenSource, ntawm peb lub server tso cai sab hauv. Peb yuav tham txog nws qee lub sijhawm. Kev daws rau ob qho teeb meem yog OAuth.
ua raws li cov qauv
OAuth yog qhov nkag siab, feem ntau lees txais tus qauv kev tso cai, tab sis vim tsuas yog nws txoj haujlwm tsis txaus, lawv tau pib xav txog OpenID Connect (ODC). OIDC nws tus kheej yog qhov thib peb qhov kev siv ntawm tus qauv qhib kev lees paub, uas tau ntws mus rau hauv ib qho ntxiv ntawm OAuth 2.0 raws tu qauv (qhov qhib kev tso cai raws tu qauv). Qhov kev daws teeb meem no kaw qhov teeb meem ntawm qhov tsis muaj cov ntaub ntawv hais txog tus neeg siv kawg, thiab tseem ua rau nws tuaj yeem hloov pauv tus neeg muab kev tso cai.
Txawm li cas los xij, peb tsis tau xaiv ib tus neeg muab kev pabcuam tshwj xeeb thiab txiav txim siab ntxiv kev koom ua ke nrog ODDC rau peb cov neeg siv kev tso cai uas twb muaj lawm. Hauv kev pom zoo ntawm qhov kev txiav txim siab no yog qhov tseeb tias ODC hloov pauv tau yooj yim ntawm cov neeg siv kev tso cai kawg. Yog li, nws muaj peev xwm siv ODDC kev txhawb nqa ntawm koj lub server tso cai tam sim no.
Peb txoj kev siv peb tus kheej ODDC server
1) Nqa cov ntaub ntawv mus rau daim ntawv xav tau
Txhawm rau koom ua ke ODDC, nws yog qhov yuav tsum tau nqa cov ntaub ntawv siv tam sim no rau hauv daim ntawv nkag siab los ntawm tus qauv. Hauv ODDC qhov no yog hu ua Cov Cai. Kev thov yog qhov tseem ceeb kawg hauv cov neeg siv cov ntaub ntawv (lub npe, email, xov tooj, thiab lwm yam). Muaj , thiab txhua yam uas tsis suav nrog hauv daim ntawv teev npe no yog suav tias yog kev cai. Yog li ntawd, thawj lub ntsiab lus uas koj yuav tsum tau them sai sai rau yog tias koj xav xaiv tus neeg muab kev pabcuam ODC uas twb muaj lawm yog qhov ua tau yooj yim rau kev hloov kho ntawm cov hom tshiab.
Cov pab pawg ntawm cov cim tseem ceeb tau muab tso rau hauv cov kab hauv qab no - Scope. Thaum muaj kev tso cai, kev nkag mus yog thov tsis yog rau cov npe tshwj xeeb, tab sis rau cov peev txheej, txawm tias qee lub npe los ntawm cov peev txheej tsis xav tau.
2) Siv cov nyiaj pab tsim nyog
Qhov txuas ntxiv ntawm ODC kev koom ua ke yog kev xaiv thiab kev siv cov kev tso cai hom, uas yog hu ua cov nyiaj pab. Qhov xwm txheej ntxiv ntawm kev sib cuam tshuam ntawm daim ntawv thov xaiv thiab tus neeg rau zaub mov tso cai yuav nyob ntawm qhov nyiaj tau xaiv. Ib qho qauv zoo rau kev xaiv qhov nyiaj pab zoo yog muaj nyob rau hauv daim duab hauv qab no.
Rau peb thawj daim ntawv thov, peb siv cov nyiaj pab ntau tshaj plaws, Txoj Cai Tso Cai. Nws qhov txawv ntawm lwm tus yog tias nws yog peb-kauj ruam, i.e. tab tom raug kuaj ntxiv. Ua ntej, tus neeg siv ua daim ntawv thov kev tso cai, tau txais ib lub token - Tso Cai Code, tom qab ntawd nrog lub token no, zoo li nrog daim pib mus ncig, thov kom nkag mus rau token. Txhua qhov kev cuam tshuam tseem ceeb ntawm tsab ntawv tso cai no yog nyob ntawm kev hloov pauv ntawm daim ntawv thov thiab tus neeg rau zaub mov tso cai. Koj tuaj yeem nyeem ntxiv txog qhov nyiaj pab no .
OAuth ua raws li lub tswv yim hais tias kev nkag mus rau tokens tau txais tom qab kev tso cai yuav tsum yog ib ntus thiab yuav tsum hloov pauv, zoo dua txhua 10 feeb ntawm qhov nruab nrab. Txoj Cai Kev Tso Cai tso cai yog qhov kev pov thawj peb-kauj ruam los ntawm kev hloov pauv, txhua 10 feeb kom tig cov kauj ruam no, hais ncaj ncees, tsis yog txoj haujlwm zoo tshaj plaws rau lub qhov muag. Txhawm rau daws qhov teeb meem no, muaj lwm qhov nyiaj pab - Refresh Token, uas peb kuj tau siv hauv peb lub tebchaws. Txhua yam yooj yim ntawm no. Thaum kuaj xyuas los ntawm lwm qhov nyiaj pab, ntxiv rau qhov tseem ceeb nkag token, lwm qhov yog muab - Refresh Token, uas tuaj yeem siv tau ib zaug xwb thiab nws lub neej feem ntau yog ntev dua. Nrog rau qhov Refresh Token no, thaum TTL (Lub Sijhawm Ua Neej Nyob) ntawm lub ntsiab nkag token xaus, qhov kev thov rau tus lej nkag tshiab yuav tuaj rau qhov kawg ntawm lwm qhov nyiaj pab. Qhov siv Refresh Token tam sim ntawd rov qab mus rau xoom. Qhov kev kuaj no yog ob-kauj ruam thiab tuaj yeem ua hauv keeb kwm yav dhau, imperceptibly rau tus neeg siv.
3) Teeb tsa cov ntaub ntawv tawm tswv yim kev cai
Tom qab xaiv cov nyiaj pab cuam raug muab coj los siv, kev tso cai ua haujlwm, nws tsim nyog tau txais cov ntaub ntawv hais txog tus neeg siv kawg. OIDC muaj qhov xaus rau qhov no, qhov twg koj tuaj yeem thov cov ntaub ntawv siv nrog koj tus lej nkag mus tam sim no thiab yog tias nws hloov tshiab. Thiab yog tias tus neeg siv cov ntaub ntawv tsis hloov ntau zaus, thiab koj yuav tsum ua raws li tam sim no ntau zaus, koj tuaj yeem tuaj yeem daws qhov kev daws teeb meem zoo li JWT tokens. Cov tokens no kuj tau txais kev txhawb los ntawm tus qauv. JWT token nws tus kheej muaj peb ntu: header (cov ntaub ntawv hais txog lub token), payload (ib yam ntaub ntawv tsim nyog) thiab kos npe (kos npe, lub token kos npe los ntawm server thiab tom qab ntawd koj tuaj yeem tshawb xyuas qhov chaw ntawm nws kos npe).
Hauv kev siv ODC, JWT token hu ua id_token. Nws tuaj yeem thov nrog rau ib txwm siv token thiab txhua yam uas tseem tshuav yog txhawm rau txheeb xyuas qhov kos npe. Cov neeg rau zaub mov tso cai muaj qhov xaus rau qhov no nrog ib pawg ntawm cov yuam sij pej xeem hauv hom . Thiab hais txog qhov no, nws tsim nyog hais tias muaj lwm qhov kawg, uas, raws li tus qauv qhia txog kev teeb tsa tam sim no ntawm ODC server. Nws muaj tag nrho cov chaw nyob kawg (nrog rau qhov chaw nyob ntawm lub nplhaib tseem ceeb ntawm pej xeem siv rau kev kos npe), cov hom kev txhawb nqa thiab cov txheej txheem, siv encryption algorithms, kev txhawb nqa nyiaj pab, thiab lwm yam.
Piv txwv li hauv Google:
{
"issuer": "https://accounts.google.com",
"authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
"device_authorization_endpoint": "https://oauth2.googleapis.com/device/code",
"token_endpoint": "https://oauth2.googleapis.com/token",
"userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
"revocation_endpoint": "https://oauth2.googleapis.com/revoke",
"jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
"response_types_supported": [
"code",
"token",
"id_token",
"code token",
"code id_token",
"token id_token",
"code token id_token",
"none"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"scopes_supported": [
"openid",
"email",
"profile"
],
"token_endpoint_auth_methods_supported": [
"client_secret_post",
"client_secret_basic"
],
"claims_supported": [
"aud",
"email",
"email_verified",
"exp",
"family_name",
"given_name",
"iat",
"iss",
"locale",
"name",
"picture",
"sub"
],
"code_challenge_methods_supported": [
"plain",
"S256"
],
"grant_types_supported": [
"authorization_code",
"refresh_token",
"urn:ietf:params:oauth:grant-type:device_code",
"urn:ietf:params:oauth:grant-type:jwt-bearer"
]
}Yog li, siv id_token, koj tuaj yeem hloov tag nrho cov cim tsim nyog rau kev them nyiaj ntawm lub token thiab tsis hu rau tus neeg rau zaub mov tso cai txhua zaus thov cov ntaub ntawv siv. Qhov tsis zoo ntawm txoj hauv kev no yog qhov kev hloov pauv ntawm cov neeg siv cov ntaub ntawv los ntawm cov neeg rau zaub mov tsis tuaj tam sim ntawd, tab sis nrog rau tus lej nkag tshiab.
Cov txiaj ntsig ua tiav
Yog li, tom qab siv peb tus kheej ODC server thiab teeb tsa kev sib txuas rau nws ntawm daim ntawv thov, peb tau daws qhov teeb meem ntawm kev hloov cov ntaub ntawv hais txog cov neeg siv.
Txij li ODDC yog tus qauv qhib, peb muaj kev xaiv xaiv tus neeg muab kev pabcuam lossis kev siv server. Peb sim Keycloak, uas tau ua kom yooj yim rau kev teeb tsa, tom qab teeb tsa thiab hloov pauv kev sib txuas ntawm daim ntawv thov sab, nws npaj mus. Ntawm daim ntawv thov sab, txhua yam uas tseem tshuav yog hloov qhov kev sib txuas configurations.
Tham txog cov kev daws teeb meem uas twb muaj lawm
Nyob rau hauv peb lub koom haum, raws li thawj tus neeg rau zaub mov ODC, peb tau sib sau ua ke peb tus kheej kev siv, uas tau ntxiv raws li qhov tsim nyog. Tom qab kev tshuaj xyuas ntxaws ntxaws ntawm lwm cov kev daws teeb meem npaj tau, peb tuaj yeem hais tias qhov no yog qhov taw qhia moot. Hauv kev pom zoo ntawm kev txiav txim siab los siv lawv tus kheej server, muaj kev txhawj xeeb ntawm ib feem ntawm cov chaw muab kev pabcuam thaum tsis muaj qhov tsim nyog ua haujlwm, nrog rau lub xub ntiag ntawm cov txheej txheem qub uas muaj kev tso cai sib txawv rau qee qhov kev pabcuam thiab ntau heev. cov ntaub ntawv hais txog cov neeg ua haujlwm twb tau khaws cia lawm. Txawm li cas los xij, hauv kev npaj ua tiav, muaj kev yooj yim rau kev sib koom ua ke. Piv txwv li, Keycloak muaj nws tus kheej cov neeg siv kev tswj hwm thiab cov ntaub ntawv khaws cia ncaj qha rau hauv nws, thiab nws yuav tsis yooj yim rau hla koj cov neeg siv nyob ntawd. Txhawm rau ua qhov no, Keycloak muaj API uas yuav tso cai rau koj ua tiav tag nrho cov kev hloov pauv tsim nyog.
Lwm qhov piv txwv ntawm kev lees paub, nthuav, hauv kuv lub tswv yim, kev siv yog Ory Hydra. Nws yog qhov nthuav vim nws muaj cov khoom sib txawv. Txhawm rau koom ua ke, koj yuav tsum txuas koj cov kev pabcuam tswj hwm cov neeg siv rau lawv qhov kev tso cai thiab txuas ntxiv raws li xav tau.
Keycloak thiab Ory Hydra tsis yog qhov kev daws teeb meem nkaus xwb. Nws yog qhov zoo tshaj plaws los xaiv qhov kev siv uas tau lees paub los ntawm OpenID Foundation. Cov kev daws teeb meem no feem ntau muaj daim ntawv pov thawj OpenID.
Tsis tas li tsis txhob hnov ββββqab txog cov chaw them nyiaj uas twb muaj lawm yog tias koj tsis xav khaws koj tus neeg rau zaub mov ODC. Niaj hnub no muaj ntau yam kev xaiv zoo.
Dab tsi ntxiv
Nyob rau yav tom ntej, peb yuav kaw cov tsheb khiav mus rau cov kev pabcuam sab hauv hauv ib txoj kev sib txawv. Peb npaj yuav hloov peb SSO tam sim no ntawm qhov sib npaug siv OpenResty mus rau lub npe raws li OAuth. Muaj twb muaj ntau yam kev npaj ua tiav ntawm no, piv txwv li:
Cov ntaub ntawv ntxiv
- Kev pabcuam zoo rau kev lees paub JWT tokens
- Daim ntawv teev npe ntawm cov ntawv pov thawj ODDC kev siv
Tau qhov twg los: www.hab.com