SSO on a microservice architecture. Using Keycloak. Part #1

In a large company, and X5 Retail Group is no exception, the number of projects that require user authorization grows as the company develops. At the same time, a seamless transition of users from one application to another is required, and that is when a single Single Sign-On (SSO) server becomes necessary. But what about when identity providers such as AD, or others that carry no additional attributes, are already in use across many projects? A class of systems called "identity brokers" comes to the rescue. The most functional of them are representatives such as Keycloak, Gravitee Access Management and others. Usage scenarios usually differ: machine-to-machine interaction, user participation, and so on. The solution must support flexible scaling and fault tolerance so that all requirements can be combined in one place, and such a solution is what our company now has in the identity broker Keycloak.

Keycloak is an open-source identity and access management product from RedHat. It is the basis for the company's commercial SSO product, RH-SSO.

Basic concepts

Before working through the solutions and approaches, the terms and the sequence of the processes need to be defined:

Identification is the procedure of recognizing a subject by its identifier (in other words, determining a name, login or number).

Authentication is the procedure of verifying that identity (a user is checked by a password, a letter is checked by its electronic signature, and so on).

Authorization is the granting of access to a resource (for example, to e-mail).

Identity broker Keycloak

Keycloak is an open-source identity and access management solution designed for use in information systems where the microservice architecture pattern can be applied.

Keycloak offers features such as Single Sign-On (SSO), identity brokering and social login, user federation, client adapters, an admin console and an account management console.

Basic functionality supported by Keycloak:

  • Single Sign-On and Single Sign-Out for browser applications.
  • Support for OpenID Connect / OAuth 2.0 / SAML.
  • Identity Brokering - authentication through external OpenID Connect or SAML identity providers.
  • Social Login - support for Google, GitHub, Facebook and Twitter for user identification.
  • User Federation - synchronization of users from LDAP and Active Directory servers and other identity providers.
  • Kerberos bridge - using a Kerberos server for automatic user authentication.
  • Admin Console - centralized management of settings and solution configuration through the web interface.
  • Account Management Console - self-service management of the user profile.
  • Customization of the solution to the company's corporate style.
  • 2FA Authentication - TOTP / HOTP support using Google Authenticator or FreeOTP.
  • Login Flows - user self-registration, password recovery and reset, and so on.
  • Session Management - administrators can manage user sessions from a single place.
  • Token Mappers - binding user attributes, roles and other required data into tokens.
  • Flexible policy management across the realm, applications and users.
  • CORS support - client adapters have built-in CORS support.
  • Service Provider Interfaces (SPI) - a large number of SPIs that let you customize various aspects of the server: authentication flows, identity providers, protocol mappings and more.
  • Client adapters for JavaScript applications, WildFly, JBoss EAP, Fuse, Tomcat, Jetty, Spring.
  • Support for working with any application that uses an OpenID Connect Relying Party library or a SAML 2.0 Service Provider library.
  • Extensible through plugins.

For CI/CD processes, and for automating management tasks in Keycloak, the REST API / Java API can be used. The documentation is available online:

REST API https://www.keycloak.org/docs-api/8.0/rest-api/index.html
Java API https://www.keycloak.org/docs-api/8.0/javadocs/index.html

Enterprise Identity Providers (On-Premise)

Users can be authenticated through User Federation services.

Pass-through authentication can also be used: if users authenticate to their workstations with Kerberos (LDAP or AD), they can be authenticated to Keycloak without entering their username and password again.

For authentication and subsequent authorization of users, a relational DBMS can be used; this is most applicable to development environments, since it does not require lengthy setup and integration in the early stages of a project. By default, Keycloak uses a built-in DBMS to store settings and user data.

The list of supported DBMSs is extensive and includes MS SQL, Oracle, PostgreSQL, MariaDB and others. The most thoroughly tested to date are Oracle 12C Release1 RAC and a Galera 3.12 cluster for MariaDB 10.1.19.

Identity providers - social login

Social login can be used as well. To enable this way of authenticating users, use the Keycloak admin console. No changes to the application code are required: this functionality is available out of the box and can be enabled at any stage of the project.

OpenID Connect / SAML identity providers can also be used to authenticate users.

Recommended scenarios for using OAuth2 in Keycloak

Authorization Code Flow - used with server-side applications. One of the most common grant types, because it suits server applications well: the application's source code and client secret are not exposed to outsiders. The process is based on redirection. The application must be able to interact with the user agent, such as a web browser, in order to receive the authorization code that the API sends back through the user agent.

Implicit Flow - used by mobile or web applications (applications that run on the user's device).

The implicit grant type is used by mobile and web applications where the confidentiality of the client secret cannot be guaranteed. The implicit grant type also relies on user-agent redirection: the access token is handed to the user agent for further use by the application. This makes the token visible to the user and to other applications on the user's device. This grant type does not authenticate the client, and the process itself relies on the redirect URL (registered with the service in advance).

Implicit Flow does not support refresh tokens for access tokens.

Client Credentials Grant Flow - used when an application itself accesses an API. This grant type is most often used for server-to-server interaction that must run in the background without direct user involvement. The client credentials grant lets a web service (a confidential client) use its own credentials, instead of impersonating a user, to authenticate when calling another web service. For a higher level of security, the calling service can use a certificate (instead of a shared secret) as its credential.

The OAuth2 specification is described in:
RFC-6749
RFC-8252
RFC-6819
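The three grant types above as one in-memory exchange, showing both sides of each flow. This is an added example and not Keycloak's code or the article's: the client ids, secrets and redirect URIs are constructed, the user is assumed to be logged in already when `authorize()` is called, and issuing no refresh token for the client credentials grant is a choice of this toy server rather than a statement about Keycloak.

```python
# In-memory model of the three OAuth2 grants the article recommends for Keycloak:
# authorization code, implicit and client credentials. Added example, not Keycloak
# code: client ids, secrets and redirect URIs are constructed, and the user is
# assumed to be logged in already when authorize() is called.
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

class ToyAuthServer:
    """Stands in for the authorization and token endpoints of an SSO server."""

    def __init__(self):
        # Registered clients: confidential ones hold a secret, public ones do not.
        self.clients = {
            "web-backend": {"secret": "constructed-web-secret", "redirect_uri": "https://app.example.test/cb"},
            "spa-frontend": {"secret": None, "redirect_uri": "https://spa.example.test/cb"},
            "batch-service": {"secret": "constructed-batch-secret", "redirect_uri": None},
        }
        self.codes = {}  # outstanding one-time authorization codes -> client_id

    def _issue(self, with_refresh: bool) -> dict:
        out = {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer", "expires_in": 300}
        if with_refresh:
            out["refresh_token"] = secrets.token_urlsafe(16)
        return out

    def authorize(self, client_id, redirect_uri, response_type, state) -> str:
        """Front channel: returns the redirect URL sent back through the user agent."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or unregistered redirect_uri")
        if response_type == "code":
            code = secrets.token_urlsafe(8)
            self.codes[code] = client_id
            return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"
        if response_type == "token":
            # Implicit grant: the access token rides in the URL fragment, so the user
            # agent sees it, and no refresh token is issued (as the article notes).
            tok = self._issue(with_refresh=False)
            return f"{redirect_uri}#{urlencode({'access_token': tok['access_token'], 'state': state})}"
        raise ValueError("unsupported response_type")

    def token(self, grant_type, client_id, client_secret=None, code=None) -> dict:
        """Back channel token endpoint; confidential clients must authenticate."""
        client = self.clients.get(client_id)
        if client is None:
            raise PermissionError("unknown client")
        if client["secret"] is not None and client_secret != client["secret"]:
            raise PermissionError("client authentication failed")
        if grant_type == "authorization_code":
            # Codes are single-use and bound to the client that requested them.
            if self.codes.pop(code, None) != client_id:
                raise PermissionError("invalid, reused or foreign code")
            return self._issue(with_refresh=True)
        if grant_type == "client_credentials":
            if client["secret"] is None:
                raise PermissionError("public clients cannot use client_credentials")
            return self._issue(with_refresh=False)  # a choice of this toy; servers differ
        raise ValueError("unsupported grant_type")

def run_code_flow(srv: ToyAuthServer) -> dict:
    """Server-side app: the code arrives by redirect and is exchanged on the back channel."""
    state = secrets.token_urlsafe(8)
    callback = srv.authorize("web-backend", "https://app.example.test/cb", "code", state)
    query = parse_qs(urlparse(callback).query)
    if query["state"][0] != state:  # the callback must carry the state we generated
        raise PermissionError("state mismatch")
    return srv.token("authorization_code", "web-backend", "constructed-web-secret", code=query["code"][0])

def run_implicit_flow(srv: ToyAuthServer) -> dict:
    """Browser app: the token is read straight out of the fragment."""
    callback = srv.authorize("spa-frontend", "https://spa.example.test/cb", "token", "s1")
    return {"access_token": parse_qs(urlparse(callback).fragment)["access_token"][0]}

def run_client_credentials(srv: ToyAuthServer) -> dict:
    # Service-to-service call with the client's own credentials, no user involved.
    return srv.token("client_credentials", "batch-service", "constructed-batch-secret")

def _rejected(call) -> bool:
    try:
        call()
    except PermissionError:
        return True
    return False

def demo() -> dict:
    """Run all three grants and the checks the server must enforce; returns a summary."""
    srv = ToyAuthServer()
    code_tokens, implicit_tokens = run_code_flow(srv), run_implicit_flow(srv)
    cc_tokens = run_client_credentials(srv)
    return {
        "code_has_refresh": "refresh_token" in code_tokens,
        "implicit_has_refresh": "refresh_token" in implicit_tokens,
        "cc_has_access": "access_token" in cc_tokens,
        "codes_outstanding": len(srv.codes),
        "wrong_redirect_rejected": _rejected(lambda: srv.authorize("web-backend", "https://other.example.test/cb", "code", "s")),
        "wrong_secret_rejected": _rejected(lambda: srv.token("client_credentials", "batch-service", "not-the-secret")),
        "public_client_cc_rejected": _rejected(lambda: srv.token("client_credentials", "spa-frontend")),
    }
```

Running `demo()` shows the points the article makes: only the code grant yields a refresh token, the implicit token is exposed in the fragment, the redirect URI must match what was registered, a confidential client is refused without its secret, and a code cannot be reused.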

JWT tokens and their advantages

JWT (JSON Web Token) is an open standard (https://tools.ietf.org/html/rfc7519).

According to the standard, a token consists of three base64-encoded parts separated by dots. The first part is called the header; it contains the token type and the name of the hash algorithm used to produce the digital signature. The second part stores the actual data (user, attributes, and so on). The third part is the digital signature.

Do not store tokens in your database. A valid token is equivalent to a password, so storing a token is like storing a password in plain text.

An access token is a token that grants its holder access to protected server resources. It usually has a short lifetime and may carry additional information, such as the IP address of the party that requested it.

A refresh token is a token that allows a client to request new access tokens after their lifetime has expired. These tokens are usually issued for a long period.

Main advantages in a microservice architecture:

  • Access to various applications and services after a single authentication.
  • When required attributes are missing from the user profile, the token can be enriched with data added to the payload, including automatically and on the fly.
  • No need to keep state about active sessions: the application server only needs to verify the signature.
  • More flexible access control by adding attributes to the payload.
  • Signing the token's header and payload raises the security of the solution as a whole.

JWT token - composition

Header - by default the header contains only the token type and the algorithm used to sign the token.

The token type is stored in the "typ" key. The "typ" key is ignored by JWT implementations. If the "typ" key is present, its value must be JWT to indicate that this object is a JSON Web Token.

The second key, "alg", defines the algorithm used to sign the token. By default it is set to HS256. The header is base64 encoded.

{ "alg": "HS256", "typ": "JWT" }
Payload (contents) - the payload stores the information that needs to be verified. Each key in the payload is called a "claim". For example, suppose an application can only be joined by invitation (a closed promotion). When we want to invite someone to participate, we send them an invitation e-mail. It is important to verify that the e-mail address belongs to the recipient of the invitation, so we include this address in the payload, storing it in the "email" claim.

{ "email": "example@x5.ru" }

The keys in the payload can be arbitrary. However, some are reserved:

  • iss (Issuer) - identifies the application that issued the token.
  • sub (Subject) - defines the subject of the token.
  • aud (Audience) - an array of case-sensitive strings or URIs that lists the intended recipients of this token. When a recipient receives a JWT with this claim, it must check that it is in the list of recipients, and otherwise ignore the token.
  • exp (Expiration Time) - indicates when the token expires. The JWT standard requires all implementations to reject expired tokens. The exp claim must be a unix timestamp.
  • nbf (Not Before) - a unix timestamp that sets the moment from which the token is valid.
  • iat (Issued At) - the time the token was issued; it can be used to determine the age of the JWT. The iat claim must be a unix timestamp.
  • jti (JWT ID) - a case-sensitive string that uniquely identifies this token.

It is important to understand that the payload is not transmitted in encrypted form (although tokens can be nested, and encrypted data can be transmitted that way). Therefore it must not hold confidential information. Like the header, the payload is base64 encoded.

Signature - once we have the header and the payload, we can compute the signature.

The base64-encoded header and payload are joined into one string with a dot. This string and the secret key are then fed into the signing algorithm named in the header (the "alg" key). The key can be any string. Longer strings are preferable, since guessing them takes longer.

For comparison, the header of an encrypted (JWE) token names both a key-wrapping algorithm and a content-encryption algorithm:

{"alg":"RSA1_5","enc":"A128CBC-HS256"}

Building a Keycloak failover cluster architecture

When a single cluster serves all projects, the demands on the SSO solution grow. While the number of projects is small, these demands are not felt by every project; however, as the number of users and integrations grows, the requirements for availability and performance increase.

The rising risk of a single SSO failing raises the requirements for the solution architecture and for the methods used to make its components redundant, and leads to a very strict SLA. In this respect, during development or at the early stages of adoption, projects most often have their own non-fault-tolerant infrastructure. As they grow, room for development and scaling has to be built in. The most flexible way to build fault tolerance is with container virtualization or a hybrid approach.

To operate in Active/Active and Active/Passive clusters, data consistency in the relational database must be ensured: both database cluster nodes must be synchronously replicated between the geo-distributed data centers.

The simplest example of a high-availability installation.

What the benefits of using a cluster are:

  • Fault tolerance and high availability.
  • Support for the operating modes Active/Active and Active/Passive.
  • Dynamic scaling when container virtualization is used.
  • Centralized management and monitoring.
  • A unified approach to identification / authentication / authorization of users across projects.
  • More transparent interaction between different projects without user involvement.
  • Reuse of the JWT token across different projects.
  • A single point of trust.
  • Faster launch of projects using microservices / container virtualization (no need to deploy and configure additional components).
  • The option to buy commercial support from the vendor.

What to consider when planning a cluster

DBMS

Keycloak uses a relational DBMS to store realms, clients, users and so on.
A variety of DBMSs are supported: MS SQL, Oracle, MySQL, PostgreSQL. Keycloak also ships with its own built-in relational database. It is recommended only for unloaded environments, such as development environments.

To operate in Active/Active and Active/Passive clusters, data consistency in the relational database must be ensured, and both database cluster nodes must be synchronously replicated between the data centers.

Distributed cache (Infinispan)

For the cluster to work correctly, the following cache types must additionally be synchronized using JBoss Data Grid:

Authentication sessions - used to store data while a particular user is being authenticated. Requests to this cache usually involve only the browser and the Keycloak server, not the application.

Action tokens - used for scenarios where the user must confirm an action asynchronously (by e-mail). For example, during the forgot-password flow the actionTokens Infinispan cache stores metadata about action tokens that have already been used, so that they cannot be reused.

Caching and invalidation of persistent data - used to cache persistent data and avoid unnecessary queries to the database. When one Keycloak server updates the data, all other Keycloak servers in all data centers must learn about it.

Work - used only to send invalidation messages between cluster nodes and data centers.

User sessions - used to store data about user sessions that are valid for the duration of the user's browser session. This cache must handle HTTP requests from both the end user and the application.

Brute force protection - used to track data about failed logins.

Load balancing

The load balancer is the single entry point to Keycloak and must support sticky sessions.

Application servers

They manage the interaction of the components with each other and can be virtualized or containerized with existing automation tools and the auto-scaling features of infrastructure automation tools. The most common scenarios are deployment in OpenShift, Kubernetes or Rancher.

This concludes the first, theoretical part. The following articles will cover examples of integration with various identity providers and configuration examples.

Source: www.hab.com
