X5 Retail Group is no exception: in any large company, the number of projects that need user authorization grows as the company grows. Over time it becomes necessary to move users seamlessly from one application to another, and the need for a single Single Sign-On (SSO) server appears. But what if an identity provider such as AD, which lacks the additional attributes the projects need, is already in use across various projects? A class of systems called "identity brokers" comes to the rescue. The most functional representatives are Keycloak and Gravitee Access Management. In most cases the use cases differ (machine-to-machine interaction, user participation, and so on), so the solution must support flexible and scalable functionality that can combine all of these requirements in one place. Our company now has such a solution: the identity broker Keycloak.
Keycloak is an open-source identity and access control product maintained by Red Hat. It is the basis of Red Hat's commercial SSO product, Red Hat Single Sign-On (RH-SSO).
Concepts
Before working on the solution and the approach, the terminology and the order of the process need to be defined.
Identification - the procedure of recognizing a subject by its identifier (that is, by a name, login or number).
Authentication - the procedure of verifying that identity (a user is checked by password, a letter by digital signature).
Authorization - granting access to a resource (for example, e-mail).
Identity broker Keycloak
Keycloak is an open-source identity and access management solution designed for use in information systems where microservice architecture patterns can be applied.
Keycloak provides single sign-on (SSO), identity brokering and social login, user federation, client adapters, an admin console and an account management console.
Basic features supported by Keycloak:
- Single sign-on and single sign-out for browser applications.
- OpenID Connect / OAuth 2.0 / SAML support.
- Identity brokering - authentication through external OpenID Connect or SAML identity providers.
- Social login - support for Google, GitHub, Facebook and Twitter for user identification.
- User federation - synchronization of users from LDAP servers, Active Directory servers and other identity providers.
- Kerberos bridge - uses a Kerberos server for automatic user authentication.
- Admin console - centralized management of the configuration and solution options through the web.
- Account management console - for self-service management of the user profile.
- Customization of the solution to the company's corporate identity.
- 2FA - TOTP/HOTP support using Google Authenticator or FreeOTP.
- Login flows - user self-registration, password recovery and reset, and so on.
- Session management - administrators can manage user sessions from a single point.
- Token mappers - bind user attributes, roles and other required attributes into tokens.
- Realms - flexible policy management across applications and user populations.
- CORS support - the client adapters have built-in CORS support.
- Service Provider Interfaces (SPI) - a large number of SPIs for customizing various aspects of the server: authentication flows, identity providers, protocol mapping, and more.
- Client adapters for JavaScript applications, WildFly, JBoss EAP, Fuse, Tomcat, Jetty and Spring.
- Support for any application that uses an OpenID Connect Relying Party library or a SAML 2.0 Service Provider library.
- Extensible through plugins.
The REST API and the Java API can be used to automate CI/CD and administration processes in Keycloak. The documentation is available online:
REST API
Java API
Enterprise identity providers (on-premises)
Users can be authenticated through the user federation service.
Pass-through authentication can be used: if users authenticate to their workstations with Kerberos (LDAP or AD), they are authenticated to Keycloak automatically, without entering a username and password again.
For user authentication and subsequent authorization, a relational DBMS can be used; this is most suitable for development environments because it does not require time-consuming configuration or integration in the early stages of a project. By default Keycloak uses an embedded DBMS to store its configuration and user data.
The list of supported DBMS is wide and includes MS SQL, Oracle, PostgreSQL, MariaDB and others. Tested so far: Oracle 12C Release1 RAC and a Galera 3.12 cluster for MariaDB 10.1.19.
Identity providers - social login
Login through social networks is possible. It is enabled in the Keycloak admin console: no changes to the application code are needed, the function is available out of the box and can be activated at any stage of the project.
OpenID Connect / SAML identity providers can also be used for user authentication.
Typical authorization scenarios using OAuth2 in Keycloak
Authorization Code Flow - used in server-side applications. It is one of the most common grant types because it suits server applications whose source code and client credentials are not available to outsiders. The process is based on redirection: the application must be able to interact with a user agent (such as a web browser) in order to receive the authorization code that is returned through that user agent.
Implicit Flow - used by mobile or web applications (applications that run on the user's device).
The implicit grant type is used in mobile and web applications that cannot guarantee the confidentiality of the client. It also uses user-agent redirection, but the access token itself is handed to the user agent for further use in the application. This makes the token available to the user and to other applications on the user's device. This grant type does not authenticate the identity of the application, and the process relies entirely on the redirect URL (registered in advance with the service).
The implicit flow does not support refresh tokens for access tokens.
Client Credentials Grant Flow - used when an application accesses an API. This grant type is typically used for server-to-server interaction that must run in the background, without immediate user involvement. The client credentials grant lets a web service (a confidential client) use its own credentials to authenticate when calling another web service, rather than impersonating a user. For a higher level of security, the calling service can use a certificate (instead of a shared secret) as its credential.
The OAuth2 specification itself is described in RFC 6749.
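The two flows above that a server-side application actually uses (Authorization Code and Client Credentials), plus the admin REST API call mentioned earlier for CI/CD automation, as an added example that is not part of the original article and not Keycloak's own code. It assumes a WildFly-based Keycloak under the hypothetical base URL https://sso.example.com/auth (the newer Quarkus distribution drops the /auth prefix), a realm named demo, and a hypothetical redirect URI; the endpoint paths and grant parameters are Keycloak's standard OpenID Connect ones. Request construction is separated from sending so that the wire format, and the state check on the callback, can be inspected offline.

```python
import base64
import json
import secrets
import urllib.parse
import urllib.request
from dataclasses import dataclass, field

# Assumed deployment (hypothetical values for this example). Quarkus-based
# Keycloak serves the same paths without the "/auth" prefix.
BASE_URL = "https://sso.example.com/auth"
REALM = "demo"
REDIRECT_URI = "https://app.example.com/callback"


@dataclass
class HttpRequest:
    """A request prepared offline; send() puts it on the wire."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def _endpoint(realm: str, name: str) -> str:
    return f"{BASE_URL}/realms/{realm}/protocol/openid-connect/{name}"


def _form(params: dict) -> bytes:
    return urllib.parse.urlencode(params).encode()


def basic_auth(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication used by confidential clients at the token endpoint."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def build_authorization_url(client_id: str, state: str, scope: str = "openid") -> str:
    """Authorization Code flow, step 1: the URL the browser is redirected to.
    `state` is random per login and is compared on the callback (CSRF check).
    response_type=token here would be the implicit flow, which the text above
    reserves for clients that cannot keep a secret."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return _endpoint(REALM, "auth") + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: pull the one-time code out of the redirect back to the app,
    refusing it unless the state matches what this session generated."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    if "code" not in query:
        raise ValueError("authorization server returned no code: %s" % query.get("error"))
    return query["code"][0]


def exchange_code(client_id: str, client_secret: str, code: str) -> HttpRequest:
    """Step 3, done server-side and never in the browser: trade the code for tokens.
    The client secret is what authenticates the application; the implicit flow has no such step."""
    return HttpRequest("POST", _endpoint(REALM, "token"),
                       {"Authorization": basic_auth(client_id, client_secret),
                        "Content-Type": "application/x-www-form-urlencoded"},
                       _form({"grant_type": "authorization_code", "code": code,
                              "redirect_uri": REDIRECT_URI}))


def client_credentials(client_id: str, client_secret: str) -> HttpRequest:
    """Client Credentials grant: service-to-service, no user, no redirect."""
    return HttpRequest("POST", _endpoint(REALM, "token"),
                       {"Authorization": basic_auth(client_id, client_secret),
                        "Content-Type": "application/x-www-form-urlencoded"},
                       _form({"grant_type": "client_credentials"}))


def admin_token(username: str, password: str) -> HttpRequest:
    """Password grant against the built-in admin-cli client of the master realm,
    which is how the kcadm.sh tool obtains a token for the admin REST API."""
    return HttpRequest("POST", _endpoint("master", "token"),
                       {"Content-Type": "application/x-www-form-urlencoded"},
                       _form({"grant_type": "password", "client_id": "admin-cli",
                              "username": username, "password": password}))


def create_client(access_token: str, client_repr: dict) -> HttpRequest:
    """Admin REST API: register a client in the realm from a CI/CD pipeline."""
    return HttpRequest("POST", f"{BASE_URL}/admin/realms/{REALM}/clients",
                       {"Authorization": "Bearer " + access_token,
                        "Content-Type": "application/json"},
                       json.dumps(client_repr).encode())


def send(req: HttpRequest) -> dict:
    """Put a prepared request on the wire and decode the JSON reply (needs a live server)."""
    r = urllib.request.Request(req.url, data=req.body or None,
                               headers=req.headers, method=req.method)
    with urllib.request.urlopen(r) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorization_url("my-app", state))
    # After login Keycloak redirects to REDIRECT_URI?code=...&state=...; then:
    # tokens = send(exchange_code("my-app", "<secret>", parse_callback(callback_url, state)))
```

The token endpoint answers with access_token, refresh_token and expires_in; for the client credentials request there is no user and Keycloak issues the token to the service account of that client, so the roles it carries are the ones assigned to the service account, not to any person.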
JWT tokens and their advantages
JWT (JSON Web Token) is an open standard (RFC 7519).
According to the standard, a token consists of three Base64-encoded parts separated by dots. The first part, called the header, contains the token type and the name of the hash algorithm used to produce the digital signature. The second part stores the basic information (user, attributes, and so on). The third part is the digital signature.
Do not store tokens in the database. A valid token is equivalent to a password, so storing a token is the same as storing a password in clear text.
Access token - a token that grants its holder access to protected server resources. It usually has a short lifetime and may carry additional information, such as the IP address of the party that requested the token.
Refresh token - a token that lets the client request a new access token after the old one expires. These tokens are usually issued for a long period.
The main advantages of using JWT in a microservice architecture are:
- A single authentication gives access to various applications and services.
- If a number of required attributes are missing from the user profile, the token can be enriched with data added to the payload, including data generated automatically or on the fly.
- There is no need to store information about active sessions; a server application only has to verify the signature.
- More flexible access control through additional attributes in the payload.
- Signing the header and payload raises the security of the solution as a whole.
JWT token - structure
Header - by default the header contains only the token type and the algorithm used for the signature.
The token type is stored in the "typ" key (a key spelled "type" is not recognized by JWT). If the "typ" key is present, its value must be JWT to indicate that the object is a JSON Web Token.
The second key, "alg", defines the algorithm used to sign the token; here it is HS256. The header is base64-encoded:
{ "alg": "HS256", "typ": "JWT" }
Payload (content) - the payload stores the information that needs to be verified. Each key in the payload is known as a "claim". For example, suppose an application can be joined by invitation only (a closed promotion). When someone is invited to participate, an invitation is sent to them. It is important to verify that the e-mail address belongs to the person accepting the invitation, so that address is placed in the payload under the email key (the address is a placeholder):
{ "email": "user@example.com" }
The keys in the payload are arbitrary, but several are reserved:
- iss (issuer) - identifies the application that issued the token.
- sub (subject) - defines the subject of the token.
- aud (audience) - the list of intended recipients of the token, a case-sensitive string or an array of URIs. When a recipient receives a JWT with this key, it must check that it is itself listed among the recipients; otherwise it must ignore the token.
- exp (expiration time) - indicates when the token expires. The JWT standard requires every implementation to reject expired tokens. The exp value must be a UNIX timestamp.
- nbf (not before) - a UNIX timestamp defining the moment from which the token becomes valid.
- iat (issued at) - the time at which the token was issued, which can be used to determine the age of the JWT. The iat value must be a UNIX timestamp.
- jti (JWT ID) - a case-sensitive string that serves as the unique identifier of the token.
It is important to understand that the payload is not transmitted in encrypted form (although tokens can be nested, and encrypted data can be transmitted that way), so secret information must not be stored in it. Like the header, the payload is Base64-encoded.
Signature - once the header and payload are available, the signature can be computed.
The Base64-encoded header and payload are joined into one string with a dot. This string and the secret key are then fed to the signature algorithm named in the header (the "alg" key). The key can be any string; a longer string is preferable because it takes longer to brute-force.
A nested, encrypted token (JWE) instead declares the key-wrapping and content-encryption algorithms in its header, for example:
{"alg":"RSA1_5","enc":"A128CBC-HS256"}
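The header/payload/signature construction described above, with the signature computed exactly as the text says and the reserved claims (iss, aud, exp, nbf) checked on the way back, as an added example that is not part of the original article and not Keycloak's code. It uses only the Python standard library and HS256, the algorithm the text uses; Keycloak itself signs its tokens with RS256 by default and a resource server verifies them against the realm's public keys, but the claim checks are the same. Issuer, audience and key values are hypothetical. It also shows the two failure modes a practitioner cares about: the payload is readable without the key, and a token whose header claims alg "none" or a different algorithm must be rejected before its signature is even looked at.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signing_input(header: dict, payload: dict) -> str:
    # compact JSON, then base64url(header) + "." + base64url(payload)
    return ".".join(b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, payload))


def issue_hs256(payload: dict, key: bytes) -> str:
    """Build header.payload.signature; the signature is HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _signing_input(header, payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def peek_claims(token: str) -> dict:
    """Read the payload WITHOUT the key: it is only base64, not encrypted,
    which is why secrets must never be placed in it."""
    return json.loads(b64url_decode(token.split(".")[1]))


class InvalidToken(Exception):
    pass


def verify_hs256(token: str, key: bytes, issuer: str, audience: str,
                 now: Optional[int] = None, leeway: int = 0) -> dict:
    """Verify the signature first, then the reserved claims; return the claims."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise InvalidToken("token must have exactly three dot-separated parts")
    header = json.loads(b64url_decode(h))
    # The verifier, not the token, decides the algorithm: accepting "none" or
    # an RS256->HS256 switch would let an attacker forge tokens.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise InvalidToken("bad signature")
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud   # aud may be a string or an array
    if audience not in aud:
        raise InvalidToken("token not intended for this audience")
    if "exp" not in claims or now >= claims["exp"] + leeway:
        raise InvalidToken("token expired or has no exp")
    if now + leeway < claims.get("nbf", 0):
        raise InvalidToken("token not yet valid")
    return claims


if __name__ == "__main__":
    key = b"a-long-random-secret-of-at-least-32-bytes!!"   # hypothetical shared secret
    iss = "https://sso.example.com/auth/realms/demo"        # hypothetical issuer
    t = int(time.time())
    token = issue_hs256({"iss": iss, "sub": "u1", "aud": "my-app",
                         "iat": t, "nbf": t, "exp": t + 300, "jti": "id-1"}, key)
    print(token)
    print(peek_claims(token))                       # readable without the key
    print(verify_hs256(token, key, iss, "my-app"))  # signature and claims checked
```

A short leeway (tens of seconds) absorbs clock skew between the issuer and the resource server; anything larger silently extends every token's lifetime.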
Building a Keycloak failover cluster architecture
When a single cluster is used for all projects, the requirements on the SSO solution increase. While the number of projects is small these requirements are not very noticeable, but as the number of users and integrations grows, so do the availability and performance requirements.
As the risk of a single SSO failure grows, so do the requirements on the solution architecture and on the methods used to make components redundant, and the SLA becomes very strict. In this regard, in the early stages of developing or implementing a solution, projects often have their own infrastructure that is not fault-tolerant. As development progresses, room for growth and expansion must be provided. Building a failover cluster on container virtualization or on a hybrid approach is the most flexible option.
To operate in Active/Active and Active/Passive cluster modes, data consistency in the relational database must be ensured, and both database nodes must be replicated synchronously between the geographically distributed data centers.
The simplest example of a fault-tolerant installation (figure).
Advantages of using a single cluster:
- High availability and performance.
- Support for both operating modes: Active/Active and Active/Passive.
- Ability to scale dynamically when container virtualization is used.
- Centralized management and monitoring.
- A unified approach to identification/authentication/authorization of users across projects.
- More transparent interaction between different projects without user involvement.
- Ability to reuse JWT tokens across different projects.
- A single point of trust.
- Faster project launch with microservices/container virtualization (no need to bring up and configure additional components).
- Commercial support can be purchased from the vendor.
Things to consider when planning a cluster
DBMS
Keycloak uses a database management system to store realms, clients, users and so on.
A wide range of DBMS is supported: MS SQL, Oracle, MySQL, PostgreSQL and others. Keycloak ships with its own embedded relational database, which is recommended only for unloaded environments such as development.
Operating in Active/Active and Active/Passive cluster modes requires data consistency in the relational database, with both database cluster nodes replicated synchronously between the data centers.
Distributed cache (Infinispan)
For the cluster to work correctly, the following types of cache must additionally be synchronized using JBoss Data Grid (Infinispan):
Authentication sessions - used to store data while a particular user is authenticating. Requests to this cache usually involve only the browser and the Keycloak server, not the application.
Action tokens - used in scenarios where the user has to confirm an action asynchronously (via e-mail), for example in the forgot-password flow. The actionTokens Infinispan cache tracks metadata about action tokens that have already been used, so that they cannot be reused.
Caching and invalidation of persistent data - used to cache persistent data in order to avoid unnecessary database queries. When any Keycloak server updates data, all other Keycloak servers in all data centers must learn about it.
Work - used only to send invalidation messages between cluster nodes and data centers.
User sessions - used to store data about user sessions that live for the duration of the user's browser session. This cache must handle HTTP requests from end users and from applications.
Brute-force protection - used to track data about failed logins.
Load balancing
The load balancer is the single entry point to Keycloak and must support sticky sessions.
Application servers
Application servers can be virtualized or containerized using the existing automation tooling that controls interaction between components, with dynamic scaling provided by the infrastructure automation tools. The most common deployment scenarios are OpenShift, Kubernetes and Rancher.
This concludes the first, theoretical part. The next articles in the series will look at examples of integration with various identity providers and at configuration examples.
Source: habr.com