OpenID Connect: authorization of internal applications, from a home-grown scheme to a standard

A few months ago I was implementing an OpenID Connect server to manage access to hundreds of our internal applications. We moved from our own in-house solution, which was convenient at a small scale, to a recognized standard. Access through a central service makes routine operations much simpler, lowers the cost of implementing authorization, and lets you pick up ready-made solutions instead of racking your brains inventing new ones. In this article I will talk about that transition and the bumps we managed to hit along the way.


Long, long ago... How it all began

A few years ago, when the internal services became too numerous to manage access by hand, we wrote a form for controlling access within the company. It was a simple Rails application connected to a database of employee information, in which access to the various features was configured. At the same time we brought up the first SSO, which was based on verifying tokens both on the client side and on the authorization server; the token was passed in an encoded form together with several parameters and verified on the authorization server. This was not the most convenient option, because every internal application had to implement a considerable layer of logic, and the employee databases were fully synchronized with the authorization server.

After a while we decided to simplify the task of centralized authorization. The SSO was moved onto the load balancer. With the help of OpenResty, a Lua template was added that checked tokens, knew which application a request was going to, and could check whether the user had access to it. This approach greatly simplified access control for internal applications: no extra logic had to be written in each application's code any more. As a result, we closed off external traffic, but the application itself knew nothing about authorization.

However, one problem remained. What about applications that need employee data? It was possible to write an API for the authorization service, but then extra logic would have to be added to every such application. In addition, we wanted to remove our internal authorization server's dependency on one of our home-grown applications, which was being prepared for release as open source. We will tell that story another time. The solution to both problems was OAuth.

Towards recognized standards

OAuth is a well-understood, generally accepted authorization standard, but since its functionality alone is not enough, OpenID Connect (OIDC) was considered right away. OIDC itself is the third implementation of the open authentication standard, which has grown into an extension on top of the OAuth 2.0 (Open Authorization) protocol. This solution closes the problem of missing end-user data and also makes it possible to change the authorization provider.

However, we did not pick a specific provider; we decided to add OIDC integration to our existing authorization server. This decision was supported by the fact that OIDC is very flexible when it comes to end-user authorization. So it was quite feasible to implement OIDC support on top of our own authorization server.


Our approach to implementing our own OIDC server

1) Bring the data into the required form

To integrate OIDC, the existing data has to be brought into a form the standard understands. In OIDC these are called Claims. Claims are essentially the final fields of the user data store (name, email, phone, and so on). There is a standard list of claims, and anything not on that list is considered custom. So the first thing to pay attention to if you intend to choose an existing OIDC provider is how conveniently it lets you define new claims.

A group of claims is combined into the next unit, the Scope. During authorization, access is requested not to specific claims but to scopes, even if some of the claims in the scope are not needed.

2) Implement the required grants

The next step of OIDC integration is to choose and implement the authorization types, called grants. The subsequent scenarios of interaction between a given application and the authorization server depend on the chosen grant. A rough scheme for choosing a suitable grant is shown in the figure below.

[Figure: rough flowchart for choosing a grant type]

For our first application we used the most common grant, Authorization Code. What distinguishes it from the others is that it is three-step, i.e. it goes through an additional check. First the user makes an authorization request and receives an Authorization Code; then, with that code, as with a boarding pass, the application requests an access token. All the main interaction in this authorization scenario is built on redirects between the application and the authorization server. You can read more about this grant here.

OAuth follows the principle that the access tokens received after authorization should be short-lived and preferably rotate roughly every 10 minutes. The Authorization Code grant is a three-step check via redirects; going through it every 10 minutes is, frankly, not the most pleasant thing to watch. To solve this there is another grant, Refresh Token, which we also implemented. Everything is simple here. When another grant completes, in addition to the main access token a second token is issued, the Refresh Token, which can be used only once and whose lifetime is, as a rule, much longer. With this Refresh Token, when the TTL (Time to Live) of the main access token expires, a request for a new access token goes to the endpoint of this other grant. The Refresh Token that was used is invalidated at once. This check is two-step and can be carried out in the background, unnoticed by the user.
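The two mechanisms described in this section and the previous one (claims grouped into scopes, and the Authorization Code grant followed by single-use Refresh Token rotation) are shown together in the following added example. It is not code from the article or from the author's server; the employee record, the custom "employee" scope with its "department" claim, the token lifetimes and the 60-second code lifetime are all constructed for the demo, and a real server would add redirect_uri checks, client authentication and PKCE on top of this.

```python
"""Toy OIDC authorization-server core: claims grouped into scopes, the two-step
Authorization Code exchange, and single-use Refresh Token rotation.
Added example for illustration, not the article's own code."""
import secrets
import time

# Standard scopes map to groups of claims (OIDC Core 5.4). "employee" and its
# "department" claim are a constructed custom scope/claim for this demo.
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {"name", "given_name", "family_name", "locale"},
    "email": {"email", "email_verified"},
    "employee": {"department"},
}

# Constructed employee record; "phone" belongs to no scope and is never released.
USERS = {
    "u-1001": {"sub": "u-1001", "name": "Jane Doe", "given_name": "Jane",
               "family_name": "Doe", "locale": "en", "email": "jane@example.com",
               "email_verified": True, "phone": "+1-555-0100", "department": "SRE"},
}

CODE_TTL = 60             # a code must be exchanged within a minute (assumed)
ACCESS_TTL = 600          # the ~10-minute access-token lifetime the article mentions
REFRESH_TTL = 30 * 86400  # refresh tokens live much longer (assumed value)


class AuthServer:
    def __init__(self, clock=time.time):
        self.clock = clock    # injectable clock so expiry can be tested offline
        self.codes = {}       # code -> (sub, scopes, issued_at)
        self.access = {}      # access token -> (sub, scopes, expires_at)
        self.refresh = {}     # refresh token -> (sub, scopes, expires_at)

    def claims_for(self, sub, scopes):
        """Release only the claims covered by the granted scopes."""
        allowed = set().union(*(SCOPE_CLAIMS[s] for s in scopes))
        return {k: v for k, v in USERS[sub].items() if k in allowed}

    def authorize(self, sub, scopes):
        """Authorization Code grant, step 1: the user is authenticated, issue a code."""
        if "openid" not in scopes or any(s not in SCOPE_CLAIMS for s in scopes):
            raise ValueError("invalid_scope")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (sub, tuple(scopes), self.clock())
        return code

    def _issue(self, sub, scopes):
        now = self.clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = (sub, scopes, now + ACCESS_TTL)
        self.refresh[refresh] = (sub, scopes, now + REFRESH_TTL)
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": ACCESS_TTL,
                "scope": " ".join(scopes)}

    def exchange_code(self, code):
        """Step 2: pop() makes the code single-use; stale codes are rejected."""
        entry = self.codes.pop(code, None)
        if entry is None or self.clock() - entry[2] > CODE_TTL:
            raise ValueError("invalid_grant")
        sub, scopes, _ = entry
        return self._issue(sub, scopes)

    def refresh_grant(self, refresh_token):
        """Refresh Token grant: the presented token is removed before a new pair is issued."""
        entry = self.refresh.pop(refresh_token, None)
        if entry is None or self.clock() > entry[2]:
            raise ValueError("invalid_grant")
        sub, scopes, _ = entry
        return self._issue(sub, scopes)

    def userinfo(self, access_token):
        """userinfo endpoint: requires a live access token, answers scope-filtered claims."""
        entry = self.access.get(access_token)
        if entry is None or self.clock() > entry[2]:
            raise ValueError("invalid_token")
        sub, scopes, _ = entry
        return self.claims_for(sub, scopes)


def attempt(fn, *args):
    """Return the error code a rejected call raises, or 'accepted'."""
    try:
        fn(*args)
        return "accepted"
    except ValueError as e:
        return str(e)


def demo():
    """Walk one client through both grants on a fake clock; returns what was observed."""
    t = [1_700_000_000.0]
    srv = AuthServer(clock=lambda: t[0])
    code = srv.authorize("u-1001", ["openid", "email"])
    first = srv.exchange_code(code)
    out = {"info": srv.userinfo(first["access_token"]),
           "code_replay": attempt(srv.exchange_code, code)}
    t[0] += ACCESS_TTL + 1                                  # access token expires
    out["expired_access"] = attempt(srv.userinfo, first["access_token"])
    second = srv.refresh_grant(first["refresh_token"])       # silent background renewal
    out["renewed_sub"] = srv.userinfo(second["access_token"])["sub"]
    out["refresh_replay"] = attempt(srv.refresh_grant, first["refresh_token"])
    return out
```

Running demo() shows the points the article makes: userinfo returns only sub, email and email_verified for the "openid email" scopes (phone and department are withheld), a replayed code or refresh token is rejected with invalid_grant, and the expired access token is replaced in the background without another redirect dance.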

3) Formats for delivering user data

Once the chosen grants are implemented and authorization works, it is worth talking about how user data is delivered. OIDC has a separate endpoint for this, where you can request the user's data with your current access token, provided it is still valid. If user data rarely changes but you have to hit that endpoint often, you can arrive at a solution such as JWT tokens. These tokens are also supported by the standard. A JWT token consists of three parts: the header (information about the token), the payload (whatever data is needed) and the signature (the token is signed by the server, so the source of the signature can be verified later).

In the OIDC implementation the JWT token is called the id_token. It can be requested together with the regular access token, and all that remains is to verify the signature. For this the authorization server has a separate endpoint with a set of public keys in JWK format. While we are on the subject, it is worth mentioning that there is one more endpoint, defined by the standard's Discovery specification, that shows the current configuration of the OIDC server. It contains all endpoint addresses (including the address of the public keys used for signing), the supported claims and scopes, the signing algorithms in use, the supported grants, and so on.

An example from Google:

{
 "issuer": "https://accounts.google.com",
 "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
 "device_authorization_endpoint": "https://oauth2.googleapis.com/device/code",
 "token_endpoint": "https://oauth2.googleapis.com/token",
 "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
 "revocation_endpoint": "https://oauth2.googleapis.com/revoke",
 "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
 "response_types_supported": [
  "code",
  "token",
  "id_token",
  "code token",
  "code id_token",
  "token id_token",
  "code token id_token",
  "none"
 ],
 "subject_types_supported": [
  "public"
 ],
 "id_token_signing_alg_values_supported": [
  "RS256"
 ],
 "scopes_supported": [
  "openid",
  "email",
  "profile"
 ],
 "token_endpoint_auth_methods_supported": [
  "client_secret_post",
  "client_secret_basic"
 ],
 "claims_supported": [
  "aud",
  "email",
  "email_verified",
  "exp",
  "family_name",
  "given_name",
  "iat",
  "iss",
  "locale",
  "name",
  "picture",
  "sub"
 ],
 "code_challenge_methods_supported": [
  "plain",
  "S256"
 ],
 "grant_types_supported": [
  "authorization_code",
  "refresh_token",
  "urn:ietf:params:oauth:grant-type:device_code",
  "urn:ietf:params:oauth:grant-type:jwt-bearer"
 ]
}

So, using the id_token you can carry all the necessary claims in the token payload and stop contacting the authorization server every time to request user data. The downside of this approach is that a change to the user's data on the server does not arrive instantly, but only together with a new token.
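The relying-party side of what the last two sections describe, as an added example that is not the article's code: read the provider's Discovery document, fetch the key set from jwks_uri, pick the key named in the token's kid header, verify the signature, then check the iss, aud, exp and nonce claims. The Discovery document, key set and tokens are constructed inline. To keep the example on the Python standard library it signs with HS256 and a symmetric "oct" JWK; a real provider (Google's document above lists RS256) publishes RSA public keys, and only the signature step would differ, the kid lookup and claim checks stay the same.

```python
"""Verify an OIDC id_token as a relying party: discovery -> JWKS -> kid lookup
-> signature -> iss/aud/exp/nonce. Added example, not the article's code.
HS256 with an "oct" JWK is used so this runs offline on the standard library."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed provider metadata, shaped like the Google document above.
DISCOVERY = {
    "issuer": "https://idp.example.internal",
    "jwks_uri": "https://idp.example.internal/keys",
    "id_token_signing_alg_values_supported": ["HS256"],
}
# Constructed key set as it would be served at jwks_uri; kty "oct" = symmetric key.
SECRET = b"constructed-demo-key-do-not-reuse"
JWKS = {"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256", "k": b64url_encode(SECRET)}]}


def compact_json(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_id_token(claims: dict, kid: str = "k1") -> str:
    """Provider side: header.payload.signature over the signing input."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = f"{compact_json(header)}.{compact_json(claims)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_id_token(token: str, client_id: str, expected_nonce: str, now=None) -> dict:
    """Relying-party side. Returns the payload, or raises ValueError with a reason."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
    except ValueError:
        raise ValueError("malformed token")
    # 1. The accepted algorithm comes from the Discovery document, never from the
    #    token alone; this rejects alg=none and algorithm-confusion tokens.
    if header.get("alg") not in DISCOVERY["id_token_signing_alg_values_supported"]:
        raise ValueError("unsupported alg")
    # 2. Select the verification key by kid from the published key set.
    key = next((k for k in JWKS["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    # 3. Constant-time signature comparison over the exact bytes received.
    expected = hmac.new(b64url_decode(key["k"]), f"{h_b64}.{p_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    # 4. Claim checks (OIDC Core 3.1.3.7): issuer, audience, expiry, nonce.
    if payload.get("iss") != DISCOVERY["issuer"]:
        raise ValueError("wrong issuer")
    aud = payload.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= payload.get("exp", 0):
        raise ValueError("token expired")
    if payload.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return payload


def demo() -> dict:
    """Run the verifier over constructed good and bad tokens; returns outcome per case."""
    now = 1_700_000_000
    claims = {"iss": DISCOVERY["issuer"], "sub": "u-1001", "aud": "wiki",
              "iat": now, "exp": now + 600, "nonce": "n-123", "email": "jane@example.com"}
    good = sign_id_token(claims)
    h, _, s = good.split(".")
    forged = f"{h}.{compact_json({**claims, 'sub': 'u-0001'})}.{s}"   # payload swapped
    unsigned = f"{compact_json({'alg': 'none', 'kid': 'k1'})}.{compact_json(claims)}."
    cases = {
        "valid": (good, "wiki", "n-123", now),
        "expired": (good, "wiki", "n-123", now + 601),
        "wrong_audience": (good, "other-app", "n-123", now),
        "tampered_payload": (forged, "wiki", "n-123", now),
        "alg_none": (unsigned, "wiki", "n-123", now),
    }
    out = {}
    for name, args in cases.items():
        try:
            verify_id_token(*args)
            out[name] = "ok"
        except ValueError as e:
            out[name] = str(e)
    return out
```

The order of checks matters: the algorithm list and key selection are taken from the provider's own metadata, the signature is checked before any claim is trusted, and only then are iss, aud, exp and nonce compared. demo() exercises a valid token plus the four most common failure modes.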

Results of the implementation

So, having implemented our own OIDC server and configured the connections to it on the application side, we solved the problem of delivering user information.
Since OIDC is an open standard, we now have the option of choosing an existing provider or server implementation. We tried Keycloak, which turned out to be very easy to configure; after installation and a change of connection settings on the application side, it is ready to go. On the application side, all that remains is to change the connection settings.

Speaking of existing solutions

Within our organization, our first OIDC server was our own implementation, which was extended as needed. After a detailed review of other ready-made solutions, we can say that this is a debatable choice. The decision to build our own server was driven by concerns that existing providers lacked functionality we needed, and by the presence of a legacy system that held different custom authorizations for some services and already stored quite a lot of employee data. Ready-made implementations, however, have advantages for integration. For example, Keycloak has its own user management system in which the data is stored directly, and migrating users there is not difficult: Keycloak has an API that lets you perform all the actions needed for the migration.

Another example of a certified and, in my opinion, interesting implementation is Ory Hydra. It is interesting because it is split into separate components. To integrate it, you connect your own user management service to their authorization service and extend it where necessary.

Keycloak and Ory Hydra are not the only ready-made solutions. It is best to choose an implementation certified by the OpenID Foundation. Such solutions usually carry the OpenID Certification badge.


Also, do not forget about the existing paid providers if you do not want to maintain your own OIDC server. There are many good options today.

What's next

In the near future we are going to close off traffic to internal services in a different way. We plan to migrate our current SSO on the OpenResty-based balancer to an OAuth-based proxy. There are plenty of ready-made solutions here as well, for example:
github.com/bitly/oauth2_proxy
github.com/ory/oathkeeper
github.com/keycloak/keycloak-gatekeeper

Further reading

jwt.io - a convenient service for inspecting JWT tokens
openid.net/developers/certified - the list of certified OIDC implementations

Source: www.habr.com
