OpenID Connect: authorization of internal applications, from home-grown to standard

A few months ago I was implementing an OpenID Connect server to handle access for hundreds of our internal applications. From our own home-grown solutions, which had worked well at a small scale, we moved to a generally accepted standard. Access through a central service greatly simplifies routine operations, lowers the cost of implementing authorization, lets you use many ready-made solutions and saves you from racking your brains when building new ones. In this article I will talk about this migration and the bumps we managed to hit along the way.


Long, long ago... How it started

A few years ago, when there were too many internal applications with manually managed access, we wrote an application to control access inside the company. It was a simple Rails application connected to a database with employee information, in which access to various functionality was configured. At the same time we put together our first SSO, which was based on validating a token on the client side and on an authorization server: the token was passed in encrypted form with several parameters and verified on the authorization server. This was not the most convenient option, since every internal application had to implement a large chunk of logic, and the employee database was tightly coupled to the authorization server.

After a while we decided to simplify the task of centralized authorization. The SSO was moved to a gateway. With the help of OpenResty, a Lua template was added that validated tokens, knew which application a request was going to, and could check whether there was access there. This approach greatly simplified the task of controlling access to internal applications: in each application's code there was no longer any need to describe additional logic. As a result, we closed off traffic from outside, and the application itself knew nothing about authorization.

However, one problem remained unsolved. What about applications that need employee information? It was possible to write an API for the authorization service, but then you would have to add extra logic to every such application. On top of that, we wanted to get rid of the dependency of one of our own applications, which is to be released as OpenSource in the future, on our internal authorization server. We will talk about that another time. The solution to both problems was OAuth.

Towards common standards

OAuth is a well-understood, generally accepted authorization standard, but since its functionality alone is not enough, we immediately started looking toward OpenID Connect (OIDC). OIDC itself is the third implementation of an open authentication standard, which took shape as an extension on top of the OAuth 2.0 protocol (an open authorization protocol). This solution closes the problem of missing data about the end user, and also makes it possible to change the authorization provider.

However, we did not choose a different provider and decided to add OIDC support to our existing authorization server. In favor of this decision was the fact that OIDC is very flexible with regard to end-user authorization. So it was possible to implement OIDC support on top of our current authorization server.


Our approach to implementing our own OIDC server

1) Bring the data into the required form

To integrate OIDC, you need to bring the current user data into a form the standard understands. In OIDC these are called Claims. Claims are essentially the fields of the user database (name, email, phone, etc.). There is a standard list of claims, and anything not included in that list is considered custom. Therefore the first thing to pay attention to, if you want to choose an existing OIDC provider, is how conveniently new claims can be added.

Claims are grouped into a further subset: the Scope. During authorization, access is requested not to specific claims but to scopes, even if some of the claims in a scope are not needed.

2) Implement the required grants

The next stage of OIDC integration is selecting and implementing the authorization types, which are called grants. A grant is essentially the scenario of further interaction between the application and the authorization server, depending on the grant chosen. A sample scheme for choosing the appropriate grant is shown in the figure below.

[Figure: scheme for choosing the appropriate grant]

For our first implementation we used the most common grant, Authorization Code. Its difference from the others is that it is three-step, i.e. it goes through extra verification. First, the user makes an authorization request and receives a token, the Authorization Code; then with this token, like a travel ticket, the application requests an access token. All the main interaction in this authorization scenario is built on redirects between the application and the authorization server. You can read more about this grant here.

OAuth follows the principle that access tokens obtained after authorization should be short-lived and should change, preferably every 10 minutes on average. The Authorization Code grant is a three-step verification through redirects, and going through such a step every 10 minutes is, frankly, not the most pleasant thing to watch. To solve this problem there is another grant, Refresh Token, which we also implemented in-house. Everything is simple here. During verification by another grant, in addition to the main access token, one more is issued: the Refresh Token, which can be used only once and whose lifetime is usually long. With this Refresh Token, when the TTL (Time To Live) of the main access token expires, a request for a new access token goes to the endpoint of this other grant. The used Refresh Token is immediately invalidated. This check is two-step and can be done in the background, invisibly to the user.
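The Authorization Code and Refresh Token exchanges from steps 1 and 2, together with the scope-to-claims mapping, as an added Python simulation that is not part of the original article and not the authors' server. Both sides run in one process: `AuthServer` plays the authorization server and `run_flow` plays the application. The client id, client secret, redirect URI, user record and the scope-to-claims table are constructed for the example; PKCE with the S256 challenge method (listed in the Google discovery document later in the article) is added on top of what the article describes, and the refresh token is consumed on first use, as the article specifies.

```python
import base64
import hashlib
import secrets
import time

# Constructed employee record; stands in for the user database the article describes.
USERS = {"u-1001": {"sub": "u-1001", "name": "Ada Example", "email": "ada@example.internal",
                    "phone_number": "+1-555-0100"}}
# Constructed scope -> claims table: which standard claims each scope unlocks.
SCOPE_CLAIMS = {"openid": ["sub"], "profile": ["name"], "email": ["email"], "phone": ["phone_number"]}
# Constructed client registration (hypothetical application "intranet-app").
CLIENTS = {"intranet-app": {"secret": "s3cret-example", "redirect_uri": "https://app.internal/cb"}}

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def pkce_challenge(verifier: str) -> str:
    # S256: BASE64URL(SHA256(code_verifier))
    return b64url(hashlib.sha256(verifier.encode()).digest())

class AuthServer:
    """Minimal authorization server: Authorization Code (with PKCE) and Refresh Token grants."""

    def __init__(self):
        self.codes, self.access, self.refresh = {}, {}, {}

    def authorize(self, client_id, redirect_uri, scope, state, code_challenge, user_sub):
        # The user has already logged in at the server; hand back a one-time, short-lived code.
        if CLIENTS[client_id]["redirect_uri"] != redirect_uri:
            raise ValueError("redirect_uri does not match the registered one")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "scope": set(scope.split()),
                            "challenge": code_challenge, "sub": user_sub, "exp": time.time() + 60}
        return {"code": code, "state": state}  # state is echoed back unchanged

    def token(self, grant_type, client_id, client_secret, **params):
        if CLIENTS.get(client_id, {}).get("secret") != client_secret:
            raise PermissionError("invalid_client")
        if grant_type == "authorization_code":
            rec = self.codes.pop(params["code"], None)  # pop: a code can be redeemed only once
            if rec is None or rec["exp"] < time.time() or rec["client_id"] != client_id:
                raise PermissionError("invalid_grant")
            if pkce_challenge(params["code_verifier"]) != rec["challenge"]:
                raise PermissionError("invalid_grant")  # code was not started by this client instance
            return self._issue(rec["sub"], rec["scope"], client_id)
        if grant_type == "refresh_token":
            rec = self.refresh.pop(params["refresh_token"], None)  # single use, rotated every call
            if rec is None or rec["client_id"] != client_id:
                raise PermissionError("invalid_grant")
            return self._issue(rec["sub"], rec["scope"], client_id)
        raise PermissionError("unsupported_grant_type")

    def _issue(self, sub, scope, client_id, ttl=600):
        at, rt = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[at] = {"sub": sub, "scope": scope, "exp": time.time() + ttl}
        self.refresh[rt] = {"sub": sub, "scope": scope, "client_id": client_id}
        return {"access_token": at, "token_type": "Bearer", "expires_in": ttl,
                "refresh_token": rt, "scope": " ".join(sorted(scope))}

    def userinfo(self, access_token):
        rec = self.access.get(access_token)
        if rec is None or rec["exp"] < time.time():
            raise PermissionError("invalid_token")
        allowed = {c for s in rec["scope"] for c in SCOPE_CLAIMS.get(s, [])}
        return {k: v for k, v in USERS[rec["sub"]].items() if k in allowed}

def _rejected(srv, grant_type, **params):
    try:
        srv.token(grant_type, "intranet-app", "s3cret-example", **params)
        return False
    except PermissionError:
        return True

def run_flow():
    """Application side of the flow; returns the observed outcomes so they can be checked."""
    srv, out = AuthServer(), {}
    verifier = b64url(secrets.token_bytes(32))  # kept by the client until the token request
    state = secrets.token_urlsafe(8)            # binds the callback to this browser session
    # Step 1: user is redirected to the authorization endpoint and back with code + state.
    cb = srv.authorize("intranet-app", "https://app.internal/cb", "openid profile email",
                       state, pkce_challenge(verifier), "u-1001")
    if cb["state"] != state:
        raise ValueError("state mismatch: callback does not belong to this session")
    # Step 2: the code (the "travel ticket") is exchanged for tokens.
    tok = srv.token("authorization_code", "intranet-app", "s3cret-example",
                    code=cb["code"], code_verifier=verifier)
    out["userinfo"] = srv.userinfo(tok["access_token"])  # no phone_number: 'phone' not requested
    out["code_reuse_rejected"] = _rejected(srv, "authorization_code", code=cb["code"], code_verifier=verifier)
    # Step 3: refresh in the background; the old refresh token is consumed.
    tok2 = srv.token("refresh_token", "intranet-app", "s3cret-example", refresh_token=tok["refresh_token"])
    out["new_access_token_differs"] = tok2["access_token"] != tok["access_token"]
    out["refresh_reuse_rejected"] = _rejected(srv, "refresh_token", refresh_token=tok["refresh_token"])
    return out
```

The three checks that matter on the server side are visible as the three `pop`/compare lines: the code is deleted when redeemed, the PKCE verifier must hash to the challenge the code was issued with, and the refresh token is deleted when used, so a leaked code or refresh token that is replayed after the legitimate client has used it is refused. The `state` comparison on the client side is what ties a callback to the session that started the flow.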

3) Set up the data delivery formats

Once the selected grants are implemented and authorization works, it is worth talking about obtaining data about the end user. OIDC has a separate endpoint for this, where you can request the user's data with your access token, provided it is valid. And if the user data does not change often, but you need to read the current state many times, you can arrive at a solution such as JWT tokens. These tokens are also supported by the standard. A JWT token consists of three parts: the header (information about the token), the payload (any required data) and the signature (the token is signed by the server, and you can later verify who signed it).

In the OIDC implementation this JWT token is called the id_token. It can be requested together with the usual access token, and all that remains is to verify the signature. The authorization server has a separate endpoint for this with a set of public keys in JWK format. And while we are on the subject, it is worth mentioning that there is one more endpoint which, following the RFC5785 standard, reflects the current configuration of the OIDC server. It contains all the endpoint addresses (including the address of the public key set used for signing), the supported claims and scopes, the encryption algorithms used, the supported grants and so on.

For example, Google's:

{
 "issuer": "https://accounts.google.com",
 "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
 "device_authorization_endpoint": "https://oauth2.googleapis.com/device/code",
 "token_endpoint": "https://oauth2.googleapis.com/token",
 "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
 "revocation_endpoint": "https://oauth2.googleapis.com/revoke",
 "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
 "response_types_supported": [
  "code",
  "token",
  "id_token",
  "code token",
  "code id_token",
  "token id_token",
  "code token id_token",
  "none"
 ],
 "subject_types_supported": [
  "public"
 ],
 "id_token_signing_alg_values_supported": [
  "RS256"
 ],
 "scopes_supported": [
  "openid",
  "email",
  "profile"
 ],
 "token_endpoint_auth_methods_supported": [
  "client_secret_post",
  "client_secret_basic"
 ],
 "claims_supported": [
  "aud",
  "email",
  "email_verified",
  "exp",
  "family_name",
  "given_name",
  "iat",
  "iss",
  "locale",
  "name",
  "picture",
  "sub"
 ],
 "code_challenge_methods_supported": [
  "plain",
  "S256"
 ],
 "grant_types_supported": [
  "authorization_code",
  "refresh_token",
  "urn:ietf:params:oauth:grant-type:device_code",
  "urn:ietf:params:oauth:grant-type:jwt-bearer"
 ]
}

Thus, using the id_token, you can put all the required claims into the token payload and avoid contacting the authorization server every time you need user data. The downside of this approach is that changes to user data on the server do not arrive immediately, but only together with a new access token.

Implementation results

So, after implementing our own OIDC server and configuring connections to it on the application side, we solved the problem of passing information about users.
Since OIDC is an open standard, we have the option of choosing an existing provider or server implementation. We tried Keycloak, which turned out to be very convenient to set up: after installing it, it is ready to go, and on the application side all that remains is to change the connection settings.
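An added example, not from the article and not from any of the servers it names, of how an application validates an id_token against the discovery document and the JWK set described above. It is pure Python: the RSA key generation and the RSASSA-PKCS1-v1_5 (RS256) signing and verification are written out rather than taken from a library, so the key is a throwaway demo key, and the discovery document, key id (`kid`), client id and claims are all constructed. The signing side is included only so that the validator has something real to check; in production you would fetch the JWKS from the `jwks_uri` of the discovery document over TLS and use a maintained JWT library.

```python
import base64
import hashlib
import hmac
import json
import random
import time

# Constructed discovery document; the real one is served by the well-known endpoint described above.
DISCOVERY = {"issuer": "https://sso.example.internal", "id_token_signing_alg_values_supported": ["RS256"]}
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix for SHA-256

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _probable_prime(n, rounds=16):
    # Miller-Rabin; fine for a demo key, not a production key generator. n is odd and > 3 here.
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa(bits=1024, e=65537):
    primes = []
    while len(primes) < 2:
        c = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if c not in primes and (c - 1) % e and _probable_prime(c):  # e is prime, so gcd(e, phi) == 1
            primes.append(c)
    p, q = primes
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def to_jwk(key, kid):
    n_bytes = key["n"].to_bytes((key["n"].bit_length() + 7) // 8, "big")
    return {"kty": "RSA", "kid": kid, "alg": "RS256", "use": "sig", "n": b64url(n_bytes), "e": b64url(key["e"].to_bytes(3, "big"))}

def _emsa_pkcs1_v15(msg, k):
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(jwk, msg, sig):
    n, e = (int.from_bytes(b64url_decode(jwk[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, _emsa_pkcs1_v15(msg, k))  # compare the whole encoding, not only the hash

def issue_id_token(key, kid, claims):
    dump = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = dump({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + dump(claims)
    return signing_input + "." + b64url(rs256_sign(key, signing_input.encode()))

def validate_id_token(token, discovery, jwks, client_id, now=None):
    now = time.time() if now is None else now
    h64, p64, s64 = token.split(".")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256" or "RS256" not in discovery["id_token_signing_alg_values_supported"]:
        raise ValueError("alg not accepted")  # the token never gets to choose the algorithm
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"), None)
    if jwk is None or not rs256_verify(jwk, f"{h64}.{p64}".encode(), b64url_decode(s64)):
        raise ValueError("unknown kid or bad signature")
    claims = json.loads(b64url_decode(p64))  # payload is trusted only after the signature check
    aud = claims.get("aud")
    if claims.get("iss") != discovery["issuer"] or client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("issuer or audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims

def _rejects(token, jwks, now=None):
    try:
        validate_id_token(token, DISCOVERY, jwks, "intranet-app", now)
        return False
    except ValueError:
        return True

def demo():
    key, kid = generate_rsa(), "sso-key-1"
    jwks = {"keys": [to_jwk(key, kid)]}  # what the server's jwks_uri would return
    now = int(time.time())
    claims = {"iss": DISCOVERY["issuer"], "sub": "u-1001", "aud": "intranet-app", "iat": now, "exp": now + 600, "email": "ada@example.internal"}
    token = issue_id_token(key, kid, claims)
    h64, _, s64 = token.split(".")  # keep the header and signature, swap in a forged payload
    tampered = f"{h64}.{b64url(json.dumps({**claims, 'email': 'admin@example.internal'}).encode())}.{s64}"
    return {"claims": validate_id_token(token, DISCOVERY, jwks, "intranet-app"),
            "tampered_rejected": _rejects(tampered, jwks), "expired_rejected": _rejects(token, jwks, claims["exp"])}
```

The order inside `validate_id_token` is the point: the accepted algorithm comes from the discovery document rather than from the token header, the key is chosen by `kid` from the published set, the signature is verified before any claim is read, and only then are `iss`, `aud` and `exp` compared. Because the payload is signed, editing a claim (the `tampered` token in `demo`) invalidates the signature, which is what makes it safe to carry claims in the id_token instead of calling the userinfo endpoint each time.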

Speaking of existing solutions

Within our organization, the first OIDC server was our own implementation, which was extended as needed. After a detailed review of other ready-made solutions, we can say that this is a debatable choice. In favor of implementing our own server was the concern that providers might lack functionality we needed, along with the existence of a legacy system with various custom authorizations for some services, in which a lot of employee data was already stored. However, ready-made implementations have their own advantages for integration. For example, Keycloak has its own user management system with the data stored directly in it, and it is not hard to migrate your users there: Keycloak has an API that lets you perform all the necessary migration steps in full.

Another example of a certified and, in my opinion, interesting implementation is Ory Hydra. It is interesting because it consists of separate components. To integrate it, you connect your own user management service to their authorization service and extend it as needed.

Keycloak and Ory Hydra are not the only off-the-shelf solutions. It is best to choose an implementation certified by the OpenID Foundation. Such solutions usually carry the OpenID Certification badge.


Also do not forget about the existing paid providers, if you do not want to maintain your own OIDC server. Today there are plenty of good options.

What's next

In the near future we are going to close off traffic to internal services in a different way. We plan to migrate our current SSO, which sits on the OpenResty gateway, to a proxy based on OAuth. There are already many ready-made solutions here, for example:
github.com/bitly/oauth2_proxy
github.com/ory/oathkeeper
github.com/keycloak/keycloak-gatekeeper

Other useful things

jwt.io - a good service for checking JWT tokens
openid.net/developers/certified - the list of certified OIDC implementations

Source: www.habr.com
