OpenID Connect: authorization of internal applications, from custom to standard

A few months ago I implemented an OpenID Connect server to manage access to hundreds of our internal applications. We moved from our own home-grown solution, which was convenient at a small scale, to a generally accepted standard. Access through a central service greatly simplifies repetitive operations, lowers the cost of implementing authorization, lets you pick from many ready-made solutions, and spares you from racking your brains when building new ones. In this article I will talk about this transition and the bumps we managed to hit along the way.


Long ago... How it all began

A few years ago, when there were too many internal applications to manage access by hand, we wrote an application for managing access within the company. It was a simple Rails application connected to a database with information about employees, where access to the various pieces of functionality was configured. At the same time we stood up our first SSO, which was based on verifying tokens between the client side and the authorization server: the token was sent in encrypted form with several parameters and verified on the authorization server. This was not the most convenient option, since each internal application had to implement a large layer of logic, and the employee data had to be fully synchronized with the authorization server.

After a while we decided to simplify the job of centralized authorization. SSO was moved to the load balancer. With OpenResty, a Lua template was added that checked the tokens, knew which application the request was headed to, and could check whether access was granted there. This approach greatly simplified access control for internal applications: the code of each application no longer had to carry any additional logic. As a result, we closed off traffic from outside, and the application itself knows nothing about authorization.

However, one problem remained unsolved. What about applications that need information about employees? It was possible to write an API for the authorization service, but then additional logic would have to be added to every such application. In addition, we wanted to remove the dependency of one of our self-written applications, which was later to be released as open source, on our internal authorization server. We will talk about that some other time. OAuth became the solution to both problems.

Towards common standards

OAuth is a clear, generally accepted authorization standard, but since its functionality alone is not enough, we immediately started considering OpenID Connect (OIDC). OIDC itself is the third generation of the open authentication standard, which has grown into an extension on top of the OAuth 2.0 protocol (an open authorization protocol). This solution closes the gap of missing data about the end user, and also makes it easy to switch the authorization provider.

However, we did not choose a particular provider and decided instead to add OIDC integration to our existing authorization server. In favor of this decision was the fact that OIDC is very flexible with respect to end-user authorization. So it turned out to be possible to implement OIDC support on our existing authorization server.


How we implemented our OIDC server

1) Bring the data into the required form

To integrate OIDC, the existing user data has to be brought into a form the standard understands. In OIDC this is called Claims. Claims are essentially the individual fields of the user database (name, email, phone, etc.). There is a standard list of claims, and anything not on that list is considered custom. So the first thing to look at when choosing an existing OIDC provider is whether custom claims can be defined conveniently.

Claims are grouped into the next larger unit, the Scope. During authorization, access is requested not to individual claims but to scopes, even if some claims in a scope are not needed.

2) Implement the required grants

The next part of OIDC integration is selecting and implementing the authorization types, the so-called grants. The further interaction between a given application and the authorization server depends on the chosen grant. An approximate scheme for choosing the appropriate grant is shown in the picture below.

[Image: scheme for choosing the appropriate grant]

For our first application we used the most common grant, Authorization Code. What sets it apart from the others is that it is a three-step flow, i.e. it goes through an additional verification. First, the user requests authorization and receives a token, the Authorization Code; then, using that code like a boarding pass, the application requests an access token. The whole core interaction of this authorization flow is built on redirects between the application and the authorization server. You can read more about this grant here.

OAuth follows the idea that access tokens obtained after authorization should be short-lived and rotated, preferably about every 10 minutes on average. The Authorization Code grant is a three-step verification through redirects, and going through it every 10 minutes is, to put it mildly, not the most pleasant experience for the user. To solve this problem there is another grant, Refresh Token, which we also used in our own setup. Everything is simple here. During the verification in the other grant, in addition to the main access token, a second token is issued, the Refresh Token, which can be used only once and whose lifetime is usually much longer. With this Refresh Token, when the TTL (Time to Live) of the main access token expires, a request for a new access token goes to the endpoint of this second grant. The used Refresh Token is immediately reset to zero, i.e. invalidated. This check is a two-step one and can be done in the background, invisibly to the user.

3) Set up the custom data output formats

Once the selected grants are implemented and authorization works, it is worth talking about obtaining data about the end user. OIDC has a separate endpoint for this, where you can request user data with your current access token, provided it is still valid. And if the user data does not change often but you need to fetch it many times, you can arrive at a solution such as JWT tokens. These tokens are also supported by the standard. A JWT token consists of three parts: the header (information about the token), the payload (whatever data is needed) and the signature (the token is signed by the server, and you can later verify the source of that signature).

In OIDC this JWT token is called the id_token. It can be requested together with the usual access token, and all that remains is to verify its signature. The authorization server has a separate endpoint for this with a set of public keys in JWK format. And speaking of this, it is worth mentioning that there is another endpoint, based on the RFC 5785 standard, that reflects the current configuration of the OIDC server. It contains all the endpoint addresses (including the address of the public key set used for signing), the supported claims and scopes, the cryptographic algorithms used, the supported grants, etc.

Example from Google:

{
 "issuer": "https://accounts.google.com",
 "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
 "device_authorization_endpoint": "https://oauth2.googleapis.com/device/code",
 "token_endpoint": "https://oauth2.googleapis.com/token",
 "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
 "revocation_endpoint": "https://oauth2.googleapis.com/revoke",
 "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
 "response_types_supported": [
  "code",
  "token",
  "id_token",
  "code token",
  "code id_token",
  "token id_token",
  "code token id_token",
  "none"
 ],
 "subject_types_supported": [
  "public"
 ],
 "id_token_signing_alg_values_supported": [
  "RS256"
 ],
 "scopes_supported": [
  "openid",
  "email",
  "profile"
 ],
 "token_endpoint_auth_methods_supported": [
  "client_secret_post",
  "client_secret_basic"
 ],
 "claims_supported": [
  "aud",
  "email",
  "email_verified",
  "exp",
  "family_name",
  "given_name",
  "iat",
  "iss",
  "locale",
  "name",
  "picture",
  "sub"
 ],
 "code_challenge_methods_supported": [
  "plain",
  "S256"
 ],
 "grant_types_supported": [
  "authorization_code",
  "refresh_token",
  "urn:ietf:params:oauth:grant-type:device_code",
  "urn:ietf:params:oauth:grant-type:jwt-bearer"
 ]
}

So, using the id_token, you can carry all the necessary claims in the token payload and avoid contacting the authorization server every time to request user data. The downside of this approach is that a change in the user data on the server does not arrive immediately, but only together with a new access token.

Implementation results

So, after implementing our OIDC server and configuring the connection to it on the application side, we solved the problem of passing information about users.
Since OIDC is an open standard, we have the option of choosing an existing provider or server implementation. We tried Keycloak, which turned out to be very easy to configure: once it is set up, all that remains on the application side is to change the connection settings, and it is ready to go.

Speaking of existing solutions

Within our organization, the first OIDC server was our own implementation, which was extended as needed. After a detailed review of other ready-made solutions, we can say that this is a debatable choice. In favor of implementing our own server were concerns that the providers lacked the functionality we needed, and the presence of a legacy system with its own separate custom authorization for some services, and much more; the employee data was already stored there. Ready-made implementations, on the other hand, have the advantage of easy integration. For example, Keycloak has its own user management system in which the data is stored directly, and it would not be difficult to migrate your users there. For this, Keycloak has an API that lets you carry out all the necessary migration steps in full.

Another proven and, in my opinion, interesting implementation is Ory Hydra. It is interesting because it is made up of separate components. To integrate it, you would need to connect your own user management service to their authorization service and extend it as needed.

Keycloak and Ory Hydra are not the only off-the-shelf solutions. It is better to choose an implementation certified by the OpenID Foundation. These solutions usually carry the OpenID Certified badge.


And do not forget about the existing paid providers if you do not want to maintain your own OIDC server. Today there are many good options.

What's next

In the near future we are going to close off traffic to internal services in a different way. We plan to move our current SSO from the OpenResty-based load balancer to an OAuth-based proxy. There are already many ready-made solutions here, for example:
github.com/bitly/oauth2_proxy
github.com/ory/oathkeeper
github.com/keycloak/keycloak-gatekeeper

Additional materials

jwt.io - a good service for inspecting and validating JWT tokens
openid.net/developers/certified - list of certified OIDC implementations

Source: www.habr.com
