Spring Boot / Angular single sign-on integration with Keycloak

To be continued

Keycloak

Keycloak provides open-source authentication and access management (authentication and authorization) for modern applications and services. It supports the OpenID Connect, OAuth 2.0 and SAML 2.0 protocols; user registration, user management and permission management; brokering of external OpenID Connect and SAML 2.0 identity providers; social login through GitHub, LinkedIn and other third-party providers; integration with LDAP and Active Directory; and custom authentication flows, custom user interfaces and internationalization.

Keycloak supports Java, C#, Python, Android, iOS, JavaScript, Node.js and other platforms and languages, providing easy-to-use adapters so that SSO can be achieved with only a small amount of code and configuration.

The upcoming Keycloak release is based on Quarkus, a framework tailored for Kubernetes-native Java on GraalVM and OpenJDK HotSpot; its official release is planned for the end of 2019.

Installation

Keycloak is built on the WildFly application server. Download the Standalone Server Distribution from the official website, unpack it and run bin/standalone.sh to start the server. The default database is H2; the configuration can be changed to use another database. For Standalone Clustered Mode, Domain Clustered Mode and further configuration, refer to the official documentation.
By default the server is available locally at http://localhost:8080/auth, where an admin user must first be created before logging in:
Then log in directly to the Admin Console at http://localhost:8080/auth/admin/:

Realm

To protect different applications, separate realms are usually created; data and configuration are independent between realms. The realm created initially is Master, the highest-level realm. Admin users in the Master realm (users granted the admin role) have permission to view and manage any other realm. The master realm should therefore not be used to manage users and applications; it should be reserved for super administrators to create and manage realms.
Each realm has its own dedicated admin console and can have its own administrator accounts. For example, the console of the heroes realm we create next is at http://localhost:8080/auth/admin/heroes/console.
Create the heroes realm: click the drop-down menu in the top left -> Add realm:
The Login tab has several configurable options: user registration, edit username, forgot password, remember me, verify email, login with email, require SSL.
Require SSL has three options: all requests, external requests and none. The default is external requests; in production it should be set to all requests.

  • all requests: every request must come over HTTPS
  • external requests: localhost and private IP addresses may connect without HTTPS
  • none: no client is required to use HTTPS

The Themes tab configures the UI theme and enables internationalization:
The Tokens tab configures the token signature algorithm, expiration times and related settings.

Client

A client is a trusted application within the realm.
The following clients are created automatically when a realm is created:

  • account: account management
  • admin-cli
  • broker
  • realm-management: contains the predefined realm management roles, which must be assigned when creating a realm administrator
  • security-admin-console: the realm admin console

Create the heroes client: click Create at the top right of the Clients page:
Client Protocol keeps the default, openid-connect. Access Type has three options, confidential, public and bearer-only; keep the default, public. A confidential client requires a client secret, but this client will be used in a web application, which has no secure way to hold or transmit the secret, so a public client must be used; as long as HTTPS is strictly enforced, this remains secure. Enter http://localhost:4200/* for Valid Redirect URIs.

Authentication flows:

  • Standard Flow: the Authorization Code Flow of the OAuth 2.0 specification, the recommended flow and the most secure one. After authenticating the user, Keycloak redirects the browser back with a one-time, short-lived Authorization Code, which the browser then exchanges with Keycloak for tokens (identity, access and refresh tokens).
  • Implicit Flow: Keycloak returns the identity and access tokens directly after authenticating the user.
  • Direct Access Grants: the way a REST client obtains tokens, using an HTTP POST request; the response contains the access and refresh tokens.

Call example; the request URL is http://localhost:8080/auth/realms/heroes/protocol/openid-connect/token
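As an added example (not code from the original post), here is how the heroes client builds the requests for the Standard Flow and for Direct Access Grants described above, and applies the same redirect-URI check that Keycloak performs against the Valid Redirect URIs pattern. The username, password, code and state values are placeholders, and nothing is sent over the network.

```python
from urllib.parse import urlencode

KEYCLOAK = "http://localhost:8080/auth"
REALM = "heroes"
CLIENT_ID = "heroes"  # public client: no client_secret is ever sent
AUTH_URL = f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/auth"
TOKEN_URL = f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/token"
VALID_REDIRECT_URIS = ["http://localhost:4200/*"]  # as entered on the client


def redirect_uri_allowed(uri, patterns=VALID_REDIRECT_URIS):
    """Exact match, or prefix match when the pattern ends in '*'.
    The trailing slash in 'http://localhost:4200/*' matters: it keeps
    'http://localhost:42000/' and 'http://localhost:4200.evil.test/' out."""
    for pattern in patterns:
        if pattern.endswith("*"):
            if uri.startswith(pattern[:-1]):
                return True
        elif uri == pattern:
            return True
    return False


def standard_flow_auth_url(redirect_uri, state):
    """Standard Flow, step 1: the browser is sent here to log in.
    'state' is a fresh random value per login and is compared again
    when Keycloak redirects back with the one-time code."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect_uri is not in Valid Redirect URIs")
    return AUTH_URL + "?" + urlencode({
        "client_id": CLIENT_ID, "response_type": "code", "scope": "openid",
        "redirect_uri": redirect_uri, "state": state})


def code_exchange_body(code, redirect_uri):
    """Standard Flow, step 2: POST this form to TOKEN_URL to swap the code
    for identity, access and refresh tokens."""
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "code": code, "redirect_uri": redirect_uri}


def direct_access_grant_body(username, password, *extra_scopes):
    """Direct Access Grants: POST this form to TOKEN_URL. Optional client
    scopes (e.g. 'phone', 'offline_access') are requested via 'scope'."""
    return {"grant_type": "password", "client_id": CLIENT_ID,
            "username": username, "password": password,
            "scope": " ".join(("openid",) + extra_scopes)}
```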

Client Scope

Client Scopes define protocol mappings. Keycloak predefines a number of scopes that every client inherits automatically, so mappers need not be redefined in each client. Client scopes come in two kinds, default and optional: default scopes take effect automatically, while optional scopes take effect only when explicitly requested.
Enabling an optional scope requires the scope parameter:
Only after the corresponding scope is enabled, or a mapper is configured, will the attribute appear in the client's token or userinfo. For example, in the figure above we enabled the phone scope, whose phone mapper defines phone number:
If phoneNumber is defined in the user's attributes, phone_number will then appear in the token; the result can be checked under heroes client -> Client Scopes -> Evaluate:
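An added example, not from the original post, of the checks a resource server should run on the claims of a heroes realm access token, the same information the Evaluate tab shows. The sample token is constructed locally and carries no signature; a real Keycloak token is RS256-signed and its signature must be verified (the Keycloak adapter does this) before any of these claims are trusted.

```python
import base64
import json
import time

ISSUER = "http://localhost:8080/auth/realms/heroes"
CLIENT_ID = "heroes"


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_claims(token):
    """Payload of a compact JWS (header.payload.signature). Only the
    claims are decoded here; signature verification must happen first."""
    header, payload, _signature = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "RS256":
        raise ValueError("unexpected alg: Keycloak realm tokens use RS256")
    return json.loads(_b64url_decode(payload))


def check_claims(claims, now=None):
    """Return the problems found; an empty list means the token belongs
    to the heroes realm, was issued to the heroes client and is current."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("iss is not the heroes realm")
    if claims.get("azp") != CLIENT_ID:
        problems.append("token was not issued to the heroes client")
    if claims.get("typ") != "Bearer":
        problems.append("not an access token")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def make_sample_token(extra_claims, lifetime=300):
    """Constructed sample with the shape of a Keycloak access token.
    The signature segment is left empty: this is test input only."""
    now = int(time.time())
    claims = {"iss": ISSUER, "azp": CLIENT_ID, "typ": "Bearer",
              "iat": now, "exp": now + lifetime, "preferred_username": "alice"}
    claims.update(extra_claims)

    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + "."
```

With the phone scope requested, the constructed token carries phone_number; without it, the claim is absent, which is exactly what the Evaluate tab lets you confirm before wiring the client.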

Role, Group, User

Roles exist at two levels, Realm and Client. The default realm roles are offline_access and uma_authorization.
The OpenID Connect specification defines offline access: the user obtains an offline token at login, and the offline token remains usable after the user logs out. This is useful in many scenarios, for example a daily offline data backup. Obtaining an offline token requires the offline_access role and, in addition, the offline_access scope must be requested. By default offline tokens do not expire, but they must be refreshed every 30 days. Offline tokens can be revoked:
uma_authorization: User-Managed Access

Authentication

Identity Provider

ADFS

Salesforce

Spring Boot

Angular


Origin blog.51cto.com/7308310/2446368