
Quick-start guide: connecting an ASP.NET Core application to Keycloak

發(fā)布時間:2023/12/4 编程问答 26 豆豆
生活随笔 收集整理的這篇文章主要介紹了 aspnetcore 应用 接入Keycloak快速上手指南 小編覺得挺不錯的,現(xiàn)在分享給大家,幫大家做個參考.

Login and authentication are among the most basic functions of a modern web application. Inside an enterprise, several systems usually want one SSO service that manages login and authentication for all corporate users, so that people who use several systems get a consistent experience. Keycloak was built for exactly this scenario. This article briefly covers installing and using Keycloak, then shows how an ASP.NET Core application can be connected to it quickly.

What is Keycloak

Keycloak is an open-source IAM (identity and access management) solution for modern applications and services.

Keycloak provides single sign-on (SSO), supports the OpenID Connect, OAuth 2.0 and SAML 2.0 standard protocols, ships with an easy-to-use admin console, and can federate LDAP and Active Directory as well as social logins such as GitHub and Google, so it works out of the box with very little effort.

Website: https://www.keycloak.org/

Commonly used Keycloak core concepts

The official architecture diagram (not reproduced here) gives the overall picture; the four most commonly used core concepts are:

  • Users: the people (or accounts) who log in to and use the systems

  • Roles: used to manage what users are permitted to do

  • Clients: the applications and services that connect to Keycloak and are protected by it

  • Realms: a realm manages a set of users, credentials, roles, groups and so on. A user belongs to, and can log in to, exactly one realm; realms are isolated from each other, and a realm manages only the users under it

Installing and configuring the Keycloak server

Installing Keycloak

Keycloak can be installed in several ways; Docker is used here for a quick start. The admin/admin credentials below are for a local demo only and must not be used anywhere reachable from outside your machine.

docker run -d --name keycloak \
  -p 8080:8080 \
  -e KEYCLOAK_USER=admin \
  -e KEYCLOAK_PASSWORD=admin \
  jboss/keycloak:13.0.0

Browse to http://localhost:8080, click Administration Console and log in with the credentials above.

    創(chuàng)建Realm

    創(chuàng)建一個新的realm: demo,后續(xù)所有的客戶端、用戶、角色等都在此realm中創(chuàng)建

    創(chuàng)建客戶端
    創(chuàng)建前端應(yīng)用客戶端

    創(chuàng)建一個新的客戶端:KeycloakAuthaspnet,Access Type選擇confidential

About client Access Types

The client above was created with Access Type confidential. Why that type, and how do the access types differ?

Keycloak (at the version used here) offers three access types:

• confidential: for server-side applications that log users in through the browser and can keep a client secret, which they present when exchanging the authorization code for tokens. Typical case: a server-rendered web application.

• public: for applications running on the client that log users in through the browser but cannot keep a secret. Typical case: browser front ends built with Vue, React and the like.

• bearer-only: for server-side services that never perform a browser login and only accept requests carrying a bearer token. Typical case: a RESTful API.

(Newer Keycloak releases replace this dropdown in the admin console with a Client authentication on/off switch: on corresponds to confidential, off to public.)

Only when Access Type is Confidential does the client get a secret: after saving, a Credentials tab appears on the client. Note the Secret shown there; it is needed later in the application's configuration.

    創(chuàng)建用戶和角色
    創(chuàng)建角色

    創(chuàng)建2個角色:admin、user

    還可以創(chuàng)建全局的角色

    ?

    創(chuàng)建用戶

    創(chuàng)建1個用戶:geffzhang

    ?

    綁定用戶和角色
    給geffzhang 用戶分配角色admin和user

    ?

    aspnetcore 應(yīng)用集成Keycloak簡明指南

    ?

    添加 Microsoft.AspNetCore.Authentication.OpenIdConnect? 和? Microsoft.AspNetCore.Identity 包

    ?

<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <TargetFramework>net5.0</TargetFramework>
    <UserSecretsId>afab524d-850e-499a-bc13-98f61ca0eb3b</UserSecretsId>
    <DockerDefaultTargetOS>Linux</DockerDefaultTargetOS>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="5.0.5" />
    <PackageReference Include="Microsoft.AspNetCore.Identity" Version="2.2.0" />
    <PackageReference Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.10.8" />
    <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="5.0.2" />
  </ItemGroup>

</Project>

appsettings.json

The file itself is not reproduced on the page, but the Startup code below reads four keys from a Keycloak section: ServerRealm (the realm's issuer URL; for the demo realm on the jboss/keycloak image above this is http://localhost:8080/auth/realms/demo), ClientId (KeycloakAuthaspnet), ClientSecret (the value from the client's Credentials tab) and Metadata (the realm's discovery document, i.e. ServerRealm followed by /.well-known/openid-configuration). Keep ClientSecret out of source control: the UserSecretsId in the project file lets `dotnet user-secrets set "Keycloak:ClientSecret" "<secret>"` store it locally, and in deployment the same key can be supplied through the environment variable Keycloak__ClientSecret.

using System;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Startup.cs (excerpt); Configuration is the IConfiguration injected into Startup.
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
    services.AddControllersWithViews();

    services.AddAuthentication(options =>
    {
        // The signed-in session lives in a cookie; unauthenticated requests are challenged via OIDC.
        options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie(cookie =>
    {
        // Cookie name and lifetime; the session expires after 60 minutes of inactivity (sliding).
        cookie.Cookie.Name = "keycloak.cookie";
        cookie.Cookie.MaxAge = TimeSpan.FromMinutes(60);
        // SameAsRequest only so the demo works over http://localhost; behind TLS use CookieSecurePolicy.Always.
        cookie.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
        cookie.SlidingExpiration = true;
    })
    .AddOpenIdConnect(options =>
    {
        /*
         * ASP.NET Core listens on http://*:5000 and https://*:5001 by default. Whatever origin the app
         * is reached on (a load balancer on :80/:443 included) must be registered as a Valid Redirect URI
         * on the Keycloak client, or Keycloak rejects the redirect. If you change the ports in
         * launchSettings.json, keep the Keycloak redirect URIs, options.CallbackPath (/signin-oidc)
         * and options.SignedOutCallbackPath (/signout-callback-oidc) in sync.
         */

        // Sign the OIDC identity in to the cookie scheme.
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        // Realm issuer URL, e.g. http://localhost:8080/auth/realms/demo
        options.Authority = Configuration.GetSection("Keycloak")["ServerRealm"];
        // Keycloak client ID
        options.ClientId = Configuration.GetSection("Keycloak")["ClientId"];
        // Client secret from the Credentials tab; supply it via user secrets or the environment, not source control.
        options.ClientSecret = Configuration.GetSection("Keycloak")["ClientSecret"];
        // Discovery document (<Authority>/.well-known/openid-configuration): endpoints and signing keys are fetched from it.
        options.MetadataAddress = Configuration.GetSection("Keycloak")["Metadata"];
        // false only because the demo Keycloak runs on plain http. In production keep the default (true):
        // otherwise the discovery document and signing keys can be tampered with in transit.
        options.RequireHttpsMetadata = false;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        // Store id/access/refresh tokens in the cookie so HttpContext.GetTokenAsync("access_token") works.
        options.SaveTokens = true;
        // Authorization code flow (the handler adds PKCE automatically for "code").
        options.ResponseType = OpenIdConnectResponseType.Code;
        // The default nonce and correlation cookies are SameSite=None, which browsers accept only together
        // with Secure. Over plain http Chrome/Firefox drop them and the callback fails ("Correlation failed",
        // HTTP 500). Omitting the attribute is a local-dev workaround; over HTTPS keep the defaults.
        options.NonceCookie.SameSite = SameSiteMode.Unspecified;
        options.CorrelationCookie.SameSite = SameSiteMode.Unspecified;

        options.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = "name",
            RoleClaimType = ClaimTypes.Role,
            // The accepted issuer is taken from the discovery document's "issuer" value.
            ValidateIssuer = true
        };
    });

    /*
     * Roles defined in Keycloak become ClaimTypes.Role claims only if Keycloak emits them under a claim
     * name the JWT handler maps to ClaimTypes.Role ("role" is in its default inbound claim map) and puts
     * them in the ID token, which is what the ClaimsPrincipal is built from:
     * Keycloak Admin Console -> Client Scopes -> roles -> Mappers -> Create
     *   Name: "role client mapper" (or any name you prefer)
     *   Mapper Type: "User Client Role"
     *   Multivalued: True
     *   Token Claim Name: role
     *   Add to ID token: True
     *   Add to access token: True
     */

    /*
     * Policy-based authorization
     */
    services.AddAuthorization(options =>
    {
        // Either of two roles. Check the claim type, not just the value: matching on the value alone would
        // let a user whose username or display name happens to be "admin" satisfy the policy.
        options.AddPolicy("users", policy =>
            policy.RequireClaim(ClaimTypes.Role, "user", "admin"));
        // A single role
        options.AddPolicy("admins", policy =>
            policy.RequireClaim(ClaimTypes.Role, "admin"));
        // A role nobody holds: every request is denied, which exercises the 403 path
        options.AddPolicy("noaccess", policy =>
            policy.RequireClaim(ClaimTypes.Role, "noaccess"));
    });

    /*
     * Without policies (plain [Authorize] only): comment out the block above and use
     * services.AddAuthorization();
     */
}

With this configuration the application is connected to Keycloak over OIDC. Two pieces the excerpt does not show but the flow depends on: in Startup.Configure the pipeline must call app.UseAuthentication() before app.UseAuthorization(), both between UseRouting and UseEndpoints, and controllers or actions are protected with [Authorize] or [Authorize(Policy = "admins")]. The full code is at: https://github.com/NanoFabricFX/AspNetCore-keycloak/tree/dotnet5.
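The custom mapper described above gives the application a flat role claim. Keycloak's built-in realm-role and client-role mappers instead emit nested JSON (realm_access and resource_access), which by default goes into the access token only and, when enabled for the ID token, arrives in the ClaimsPrincipal as claims whose value is JSON text that no role check understands. The following IClaimsTransformation is an added example, not code from the original post or the linked repository: it flattens those structures into ClaimTypes.Role so the policies above work without a custom mapper. It assumes the built-in mappers have "Add to ID token" switched on, that the client ID is KeycloakAuthaspnet, and the names KeycloakRolesClaimsTransformation and AddKeycloakRoleFlattening are hypothetical.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;

// Added example, not code from the original post or its repository.
// Keycloak's built-in "realm roles" and "client roles" mappers emit nested JSON instead of a flat "role" claim:
//   "realm_access":    {"roles":["admin","user"]}
//   "resource_access": {"KeycloakAuthaspnet":{"roles":["editor"]},"account":{"roles":["view-profile"]}}
// The JWT handler surfaces each as one claim whose value is the JSON text, so RequireClaim(ClaimTypes.Role, ...)
// never matches. This IClaimsTransformation flattens them into ClaimTypes.Role on every authenticated request.
public sealed class KeycloakRolesClaimsTransformation : IClaimsTransformation
{
    private readonly string _clientId;

    // clientId (assumed here: "KeycloakAuthaspnet"): only this client's roles are promoted. Roles Keycloak
    // grants for other clients, such as the built-in "account" client, are deliberately ignored.
    public KeycloakRolesClaimsTransformation(string clientId) => _clientId = clientId;

    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (principal.Identity is ClaimsIdentity identity)
        {
            // Transformations can run more than once per request, so add only roles not already present.
            var present = new HashSet<string>(identity.FindAll(ClaimTypes.Role).Select(c => c.Value));
            foreach (var role in ExtractRoles(identity.Claims, _clientId))
            {
                if (present.Add(role))
                    identity.AddClaim(new Claim(ClaimTypes.Role, role));
            }
        }
        return Task.FromResult(principal);
    }

    // Pure function: realm roles, then the roles of the given client; de-duplicated, order preserved.
    // Claim values that are not valid JSON objects are skipped rather than failing the request.
    public static IReadOnlyList<string> ExtractRoles(IEnumerable<Claim> claims, string clientId)
    {
        var roles = new List<string>();
        foreach (var claim in claims)
        {
            if (claim.Type != "realm_access" && claim.Type != "resource_access") continue;

            JsonDocument doc;
            try { doc = JsonDocument.Parse(claim.Value); }
            catch (JsonException) { continue; }

            using (doc)
            {
                var container = doc.RootElement;
                if (container.ValueKind != JsonValueKind.Object) continue;
                // resource_access is keyed by client ID; descend into our own client's entry only.
                if (claim.Type == "resource_access")
                {
                    if (!container.TryGetProperty(clientId, out var clientEntry)) continue;
                    container = clientEntry;
                }
                if (!container.TryGetProperty("roles", out var array) || array.ValueKind != JsonValueKind.Array) continue;

                foreach (var element in array.EnumerateArray())
                {
                    var role = element.ValueKind == JsonValueKind.String ? element.GetString() : null;
                    if (role != null && !roles.Contains(role)) roles.Add(role);
                }
            }
        }
        return roles;
    }

    // Offline check on constructed claims (sample data, not taken from a real token). The preferred_username
    // claim deliberately carries the value "admin" to show that only the role containers are consulted.
    public static IReadOnlyList<string> Demo()
    {
        var claims = new[]
        {
            new Claim("realm_access", "{\"roles\":[\"admin\",\"user\"]}", "JSON"),
            new Claim("resource_access",
                "{\"KeycloakAuthaspnet\":{\"roles\":[\"editor\",\"user\"]},\"account\":{\"roles\":[\"view-profile\"]}}", "JSON"),
            new Claim("preferred_username", "admin"),
        };
        return ExtractRoles(claims, "KeycloakAuthaspnet");
    }
}

public static class KeycloakRolesServiceCollectionExtensions
{
    // Register from ConfigureServices after AddAuthentication(...).AddOpenIdConnect(...).
    public static IServiceCollection AddKeycloakRoleFlattening(this IServiceCollection services, string clientId)
        => services.AddSingleton<IClaimsTransformation>(new KeycloakRolesClaimsTransformation(clientId));
}
```

Register it with services.AddKeycloakRoleFlattening(Configuration["Keycloak:ClientId"]) after the authentication setup; the "users" and "admins" policies then match without any change. Demo() returns the realm roles followed by this client's own roles with the duplicate "user" removed, while the account client's roles and the preferred_username claim whose value is "admin" never become roles.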

When the project runs, the first visit redirects to the Keycloak login page.

Log in as the user geffzhang.

Summary

Keycloak is simple to deploy and integrate, lightweight yet powerful, and well suited as an SSO solution for internal enterprise systems. With IdentityServer4 moving to a paid license, Microsoft's plan to keep shipping it in the .NET 6 templates drew heavy criticism from the community: https://devblogs.microsoft.com/aspnet/asp-net-core-6-and-authentication-servers/

Related articles:

    • https://gruchalski.com/posts/2020-09-05-introduction-to-keycloak-authorization-services/

    創(chuàng)作挑戰(zhàn)賽新人創(chuàng)作獎勵來咯,堅持創(chuàng)作打卡瓜分現(xiàn)金大獎

    總結(jié)

    以上是生活随笔為你收集整理的aspnetcore 应用 接入Keycloak快速上手指南的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。

    如果覺得生活随笔網(wǎng)站內(nèi)容還不錯,歡迎將生活随笔推薦給好友。