This shows you the differences between two versions of the page.
сервис_oauth2 [2022/05/17 07:59] val [OpenID Connect authentication module for Apache] |
сервис_oauth2 [2023/11/07 08:20] val |
---|---|---|---|
Line 7: | Line 7: | ||
* [[https://www.ory.sh/run-oauth2-server-open-source-api-security/|ORY Hydra Run your own OAuth2 Server]] | * [[https://www.ory.sh/run-oauth2-server-open-source-api-security/|ORY Hydra Run your own OAuth2 Server]] | ||
* [[https://www.ory.sh/hydra/docs/5min-tutorial/|ORY Hydra 5 Minute Tutorial]] | * [[https://www.ory.sh/hydra/docs/5min-tutorial/|ORY Hydra 5 Minute Tutorial]] | ||
+ | * [[https://github.com/goauthentik/authentik]] | ||
===== Gitlab ===== | ===== Gitlab ===== | ||
- | * [[Инструмент GitLab]] | + | * Инструмент GitLab [[Инструмент GitLab#Сервер OAuth2]] |
- | ===== OpenID Connect authentication module for Apache ===== | + | ===== Keycloak ===== |
- | * [[https://github.com/zmartzone/mod_auth_openidc|Аuthenticates users of a web site against an OpenID Connect Identity Provider or an OAuth 2.0 Authorization Server]] | + | ==== Установка и запуск ==== |
+ | |||
+ | * [[Пакет OpenSSL#Создание самоподписанного сертификата]] | ||
+ | |||
+ | === bare metal === | ||
+ | |||
+ | * [[https://www.keycloak.org/getting-started/getting-started-zip|Get started with Keycloak on bare metal]] | ||
+ | * [[Сервис JRE]] | ||
<code> | <code> | ||
- | # apt install libapache2-mod-auth-openidc | + | server# wget https://github.com/keycloak/keycloak/releases/download/22.0.5/keycloak-22.0.5.zip |
+ | |||
+ | server:~/keycloak-22.0.5# KEYCLOAK_ADMIN=root KEYCLOAK_ADMIN_PASSWORD='strongpassword' bin/kc.sh start-dev --https-certific=/root/server.crt --https-certificate-key-file=/root/server.key | ||
</code> | </code> | ||
- | ==== GitLab ==== | + | === Docker === |
- | * [[https://github.com/zmartzone/mod_auth_openidc/wiki/GitLab-OAuth2]] | + | * [[https://swjm.blog/deploying-keycloak-with-ssl-in-just-10-minutes-46073e5cf699|Deploying Keycloak with SSL in just 10 minutes!]] |
+ | * [[https://github.com/JMarkstrom/Keycloak/blob/main/files/keycloak.yml]] | ||
<code> | <code> | ||
- | # cat /etc/apache2/sites-available/default-ssl.conf | + | server# cp /root/server.crt /etc/ssl/certs/ |
- | </code><code> | + | server# cp /root/server.key /etc/ssl/private/ |
- | ... | + | |
- | OIDCProviderMetadataURL https://gitlab.bmstu.ru/.well-known/openid-configuration | + | server# chmod 750 /etc/ssl/private/ |
- | OIDCClientID 802..........................................................4c8 | + | server# chmod 640 /etc/ssl/private/server.key |
- | OIDCClientSecret 991..........................................................5e7 | + | server# chgrp -R docker /etc/ssl/private/ |
- | OIDCRedirectURI https://val.bmstu.ru/auth-test | + | |
- | OIDCCryptoPassphrase h...any.....string.....j | + | |
- | <Directory /home/val/auth-test> | ||
- | Options ExecCGI Indexes FollowSymLinks | ||
- | AddHandler cgi-script .cgi | ||
- | DirectoryIndex env.cgi | ||
- | AuthType openid-connect | ||
- | Require valid-user | ||
- | </Directory> | ||
- | Alias /auth-test "/home/val/auth-test" | ||
- | ... | ||
</code> | </code> | ||
- | ==== Тестирование ==== | + | ==== Подключение ==== |
- | * !!! В настройках URL без финального "/", при подключении обязательно с ним !!! | + | * https://server.corp13.un:8443/ |
+ | |||
+ | ==== Базовая конфигурация ==== | ||
<code> | <code> | ||
- | https://val.bmstu.ru/auth-test/ | + | Create Realm->myrealm |
+ | Users | ||
+ | Add User | ||
+ | user1/password1 | ||
+ | </code> | ||
+ | |||
+ | ==== Аутентификация пользователей WEB приложения ==== | ||
+ | |||
+ | <code> | ||
+ | Create Client | ||
+ | Client ID: test-cgi | ||
+ | Valid redirect URIs: http://gate.corp13.un/cgi-bin/test-cgi | ||
+ | </code> | ||
+ | |||
+ | * [[Сервис HTTP#Управление доступом к HTTP серверу с использованием OAuth2 аутентификации]] | ||
+ | |||
+ | ==== Подключение БД пользователей Kerberos ==== | ||
+ | |||
+ | * [[https://habr.com/ru/companies/slurm/articles/661209/|Как настроить Kerberos аутентификации в Keycloak]] | ||
+ | |||
+ | * [[Настройка KDC серверов и клиентов#Настройка KDC]] | ||
+ | * [[Регистрация ключей принципалов в KDC#Регистрация принципалов пользователей в базе данных kerberos]] | ||
+ | * Создание принципала HTTP/server.corp13.un@CORP13.UN по аналогии с [[Аутентификация доступа к SQUID]] | ||
+ | |||
+ | <code> | ||
+ | User federation | ||
+ | Kerberos | ||
+ | UI display name: CORP13 | ||
+ | Kerberos realm: CORP13.UN | ||
+ | Server principal: HTTP/server.corp13.un@CORP13.UN | ||
+ | Key tab: /etc/krb5.keytab | ||
+ | Allow password authentication: yes | ||
+ | |||
+ | Authentication | ||
+ | browser | ||
+ | Kerberos: Disabled | ||
+ | (иначе появляется всплывающее окно аутентификации, можно оставить если пользователи в домене) | ||
+ | | ||
</code> | </code> |
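Review bot: the start command added on the right side (`bin/kc.sh start-dev --https-certific=/root/server.crt --https-certificate-key-file=/root/server.key`) carries a truncated option: `--https-certific=` is not a Keycloak option and `kc.sh` will reject it; the certificate option is `--https-certificate-file`, matching the `--https-certificate-key-file` that follows it. The same line runs `start-dev`, which is Keycloak's development mode; the page should say so next to the command or show `bin/kc.sh start` for anything beyond a lab, and passing `KEYCLOAK_ADMIN_PASSWORD='strongpassword'` inline leaves the admin password in the shell history (reading it from a mode-600 file avoids that). In the Docker block, `chmod 750 /etc/ssl/private/` followed by `chgrp -R docker /etc/ssl/private/` makes the docker group the group owner of every key under `/etc/ssl/private`, not only `server.key`, so any other key there with a group-readable mode becomes readable from the container side as well; copying the two files into a dedicated directory that is bind-mounted into the container keeps the rest of the host's keys out of reach. Finally, in the client configuration `Valid redirect URIs: http://gate.corp13.un/cgi-bin/test-cgi` is plain HTTP, so the authorization code returned to the CGI application crosses the network in cleartext; switch the redirect URI (and the application) to HTTPS once `gate.corp13.un` has a certificate.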