User Tools
сервис_keycloak
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
сервис_keycloak [2025/12/25 15:08] val [Kubernetes] |
сервис_keycloak [2026/03/21 06:19] (current) val [Аутентификация пользователей WEB приложения] |
||
|---|---|---|---|
| Line 115: | Line 115: | ||
| * [[Сервис PostgreSQL]] | * [[Сервис PostgreSQL]] | ||
| + | * Kubernetes [[Система Kubernetes#Ingress]] | ||
| * Kubernetes [[Система Kubernetes#secrets tls]] | * Kubernetes [[Система Kubernetes#secrets tls]] | ||
| <code> | <code> | ||
| ~/$ helm repo add bitnami https://charts.bitnami.com/bitnami; helm search repo bitnami/keycloak --versions; helm repo remove bitnami | ~/$ helm repo add bitnami https://charts.bitnami.com/bitnami; helm search repo bitnami/keycloak --versions; helm repo remove bitnami | ||
| - | ...403 Forbidden | + | Бывает...403 Forbidden |
| ~/$ KC_HC_VER=17.3.6 | ~/$ KC_HC_VER=17.3.6 | ||
| Line 134: | Line 135: | ||
| * Kubernetes [[Система Kubernetes#Volumes]] | * Kubernetes [[Система Kubernetes#Volumes]] | ||
| * [[https://www.keycloak.org/server/reverseproxy]] | * [[https://www.keycloak.org/server/reverseproxy]] | ||
| + | |||
| + | * !!! Вариант со встроенным postgres может завершиться ошибкой загрузки (не удается указать bitnamilegacy), можно заменить на внешний, устанавливаемый через [[Сервис PostgreSQL#Helm]] с указанием bitnamilegacy | ||
| <code> | <code> | ||
| Line 153: | Line 156: | ||
| ingress: | ingress: | ||
| enabled: true | enabled: true | ||
| - | ingressClassName: nginx | + | # ingressClassName: nginx |
| + | # ingressClassName: traefik | ||
| hostname: keycloak.corpX.un | hostname: keycloak.corpX.un | ||
| # tls: true | # tls: true | ||
| Line 253: | Line 257: | ||
| * [[https://www.keycloak.org/securing-apps/oidc-layers]] | * [[https://www.keycloak.org/securing-apps/oidc-layers]] | ||
| + | |||
| + | * [[Практические примеры Keycloak]] | ||
| <code> | <code> | ||
| Line 264: | Line 270: | ||
| Valid redirect URIs: * | Valid redirect URIs: * | ||
| | | ||
| - | может понадобиться включить | + | для проверки получения токена через curl понадобиться включить |
| Direct access grants | Direct access grants | ||
| - | | + | |
| для передачи списка групп в токене понадобится: | для передачи списка групп в токене понадобится: | ||
| Client scopes -> | Client scopes -> | ||
| Line 272: | Line 278: | ||
| Configure a new mapper: Groups Membership | Configure a new mapper: Groups Membership | ||
| Name: groups | Name: groups | ||
| - | Configure a new mapper: Audience !!! Для "подсовывания" токена в .kube/config | + | Configure a new mapper: Audience !!! Требуется kube-apiserver, проверяется "подстановкой" токена в .kube/config |
| - | Name (и везде): any-client | + | Name: any-client |
| + | Included Client Audience: any-client | ||
| + | Included Custom Audience: any-client | ||
| Clients -> any-client | Clients -> any-client | ||
| Line 286: | Line 294: | ||
| Token Claim Name: groups | Token Claim Name: groups | ||
| Full group path: No | Full group path: No | ||
| + | |||
| + | для ограничения доступа через client-secret можно настроить: | ||
| + | Client authentication: yes | ||
| + | Credentials | ||
| + | Client Authenticator: Client ID and Secret | ||
| + | Client Secret: будет сгенерирован, надо скопировать вместо "anystring" | ||
| </code> | </code> | ||
| Line 296: | Line 310: | ||
| <code> | <code> | ||
| - | webinar# curl -d "client_id=any-client" \ | + | $ curl -d "client_id=any-client" \ |
| -d "client_secret=anystring" \ | -d "client_secret=anystring" \ | ||
| -d "grant_type=password" \ | -d "grant_type=password" \ | ||
| Line 314: | Line 328: | ||
| <code> | <code> | ||
| -----BEGIN CERTIFICATE----- | -----BEGIN CERTIFICATE----- | ||
| - | ... | + | ...Второй сертификат... |
| -----END CERTIFICATE----- | -----END CERTIFICATE----- | ||
| </code> | </code> | ||
| Line 387: | Line 401: | ||
| Bind type: simple | Bind type: simple | ||
| Bind DN: uid=admin,cn=users,cn=accounts,dc=corpX,dc=un | Bind DN: uid=admin,cn=users,cn=accounts,dc=corpX,dc=un | ||
| + | Bind credentials: strongpassword | ||
| Edit mode: READ_ONLY | Edit mode: READ_ONLY | ||
| Line 409: | Line 424: | ||
| Mapper type: group-ldap-mapper | Mapper type: group-ldap-mapper | ||
| LDAP Groups DN: cn=groups,cn=accounts,dc=corpX,dc=un | LDAP Groups DN: cn=groups,cn=accounts,dc=corpX,dc=un | ||
| - | Relative creation DN: cn | + | Relative creation DN: cn ? |
| Group Name LDAP Attribute: cn | Group Name LDAP Attribute: cn | ||
сервис_keycloak.1766664533.txt.gz · Last modified: 2025/12/25 15:08 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
