User Tools
сервис_oauth2
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
сервис_oauth2 [2023/11/01 16:08] val [Keycloak] |
сервис_oauth2 [2023/11/07 08:20] val |
||
|---|---|---|---|
| Line 14: | Line 14: | ||
| ===== Keycloak ===== | ===== Keycloak ===== | ||
| + | |||
| + | ==== Установка и запуск ==== | ||
| + | |||
| + | * [[Пакет OpenSSL#Создание самоподписанного сертификата]] | ||
| + | |||
| + | === bare metal === | ||
| * [[https://www.keycloak.org/getting-started/getting-started-zip|Get started with Keycloak on bare metal]] | * [[https://www.keycloak.org/getting-started/getting-started-zip|Get started with Keycloak on bare metal]] | ||
| - | * [[https://www.janua.fr/using-apache2-mod_auth_openidc-module-with-keycloak-openid-connect/|Using apache2 mod_auth_openidc module with Keycloak (OpenID Connect)]] | + | * [[Сервис JRE]] |
| <code> | <code> | ||
| - | server.corp16.un:~/keycloak-22.0.5# bin/kc.sh start-dev --https-certific=/root/server.crt --https-certificate-key-file=/root/server.key | + | server# wget https://github.com/keycloak/keycloak/releases/download/22.0.5/keycloak-22.0.5.zip |
| + | |||
| + | server:~/keycloak-22.0.5# KEYCLOAK_ADMIN=root KEYCLOAK_ADMIN_PASSWORD='strongpassword' bin/kc.sh start-dev --https-certific=/root/server.crt --https-certificate-key-file=/root/server.key | ||
| + | </code> | ||
| + | |||
| + | === Docker === | ||
| + | |||
| + | * [[https://swjm.blog/deploying-keycloak-with-ssl-in-just-10-minutes-46073e5cf699|Deploying Keycloak with SSL in just 10 minutes!]] | ||
| + | * [[https://github.com/JMarkstrom/Keycloak/blob/main/files/keycloak.yml]] | ||
| + | |||
| + | <code> | ||
| + | server# cp /root/server.crt /etc/ssl/certs/ | ||
| + | server# cp /root/server.key /etc/ssl/private/ | ||
| + | |||
| + | server# chmod 750 /etc/ssl/private/ | ||
| + | server# chmod 640 /etc/ssl/private/server.key | ||
| + | server# chgrp -R docker /etc/ssl/private/ | ||
| + | |||
| + | </code> | ||
| + | |||
| + | ==== Подключение ==== | ||
| + | |||
| + | * https://server.corp13.un:8443/ | ||
| + | |||
| + | ==== Базовая конфигурация ==== | ||
| + | |||
| + | <code> | ||
| + | Create Realm->myrealm | ||
| + | Users | ||
| + | Add User | ||
| + | user1/password1 | ||
| + | </code> | ||
| + | |||
| + | ==== Аутентификация пользователей WEB приложения ==== | ||
| + | |||
| + | <code> | ||
| + | Create Client | ||
| + | Client ID: test-cgi | ||
| + | Valid redirect URIs: http://gate.corp13.un/cgi-bin/test-cgi | ||
| + | </code> | ||
| + | |||
| + | * [[Сервис HTTP#Управление доступом к HTTP серверу с использованием OAuth2 аутентификации]] | ||
| + | |||
| + | ==== Подключение БД пользователей Kerberos ==== | ||
| + | |||
| + | * [[https://habr.com/ru/companies/slurm/articles/661209/|Как настроить Kerberos аутентификации в Keycloak]] | ||
| + | |||
| + | * [[Настройка KDC серверов и клиентов#Настройка KDC]] | ||
| + | * [[Регистрация ключей принципалов в KDC#Регистрация принципалов пользователей в базе данных kerberos]] | ||
| + | * Создание принципала HTTP/server.corp13.un@CORP13.UN по аналогии с [[Аутентификация доступа к SQUID]] | ||
| + | |||
| + | <code> | ||
| + | User federation | ||
| + | Kerberos | ||
| + | UI display name: CORP13 | ||
| + | Kerberos realm: CORP13.UN | ||
| + | Server principal: HTTP/server.corp13.un@CORP13.UN | ||
| + | Key tab: /etc/krb5.keytab | ||
| + | Allow password authentication: yes | ||
| + | |||
| + | Authentication | ||
| + | browser | ||
| + | Kerberos: Disabled | ||
| + | (иначе появляется всплывающее окно аутентификации, можно оставить если пользователи в домене) | ||
| + | | ||
| </code> | </code> | ||
сервис_oauth2.txt · Last modified: 2023/11/07 09:39 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
