Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Trace:
сервис_keycloak

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
сервис_keycloak [2025/05/13 16:34]
val [Kubernetes] 		сервис_keycloak [2025/10/10 11:42] (current)
val [Аутентификация пользователей WEB приложения]
Line 1: Line 1:
 ====== Сервис Keycloak ====== ====== Сервис Keycloak ======
  
 +  * [[Практические примеры Keycloak]]
 ===== Установка и запуск ===== ===== Установка и запуск =====
  
Line 19: Line 20:
  
 ==== docker-compose ==== ==== docker-compose ====
 +
 +  * Установка [[Технология Docker#​docker-compose]]
  
   * [[https://​swjm.blog/​deploying-keycloak-with-ssl-in-just-10-minutes-46073e5cf699|Deploying Keycloak with SSL in just 10 minutes!]]   * [[https://​swjm.blog/​deploying-keycloak-with-ssl-in-just-10-minutes-46073e5cf699|Deploying Keycloak with SSL in just 10 minutes!]]
Line 53: Line 56:
   keycloak:   keycloak:
     image: quay.io/​keycloak/​keycloak:​22.0.5     image: quay.io/​keycloak/​keycloak:​22.0.5
 +#    image: quay.io/​keycloak/​keycloak:​26.1.3
     container_name:​ keycloak     container_name:​ keycloak
     restart: always     restart: always
Line 68: Line 72:
       - KEYCLOAK_ADMIN=admin       - KEYCLOAK_ADMIN=admin
       - KEYCLOAK_ADMIN_PASSWORD=strongpassword       - KEYCLOAK_ADMIN_PASSWORD=strongpassword
 +#      - KC_BOOTSTRAP_ADMIN_USERNAME=admin
 +#      - KC_BOOTSTRAP_ADMIN_PASSWORD=strongpassword
       - KC_HTTPS_CERTIFICATE_FILE=/​wild.crt       - KC_HTTPS_CERTIFICATE_FILE=/​wild.crt
       - KC_HTTPS_CERTIFICATE_KEY_FILE=/​wild.key       - KC_HTTPS_CERTIFICATE_KEY_FILE=/​wild.key
 +#      - KC_PROXY_HEADERS=xforwarded
 #      - KC_DB=postgres #      - KC_DB=postgres
 #      - KC_DB_URL=jdbc:​postgresql://​postgres:​5432/​keycloak #      - KC_DB_URL=jdbc:​postgresql://​postgres:​5432/​keycloak
Line 93: Line 100:
  
 # docker logs keycloak -f # docker logs keycloak -f
 +
 +# ###docker inspect keycloak -f {{.NetworkSettings.Networks.root_default.IPAddress}}
  
 # ###docker exec -ti postgres_db psql -U keycloak # ###docker exec -ti postgres_db psql -U keycloak
Line 104: Line 113:
   * [[https://​github.com/​bitnami/​charts/​tree/​keycloak/​17.3.6/​bitnami/​keycloak]]   * [[https://​github.com/​bitnami/​charts/​tree/​keycloak/​17.3.6/​bitnami/​keycloak]]
   * [[https://​github.com/​helm/​helm/​issues/​11000|issues:​ helm search repo chart <​oci-repo/​oci-chart>​ --versions for OCI]]   * [[https://​github.com/​helm/​helm/​issues/​11000|issues:​ helm search repo chart <​oci-repo/​oci-chart>​ --versions for OCI]]
 +
 +  * [[Сервис PostgreSQL]]
 +  * Kubernetes [[Система Kubernetes#​secrets tls]]
  
 <​code>​ <​code>​
 ~/$ helm repo add bitnami https://​charts.bitnami.com/​bitnami;​ helm search repo bitnami/​keycloak --versions; helm repo remove bitnami ~/$ helm repo add bitnami https://​charts.bitnami.com/​bitnami;​ helm search repo bitnami/​keycloak --versions; helm repo remove bitnami
 +
 +~/$ KC_HC_VER=17.3.6
 +~/$ #​KC_HC_VER=25.2.0
  
 ~/$ mkdir keycloak; cd keycloak ~/$ mkdir keycloak; cd keycloak
  
-~/keycloak$ ###helm pull oci://​registry-1.docker.io/​bitnamicharts/​keycloak --version ​17.3.6+~/keycloak$ ###helm pull oci://​registry-1.docker.io/​bitnamicharts/​keycloak --version ​$KC_HC_VER
  
-~/keycloak$ helm template my-keycloak oci://​registry-1.docker.io/​bitnamicharts/​keycloak --version ​17.3.6 ​| tee keycloak.yaml | less+~/keycloak$ helm template my-keycloak oci://​registry-1.docker.io/​bitnamicharts/​keycloak --version ​$KC_HC_VER ​| tee keycloak.yaml | less
 /​PersistentVolumeClaim /​PersistentVolumeClaim
 </​code>​ </​code>​
Line 120: Line 135:
  
 <​code>​ <​code>​
-~/keycloak$ helm show values oci://​registry-1.docker.io/​bitnamicharts/​keycloak --version ​17.3.6 ​| tee values.yaml.orig+~/keycloak$ helm show values oci://​registry-1.docker.io/​bitnamicharts/​keycloak --version ​$KC_HC_VER ​| tee values.yaml.orig
    ​    ​
 ~/keycloak$ cat values.yaml ~/keycloak$ cat values.yaml
 </​code><​code>​ </​code><​code>​
 +global:
 +  security:
 +    allowInsecureImages:​ true
 +image:
 +  repository: bitnamilegacy/​keycloak
 +
 auth: auth:
   adminUser: admin   adminUser: admin
Line 133: Line 154:
   ingressClassName:​ nginx   ingressClassName:​ nginx
   hostname: keycloak.corp13.un   hostname: keycloak.corp13.un
 +#  tls: true
 +#  extraTls:
 +#  - hosts:
 +#    - keycloak.corp13.un
 +#    secretName: keycloak-tls
 +
 #​replicaCount:​ 2 #​replicaCount:​ 2
  
Line 175: Line 202:
 #    name: themes #    name: themes
 </​code><​code>​ </​code><​code>​
-~/keycloak$ ###helm template my-keycloak -f values.yaml oci://​registry-1.docker.io/​bitnamicharts/​keycloak -n my-keycloak-ns --version ​17.3.6 ​| less+~/keycloak$ ###helm template my-keycloak -f values.yaml oci://​registry-1.docker.io/​bitnamicharts/​keycloak -n my-keycloak-ns --version ​$KC_HC_VER ​| less
  
-~/keycloak$ helm upgrade my-keycloak -i -f values.yaml oci://​registry-1.docker.io/​bitnamicharts/​keycloak -n my-keycloak-ns --create-namespace ​--version 17.3.6+~/keycloak$ helm upgrade my-keycloak -i -f values.yaml oci://​registry-1.docker.io/​bitnamicharts/​keycloak -n my-keycloak-ns --version $KC_HC_VER ​--create-namespace
  
 ~/keycloak$ kubectl -n my-keycloak-ns get pods -o wide --watch ~/keycloak$ kubectl -n my-keycloak-ns get pods -o wide --watch
Line 226: Line 253:
     Client ID: any-client     Client ID: any-client
     Valid redirect URIs: *     Valid redirect URIs: *
 +    ​
 +может понадобиться включить
 +    Direct access grants
 </​code>​ </​code>​
  
Line 302: Line 332:
   username ->   username ->
     LDAP Attribute: sAMAccountName     LDAP Attribute: sAMAccountName
 +</​code>​
 +
 +=== FreeIPA ===
 +<​code>​
 +Vendor: Other
 +
 +Connection URL: ldap://​server.corpX.un
 +
 +Bind type: none
 +  или, для выгрузки email
 +Bind type: simple
 +Bind DN: uid=admin,​cn=users,​cn=accounts,​dc=corp13,​dc=un
 +
 +Edit mode: READ_ONLY
 +
 +Users DN: cn=users,​cn=compat,​dc=corpX,​dc=un
 +Users DN: cn=users,​cn=accounts,​dc=corpX,​dc=un
 +...
 +Username LDAP attribute: uid
 +...
 +RDN LDAP attribute: uid
 +...
 +UUID LDAP attribute: ipaAnchorUUID
 +UUID LDAP attribute: uid
 </​code>​ </​code>​
  
Line 361: Line 415:
         Value: readwrite         Value: readwrite
   ​   ​
 +</​code>​
 +
 +===== REST API =====
 +
 +  * [[https://​www.keycloak.org/​docs-api/​latest/​rest-api/​index.html]]
 +  * [[https://​jwt.io/​|JWT.IO allows you to decode, verify and generate JWT]]
 +  * [[https://​steve-mu.medium.com/​create-new-user-in-keycloak-with-admin-restful-api-e6e868b836b4]]
 +
 +  * [[Утилита jq]]
 +
 +<​code>​
 +$ cat keycloak.sh
 +</​code><​code>​
 +KEYCLOAK_URL=https://​kc.corp.un
 +KEYCLOAK_REALM=master
 +KEYCLOAK_USERNAME=admin
 +KEYCLOAK_PASSWORD=strongpassword
 +KEYCLOAK_CLIENT_ID=admin-cli
 +
 +ACCESS_TOKEN=$(curl -SskX POST "​${KEYCLOAK_URL}/​realms/​${KEYCLOAK_REALM}/​protocol/​openid-connect/​token"​ \
 + -d "​username=${KEYCLOAK_USERNAME}"​ \
 + -d "​password=${KEYCLOAK_PASSWORD}"​ \
 + -d "​grant_type=password"​ \
 + -d "​client_id=${KEYCLOAK_CLIENT_ID}"​ | jq -r '​.access_token'​)
 +
 +echo $ACCESS_TOKEN
 +
 +#exit 0
 +
 +#​USER_ID=6c43d042-2674-4bee-82a5-b31713a15093
 +
 +#curl -SskX GET "​${KEYCLOAK_URL}/​admin/​realms/​${KEYCLOAK_REALM}/​users/"​ \
 +# -H "​Authorization:​ Bearer ${ACCESS_TOKEN}"​ | jq
 +#curl -SskX GET "​${KEYCLOAK_URL}/​admin/​realms/​${KEYCLOAK_REALM}/​users/​${USER_ID}"​ \
 +#curl -SskX GET "​${KEYCLOAK_URL}/​admin/​realms/​${KEYCLOAK_REALM}/​users/?​q=username:​user1"​ \
 +
 +#curl -SskX POST "​${KEYCLOAK_URL}/​admin/​realms/​${KEYCLOAK_REALM}/​users/"​ \
 +# -H "​Content-Type:​ application/​json"​ \
 +# -H "​Authorization:​ Bearer ${ACCESS_TOKEN}"​ \
 +# -d '​{"​username":​ "​user1"​}'​
 +# --data-binary "​@user1.json"​
 +
 +#curl -SskX PUT "​${KEYCLOAK_URL}/​admin/​realms/​${KEYCLOAK_REALM}/​users/​${USER_ID}"​ \
 +# -H "​Content-Type:​ application/​json"​ \
 +# -H "​Authorization:​ Bearer ${ACCESS_TOKEN}"​ \
 +# --data-binary "​@user1.json"​
 +# -d '​{"​firstName":​ "​Ivan"​}'​
 +
 +#curl -kX PUT "​${KEYCLOAK_URL}/​admin/​realms/​${KEYCLOAK_REALM}/​users/​${USER_ID}/​reset-password"​ \
 +# -H "​Authorization:​ Bearer ${ACCESS_TOKEN}"​ \
 +# -H "​Content-Type:​ application/​json"​ \
 +# -d '{ "​type":​ "​password",​ "​temporary":​ false, "​value":​ "​kcpassword1"​ }'
 +
 +#curl -SskX DELETE "​${KEYCLOAK_URL}/​admin/​realms/​${KEYCLOAK_REALM}/​users/​${USER_ID}"​ \
 +# -H "​Authorization:​ Bearer ${ACCESS_TOKEN}"​
 +</​code><​code>​
 +$ cat user1.json
 +</​code><​code>​
 +  {
 +    "​username":​ "​user1",​
 +    "​email":​ "​user1@corp.un",​
 +    "​firstName":​ "​Иван",​
 +    "​lastName":​ "​Иванов",​
 +    "​enabled":​ true,
 +    "​emailVerified":​ true
 +  }
 </​code>​ </​code>​
  
сервис_keycloak.1747143276.txt.gz · Last modified: 2025/05/13 16:34 by val

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Run on Debian Driven by DokuWiki