User Tools
сервис_keycloak
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
сервис_keycloak [2025/07/15 15:33] val [REST API] |
сервис_keycloak [2025/10/10 11:42] (current) val [Аутентификация пользователей WEB приложения] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Сервис Keycloak ====== | ====== Сервис Keycloak ====== | ||
| + | * [[Практические примеры Keycloak]] | ||
| ===== Установка и запуск ===== | ===== Установка и запуск ===== | ||
| Line 19: | Line 20: | ||
| ==== docker-compose ==== | ==== docker-compose ==== | ||
| + | |||
| + | * Установка [[Технология Docker#docker-compose]] | ||
| * [[https://swjm.blog/deploying-keycloak-with-ssl-in-just-10-minutes-46073e5cf699|Deploying Keycloak with SSL in just 10 minutes!]] | * [[https://swjm.blog/deploying-keycloak-with-ssl-in-just-10-minutes-46073e5cf699|Deploying Keycloak with SSL in just 10 minutes!]] | ||
| Line 53: | Line 56: | ||
| keycloak: | keycloak: | ||
| image: quay.io/keycloak/keycloak:22.0.5 | image: quay.io/keycloak/keycloak:22.0.5 | ||
| + | # image: quay.io/keycloak/keycloak:26.1.3 | ||
| container_name: keycloak | container_name: keycloak | ||
| restart: always | restart: always | ||
| Line 68: | Line 72: | ||
| - KEYCLOAK_ADMIN=admin | - KEYCLOAK_ADMIN=admin | ||
| - KEYCLOAK_ADMIN_PASSWORD=strongpassword | - KEYCLOAK_ADMIN_PASSWORD=strongpassword | ||
| + | # - KC_BOOTSTRAP_ADMIN_USERNAME=admin | ||
| + | # - KC_BOOTSTRAP_ADMIN_PASSWORD=strongpassword | ||
| - KC_HTTPS_CERTIFICATE_FILE=/wild.crt | - KC_HTTPS_CERTIFICATE_FILE=/wild.crt | ||
| - KC_HTTPS_CERTIFICATE_KEY_FILE=/wild.key | - KC_HTTPS_CERTIFICATE_KEY_FILE=/wild.key | ||
| + | # - KC_PROXY_HEADERS=xforwarded | ||
| # - KC_DB=postgres | # - KC_DB=postgres | ||
| # - KC_DB_URL=jdbc:postgresql://postgres:5432/keycloak | # - KC_DB_URL=jdbc:postgresql://postgres:5432/keycloak | ||
| Line 106: | Line 113: | ||
| * [[https://github.com/bitnami/charts/tree/keycloak/17.3.6/bitnami/keycloak]] | * [[https://github.com/bitnami/charts/tree/keycloak/17.3.6/bitnami/keycloak]] | ||
| * [[https://github.com/helm/helm/issues/11000|issues: helm search repo chart <oci-repo/oci-chart> --versions for OCI]] | * [[https://github.com/helm/helm/issues/11000|issues: helm search repo chart <oci-repo/oci-chart> --versions for OCI]] | ||
| + | |||
| + | * [[Сервис PostgreSQL]] | ||
| + | * Kubernetes [[Система Kubernetes#secrets tls]] | ||
| <code> | <code> | ||
| ~/$ helm repo add bitnami https://charts.bitnami.com/bitnami; helm search repo bitnami/keycloak --versions; helm repo remove bitnami | ~/$ helm repo add bitnami https://charts.bitnami.com/bitnami; helm search repo bitnami/keycloak --versions; helm repo remove bitnami | ||
| + | |||
| + | ~/$ KC_HC_VER=17.3.6 | ||
| + | ~/$ #KC_HC_VER=25.2.0 | ||
| ~/$ mkdir keycloak; cd keycloak | ~/$ mkdir keycloak; cd keycloak | ||
| - | ~/keycloak$ ###helm pull oci://registry-1.docker.io/bitnamicharts/keycloak --version 17.3.6 | + | ~/keycloak$ ###helm pull oci://registry-1.docker.io/bitnamicharts/keycloak --version $KC_HC_VER |
| - | ~/keycloak$ helm template my-keycloak oci://registry-1.docker.io/bitnamicharts/keycloak --version 17.3.6 | tee keycloak.yaml | less | + | ~/keycloak$ helm template my-keycloak oci://registry-1.docker.io/bitnamicharts/keycloak --version $KC_HC_VER | tee keycloak.yaml | less |
| /PersistentVolumeClaim | /PersistentVolumeClaim | ||
| </code> | </code> | ||
| Line 122: | Line 135: | ||
| <code> | <code> | ||
| - | ~/keycloak$ helm show values oci://registry-1.docker.io/bitnamicharts/keycloak --version 17.3.6 | tee values.yaml.orig | + | ~/keycloak$ helm show values oci://registry-1.docker.io/bitnamicharts/keycloak --version $KC_HC_VER | tee values.yaml.orig |
| | | ||
| ~/keycloak$ cat values.yaml | ~/keycloak$ cat values.yaml | ||
| </code><code> | </code><code> | ||
| + | global: | ||
| + | security: | ||
| + | allowInsecureImages: true | ||
| + | image: | ||
| + | repository: bitnamilegacy/keycloak | ||
| + | |||
| auth: | auth: | ||
| adminUser: admin | adminUser: admin | ||
| Line 135: | Line 154: | ||
| ingressClassName: nginx | ingressClassName: nginx | ||
| hostname: keycloak.corp13.un | hostname: keycloak.corp13.un | ||
| + | # tls: true | ||
| + | # extraTls: | ||
| + | # - hosts: | ||
| + | # - keycloak.corp13.un | ||
| + | # secretName: keycloak-tls | ||
| + | |||
| #replicaCount: 2 | #replicaCount: 2 | ||
| Line 177: | Line 202: | ||
| # name: themes | # name: themes | ||
| </code><code> | </code><code> | ||
| - | ~/keycloak$ ###helm template my-keycloak -f values.yaml oci://registry-1.docker.io/bitnamicharts/keycloak -n my-keycloak-ns --version 17.3.6 | less | + | ~/keycloak$ ###helm template my-keycloak -f values.yaml oci://registry-1.docker.io/bitnamicharts/keycloak -n my-keycloak-ns --version $KC_HC_VER | less |
| - | ~/keycloak$ helm upgrade my-keycloak -i -f values.yaml oci://registry-1.docker.io/bitnamicharts/keycloak -n my-keycloak-ns --create-namespace --version 17.3.6 | + | ~/keycloak$ helm upgrade my-keycloak -i -f values.yaml oci://registry-1.docker.io/bitnamicharts/keycloak -n my-keycloak-ns --version $KC_HC_VER --create-namespace |
| ~/keycloak$ kubectl -n my-keycloak-ns get pods -o wide --watch | ~/keycloak$ kubectl -n my-keycloak-ns get pods -o wide --watch | ||
| Line 228: | Line 253: | ||
| Client ID: any-client | Client ID: any-client | ||
| Valid redirect URIs: * | Valid redirect URIs: * | ||
| + | | ||
| + | может понадобиться включить | ||
| + | Direct access grants | ||
| </code> | </code> | ||
| Line 304: | Line 332: | ||
| username -> | username -> | ||
| LDAP Attribute: sAMAccountName | LDAP Attribute: sAMAccountName | ||
| + | </code> | ||
| + | |||
| + | === FreeIPA === | ||
| + | <code> | ||
| + | Vendor: Other | ||
| + | |||
| + | Connection URL: ldap://server.corpX.un | ||
| + | |||
| + | Bind type: none | ||
| + | или, для выгрузки email | ||
| + | Bind type: simple | ||
| + | Bind DN: uid=admin,cn=users,cn=accounts,dc=corp13,dc=un | ||
| + | |||
| + | Edit mode: READ_ONLY | ||
| + | |||
| + | Users DN: cn=users,cn=compat,dc=corpX,dc=un | ||
| + | Users DN: cn=users,cn=accounts,dc=corpX,dc=un | ||
| + | ... | ||
| + | Username LDAP attribute: uid | ||
| + | ... | ||
| + | RDN LDAP attribute: uid | ||
| + | ... | ||
| + | UUID LDAP attribute: ipaAnchorUUID | ||
| + | UUID LDAP attribute: uid | ||
| </code> | </code> | ||
| Line 368: | Line 420: | ||
| * [[https://www.keycloak.org/docs-api/latest/rest-api/index.html]] | * [[https://www.keycloak.org/docs-api/latest/rest-api/index.html]] | ||
| + | * [[https://jwt.io/|JWT.IO allows you to decode, verify and generate JWT]] | ||
| + | * [[https://steve-mu.medium.com/create-new-user-in-keycloak-with-admin-restful-api-e6e868b836b4]] | ||
| + | |||
| + | * [[Утилита jq]] | ||
| <code> | <code> | ||
| - | # cat keycloak.sh | + | $ cat keycloak.sh |
| </code><code> | </code><code> | ||
| KEYCLOAK_URL=https://kc.corp.un | KEYCLOAK_URL=https://kc.corp.un | ||
| KEYCLOAK_REALM=master | KEYCLOAK_REALM=master | ||
| KEYCLOAK_USERNAME=admin | KEYCLOAK_USERNAME=admin | ||
| - | KEYCLOAK_PASSWORD=strongpassword | + | KEYCLOAK_PASSWORD=strongpassword |
| KEYCLOAK_CLIENT_ID=admin-cli | KEYCLOAK_CLIENT_ID=admin-cli | ||
| Line 388: | Line 444: | ||
| #exit 0 | #exit 0 | ||
| - | #USER_ID=0066e764-c9d3-45b3-ada8-3252fb07cde5 | + | #USER_ID=6c43d042-2674-4bee-82a5-b31713a15093 |
| #curl -SskX GET "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/" \ | #curl -SskX GET "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/" \ | ||
| - | #curl -SskX GET "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/${USER_ID}" \ | ||
| - | #curl -SskX GET "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/?q=username:admin" \ | ||
| # -H "Authorization: Bearer ${ACCESS_TOKEN}" | jq | # -H "Authorization: Bearer ${ACCESS_TOKEN}" | jq | ||
| + | #curl -SskX GET "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/${USER_ID}" \ | ||
| + | #curl -SskX GET "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/?q=username:user1" \ | ||
| #curl -SskX POST "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/" \ | #curl -SskX POST "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/" \ | ||
| Line 399: | Line 455: | ||
| # -H "Authorization: Bearer ${ACCESS_TOKEN}" \ | # -H "Authorization: Bearer ${ACCESS_TOKEN}" \ | ||
| # -d '{"username": "user1"}' | # -d '{"username": "user1"}' | ||
| + | # --data-binary "@user1.json" | ||
| #curl -SskX PUT "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/${USER_ID}" \ | #curl -SskX PUT "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/${USER_ID}" \ | ||
| # -H "Content-Type: application/json" \ | # -H "Content-Type: application/json" \ | ||
| # -H "Authorization: Bearer ${ACCESS_TOKEN}" \ | # -H "Authorization: Bearer ${ACCESS_TOKEN}" \ | ||
| + | # --data-binary "@user1.json" | ||
| # -d '{"firstName": "Ivan"}' | # -d '{"firstName": "Ivan"}' | ||
| - | #curl -SskX DELETE "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/${UPD_USER_ID}" \ | + | #curl -kX PUT "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/${USER_ID}/reset-password" \ |
| + | # -H "Authorization: Bearer ${ACCESS_TOKEN}" \ | ||
| + | # -H "Content-Type: application/json" \ | ||
| + | # -d '{ "type": "password", "temporary": false, "value": "kcpassword1" }' | ||
| + | |||
| + | #curl -SskX DELETE "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/${USER_ID}" \ | ||
| # -H "Authorization: Bearer ${ACCESS_TOKEN}" | # -H "Authorization: Bearer ${ACCESS_TOKEN}" | ||
| + | </code><code> | ||
| + | $ cat user1.json | ||
| + | </code><code> | ||
| + | { | ||
| + | "username": "user1", | ||
| + | "email": "user1@corp.un", | ||
| + | "firstName": "Иван", | ||
| + | "lastName": "Иванов", | ||
| + | "enabled": true, | ||
| + | "emailVerified": true | ||
| + | } | ||
| </code> | </code> | ||
сервис_keycloak.1752582794.txt.gz · Last modified: 2025/07/15 15:33 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
