Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Trace:
сервис_keycloak

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
сервис_keycloak [2025/07/15 15:39]
val [REST API] 		сервис_keycloak [2025/10/10 11:42] (current)
val [Аутентификация пользователей WEB приложения]
Line 1: Line 1:
 ====== Сервис Keycloak ====== ====== Сервис Keycloak ======
  
 +  * [[Практические примеры Keycloak]]
 ===== Установка и запуск ===== ===== Установка и запуск =====
  
Line 19: Line 20:
  
 ==== docker-compose ==== ==== docker-compose ====
 +
 +  * Установка [[Технология Docker#​docker-compose]]
  
   * [[https://​swjm.blog/​deploying-keycloak-with-ssl-in-just-10-minutes-46073e5cf699|Deploying Keycloak with SSL in just 10 minutes!]]   * [[https://​swjm.blog/​deploying-keycloak-with-ssl-in-just-10-minutes-46073e5cf699|Deploying Keycloak with SSL in just 10 minutes!]]
Line 53: Line 56:
   keycloak:   keycloak:
     image: quay.io/​keycloak/​keycloak:​22.0.5     image: quay.io/​keycloak/​keycloak:​22.0.5
 +#    image: quay.io/​keycloak/​keycloak:​26.1.3
     container_name:​ keycloak     container_name:​ keycloak
     restart: always     restart: always
Line 68: Line 72:
       - KEYCLOAK_ADMIN=admin       - KEYCLOAK_ADMIN=admin
       - KEYCLOAK_ADMIN_PASSWORD=strongpassword       - KEYCLOAK_ADMIN_PASSWORD=strongpassword
 +#      - KC_BOOTSTRAP_ADMIN_USERNAME=admin
 +#      - KC_BOOTSTRAP_ADMIN_PASSWORD=strongpassword
       - KC_HTTPS_CERTIFICATE_FILE=/​wild.crt       - KC_HTTPS_CERTIFICATE_FILE=/​wild.crt
       - KC_HTTPS_CERTIFICATE_KEY_FILE=/​wild.key       - KC_HTTPS_CERTIFICATE_KEY_FILE=/​wild.key
 +#      - KC_PROXY_HEADERS=xforwarded
 #      - KC_DB=postgres #      - KC_DB=postgres
 #      - KC_DB_URL=jdbc:​postgresql://​postgres:​5432/​keycloak #      - KC_DB_URL=jdbc:​postgresql://​postgres:​5432/​keycloak
Line 106: Line 113:
   * [[https://​github.com/​bitnami/​charts/​tree/​keycloak/​17.3.6/​bitnami/​keycloak]]   * [[https://​github.com/​bitnami/​charts/​tree/​keycloak/​17.3.6/​bitnami/​keycloak]]
   * [[https://​github.com/​helm/​helm/​issues/​11000|issues:​ helm search repo chart <​oci-repo/​oci-chart>​ --versions for OCI]]   * [[https://​github.com/​helm/​helm/​issues/​11000|issues:​ helm search repo chart <​oci-repo/​oci-chart>​ --versions for OCI]]
 +
 +  * [[Сервис PostgreSQL]]
 +  * Kubernetes [[Система Kubernetes#​secrets tls]]
  
 <​code>​ <​code>​
 ~/$ helm repo add bitnami https://​charts.bitnami.com/​bitnami;​ helm search repo bitnami/​keycloak --versions; helm repo remove bitnami ~/$ helm repo add bitnami https://​charts.bitnami.com/​bitnami;​ helm search repo bitnami/​keycloak --versions; helm repo remove bitnami
 +
 +~/$ KC_HC_VER=17.3.6
 +~/$ #​KC_HC_VER=25.2.0
  
 ~/$ mkdir keycloak; cd keycloak ~/$ mkdir keycloak; cd keycloak
  
-~/keycloak$ ###helm pull oci://​registry-1.docker.io/​bitnamicharts/​keycloak --version ​17.3.6+~/keycloak$ ###helm pull oci://​registry-1.docker.io/​bitnamicharts/​keycloak --version ​$KC_HC_VER
  
-~/keycloak$ helm template my-keycloak oci://​registry-1.docker.io/​bitnamicharts/​keycloak --version ​17.3.6 ​| tee keycloak.yaml | less+~/keycloak$ helm template my-keycloak oci://​registry-1.docker.io/​bitnamicharts/​keycloak --version ​$KC_HC_VER ​| tee keycloak.yaml | less
 /​PersistentVolumeClaim /​PersistentVolumeClaim
 </​code>​ </​code>​
Line 122: Line 135:
  
 <​code>​ <​code>​
-~/keycloak$ helm show values oci://​registry-1.docker.io/​bitnamicharts/​keycloak --version ​17.3.6 ​| tee values.yaml.orig+~/keycloak$ helm show values oci://​registry-1.docker.io/​bitnamicharts/​keycloak --version ​$KC_HC_VER ​| tee values.yaml.orig
    ​    ​
 ~/keycloak$ cat values.yaml ~/keycloak$ cat values.yaml
 </​code><​code>​ </​code><​code>​
 +global:
 +  security:
 +    allowInsecureImages:​ true
 +image:
 +  repository: bitnamilegacy/​keycloak
 +
 auth: auth:
   adminUser: admin   adminUser: admin
Line 135: Line 154:
   ingressClassName:​ nginx   ingressClassName:​ nginx
   hostname: keycloak.corp13.un   hostname: keycloak.corp13.un
 +#  tls: true
 +#  extraTls:
 +#  - hosts:
 +#    - keycloak.corp13.un
 +#    secretName: keycloak-tls
 +
 #​replicaCount:​ 2 #​replicaCount:​ 2
  
Line 177: Line 202:
 #    name: themes #    name: themes
 </​code><​code>​ </​code><​code>​
-~/keycloak$ ###helm template my-keycloak -f values.yaml oci://​registry-1.docker.io/​bitnamicharts/​keycloak -n my-keycloak-ns --version ​17.3.6 ​| less+~/keycloak$ ###helm template my-keycloak -f values.yaml oci://​registry-1.docker.io/​bitnamicharts/​keycloak -n my-keycloak-ns --version ​$KC_HC_VER ​| less
  
-~/keycloak$ helm upgrade my-keycloak -i -f values.yaml oci://​registry-1.docker.io/​bitnamicharts/​keycloak -n my-keycloak-ns --create-namespace ​--version 17.3.6+~/keycloak$ helm upgrade my-keycloak -i -f values.yaml oci://​registry-1.docker.io/​bitnamicharts/​keycloak -n my-keycloak-ns --version $KC_HC_VER ​--create-namespace
  
 ~/keycloak$ kubectl -n my-keycloak-ns get pods -o wide --watch ~/keycloak$ kubectl -n my-keycloak-ns get pods -o wide --watch
Line 228: Line 253:
     Client ID: any-client     Client ID: any-client
     Valid redirect URIs: *     Valid redirect URIs: *
 +    ​
 +может понадобиться включить
 +    Direct access grants
 </​code>​ </​code>​
  
Line 304: Line 332:
   username ->   username ->
     LDAP Attribute: sAMAccountName     LDAP Attribute: sAMAccountName
 +</​code>​
 +
 +=== FreeIPA ===
 +<​code>​
 +Vendor: Other
 +
 +Connection URL: ldap://​server.corpX.un
 +
 +Bind type: none
 +  или, для выгрузки email
 +Bind type: simple
 +Bind DN: uid=admin,​cn=users,​cn=accounts,​dc=corp13,​dc=un
 +
 +Edit mode: READ_ONLY
 +
 +Users DN: cn=users,​cn=compat,​dc=corpX,​dc=un
 +Users DN: cn=users,​cn=accounts,​dc=corpX,​dc=un
 +...
 +Username LDAP attribute: uid
 +...
 +RDN LDAP attribute: uid
 +...
 +UUID LDAP attribute: ipaAnchorUUID
 +UUID LDAP attribute: uid
 </​code>​ </​code>​
  
Line 369: Line 421:
   * [[https://​www.keycloak.org/​docs-api/​latest/​rest-api/​index.html]]   * [[https://​www.keycloak.org/​docs-api/​latest/​rest-api/​index.html]]
   * [[https://​jwt.io/​|JWT.IO allows you to decode, verify and generate JWT]]   * [[https://​jwt.io/​|JWT.IO allows you to decode, verify and generate JWT]]
 +  * [[https://​steve-mu.medium.com/​create-new-user-in-keycloak-with-admin-restful-api-e6e868b836b4]]
 +
   * [[Утилита jq]]   * [[Утилита jq]]
  
 <​code>​ <​code>​
-cat keycloak.sh+cat keycloak.sh
 </​code><​code>​ </​code><​code>​
 KEYCLOAK_URL=https://​kc.corp.un KEYCLOAK_URL=https://​kc.corp.un
 KEYCLOAK_REALM=master KEYCLOAK_REALM=master
 KEYCLOAK_USERNAME=admin KEYCLOAK_USERNAME=admin
- KEYCLOAK_PASSWORD=strongpassword+KEYCLOAK_PASSWORD=strongpassword
 KEYCLOAK_CLIENT_ID=admin-cli KEYCLOAK_CLIENT_ID=admin-cli
  
Line 390: Line 444:
 #exit 0 #exit 0
  
-#USER_ID=0066e764-c9d3-45b3-ada8-3252fb07cde5+#USER_ID=6c43d042-2674-4bee-82a5-b31713a15093
  
 #curl -SskX GET "​${KEYCLOAK_URL}/​admin/​realms/​${KEYCLOAK_REALM}/​users/"​ \ #curl -SskX GET "​${KEYCLOAK_URL}/​admin/​realms/​${KEYCLOAK_REALM}/​users/"​ \
-#curl -SskX GET "​${KEYCLOAK_URL}/​admin/​realms/​${KEYCLOAK_REALM}/​users/​${USER_ID}"​ \ 
-#curl -SskX GET "​${KEYCLOAK_URL}/​admin/​realms/​${KEYCLOAK_REALM}/​users/?​q=username:​admin"​ \ 
 # -H "​Authorization:​ Bearer ${ACCESS_TOKEN}"​ | jq # -H "​Authorization:​ Bearer ${ACCESS_TOKEN}"​ | jq
 +#curl -SskX GET "​${KEYCLOAK_URL}/​admin/​realms/​${KEYCLOAK_REALM}/​users/​${USER_ID}"​ \
 +#curl -SskX GET "​${KEYCLOAK_URL}/​admin/​realms/​${KEYCLOAK_REALM}/​users/?​q=username:​user1"​ \
  
 #curl -SskX POST "​${KEYCLOAK_URL}/​admin/​realms/​${KEYCLOAK_REALM}/​users/"​ \ #curl -SskX POST "​${KEYCLOAK_URL}/​admin/​realms/​${KEYCLOAK_REALM}/​users/"​ \
Line 401: Line 455:
 # -H "​Authorization:​ Bearer ${ACCESS_TOKEN}"​ \ # -H "​Authorization:​ Bearer ${ACCESS_TOKEN}"​ \
 # -d '​{"​username":​ "​user1"​}'​ # -d '​{"​username":​ "​user1"​}'​
 +# --data-binary "​@user1.json"​
  
 #curl -SskX PUT "​${KEYCLOAK_URL}/​admin/​realms/​${KEYCLOAK_REALM}/​users/​${USER_ID}"​ \ #curl -SskX PUT "​${KEYCLOAK_URL}/​admin/​realms/​${KEYCLOAK_REALM}/​users/​${USER_ID}"​ \
 # -H "​Content-Type:​ application/​json"​ \ # -H "​Content-Type:​ application/​json"​ \
 # -H "​Authorization:​ Bearer ${ACCESS_TOKEN}"​ \ # -H "​Authorization:​ Bearer ${ACCESS_TOKEN}"​ \
 +# --data-binary "​@user1.json"​
 # -d '​{"​firstName":​ "​Ivan"​}'​ # -d '​{"​firstName":​ "​Ivan"​}'​
  
-#curl -SskX DELETE "​${KEYCLOAK_URL}/​admin/​realms/​${KEYCLOAK_REALM}/​users/​${UPD_USER_ID}" \+#curl -kX PUT "​${KEYCLOAK_URL}/​admin/​realms/​${KEYCLOAK_REALM}/​users/​${USER_ID}/​reset-password"​ \ 
 +# -H "​Authorization:​ Bearer ${ACCESS_TOKEN}"​ \ 
 +# -H "​Content-Type:​ application/​json"​ \ 
 +# -d '{ "​type":​ "​password",​ "​temporary":​ false, "​value":​ "​kcpassword1"​ }' 
 + 
 +#curl -SskX DELETE "​${KEYCLOAK_URL}/​admin/​realms/​${KEYCLOAK_REALM}/​users/​${USER_ID}" \
 # -H "​Authorization:​ Bearer ${ACCESS_TOKEN}"​ # -H "​Authorization:​ Bearer ${ACCESS_TOKEN}"​
 +</​code><​code>​
 +$ cat user1.json
 +</​code><​code>​
 +  {
 +    "​username":​ "​user1",​
 +    "​email":​ "​user1@corp.un",​
 +    "​firstName":​ "​Иван",​
 +    "​lastName":​ "​Иванов",​
 +    "​enabled":​ true,
 +    "​emailVerified":​ true
 +  }
 </​code>​ </​code>​
  
сервис_keycloak.1752583172.txt.gz · Last modified: 2025/07/15 15:39 by val

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Run on Debian Driven by DokuWiki