This shows you the differences between two versions of the page.
| сервис_keycloak [2025/10/08 08:57] val [LDAP] | сервис_keycloak [2025/12/25 15:08] (current) val [Kubernetes] | | |
|---|---|---|---|
| Line 119: | Line 119: | ||
| <code> | <code> | ||
| ~/$ helm repo add bitnami https://charts.bitnami.com/bitnami; helm search repo bitnami/keycloak --versions; helm repo remove bitnami | ~/$ helm repo add bitnami https://charts.bitnami.com/bitnami; helm search repo bitnami/keycloak --versions; helm repo remove bitnami | ||
| + | ...403 Forbidden | ||
| ~/$ KC_HC_VER=17.3.6 | ~/$ KC_HC_VER=17.3.6 | ||
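Review bot: the new `...403 Forbidden` line records that the `helm repo add bitnami https://charts.bitnami.com/bitnami` lookup now fails, but the hunk does not say what replaces it; since the template step further down already pulls the chart from `oci://registry-1.docker.io/bitnamicharts/keycloak`, add a sentence stating that the version list is obtained from the OCI registry and that `KC_HC_VER=17.3.6` is the pinned chart version in use. Keeping the version pinned instead of re-resolving it on each run is the right choice for a reproducible, reviewable deployment, so that line should stay.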
| Line 148: | Line 149: | ||
| adminUser: admin | adminUser: admin | ||
| adminPassword: strongpassword | adminPassword: strongpassword | ||
| - | proxy: edge | + | #proxy: edge |
| #proxyHeaders: "xforwarded" | #proxyHeaders: "xforwarded" | ||
| ingress: | ingress: | ||
| enabled: true | enabled: true | ||
| ingressClassName: nginx | ingressClassName: nginx | ||
| - | hostname: keycloak.corp13.un | + | hostname: keycloak.corpX.un |
| # tls: true | # tls: true | ||
| # extraTls: | # extraTls: | ||
| # - hosts: | # - hosts: | ||
| - | # - keycloak.corp13.un | + | # - keycloak.corpX.un |
| # secretName: keycloak-tls | # secretName: keycloak-tls | ||
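Review bot: commenting out `proxy: edge` while `#proxyHeaders: "xforwarded"` stays commented leaves the values file silent on how forwarded headers from the nginx ingress (`ingress.enabled: true`) are handled, so whatever the chart default is now applies; either keep one of the two settings or write down which default is relied on, because Keycloak only trusts X-Forwarded-* headers when told to, and generated URLs and logged client addresses depend on it. Two smaller points in the same block: `# tls: true` / `# extraTls:` remain disabled, so the `adminPassword` travels from the ingress to the pod over plain HTTP, and the literal `adminPassword: strongpassword` in values.yaml is better replaced by a reference to a Kubernetes Secret.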
| Line 181: | Line 182: | ||
| # password: strongpassword | # password: strongpassword | ||
| - | #extraVolumeMounts: | + | ###extraVolumeMounts: |
| - | #- mountPath: /opt/bitnami/keycloak/themes | + | ###- mountPath: /opt/bitnami/keycloak/themes |
| - | # name: themes | + | ### name: themes |
| - | #extraVolumes: | + | ###extraVolumes: |
| - | #- emptyDir: {} | + | ###- emptyDir: {} |
| - | # name: themes | + | ### name: themes |
| #initContainers: | #initContainers: | ||
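Review bot: the six `extraVolumeMounts`/`extraVolumes` lines were already commented with `#`, so changing the prefix to `###` has no effect on the rendered values; this page uses a `###` prefix elsewhere to mark commands that are intentionally not run (`###helm template ...`, `###kubectl ... psql`), so a one-line comment saying these lines are retired rather than temporarily disabled would make the intent clear. Note also that the `themes` volume they defined is the one the initContainers mount below used to reference.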
| Line 200: | Line 201: | ||
| # volumeMounts: | # volumeMounts: | ||
| # - mountPath: /opt/bitnami/keycloak/themes | # - mountPath: /opt/bitnami/keycloak/themes | ||
| - | # name: themes | + | ### name: themes |
| + | # name: empty-dir | ||
| + | # subPath: app-themes-dir | ||
| </code><code> | </code><code> | ||
| ~/keycloak$ ###helm template my-keycloak -f values.yaml oci://registry-1.docker.io/bitnamicharts/keycloak -n my-keycloak-ns --version $KC_HC_VER | less | ~/keycloak$ ###helm template my-keycloak -f values.yaml oci://registry-1.docker.io/bitnamicharts/keycloak -n my-keycloak-ns --version $KC_HC_VER | less | ||
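Review bot: the mount for `/opt/bitnami/keycloak/themes` now names the volume `empty-dir` with `subPath: app-themes-dir`, but nothing in the visible values defines a volume called `empty-dir` (the `extraVolumes` entry that defined `themes` is commented out in the hunk above); if the chart itself provides that volume, say so next to the line, otherwise the initContainers block will fail to mount once it is uncommented. As written the whole block is still commented (`# name: empty-dir`), so this hunk changes nothing in the rendered manifest; the `###helm template ... | less` command is the right place to confirm what is actually rendered before enabling it.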
| Line 210: | Line 214: | ||
| ~/keycloak# kubectl -n my-keycloak-ns logs statefulsets/my-keycloak -f | ~/keycloak# kubectl -n my-keycloak-ns logs statefulsets/my-keycloak -f | ||
| - | ~/keycloak$ curl -v http://kubeN/ -H "Host: keycloak.corp13.un" | + | ~/keycloak$ curl -v http://kubeN/ -H "Host: keycloak.corpX.un" |
| ~/keycloak$ ###kubectl -n my-keycloak-ns exec -ti my-keycloak-postgresql-0 -- psql -U postgres | ~/keycloak$ ###kubectl -n my-keycloak-ns exec -ti my-keycloak-postgresql-0 -- psql -U postgres | ||
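Review bot: the curl smoke test sends `Host: keycloak.corpX.un` to `http://kubeN/`, which checks ingress routing over plain HTTP only; the token endpoint used later on this page is `https://keycloak.corpX.un/...`, so a second `curl -v https://...` (with the ingress TLS block enabled) is needed before the HTTPS path can be considered verified. Both `kubeN` and `corpX` are placeholders now; a note saying both must be substituted avoids a copy-paste of the literal names.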
| Line 231: | Line 235: | ||
| <code> | <code> | ||
| Create Realm->corpX | Create Realm->corpX | ||
| + | |||
| Users | Users | ||
| Add User | Add User | ||
| - | user1/kcpassword1 | + | user1/kcpassword1 (Temporary: off) |
| - | В новых версиях надо ФИО и email, иначе Account is not fully set up | + | В новых версиях обязательно ФИО и email, иначе, Account is not fully set up |
| + | |||
| + | Realm settings | ||
| + | Theme->Login theme->mytheme | ||
| </code> | </code> | ||
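Review bot: `user1/kcpassword1 (Temporary: off)` means the user is never forced to change the password documented on this page, and the same password appears in clear text in the token curl test further down; for anything other than a throwaway lab realm, keep Temporary on or rotate the password after the test. The new `Theme->Login theme->mytheme` step assumes a theme named `mytheme` is present on the server, but the values hunks above leave every themes volume mount commented out; add a line saying where `mytheme` is installed from.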
| Line 243: | Line 251: | ||
| ===== Аутентификация пользователей WEB приложения ===== | ===== Аутентификация пользователей WEB приложения ===== | ||
| + | |||
| + | * [[https://www.keycloak.org/securing-apps/oidc-layers]] | ||
| <code> | <code> | ||
| Line 253: | Line 263: | ||
| Client ID: any-client | Client ID: any-client | ||
| Valid redirect URIs: * | Valid redirect URIs: * | ||
| + | | ||
| + | может понадобиться включить | ||
| + | Direct access grants | ||
| + | | ||
| + | для передачи списка групп в токене понадобится: | ||
| + | Client scopes -> | ||
| + | Create client scope -> Name: groups | ||
| + | Configure a new mapper: Groups Membership | ||
| + | Name: groups | ||
| + | Configure a new mapper: Audience !!! Для "подсовывания" токена в .kube/config | ||
| + | Name (и везде): any-client | ||
| + | |||
| + | Clients -> any-client | ||
| + | Client scopes | ||
| + | Add client scopes to any-client: groups | ||
| + | Add: Default | ||
| + | | ||
| + | Include in token scope ? | ||
| + | | ||
| + | Add to lightweight access token ? | ||
| + | |||
| + | Token Claim Name: groups | ||
| + | Full group path: No | ||
| </code> | </code> | ||
| - | ==== Проверка ==== | + | ==== Проверка получения токена ==== |
| * [[Материалы по Windows#Windows CA для Linux сервисов]] | * [[Материалы по Windows#Windows CA для Linux сервисов]] | ||
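Review bot: this hunk leaves two settings unresolved (`Include in token scope ?`, `Add to lightweight access token ?`); a documentation step should state the chosen value, not a question. The Audience mapper with `any-client` is added so the access token can be placed in `.kube/config`, which raises the value of that token; together with the unchanged `Valid redirect URIs: *` on the same client, a wildcard redirect means the authorization response can be delivered to any URL, so narrow it to the actual callback URLs of the application and of the kube client. Also say explicitly that `Direct access grants` is what the `username=`/`password=` curl test below needs (it is the password grant) and that it can stay off if that test is not used.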
| Line 268: | Line 301: | ||
| -d "username=user1" \ | -d "username=user1" \ | ||
| -d 'password=kcpassword1' \ | -d 'password=kcpassword1' \ | ||
| - | https://keycloak.corp13.un/realms/corp13/protocol/openid-connect/token | + | https://keycloak.corpX.un/realms/corpX/protocol/openid-connect/token |
| {"access_token":"..." ... | {"access_token":"..." ... | ||
| </code> | </code> | ||
| - | * [[https://jwt.io/|JWT.IO allows you to decode, verify and generate JWT]] | + | * [[https://jwt.io/|JWT.IO allows you to decode, verify and generate JWT]] |
| + | |||
| + | === Проверка подписи JWT === | ||
| + | |||
| + | * https://keycloak.corpX.un/realms/corpX/protocol/openid-connect/certs | ||
| + | |||
| + | <code> | ||
| + | -----BEGIN CERTIFICATE----- | ||
| + | ... | ||
| + | -----END CERTIFICATE----- | ||
| + | </code> | ||
| === Apache CGI приложение === | === Apache CGI приложение === | ||
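Review bot: the new `=== Проверка подписи JWT ===` section points at `.../protocol/openid-connect/certs` and a PEM placeholder but does not say what is compared with what; spell out that the `kid` in the token header selects the key from the certs response, that the signature is verified against that key (the `x5c` certificate or the JWK itself) and that `iss` must equal `https://keycloak.corpX.un/realms/corpX`, otherwise a reader may take a successful decode on the linked jwt.io page for a verification. The `-d 'password=kcpassword1'` line sends the realm user password as a form field, so the token request must only ever go to the https URL, which the corpX change now states.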
| Line 332: | Line 375: | ||
| === FreeIPA === | === FreeIPA === | ||
| + | |||
| + | * [[https://itdraft.ru/2023/03/01/nastrojka-oauth-avtorizacii-cherez-keycloak-freeipa-v-dokuwiki/|Настройка oAuth авторизации через Keycloak+FreeIPA в DokuWiki]] | ||
| + | |||
| <code> | <code> | ||
| Vendor: Other | Vendor: Other | ||
| Line 338: | Line 384: | ||
| Bind type: none | Bind type: none | ||
| + | или, для выгрузки email | ||
| + | Bind type: simple | ||
| + | Bind DN: uid=admin,cn=users,cn=accounts,dc=corpX,dc=un | ||
| + | |||
| Edit mode: READ_ONLY | Edit mode: READ_ONLY | ||
| - | Users DN: cn=users,cn=compat,dc=corpX,dc=un | + | #Users DN: cn=users,cn=compat,dc=corpX,dc=un |
| Users DN: cn=users,cn=accounts,dc=corpX,dc=un | Users DN: cn=users,cn=accounts,dc=corpX,dc=un | ||
| ... | ... | ||
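Review bot: `Bind DN: uid=admin,cn=users,cn=accounts,dc=corpX,dc=un` binds Keycloak as the FreeIPA admin account only to read email attributes for a federation that is `Edit mode: READ_ONLY`; a dedicated read-only service account with access to just the users subtree is enough and limits the damage if the bind password leaks. The hunk also does not show where the bind credential is entered or kept; add that step. Commenting out the compat tree line (`#Users DN: cn=users,cn=compat,...`) while keeping `cn=users,cn=accounts,...` is fine, but state that only the accounts tree is used now so the two lines are not read as alternatives.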
| Line 347: | Line 397: | ||
| RDN LDAP attribute: uid | RDN LDAP attribute: uid | ||
| ... | ... | ||
| - | UUID LDAP attribute: ipaAnchorUUID | + | #UUID LDAP attribute: ipaAnchorUUID |
| - | UUID LDAP attribute: uid | + | #UUID LDAP attribute: uid |
| + | UUID LDAP attribute: ipaUniqueID | ||
| + | |||
| + | Mappers -> | ||
| + | |||
| + | Name: first name | ||
| + | LDAP Attribute: givenname | ||
| + | |||
| + | Name: groups | ||
| + | Mapper type: group-ldap-mapper | ||
| + | LDAP Groups DN: cn=groups,cn=accounts,dc=corpX,dc=un | ||
| + | Relative creation DN: cn | ||
| + | Group Name LDAP Attribute: cn | ||
| </code> | </code> | ||
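Review bot: changing `UUID LDAP attribute` from `uid` (now commented) to `ipaUniqueID` changes the identifier Keycloak stores for each federated user, so check whether users imported under the previous setting still match their LDAP entry and note whether the federation must be re-synced or the imported users removed before the change is applied. For the `group-ldap-mapper` entry, `Relative creation DN: cn` is irrelevant while the federation is `READ_ONLY`, and the mapper's `Name: groups` is what the `groups` client scope above exposes in the token; say so, and give the `Name: first name` mapper its user model attribute so it is clear where `givenname` maps to.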