How to use keycloak

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article focuses on how to use Keycloak. Interested readers may want to take a look: the method introduced here is simple, fast and practical. Let's walk through it.

The CAS here is not the CAS (compare-and-swap) in the Java concurrency package; anyone who has built single sign-on (SSO) will be familiar with it. It is so old and its ecosystem so huge that I still shudder when I think of it. For a long time, doing single sign-on meant referring to CAS to some degree, which was a headache.

Of course, we have another choice: Keycloak, made by JBoss. Everything JBoss produces is remarkably heavy, and Keycloak is no exception: it covers authentication and authorization for all sorts of scenarios. That is understandable; after all, authentication is dirty, tiring work, and packaging it well is not easy.

As a result, although Keycloak provides an easy-to-use admin console, it is not easy to use unless you understand some of the underlying authentication concepts.

Today, xjjdog will run through a quickstart to get a taste of this permission service.

First, download the installation package:

wget -c https://downloads.jboss.org/keycloak/11.0.2/keycloak-11.0.2.zip

Run ./standalone.sh in the bin directory to start the Keycloak server. You will see it listening on port 9990.

At this point, visiting the link gives you nothing, because there is no initial user yet. Like Pangu at the beginning of time, we need a first user to create everything else.

Initialize a user with the add-user.sh command. If you initialize an admin user, you need to enable it first; after initialization you can configure it in the admin console.

The Keycloak server is deployed on port 8080 and can be accessed at the link below:

http://127.0.0.1:8080/auth/

1. Create a Realm

To use Keycloak, you need a Realm. A realm is a domain in which all users and permissions are independent of other realms. If those companies agreed, I could put all the users of JD.com and Taobao on one server, each in its own realm.

The point of the example above is that a realm is an isolation boundary. Hover over the upper left corner and click Add realm to enter the creation page.

Creating a realm is easy: you only need to provide a name.

But don't celebrate too soon. As a global configuration, it has a great many options. These are all for custom enhancements, and we won't discuss them here.

2. Create permissions

Next, create two permission groups (realm roles). Permissions are easy to understand: each is just a string. We create two, ROLE_ADMIN and ROLE_USER.

3. Create a user

It's time to create a user. Click New in the Users tab to enter the creation page. We create a user called xjjdog0 here.

Users also have many options. We focus on two parts: Credentials, where you set the user's password, and Role Mappings, where you assign the user's permissions. Do both here, and set the password of xjjdog0 to 123456.

Note a small detail here. After we update the user's password, the entry Update Password appears on the user's main settings page. It means the user must change his or her own password before the account can actually be used. If you don't need to force the user to set a new password, delete it.

Of course, we deleted it.

4. Create a client

To authenticate in the xjjdog realm, you also need a client ID to identify yourself.

We created a client called xjjdemo, which we will pass to the token endpoint later.
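The four console steps above (realm, roles, user, client) can also be scripted against Keycloak's admin REST API, which is handy for reproducible test environments. The following is an added example, not code from the article or from the Keycloak project. It assumes the same names as the article (realm xjjdog, roles ROLE_ADMIN and ROLE_USER, user xjjdog0 with password 123456, client xjjdemo), a Keycloak 11 layout with endpoints under /auth, and an existing admin account on the master realm whose credentials are placeholders read from environment variables. The function and variable names are this example's own.

```python
"""Provision the article's realm, roles, user and client through Keycloak's
admin REST API (Keycloak 11, URLs under /auth). Added example: the names
mirror the article, the admin credentials below are placeholders."""
import json
import os
import urllib.parse
import urllib.request

BASE = os.environ.get("KC_BASE", "http://localhost:8080/auth")
ADMIN_USER = os.environ.get("KC_ADMIN_USER", "admin")        # placeholder
ADMIN_PASS = os.environ.get("KC_ADMIN_PASS", "change-me")    # placeholder


def admin_url(realm, path=""):
    """Admin endpoint for a realm, e.g. .../admin/realms/xjjdog/users."""
    return f"{BASE}/admin/realms/{realm}{path}"


def realm_rep(name):
    return {"realm": name, "enabled": True}


def role_rep(name):
    return {"name": name}


def user_rep(username, password, must_change_password=False):
    """temporary=False is the API equivalent of deleting the 'Update Password'
    required action the article mentions; temporary=True forces the user to
    choose a new password at first login (the safer default for real users)."""
    return {
        "username": username,
        "enabled": True,
        "credentials": [{"type": "password", "value": password,
                         "temporary": must_change_password}],
    }


def client_rep(client_id):
    """A public client with Direct Access Grants enabled, which the
    grant_type=password request in the article relies on."""
    return {"clientId": client_id, "enabled": True, "publicClient": True,
            "directAccessGrantsEnabled": True}


def _call(method, url, body=None, token=None, form=False):
    """Minimal JSON/form HTTP helper; returns (status, headers, parsed body)."""
    data, headers = None, {}
    if body is not None:
        if form:
            data = urllib.parse.urlencode(body).encode()
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        else:
            data = json.dumps(body).encode()
            headers["Content-Type"] = "application/json"
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, resp.headers, (json.loads(raw) if raw else None)


def admin_token():
    """Password grant on the master realm's built-in admin-cli client."""
    _, _, tok = _call("POST", f"{BASE}/realms/master/protocol/openid-connect/token",
                      {"client_id": "admin-cli", "grant_type": "password",
                       "username": ADMIN_USER, "password": ADMIN_PASS}, form=True)
    return tok["access_token"]


def provision(realm="xjjdog", roles=("ROLE_ADMIN", "ROLE_USER"),
              username="xjjdog0", password="123456", client_id="xjjdemo"):
    """Steps 1-4 of the article as API calls; returns the new user's id."""
    tok = admin_token()
    _call("POST", f"{BASE}/admin/realms", realm_rep(realm), tok)          # step 1
    for r in roles:                                                        # step 2
        _call("POST", admin_url(realm, "/roles"), role_rep(r), tok)
    _, hdrs, _ = _call("POST", admin_url(realm, "/users"),                 # step 3
                       user_rep(username, password), tok)
    user_id = hdrs["Location"].rstrip("/").rsplit("/", 1)[-1]
    # Role mappings need the full role representation (with id), so fetch each.
    reps = [_call("GET", admin_url(realm, f"/roles/{r}"), token=tok)[2] for r in roles]
    _call("POST", admin_url(realm, f"/users/{user_id}/role-mappings/realm"), reps, tok)
    _call("POST", admin_url(realm, "/clients"), client_rep(client_id), tok)  # step 4
    return user_id


if __name__ == "__main__":
    print("created user", provision())
```

Running the script needs a live Keycloak; the representation builders are pure and can be reviewed on their own. The one security-relevant knob is `temporary` on the password credential: the article deletes the Update Password action for convenience, and this script does the same by default, but for anything beyond a demo you want `must_change_password=True` so the initial password set by an administrator never stays in use.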

5. Test the token endpoint

The address for obtaining a token is:

ip:port/auth/realms/{realm}/protocol/openid-connect/token

Based on the address information we set above, the token request URL is:

http://localhost:8080/auth/realms/xjjdog/protocol/openid-connect/token

Use curl to get a token:

curl -X POST -d 'client_id=xjjdemo&grant_type=password&scope=openid&username=xjjdog0&password=123456' http://localhost:8080/auth/realms/xjjdog/protocol/openid-connect/token

The parameters client_id, grant_type, username and password are provided. A JSON document is returned after the POST request:

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICItMXF4RW9NTU1ON29NM2NrZUhPaEowaFVZVGxQNThfMDNwMDYzV1hIVzQwIn0.eyJleHAiOjE2MDI2NTQ1NzMsImlhdCI6MTYwMjY1NDI3MywianRpIjoiMGQ1ZmZhNzgtZTQ5OS00MmFmLTgyMTUtNjgwODNiNjQ4ODRlIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2F1dGgvcmVhbG1zL3hqamRvZyIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiJjYWQ3NjNiMS01OTg3LTQzYTItOGQ4MC0yZDVlODY1ZGI3MTYiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJ4ampkZW1vIiwic2Vzc2lvbl9zdGF0ZSI6ImQxMWQzOWM2LTBhMzItNDNlYi1iYTIyLTg1MzdlZWE4MDcwNiIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiLyoiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIlJPTEVfVVNFUiIsIm9mZmxpbmVfYWNjZXNzIiwiUk9MRV9BRE1JTiIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoieGpqZG9nMCJ9.DVX3VtSjq-hSsjEWqudKIcZhSpIuuDyalRx0epD93HMX8ap5z_7LpeITdb3aRv3AFIBQe8d80SsDZwUIj9NSobyMo8US4ZF4cLyHEYsp881-vJInnrQ-vbnxwShsx1r1S8NO7dV1CP-aD8b611JBtzxV-P6GPbiZH283BFMnKFHQ68aox0_VYEx3dq3PA53LyM8-_rCElrpyTHk1dUdC7OluPgLx390m9H0TV_2aR9ufXGA4e-xW5fmOFvAHGlg_t3BoDVAduQkoy_wYHA_NbP3uRIOcC0pgOonAsspT2lXA_xkPU8oIpPvBQzcV4eWivm1WV_y6K4kOvn0ZJtkFmA",
  "expires_in": 300,
  "refresh_expires_in": 1800,
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjNGMwMzMzOC04MDU5LTRlNDItODYxMC1iYzkzMjNjZDY5NmIifQ.eyJleHAiOjE2MDI2NTYwNzMsImlhdCI6MTYwMjY1NDI3MywianRpIjoiNGE5ZjgxMGItMzc1ZC00OGRmLTg3YjYtN2UwODY4MmFhNDYxIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2F1dGgvcmVhbG1zL3hqamRvZyIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9hdXRoL3JlYWxtcy94ampkb2ciLCJzdWIiOiJjYWQ3NjNiMS01OTg3LTQzYTItOGQ4MC0yZDVlODY1ZGI3MTYiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoieGpqZGVtbyIsInNlc3Npb25fc3RhdGUiOiJkMTFkMzljNi0wYTMyLTQzZWItYmEyMi04NTM3ZWVhODA3MDYiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIn0.mJYtSMQLgEDlzpX7_WC5pAF8s2DENZB1IBv20R2kZ8s",
  "token_type": "bearer",
  "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICItMXF4RW9NTU1ON29NM2NrZUhPaEowaFVZVGxQNThfMDNwMDYzV1hIVzQwIn0.<payload omitted>.EvUbCmrylfwFL0rhyX36nnxFNRTvtYZAkPYtLv6r8CCbolRHwNJDJflu44BpLQBJGD4UNFkvfsz1BmU-mAw5soxS7eaupOm8LGkUm_qmgj-qtH0eGRi4FlUq4Tw3gx4lGoyR1zNlt1dkcAhjNtyXkhZWjcjDownLgFajNrUCOUiFw1XZwBDPlyy5AQ8d1Kkc5RIF6zhy4bkXKp_fakTNWJPr2-C1xYcEssGOv81FVUajszmItnWP4SnJvzER_njpmnjg_b1lPMng-zMx-R7zgQrx06JStO0IKUd8hXSSmudpw652whR31cCWbTBhfNB2RH_Rnfrau2047WZ36I8zmg",
  "not-before-policy": 0,
  "session_state": "d11d39c6-0a32-43eb-ba22-8537eea80706",
  "scope": "openid email profile"
}

access_token and id_token should look familiar: each is divided into three dot-separated parts, which is the JWT format.

Decode it with a JWT tool and it is indeed a JWT; the contents are readable in an instant.

There is a lot of content in the payload area, where you can see the user information. Carrying this kind of token across the network is certainly wasteful. However, in the 21st century, this waste is acceptable.

Request the address below to verify the user through the userinfo endpoint, passing the access_token obtained above:

curl -X POST -d 'access_token={token}' http://localhost:8080/auth/realms/xjjdog/protocol/openid-connect/userinfo

You will get the following response:

{"sub": "cad763b1-5987-43a2-8d80-2d5e865db716", "email_verified": false, "preferred_username": "xjjdog0"}

In the end we can see that Keycloak manages tokens in a stateless manner, based on the more modern OAuth 2.0 and JSON Web Token (JWT) specifications. For Internet applications, it naturally has the ability to scale out.
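The token request, the JWT decoding and the userinfo call from step 5 can be walked through in a few lines of Python, which also shows what a resource server has to check before trusting the claims. This is an added example, not code from the article or from Keycloak: it embeds the access_token printed above (already long expired, which the checks report), assumes the article's realm and client names, and sends the bearer token to userinfo in an Authorization header instead of the form field the article's curl uses (Keycloak accepts both). The function names request_token, decode_jwt, check_claims and userinfo are this example's own.

```python
"""Client-side view of the article's token flow: request a token with the
password grant, decode the JWT locally, check the claims a resource server
cares about, then call userinfo. Added example, not the article's code.
ACCESS_TOKEN is the access_token from the article's JSON response."""
import base64
import json
import time
import urllib.parse
import urllib.request

ISSUER = "http://localhost:8080/auth/realms/xjjdog"
TOKEN_URL = f"{ISSUER}/protocol/openid-connect/token"
USERINFO_URL = f"{ISSUER}/protocol/openid-connect/userinfo"
CERTS_URL = f"{ISSUER}/protocol/openid-connect/certs"  # realm public keys (JWKS)

ACCESS_TOKEN = (  # copied from the article; header.payload.signature
    "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICItMXF4RW9NTU1ON29NM2NrZUhPaEowaFVZVGxQNThfMDNwMDYzV1hIVzQwIn0"
    ".eyJleHAiOjE2MDI2NTQ1NzMsImlhdCI6MTYwMjY1NDI3MywianRpIjoiMGQ1ZmZhNzgtZTQ5OS00MmFmLTgyMTUtNjgwODNiNjQ4ODRlIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2F1dGgvcmVhbG1zL3hqamRvZyIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiJjYWQ3NjNiMS01OTg3LTQzYTItOGQ4MC0yZDVlODY1ZGI3MTYiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJ4ampkZW1vIiwic2Vzc2lvbl9zdGF0ZSI6ImQxMWQzOWM2LTBhMzItNDNlYi1iYTIyLTg1MzdlZWE4MDcwNiIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiLyoiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIlJPTEVfVVNFUiIsIm9mZmxpbmVfYWNjZXNzIiwiUk9MRV9BRE1JTiIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoieGpqZG9nMCJ9"
    ".DVX3VtSjq-hSsjEWqudKIcZhSpIuuDyalRx0epD93HMX8ap5z_7LpeITdb3aRv3AFIBQe8d80SsDZwUIj9NSobyMo8US4ZF4cLyHEYsp881-vJInnrQ-vbnxwShsx1r1S8NO7dV1CP-aD8b611JBtzxV-P6GPbiZH283BFMnKFHQ68aox0_VYEx3dq3PA53LyM8-_rCElrpyTHk1dUdC7OluPgLx390m9H0TV_2aR9ufXGA4e-xW5fmOFvAHGlg_t3BoDVAduQkoy_wYHA_NbP3uRIOcC0pgOonAsspT2lXA_xkPU8oIpPvBQzcV4eWivm1WV_y6K4kOvn0ZJtkFmA"
)


def b64url_decode(segment):
    """JWT segments are base64url without '=' padding; restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token):
    """Split header.payload.signature and parse the two JSON parts.
    This only *reads* the token; it does not verify the RS256 signature,
    which needs the realm's public key from CERTS_URL."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            b64url_decode(signature_b64))


def check_claims(payload, expected_issuer, expected_client, required_role=None, now=None):
    """Return the list of problems a resource server should reject on;
    an empty list means the claims (not the signature) are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != expected_issuer:
        problems.append(f"unexpected issuer {payload.get('iss')!r}")
    if payload.get("azp") != expected_client:
        problems.append(f"token was issued to client {payload.get('azp')!r}")
    if payload.get("typ") != "Bearer":
        problems.append("not a bearer access token")
    if now >= payload.get("exp", 0):
        problems.append("token expired")
    roles = payload.get("realm_access", {}).get("roles", [])
    if required_role and required_role not in roles:
        problems.append(f"missing realm role {required_role}")
    return problems


def request_token(username, password, client_id="xjjdemo"):
    """The article's curl call as a Python request (needs a running Keycloak)."""
    body = urllib.parse.urlencode({"client_id": client_id, "grant_type": "password",
                                   "scope": "openid", "username": username,
                                   "password": password}).encode()
    with urllib.request.urlopen(urllib.request.Request(TOKEN_URL, data=body)) as resp:
        return json.load(resp)


def userinfo(access_token):
    """Ask the server who the token belongs to. Unlike decode_jwt this is
    authoritative: the server checks the signature and the session state."""
    req = urllib.request.Request(USERINFO_URL,
                                 headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    header, payload, sig = decode_jwt(ACCESS_TOKEN)
    print("alg:", header["alg"], "kid:", header["kid"], "sig bytes:", len(sig))
    print("user:", payload["preferred_username"], "roles:", payload["realm_access"]["roles"])
    print("problems now:", check_claims(payload, ISSUER, "xjjdemo", "ROLE_ADMIN"))
    # Live flow, with a server running:
    # tok = request_token("xjjdog0", "123456")
    # print(userinfo(tok["access_token"]))
```

The split between decode_jwt and check_claims is deliberate: anyone can decode the payload, so the roles inside it mean nothing until the signature has been verified against the realm's published key and the issuer, client (azp) and expiry have been checked. The 300-second expires_in in the response is what keeps a stolen access token short-lived; the refresh token is the long-lived secret and should be protected accordingly.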

Integrating Keycloak into Spring Boot is very simple, and there is an official demo for it. Keycloak development is also very active; the master branch has just received new commits. Anyway, it's worth a try!

At this point, I believe you have a deeper understanding of how to use Keycloak. You might as well try it in practice. For more related content, check the relevant channels, follow us, and keep learning!


© 2024 shulou.com SLNews company. All rights reserved.
