
How to integrate Keycloak with SpringBoot/Angular to realize single sign-on function

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

This article explains how to integrate Keycloak with SpringBoot/Angular to achieve single sign-on. The editor finds it very practical and shares it here as a reference; follow along with the editor to have a look.

Keycloak

Keycloak provides open-source authentication and access management (commonly called authentication and authorization) for modern applications and services. Keycloak supports the OpenID Connect, OAuth 2.0 and SAML 2.0 protocols; user registration, user management and permission management; identity brokering of external OpenID Connect and SAML 2.0 IdPs; third-party (social) login through GitHub, LinkedIn and others; integration with LDAP and Active Directory; custom authentication flows; custom user interfaces; and internationalization.

Keycloak supports Java, C#, Python, Android, iOS, JavaScript, Node.js and other platforms and languages, provides easy-to-use adapters, and needs only a small amount of configuration and code to implement SSO.

Keycloak's new distribution is built on Quarkus, a Kubernetes-native Java framework tailored for GraalVM and OpenJDK HotSpot, and is scheduled for official release at the end of 2019.

Installation

Keycloak is built on the WildFly application server. Download the Standalone server distribution from the official website, unpack it, and run bin/standalone.sh to start it. The H2 database is used by default; modify the configuration to use another database. See the official documentation for Standalone Clustered Mode, Domain Clustered Mode and further configuration.

By default the local URL is http://localhost:8080/auth, and you must create an admin user the first time you open it:

Then log in to the Admin Console directly at http://localhost:8080/auth/admin/:

Realm

To protect different applications, different Realms are usually created; the data and configuration of each Realm are independent. The realm created initially is Master, the highest-level Realm. An admin user within the Master realm (a user granted the admin role) has permission to view and manage every other realm. It is therefore not recommended to use the master realm to manage users and applications; reserve it for the Super Admin to create and manage realms. Each realm has its own dedicated administration console and can have its own administrator accounts: for the heroes realm we create next, the console URL is http://localhost:8080/auth/admin/heroes/console. To create the heroes realm, open the drop-down menu in the upper left corner and click "Add realm":

The Login tab has several configurable options: user registration, edit username, forgot password, remember me, verify email, login with email, and Require SSL.

Require SSL has three options: all requests, external requests and none. The default is external requests; in a production environment it should be set to all requests.

all requests: every client must use HTTPS
external requests: localhost and private IP addresses may connect without HTTPS; every other client must use HTTPS
none: no client needs HTTPS
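To make the three Require SSL modes concrete, here is an added example (not code from the article or from Keycloak) that decides, for a request URL, whether the realm setting would demand HTTPS. The mode names come from the page; the function names (is_non_external, https_required, check_request) and the concrete "private IP" ranges are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit

# The three Require SSL modes from the realm's Login tab, as named on the page.
MODES = ("all requests", "external requests", "none")

# Hosts that "external requests" mode treats as non-external. The page names
# localhost and private IP addresses; the concrete ranges below are an assumption.
NON_EXTERNAL_NETS = [ipaddress.ip_network(n) for n in
                     ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                      "192.168.0.0/16", "::1/128")]


def is_non_external(host: str) -> bool:
    """True for localhost and loopback/private IP addresses."""
    if host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name is always treated as external
    return any(addr in net for net in NON_EXTERNAL_NETS)


def https_required(mode: str, host: str) -> bool:
    """Does the given Require SSL mode demand HTTPS for a request from `host`?"""
    if mode not in MODES:
        raise ValueError(f"unknown Require SSL mode: {mode!r}")
    if mode == "all requests":
        return True
    if mode == "none":
        return False
    return not is_non_external(host)  # "external requests"


def check_request(mode: str, url: str) -> dict:
    """Decide whether a request URL would be accepted under the configured mode."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    required = https_required(mode, host)
    return {
        "host": host,
        "https_required": required,
        "accepted": parts.scheme == "https" or not required,
    }


if __name__ == "__main__":
    # Constructed sample requests, evaluated against each mode.
    for mode in MODES:
        for url in ("http://localhost:8080/auth", "http://10.1.2.3/auth",
                    "http://sso.example.com/auth", "https://sso.example.com/auth"):
            print(f"{mode:18} {url:32} -> {check_request(mode, url)['accepted']}")
```

Running it shows why the default is unsafe for a deployment reached through a public hostname: under "external requests" a plain-HTTP login from sso.example.com is rejected, but the same login from localhost or a 10.x address is allowed, which is exactly the gap "all requests" closes.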

The Themes tab configures interface themes and enables internationalization:

The Tokens tab configures the token signature algorithm, expiration times, and so on.

Client

A Client is a trusted application within a realm.

The following clients are created automatically together with the realm:

account: account management. If User-Managed Access is enabled in the realm settings, users can manage their own Resources here:

admin-cli: client used by the command-line administration tools

broker: client used for identity brokering

realm-management: predefines the realm administrative roles, which must be assigned when creating a realm administrator

security-admin-console: the realm administration console

To create the heroes client, click Create at the top right of the Clients page:

Client Protocol keeps the default value openid-connect. Access Type has three options: confidential, public and bearer-only; keep the default, public. A confidential client needs a client secret, but this client will be used in a web application, which has no secure way to hold a secret, so it must be a public client. As long as HTTPS is used strictly, this remains secure. Under Valid Redirect URIs enter http://localhost:4200/*.

Authentication flows:

Standard Flow: the Authorization Code Flow of the OAuth 2.0 specification, the recommended flow with the highest security. After Keycloak authenticates the user, it redirects the browser back with a one-time, short-lived authorization code; the browser then exchanges this code with Keycloak for tokens (identity, access and refresh token).

Implicit Flow: Keycloak authenticates the user and then returns the identity and access token directly.

Direct Access Grants: a REST client obtains tokens with an HTTP POST request; the response contains the access and refresh token.

Example call; the request address is http://localhost:8080/auth/realms/heroes/protocol/openid-connect/token:

Client Scope

A Client Scope defines a set of protocol mappers. Keycloak predefines some scopes that every client inherits automatically, so the mappers need not be defined again inside each client. Client scopes are either default or optional: default scopes take effect automatically, optional scopes only when explicitly requested.

An optional scope is enabled by passing it in the scope request parameter:

An attribute appears in a client's token or userinfo only after the corresponding scope is enabled or a mapper is configured. For example, in the figure above we enabled the phone number mapper defined in the phone scope:

If phoneNumber is defined as a user attribute, phone_number then appears in the token. You can check the effect under heroes client -> Client Scopes -> Evaluate:

Role, Group, User

Role

Roles exist at two levels, Realm and Client. The default realm roles are offline_access and uma_authorization.

Offline access

Offline access is defined in the OpenID Connect specification: the user logs in and obtains an offline token, which remains usable after the user logs out. This is useful in many scenarios, such as a daily offline backup of data. To obtain an offline token, the offline_access scope must be requested in addition to the user holding the offline_access role. By default an offline token never expires, but it must be refreshed at least every 30 days. Offline tokens can be revoked:
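The three token-related passages above (the Direct Access Grants POST to the token endpoint, checking which claims a client scope adds to the token, and refreshing an offline token) share one mechanism, so here is one added example for all of them. It is not code from the article, Keycloak or its adapters: it builds the form body for the password and refresh_token grants against the endpoint URL named on the page, decodes a token's payload for inspection, and reports the scopes, the phone_number claim and whether the refresh token is an offline one. The function names, the sample user alice and her phone number, and the "typ": "Offline" marker used to recognise an offline refresh token are assumptions of this example; SAMPLE_RESPONSE is a constructed, unsigned stand-in for a real token response so the block runs offline.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Base URL and realm as used in the article.
BASE_URL = "http://localhost:8080/auth"
REALM = "heroes"


def token_endpoint(base_url: str = BASE_URL, realm: str = REALM) -> str:
    return f"{base_url}/realms/{realm}/protocol/openid-connect/token"


def password_grant_body(client_id: str, username: str, password: str,
                        scope: str = None) -> str:
    """Form body for Direct Access Grants (OAuth 2.0 password grant).
    A public client sends no client_secret. Optional client scopes such as
    'phone' or 'offline_access' are requested through the scope parameter."""
    form = {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password}
    if scope:
        form["scope"] = scope
    return urlencode(form)


def refresh_grant_body(client_id: str, refresh_token: str) -> str:
    """Form body used to refresh tokens, including an offline token."""
    return urlencode({"grant_type": "refresh_token", "client_id": client_id,
                      "refresh_token": refresh_token})


def post_token_request(body: str, url: str = None) -> dict:
    """Send the POST and parse the JSON response. This is the only function
    that touches the network; it is not exercised in the offline demo below."""
    req = Request(url or token_endpoint(), data=body.encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return json.load(resp)


def jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWS for inspection only.
    No signature check is done here; a resource server must verify the
    signature against the realm's keys before trusting any claim."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS token")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def summarize_tokens(token_response: dict) -> dict:
    """Report what the scopes and mappers produced in the returned tokens."""
    access = jwt_payload(token_response["access_token"])
    refresh = jwt_payload(token_response["refresh_token"])
    return {
        "scopes": access.get("scope", "").split(),
        "phone_number": access.get("phone_number"),       # present only with the phone scope
        "realm_roles": access.get("realm_access", {}).get("roles", []),
        "offline": refresh.get("typ") == "Offline",        # assumed offline-token marker
    }


def _fake_jwt(payload: dict) -> str:
    """Constructed, unsigned token with the JWS layout (header.payload.signature)."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{enc(json.dumps(payload).encode())}."


# Constructed sample response shaped like Keycloak's token response.
SAMPLE_RESPONSE = {
    "access_token": _fake_jwt({
        "typ": "Bearer", "azp": "heroes", "preferred_username": "alice",
        "scope": "openid phone offline_access", "phone_number": "+1-555-0100",
        "realm_access": {"roles": ["offline_access", "uma_authorization"]}}),
    "refresh_token": _fake_jwt({"typ": "Offline", "azp": "heroes"}),
    "token_type": "bearer", "expires_in": 300,
}

if __name__ == "__main__":
    print("POST", token_endpoint())
    print(password_grant_body("heroes", "alice", "s3cret", "openid phone offline_access"))
    print(summarize_tokens(SAMPLE_RESPONSE))
    print(refresh_grant_body("heroes", SAMPLE_RESPONSE["refresh_token"]))
```

Two points worth noticing when adapting this: the body never carries a client_secret, because the heroes client was created as public, and jwt_payload deliberately does no signature verification, so it is fit for the Evaluate-style inspection described above but not for authorizing a request.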

uma_authorization

UMA stands for User-Managed Access; Keycloak is an authorization server that conforms to the UMA 2.0 specification.

The relationship between Role, Group and User

A User can belong to one or more Groups; Roles can be granted to both Users and Groups.

Create a Realm administrative user

Add a user:

Grant realm-management permissions:

Authentication

Keycloak predefines the Browser, Direct Grant, Registration, Reset Credentials and other authentication flows, and users can also customize them. Take the Browser flow as an example:

Required executions must all succeed; of the Alternative executions at least one must succeed; Optional executions are enabled or not at the user's discretion.
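To show how those three requirement levels combine, here is an added example (not Keycloak's own evaluator, which has more nuance) that applies the rules just stated to a flow with a nested sub-flow, modelled on the shape of the Browser flow. The Execution class, evaluate_flow and browser_flow are names invented for this example, the executions listed in browser_flow are a constructed approximation of the default Browser flow, and the outcomes passed in are constructed inputs.

```python
from dataclasses import dataclass, field
from typing import List

# Requirement levels as named on the page. Disabled executions are skipped.
REQUIRED, ALTERNATIVE, OPTIONAL, DISABLED = "Required", "Alternative", "Optional", "Disabled"


@dataclass
class Execution:
    name: str
    requirement: str
    passed: bool = False                     # constructed outcome of this authenticator
    user_enabled: bool = False               # Optional only: has the user set it up?
    children: List["Execution"] = field(default_factory=list)  # non-empty for a sub-flow


def outcome(e: Execution) -> bool:
    """A sub-flow's outcome is the evaluation of its children; a plain
    authenticator's outcome is its own recorded result."""
    return evaluate_flow(e.children) if e.children else e.passed


def evaluate_flow(executions: List[Execution]) -> bool:
    """Rules from the text: every Required execution must succeed, at least
    one Alternative must succeed (when any exist), and an Optional execution
    counts only if the user has enabled it. This is a simplification of
    Keycloak's real evaluator (an assumption of this example)."""
    active = [e for e in executions if e.requirement != DISABLED]
    required = [e for e in active if e.requirement == REQUIRED]
    alternative = [e for e in active if e.requirement == ALTERNATIVE]
    optional = [e for e in active if e.requirement == OPTIONAL and e.user_enabled]
    if not all(outcome(e) for e in required):
        return False
    if alternative and not any(outcome(e) for e in alternative):
        return False
    return all(outcome(e) for e in optional)


def browser_flow(cookie_valid: bool, password_ok: bool,
                 otp_enrolled: bool, otp_ok: bool) -> bool:
    """Constructed model of the Browser flow: Cookie and Forms are alternatives,
    and Forms is a sub-flow with a Required password form and an Optional OTP form."""
    flow = [
        Execution("Cookie", ALTERNATIVE, passed=cookie_valid),
        Execution("Kerberos", DISABLED),
        Execution("Identity Provider Redirector", ALTERNATIVE, passed=False),
        Execution("Forms", ALTERNATIVE, children=[
            Execution("Username Password Form", REQUIRED, passed=password_ok),
            Execution("OTP Form", OPTIONAL, passed=otp_ok, user_enabled=otp_enrolled),
        ]),
    ]
    return evaluate_flow(flow)


if __name__ == "__main__":
    print("valid SSO cookie:            ", browser_flow(True, False, False, False))
    print("password only, no OTP set up:", browser_flow(False, True, False, False))
    print("password + correct OTP:      ", browser_flow(False, True, True, True))
    print("password + wrong OTP:        ", browser_flow(False, True, True, False))
    print("wrong password:              ", browser_flow(False, False, False, False))
```

The model makes the security consequence of Optional visible: a user who never enrolled an OTP authenticates with the password alone, so an Optional OTP step does not enforce second-factor use; switching it to Required at the sub-flow level is what makes it mandatory.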

Identity Provider, ADFS, Salesforce, Spring Boot, Angular

Reference documentation

Keycloak
A Quick Guide to Using Keycloak with Spring Boot
AD FS Docs
Spring Boot and OAuth2
OAuth 2.0 Login Sample
Spring Boot and OAuth2 with Keycloak
Spring SAML
Spring Boot OAuth2 Server: Building OAuth2 Authentication Services
How to Setup MS AD FS 3.0 as Brokered Identity Provider in Keycloak

Thank you for reading! This concludes the article on how to integrate Keycloak with SpringBoot/Angular to achieve single sign-on. I hope the content above has been of some help and that you have learned something from it; if you think the article is good, please share it so that more people can see it!
