User Management and Permissions in Eclipse Che

Basics

Authentication and Authorization

Authentication is the process of issuing a challenge to the user and verifying the user's identity.

Token: a token is a very simple concept. It is a temporary credential issued to a user after that user has been authenticated. Inside the system, each subsystem only needs to recognise and process this credential in a uniform way in order to authorize the user's accesses and operations.

Introducing tokens into a web security system is as useful as it is in traditional settings. In security systems a token usually carries security context: the identified user, the token's issuer, the token's validity period and so on. When necessary the system can revoke a token, so that the next time it is presented for an access or an operation the user is refused.

As web systems have evolved, the trend has been to replace relatively complex, heavyweight technologies with "simple" web-native ones: JSON-RPC or REST interfaces instead of SOAP service calls, a microservice architecture instead of SOA, and so on. The token standard for web technology is the JSON Web Token (JWT), which specifies a simple JSON-based token format that can securely encapsulate security context information.

Tokens are used in the widely deployed OAuth technology to carry out authorization. OAuth is an open authorization model that defines a simple and intuitive interaction between a resource owner and a consumer: the consumer sends the resource owner HTTP requests signed with an access token. This lets a consumer application obtain an access token sufficient for its function without needing (or being able) to obtain the user's credentials, as long as the user completes authentication and consents to the consumer calling data and operations on the user's behalf. OAuth's simple flow and flexible programming model make it a good fit for open platforms that authorize third-party applications to use user data. Many internet companies have built open platforms that expose their users' platform data to third-party applications as APIs, giving users richer services.

OAuth's success on open platforms made more developers aware of it, and its simple, well-defined flow attracted them. Moreover, OAuth specifies an authorization model; it neither prescribes the data format of the access token nor restricts the authentication methods used during login. People soon found that, applied appropriately, OAuth fits a wide range of scenarios in their own systems. For example, treating a web service as the resource owner and a rich web application or mobile application as the consumer application matches the open-platform scenario exactly.

OAuth and single sign-on (TODO)

OAuth and rich client applications (TODO)

OAuth2 Concepts

Roles

Resource owner

An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.

Resource server

The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.

Client

An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices).

Authorization server

The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

The interaction between the authorization server and the resource server is beyond the scope of the OAuth specification. The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers.

Flow

 +--------+                               +---------------+
 |        |--(A)- Authorization Request ->|   Resource    |
 |        |                               |     Owner     |
 |        |<-(B)-- Authorization Grant ---|               |
 |        |                               +---------------+
 |        |
 |        |                               +---------------+
 |        |--(C)-- Authorization Grant -->| Authorization |
 | Client |                               |     Server    |
 |        |<-(D)----- Access Token -------|               |
 |        |                               +---------------+
 |        |
 |        |                               +---------------+
 |        |--(E)----- Access Token ------>|    Resource   |
 |        |                               |     Server    |
 |        |<-(F)--- Protected Resource ---|               |
 +--------+                               +---------------+

Grant types

  • Authorization code: code
  • Implicit: token
  • Resource owner password credentials: password
  • Client credentials: client_credentials

Keycloak

In Keycloak's own words, it provides "open source authentication and authorization access control management for modern applications and services".

keycloak@che

Roles

  • User: resource owner
  • Dashboard/IDE: client
  • WSMaster/WSInstance: resource server
  • Keycloak: authorization server

Applicable OAuth model

Logical flow

  1. Round one, login request:
  • The user visits the client.
  • The client redirects to the authorization server's login page.
  2. Round two, authentication:
  • The user enters username and password; the client submits the user's credentials to the authorization server and requests authorization-code authentication.
  • The authorization server authenticates the user and returns an authorization code.
  3. Round three, authorization:
  • The user accesses the client and asks it to fetch a resource; the client requests an access token.
  • The authorization server returns the access token.
  4. Round four, resource access:
  • The client presents the access token to access the resource.
  • The resource server validates the access token.
  • The authorization server returns the authorization result.

Address: http://[your-server]:5050/auth/
Grant type: authorization_code

Session details

Preparation: fetch the authentication server settings

Request URL: http://10.24.19.123:8080/api/keycloak/settings
Request Method: GET
Status Code: 200 
Remote Address: 10.24.19.123:8080
Referrer Policy: no-referrer-when-downgrade

Request headers

GET /api/keycloak/settings HTTP/1.1
Host: 10.24.19.123:8080
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
Referer: http://10.24.19.123:8080/dashboard/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=79FFDED6A2C0D33D19A2CC7D0DDE8FF9

Response

HTTP/1.1 200
Cache-Control: public, no-cache, no-store, no-transform
Content-Type: application/json
Transfer-Encoding: chunked
Content-Encoding: gzip
Vary: Accept-Encoding
Date: Fri, 04 May 2018 09:04:39 GMT

Request 1: fetch the authentication information

The server detects that the user is not logged in or that the login has expired, and redirects to the authentication server.

Request 2: the client requests the login page

Request 2 is sent by the user agent to the authorization server; it is the URI at which the client requests authentication, with the following parameters:

  • response_type: the grant type, required; here the value is fixed to "code"
  • client_id: the client ID, required
  • redirect_uri: the redirect URI, optional
  • scope: the requested scope, optional
  • state: the client's current state; it may be any value, and the authentication server returns it unchanged

The authentication server responds with the login page.

Request URL: http://10.24.19.123:5050/auth/realms/che/protocol/openid-connect/auth?client_id=che-public&redirect_uri=http%3A%2F%2F10.24.19.123%3A8080%2Fdashboard%2F&state=2fca0e61-60a6-4c1d-b650-c2d40764dbdd&nonce=ba39f3cf-dcc1-4786-8ba8-8c3d276703fd&response_mode=fragment&response_type=code&scope=openid
Request Method: GET
Status Code: 200 OK
Remote Address: 10.24.19.123:5050
Referrer Policy: no-referrer-when-downgrade

Request headers

GET /auth/realms/che/protocol/openid-connect/auth?client_id=che-public&redirect_uri=http%3A%2F%2F10.24.19.123%3A8080%2Fdashboard%2F&state=333f3e97-5dcc-448a-b19f-459d7d6e6dad&nonce=b074b1f5-274a-413e-83ac-88b527b84d19&response_mode=fragment&response_type=code&scope=openid HTTP/1.1
Host: 10.24.19.123:5050
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://10.24.19.123:8080/dashboard/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: AUTH_SESSION_ID=24d32bc7-c1bc-4a91-bd7f-9e599e4ec558.c4c3f8ccaa3a; KEYCLOAK_SESSION=che/430abffe-bb49-4e9a-ba49-dab91d06d628/24d32bc7-c1bc-4a91-bd7f-9e599e4ec558; KEYCLOAK_STATE_CHECKER=xsoy-OV-kqkjWRewfdNx91ON6zJDwr2FQrNtWblN_X4; KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiNTEyNzZkNGItNWI5Yi00NmJiLWE4ZjUtZmI5MzQ4NTVlMjBjIn0.eyJqdGkiOiJiNzZjYmNlZC02YjhlLTRkOWQtOTQ3ZS1lYzYyM2JlYTFiMGYiLCJleHAiOjE1MjUyODY3NzQsIm5iZiI6MCwiaWF0IjoxNTI1MjUwNzc0LCJpc3MiOiJodHRwOi8vMTAuMjQuMTkuMTIzOjUwNTAvYXV0aC9yZWFsbXMvY2hlIiwic3ViIjoiNDMwYWJmZmUtYmI0OS00ZTlhLWJhNDktZGFiOTFkMDZkNjI4IiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiMjRkMzJiYzctYzFiYy00YTkxLWJkN2YtOWU1OTllNGVjNTU4IiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.VFIEMH1qYgrXDO4EMwK4CzfFQktcmTLEY6sYza-c-HU

URL parameters

client_id: che-public
redirect_uri: http://10.24.19.123:8080/dashboard/
state: 333f3e97-5dcc-448a-b19f-459d7d6e6dad
nonce: b074b1f5-274a-413e-83ac-88b527b84d19
response_mode: fragment
response_type: code
scope: openid

Response (carries the initial session information)

HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, max-age=0
X-Powered-By: Undertow/1
Set-Cookie: AUTH_SESSION_ID=b7fefb20-56be-4061-b6a7-bbd9df82ee74.c4c3f8ccaa3a; Version=1; Path=/auth/realms/che; HttpOnly
Set-Cookie: KC_RESTART=eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiNTEyNzZkNGItNWI5Yi00NmJiLWE4ZjUtZmI5MzQ4NTVlMjBjIn0.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.hCYCk8dJbra0z01OWIyZJ0QD4WAit43nUd_QOiZEeYA; Version=1; Path=/auth/realms/che; HttpOnly
Set-Cookie: KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/che; HttpOnly
Set-Cookie: KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/che
Server: WildFly/11
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-src 'self'
Date: Wed, 02 May 2018 13:07:57 GMT
Connection: keep-alive
X-Robots-Tag: none
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=utf-8
Content-Length: 3259

Request 3, authentication: submit the username and password entered by the user; the authorization step

The browser sends the user's credentials to the authentication server.

Initiator: other

Request URL: http://10.24.19.123:5050/auth/realms/che/login-actions/authenticate?code=E0N__4TiHl6QAEM4lQ1n0RNn-cBsIlTWlcIDxBCk3BQ&execution=47a46c5e-9665-419c-888a-d0c730540c0b&client_id=che-public
Request Method: POST
Status Code: 302 Found
Remote Address: 10.24.19.123:5050
Referrer Policy: no-referrer-when-downgrade

Request

POST /auth/realms/che/login-actions/authenticate?code=E0N__4TiHl6QAEM4lQ1n0RNn-cBsIlTWlcIDxBCk3BQ&execution=47a46c5e-9665-419c-888a-d0c730540c0b&client_id=che-public HTTP/1.1
Host: 10.24.19.123:5050
Connection: keep-alive
Content-Length: 49
Pragma: no-cache
Cache-Control: no-cache
Origin: http://10.24.19.123:5050
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://10.24.19.123:5050/auth/realms/che/login-actions/authenticate?execution=47a46c5e-9665-419c-888a-d0c730540c0b&client_id=che-public
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: AUTH_SESSION_ID=8ca653d6-8ebc-4107-96c2-b5c2e9ba2a0e.c4c3f8ccaa3a; KC_RESTART=eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiNTEyNzZkNGItNWI5Yi00NmJiLWE4ZjUtZmI5MzQ4NTVlMjBjIn0.eyJjaWQiOiJjaGUtcHVibGljIiwicHR5Ijoib3BlbmlkLWNvbm5lY3QiLCJydXJpIjoiaHR0cDovLzEwLjI0LjE5LjEyMzo4MDgwL2Rhc2hib2FyZC8_cmVkaXJlY3RfZnJhZ21lbnQ9JTJGIiwiYWN0IjoiQVVUSEVOVElDQVRFIiwibm90ZXMiOnsic2NvcGUiOiJvcGVuaWQiLCJpc3MiOiJodHRwOi8vMTAuMjQuMTkuMTIzOjUwNTAvYXV0aC9yZWFsbXMvY2hlIiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJjb2RlX2NoYWxsZW5nZV9tZXRob2QiOiJwbGFpbiIsInJlZGlyZWN0X3VyaSI6Imh0dHA6Ly8xMC4yNC4xOS4xMjM6ODA4MC9kYXNoYm9hcmQvP3JlZGlyZWN0X2ZyYWdtZW50PSUyRiIsInN0YXRlIjoiMTJjYzUyNGQtMjQwNS00NmU0LThhMjEtZDdmNWIyN2EzNWExIiwibm9uY2UiOiJkYjAyZDM5MC1lMTA1LTQ4NjEtODgzMi1iYzc5ZjRhYmE4ODgiLCJyZXNwb25zZV9tb2RlIjoiZnJhZ21lbnQifX0.9OAt31fvvQVvFvtldi5P7SU08nKWqn1aWO7UNP-xr-I

URL parameters

code: E0N__4TiHl6QAEM4lQ1n0RNn-cBsIlTWlcIDxBCk3BQ
execution: 47a46c5e-9665-419c-888a-d0c730540c0b
client_id: che-public

Form data

username: gibbonet
password: jp8576net
login: Log in

The authentication server replies with the authorization code, carried as URI parameters in the Location response header:

  • code: the authorization code, required. It should be short-lived (typically 10 minutes) and usable only once; reuse is rejected by the authorization server. The code is bound one-to-one to the client ID and the redirect URI.
  • state: if the client's request included this parameter, the authentication server's response must include it with exactly the same value

Response (returns the authorization code)

Status Code: 302 Found
Cache-Control: no-store, must-revalidate, max-age=0
X-Powered-By: Undertow/1
Set-Cookie: KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/che; HttpOnly
Set-Cookie: KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiNTEyNzZkNGItNWI5Yi00NmJiLWE4ZjUtZmI5MzQ4NTVlMjBjIn0.eyJqdGkiOiI4YzgyYWRlYS1mYzU4LTQzNmUtOWQyYi1lY2U5YzU2YzEyMmMiLCJleHAiOjE1MjU0NTk3NDAsIm5iZiI6MCwiaWF0IjoxNTI1NDIzNzQwLCJpc3MiOiJodHRwOi8vMTAuMjQuMTkuMTIzOjUwNTAvYXV0aC9yZWFsbXMvY2hlIiwic3ViIjoiNDMwYWJmZmUtYmI0OS00ZTlhLWJhNDktZGFiOTFkMDZkNjI4IiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiOGNhNjUzZDYtOGViYy00MTA3LTk2YzItYjVjMmU5YmEyYTBlIiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.qCH1QrZ2Ys7GFb8SPtv8VCZ72ZHTrJhggjJmqoHHWWc; Version=1; Path=/auth/realms/che; HttpOnly
Set-Cookie: KEYCLOAK_SESSION=che/430abffe-bb49-4e9a-ba49-dab91d06d628/8ca653d6-8ebc-4107-96c2-b5c2e9ba2a0e; Version=1; Expires=Fri, 04-May-2018 18:49:00 GMT; Max-Age=36000; Path=/auth/realms/che
Set-Cookie: KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/che; HttpOnly
P3P: CP="This is not a P3P policy!"
Server: WildFly/11
Location: http://10.24.19.123:8080/dashboard/?redirect_fragment=%2F#state=12cc524d-2405-46e4-8a21-d7f5b27a35a1&code=uss.zGnOxX1kgyK8Eb2B6ow5xe0b0bmPq0fUhtblkBwlEHc.8ca653d6-8ebc-4107-96c2-b5c2e9ba2a0e.40162c8f-5c44-4b61-91cf-a6eac6b9e61a
Date: Fri, 04 May 2018 08:49:00 GMT
Connection: keep-alive
Content-Length: 0

Question: how are request 1 and request 2 linked together?

Request 4, authorization: the browser requests an access token from the authentication server

The client's HTTP request to the authentication server for a token carries the following parameters:

  • grant_type: the grant type in use, required; here the value is fixed to "authorization_code".
  • code: the authorization code obtained in the previous step, required.
  • redirect_uri: the redirect URI, required; it must be identical to the value used in step A.
  • client_id: the client ID, required.

Initiator: keycloak

Request URL: http://10.24.19.123:5050/auth/realms/che/protocol/openid-connect/token
Request Method: POST
Status Code: 200 OK
Remote Address: 10.24.19.123:5050
Referrer Policy: no-referrer-when-downgrade

Request

POST /auth/realms/che/protocol/openid-connect/token HTTP/1.1
Host: 10.24.19.123:5050
Connection: keep-alive
Content-Length: 266
Pragma: no-cache
Cache-Control: no-cache
Origin: http://10.24.19.123:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
Content-type: application/x-www-form-urlencoded
Accept: */*
Referer: http://10.24.19.123:8080/dashboard/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: AUTH_SESSION_ID=8ca653d6-8ebc-4107-96c2-b5c2e9ba2a0e.c4c3f8ccaa3a; KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiNTEyNzZkNGItNWI5Yi00NmJiLWE4ZjUtZmI5MzQ4NTVlMjBjIn0.eyJqdGkiOiI4YzgyYWRlYS1mYzU4LTQzNmUtOWQyYi1lY2U5YzU2YzEyMmMiLCJleHAiOjE1MjU0NTk3NDAsIm5iZiI6MCwiaWF0IjoxNTI1NDIzNzQwLCJpc3MiOiJodHRwOi8vMTAuMjQuMTkuMTIzOjUwNTAvYXV0aC9yZWFsbXMvY2hlIiwic3ViIjoiNDMwYWJmZmUtYmI0OS00ZTlhLWJhNDktZGFiOTFkMDZkNjI4IiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiOGNhNjUzZDYtOGViYy00MTA3LTk2YzItYjVjMmU5YmEyYTBlIiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.qCH1QrZ2Ys7GFb8SPtv8VCZ72ZHTrJhggjJmqoHHWWc; KEYCLOAK_SESSION=che/430abffe-bb49-4e9a-ba49-dab91d06d628/8ca653d6-8ebc-4107-96c2-b5c2e9ba2a0e

Form data

code: uss.zGnOxX1kgyK8Eb2B6ow5xe0b0bmPq0fUhtblkBwlEHc.8ca653d6-8ebc-4107-96c2-b5c2e9ba2a0e.40162c8f-5c44-4b61-91cf-a6eac6b9e61a
grant_type: authorization_code
client_id: che-public
redirect_uri: http://10.24.19.123:8080/dashboard/?redirect_fragment=%2F

The authentication server's HTTP response carries the following parameters:

  • access_token: the access token, required.
  • token_type: the token type, case-insensitive, required; it may be bearer or mac.
  • expires_in: the lifetime in seconds. If omitted, the expiry must be set some other way.
  • refresh_token: the refresh token, used to obtain the next access token, optional.
  • scope: the granted scope; it may be omitted if it equals the scope the client requested.

Response (returns the token information)

HTTP/1.1 200 OK
X-Powered-By: Undertow/1
Server: WildFly/11
Access-Control-Expose-Headers: Access-Control-Allow-Methods
Date: Fri, 04 May 2018 08:49:01 GMT
Connection: keep-alive
Access-Control-Allow-Origin: http://10.24.19.123:8080
Access-Control-Allow-Credentials: true
Content-Type: application/json
Content-Length: 3785

Subsequent requests

Subsequent requests carry the credential in the Authorization header.

Request URL: http://10.24.19.123:8080/api/
Request Method: GET
Status Code: 200 
Remote Address: 10.24.19.123:8080
Referrer Policy: no-referrer-when-downgrade

Request (carries the access token)

GET /api/ HTTP/1.1
Host: 10.24.19.123:8080
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Accept: application/json, text/plain, */*
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlMjNGc3kzRlI5dnRUZms3TGlkX1lQOGU0cDNoY0psM20wQTRnckIzNnJJIn0.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.egRshba-lCuxIcwaU5tU3yHCfcsC07KchmfwIVhpB9ZKlROUiledG44hH11YpSZnyq7GKBfgJrHHDY4upIecD8tysS-eR6jp1dgz3qEUhT_Iaerahr-KY_e3dHERUpZ16IWYZyNTOu5KteX4SDh3Spxcp__IQbJLEv3TdfkVkIIVjDWknnLgrs1g4-0DhPmV_yF_GKnvODoeRrv87r0QgVrLNaj6ajPnIdemM9uuA0Eey3Hkf61TJvaL9GIKw4RMBl_o9nsZDHhhNJT1UhspPietY64O1P_ri21ccrGQyx6C6CmsflDsVagojLLTm4y2_o76HGZOQsUv3Q8iBqC9Iw
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
Referer: http://10.24.19.123:8080/dashboard/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=79FFDED6A2C0D33D19A2CC7D0DDE8FF9

Response

HTTP/1.1 200
Cache-Control: public, no-cache, no-store, no-transform
Content-Type: application/json
Transfer-Encoding: chunked
Content-Encoding: gzip
Vary: Accept-Encoding
Date: Fri, 04 May 2018 08:49:01 GMT

    {"rootResources":[
        {"path":"/organization/resource","regex":"/organization/resource(/.*)?","fqn":"org.eclipse.che.multiuser.organization.api.resource.OrganizationResourcesDistributionService"},
        {"path":"project-template","regex":"/project-template(/.*)?","fqn":"org.eclipse.che.api.project.server.template.ProjectTemplateService"},
        {"path":"/docs/swagger.{type:json|yaml}","regex":"/docs/swagger\\.(json|yaml)(/.*)?","fqn":"org.eclipse.che.swagger.rest.SwaggerSpecificationService"},
        {"path":"/resource/free","regex":"/resource/free(/.*)?","fqn":"org.eclipse.che.multiuser.resource.api.free.FreeResourcesLimitService"},
        {"path":"/organization","regex":"/organization(/.*)?","fqn":"org.eclipse.che.multiuser.organization.api.OrganizationService"},
        {"path":"/permissions","regex":"/permissions(/.*)?","fqn":"org.eclipse.che.multiuser.api.permission.server.PermissionsService"},
        {"path":"/preferences","regex":"/preferences(/.*)?","fqn":"org.eclipse.che.api.user.server.PreferencesService"},
        {"path":"/installer","regex":"/installer(/.*)?","fqn":"org.eclipse.che.api.installer.server.InstallerRegistryService"},
        {"path":"/workspace","regex":"/workspace(/.*)?","fqn":"org.eclipse.che.api.workspace.server.WorkspaceService"},
        {"path":"/activity","regex":"/activity(/.*)?","fqn":"org.eclipse.che.plugin.activity.WorkspaceActivityService"},
        {"path":"/keycloak","regex":"/keycloak(/.*)?","fqn":"org.eclipse.che.multiuser.keycloak.server.KeycloakConfigurationService"},
        {"path":"/resource","regex":"/resource(/.*)?","fqn":"org.eclipse.che.multiuser.resource.api.usage.ResourceService"},
        {"path":"/factory","regex":"/factory(/.*)?","fqn":"org.eclipse.che.api.factory.server.FactoryService"},
        {"path":"/profile","regex":"/profile(/.*)?","fqn":"org.eclipse.che.api.user.server.ProfileService"},
        {"path":"/logger","regex":"/logger(/.*)?","fqn":"org.eclipse.che.api.logger.LoggerService"},
        {"path":"/system","regex":"/system(/.*)?","fqn":"org.eclipse.che.api.system.server.SystemService"},
        {"path":"/oauth","regex":"/oauth(/.*)?","fqn":"org.eclipse.che.multiuser.keycloak.server.oauth2.KeycloakOAuthAuthenticationService"},
        {"path":"/stack","regex":"/stack(/.*)?","fqn":"org.eclipse.che.api.workspace.server.stack.StackService"},
        {"path":"/token","regex":"/token(/.*)?","fqn":"org.eclipse.che.multiuser.keycloak.token.provider.contoller.TokenController"},
        {"path":"/user","regex":"/user(/.*)?","fqn":"org.eclipse.che.api.user.server.UserService"},
        {"path":"/ssh","regex":"/ssh(/.*)?","fqn":"org.eclipse.che.api.ssh.server.SshService"},
        {"path":"/","regex":"(/.*)?","fqn":"org.eclipse.che.api.core.rest.ApiInfoService"}
    ]}

Question: how does the resource server handle this token?

Refreshing the token

Request URL: http://10.24.19.123:5050/auth/realms/che/protocol/openid-connect/token
Request Method: POST
Status Code: 200 OK
Remote Address: 10.24.19.123:5050
Referrer Policy: no-referrer-when-downgrade

Request headers

POST /auth/realms/che/protocol/openid-connect/token HTTP/1.1
Host: 10.24.19.123:5050
Connection: keep-alive
Content-Length: 1177
Pragma: no-cache
Cache-Control: no-cache
Origin: http://10.24.19.123:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
Content-type: application/x-www-form-urlencoded
Accept: */*
Referer: http://10.24.19.123:8080/dashboard/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: AUTH_SESSION_ID=8ca653d6-8ebc-4107-96c2-b5c2e9ba2a0e.c4c3f8ccaa3a; KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiNTEyNzZkNGItNWI5Yi00NmJiLWE4ZjUtZmI5MzQ4NTVlMjBjIn0.eyJqdGkiOiI4YzgyYWRlYS1mYzU4LTQzNmUtOWQyYi1lY2U5YzU2YzEyMmMiLCJleHAiOjE1MjU0NTk3NDAsIm5iZiI6MCwiaWF0IjoxNTI1NDIzNzQwLCJpc3MiOiJodHRwOi8vMTAuMjQuMTkuMTIzOjUwNTAvYXV0aC9yZWFsbXMvY2hlIiwic3ViIjoiNDMwYWJmZmUtYmI0OS00ZTlhLWJhNDktZGFiOTFkMDZkNjI4IiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiOGNhNjUzZDYtOGViYy00MTA3LTk2YzItYjVjMmU5YmEyYTBlIiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.qCH1QrZ2Ys7GFb8SPtv8VCZ72ZHTrJhggjJmqoHHWWc; KEYCLOAK_SESSION=che/430abffe-bb49-4e9a-ba49-dab91d06d628/8ca653d6-8ebc-4107-96c2-b5c2e9ba2a0e

Form data (refresh token)

grant_type: refresh_token
refresh_token: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlMjNGc3kzRlI5dnRUZms3TGlkX1lQOGU0cDNoY0psM20wQTRnckIzNnJJIn0.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.Fyuqm-WbE54vzod2MvFWZmli5x8u0CRpPP8Gn8Wjf5D7kUbvHSh93v4bka1Z75u2WaFm_VGKZZ4IUJE1j287lgwlgKv-nRQXJCzG5UoJx_flR1x9g1V5fzROUoOcrkn4NfS62B8TMAKOKMFbr_JsijewjtGupC2SmtWSNlpAG-QdDAWeIH2SLv8vPslwfGBTloeOlsdwS5fiwtLH3jLpfoDW7dhIBLo9IYltZ70tOoOnRV1QsdNm3lDee8mW_3cRkVQmN0TzBtm7Idb1_bHPyJdGkfMw8EjKHrTbdxmNcQdMlmFaTKbIMx0ahRYJJZLKgN0N0vvcEhVUfMl4foukxA
client_id: che-public

Response (returns the access token)

HTTP/1.1 200 OK
X-Powered-By: Undertow/1
Server: WildFly/11
Access-Control-Expose-Headers: Access-Control-Allow-Methods
Date: Fri, 04 May 2018 09:01:52 GMT
Connection: keep-alive
Access-Control-Allow-Origin: http://10.24.19.123:8080
Access-Control-Allow-Credentials: true
Content-Type: application/json
Content-Length: 3785

Logout

Initiator: key

Request URL: http://10.24.19.123:5050/auth/realms/che/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2F10.24.19.123%3A8080%2Fdashboard%2F%23%2Faccount
Request Method: GET
Status Code: 302 Found
Remote Address: 10.24.19.123:5050
Referrer Policy: no-referrer-when-downgrade

Request headers

GET /auth/realms/che/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2F10.24.19.123%3A8080%2Fdashboard%2F%23%2Faccount HTTP/1.1
Host: 10.24.19.123:5050
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://10.24.19.123:8080/dashboard/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: AUTH_SESSION_ID=e8f55398-7e06-41b3-8bb8-8fd7acae96ce.c4c3f8ccaa3a; KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiNTEyNzZkNGItNWI5Yi00NmJiLWE4ZjUtZmI5MzQ4NTVlMjBjIn0.eyJqdGkiOiJhOWVjMzU5OC0yNjM2LTRlOWMtOTJlZi1iNDMwYjBjZDc4NTQiLCJleHAiOjE1MjU0NjA2NDksIm5iZiI6MCwiaWF0IjoxNTI1NDI0NjQ5LCJpc3MiOiJodHRwOi8vMTAuMjQuMTkuMTIzOjUwNTAvYXV0aC9yZWFsbXMvY2hlIiwic3ViIjoiNDMwYWJmZmUtYmI0OS00ZTlhLWJhNDktZGFiOTFkMDZkNjI4IiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiZThmNTUzOTgtN2UwNi00MWIzLThiYjgtOGZkN2FjYWU5NmNlIiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.ECazlKhMT5wRtGF2khp6TBXqQ3G5mAe-GBRnGNPUb5E; KEYCLOAK_SESSION=che/430abffe-bb49-4e9a-ba49-dab91d06d628/e8f55398-7e06-41b3-8bb8-8fd7acae96ce

URL parameters

redirect_uri: http://10.24.19.123:8080/dashboard/#/account

Response

HTTP/1.1 302 Found
Connection: keep-alive
X-Powered-By: Undertow/1
Set-Cookie: KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/che; HttpOnly
Set-Cookie: KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/che
Set-Cookie: KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/che; HttpOnly
Server: WildFly/11
Location: http://10.24.19.123:8080/dashboard/#/account
Content-Length: 0
Date: Fri, 04 May 2018 09:04:38 GMT

Che client

Source code paths

$/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/multiuser.properties
$/selenium/che-selenium-test/src/main/java/org/eclipse/che/selenium/core/client/KeycloakSettings.java
$/workspace-loader/src/index.ts
$/ide/che-ide-gwt-app/target/classes/org/eclipse/che/ide/public/IDE.html
$/dashboard/src/app/index.module.ts

Endpoint addresses

    {
        "che.keycloak.logout.endpoint":"http://10.24.19.123:5050/auth/realms/che/protocol/openid-connect/logout",
        "che.keycloak.jwks.endpoint":"http://10.24.19.123:5050/auth/realms/che/protocol/openid-connect/certs",
        "che.keycloak.token.endpoint":"http://10.24.19.123:5050/auth/realms/che/protocol/openid-connect/token",
        "che.keycloak.userinfo.endpoint":"http://10.24.19.123:5050/auth/realms/che/protocol/openid-connect/userinfo",
        "che.keycloak.profile.endpoint":"http://10.24.19.123:5050/auth/realms/che/account",
        "che.keycloak.client_id":"che-public",
        "che.keycloak.auth_server_url":"http://10.24.19.123:5050/auth",
        "che.keycloak.password.endpoint":"http://10.24.19.123:5050/auth/realms/che/account/password",
        "che.keycloak.realm":"che",
        "che.keycloak.js_adapter_url":"http://10.24.19.123:5050/auth/js/keycloak.js",
        "che.keycloak.use_nonce":"true"
    }

Inference

che.keycloak.auth_server_url: request the authorization code
che.keycloak.token.endpoint: obtain the access token
che.keycloak.profile.endpoint: query the user profile

Configuration

$/selenium/che-selenium-test/src/main/java/org/eclipse/che/selenium/core/client/KeycloakSettings.java

@SerializedName("che.keycloak.profile.endpoint")
private String keycloakProfileEndpoint;

$/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/keycloak/OIDCKeycloak.js

// kc is the Keycloak adapter instance; getRealmUrl() is auth_server_url + '/realms/' + realm.
// Without an OIDC discovery document the well-known Keycloak paths are used; otherwise the
// endpoints come from the provider's .well-known/openid-configuration response.
function setupOidcEndoints(oidcConfiguration) {
    if (! oidcConfiguration) {
        kc.endpoints = {
            authorize: function() {
                return getRealmUrl() + '/protocol/openid-connect/auth';
            },
            token: function() {
                return getRealmUrl() + '/protocol/openid-connect/token';
            },
            logout: function() {
                return getRealmUrl() + '/protocol/openid-connect/logout';
            },
            checkSessionIframe: function() {
                return  getRealmUrl() + '/protocol/openid-connect/login-status-iframe.html';
            },
            register: function() {
                return getRealmUrl() + '/protocol/openid-connect/registrations';
            },
            userinfo: function() {
                return getRealmUrl() + '/protocol/openid-connect/userinfo';
            }
        };
    } else {
        kc.endpoints = {
            authorize: function() {
                return oidcConfiguration.authorization_endpoint;
            },
            token: function() {
                return oidcConfiguration.token_endpoint;
            },
            logout: function() {
                if (!oidcConfiguration.end_session_endpoint) {
                    throw "Not supported by the OIDC server";
                }
                return oidcConfiguration.end_session_endpoint;
            },
            checkSessionIframe: function() {
                if (!oidcConfiguration.check_session_iframe) {
                    throw "Not supported by the OIDC server";
                }
                return oidcConfiguration.check_session_iframe;
            },
            register: function() {
                throw 'Redirection to "Register user" page not supported in standard OIDC mode';
            },
            userinfo: function() {
                if (!oidcConfiguration.userinfo_endpoint) {
                    throw "Not supported by the OIDC server";
                }
                return oidcConfiguration.userinfo_endpoint;
            }
        }
    }
}

Keycloak Identity Broker

Identity Broker

[Identity Broker overview] https://www.keycloak.org/docs/3.2/server_admin/topics/identity-broker/overview.html

Identity Broker configuration

  • OpenID Connect v1.0 Identity Providers
  • SAML v2.0 Identity Providers

The OpenID Connect protocol is recommended.

Social accounts / Social

Social providers allow you to enable social authentication in your realm. Keycloak makes it easy to let users log in to your application using an existing account with a social network. Currently Facebook, Google, Twitter, GitHub, LinkedIn, Microsoft, and StackOverflow are supported with more planned for the future.

Protocol-based

Protocol-based providers are those that rely on a specific protocol in order to authenticate and authorize users. They allow you to connect to any identity provider compliant with a specific protocol. Keycloak provides support for SAML v2.0 and OpenID Connect v1.0 protocols. It makes it easy to configure and broker any identity provider based on these open standards.
