RHSSO & OIDC Intro
I don't like duplication, so I'd rather point you to my friend's (and colleague's) article about RHSSO, OAuth, and OIDC as an introduction to the topic, and jump right into the technical guide.
Essentially, this guide is intended for those who'd like to install RHSSO/Keycloak (the upstream project) with Kerberos as the authentication mechanism instead of a plain username + password login.
I found the official project's documentation a bit lacking, so I'd like to make your life easier.
![Image for post](https://img-blog.csdnimg.cn/img_convert/0f228a39b0d408ddb9e376e0ac8b1e0f.png)
Architecture Overview
I installed the IDM (FreeIPA is the upstream project) as a container on a Docker engine on a VM, and RHSSO is installed on a VM of its own.
Furthermore, I configured the IDM as the DNS server for my environment (GCP) as well.
Our "application" for testing is going to be the account console that RHSSO itself exposes (https://<rhsso-host>:8443/auth/realms/master/account); opening it initiates the RHSSO login flow just like any other application protected by RHSSO would.
And finally, a client VM: an IDM-enrolled client that will hold a Kerberos ticket, which it receives after a successful login with a user that we will create in the IDM itself.
Our final test is going to be:
- Log in to the client VM
- Verify that the IDM issued a Kerberos ticket (a TGT) for the user
- Attempt to access https://<rhsso-host>:8443/auth/realms/master/account
- Land on the user's personal-details (account) page without entering a username + password
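The test plan above, scripted as an added example that is not part of the original article: three small checks that read `klist` and `curl` output (on stdin, so they run against captured text as well as live commands), plus the live sequence that ties them together on the enrolled client. The realm `EXAMPLE.TEST`, host `rhsso.example.test`, user `alice` and the sample `klist`/header text are assumptions constructed for the example. The check worth noting is the last one: after a genuine Kerberos login to RHSSO, the client's credential cache holds a service ticket for `HTTP/<rhsso-host>@<REALM>`, which never appears if a password form was used instead.

```shell
#!/bin/sh
# Added example for the final test above; not part of the original article.
# Placeholders (assumptions): realm EXAMPLE.TEST, host rhsso.example.test, user alice.

RHSSO_HOST="${RHSSO_HOST:-rhsso.example.test}"
REALM="${REALM:-EXAMPLE.TEST}"
ACCOUNT_URL="https://${RHSSO_HOST}:8443/auth/realms/master/account"

# has_tgt REALM: reads `klist` output on stdin; succeeds if the credential cache
# holds a ticket-granting ticket for REALM, i.e. the IDM login step worked.
has_tgt() {
    grep -qF "krbtgt/$1@$1"
}

# has_http_service_ticket HOST REALM: reads `klist` output on stdin; succeeds if
# the cache holds a service ticket for RHSSO's web server (HTTP/HOST@REALM).
# The KDC only issues that ticket when the client actually authenticated to
# RHSSO with Kerberos, so its presence is the proof that no password was used.
has_http_service_ticket() {
    grep -qF "HTTP/$1@$2"
}

# offers_negotiate: reads HTTP response headers (curl -v or -D output) on stdin;
# succeeds if RHSSO's Kerberos authenticator challenged with Negotiate (SPNEGO).
offers_negotiate() {
    grep -qiE '^(< )?WWW-Authenticate: *Negotiate'
}

# run_sso_test: the live test sequence on the enrolled client VM. It needs
# kinit/klist/curl and network access, so the offline checks below do not call it.
run_sso_test() {
    # An interactive SSSD login already leaves a TGT behind; kinit is the manual equivalent.
    kinit "alice@${REALM}" || return 1
    klist | has_tgt "$REALM" || { echo "no TGT for $REALM" >&2; return 1; }
    # --negotiate -u : makes curl answer the Negotiate challenge with the cached ticket;
    # the cookie jar keeps the RHSSO session across the redirects that -L follows.
    curl -sS -L -o /dev/null -D headers.txt --negotiate -u : \
        -c cookies.txt -b cookies.txt "$ACCOUNT_URL" || return 1
    offers_negotiate < headers.txt || { echo "RHSSO did not offer Negotiate" >&2; return 1; }
    klist | has_http_service_ticket "$RHSSO_HOST" "$REALM" \
        || { echo "no HTTP/$RHSSO_HOST ticket: Kerberos was not used" >&2; return 1; }
    echo "SSO test passed: account page reached without a password"
}

# Constructed sample of `klist` on the client after the account page was reached via SSO.
SAMPLE_KLIST='Ticket cache: KCM:1000
Default principal: alice@EXAMPLE.TEST

Valid starting       Expires              Service principal
01/01/2024 09:00:00  01/02/2024 09:00:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
01/01/2024 09:01:10  01/02/2024 09:00:00  HTTP/rhsso.example.test@EXAMPLE.TEST'

# Constructed sample of the headers curl -v prints during that exchange.
SAMPLE_HEADERS='< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
< Content-Length: 0
< HTTP/1.1 302 Found
< Location: https://rhsso.example.test:8443/auth/realms/master/account'

# Constructed sample of a client that logged in to the VM but never reached RHSSO
# via Kerberos: only the TGT is present, so has_http_service_ticket must fail.
SAMPLE_KLIST_NO_SSO='Default principal: alice@EXAMPLE.TEST
Valid starting       Expires              Service principal
01/01/2024 09:00:00  01/02/2024 09:00:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST'

# check_samples: runs the three checks against the constructed samples (offline).
check_samples() {
    printf '%s\n' "$SAMPLE_KLIST" | has_tgt EXAMPLE.TEST || return 1
    printf '%s\n' "$SAMPLE_KLIST" | has_http_service_ticket rhsso.example.test EXAMPLE.TEST || return 1
    printf '%s\n' "$SAMPLE_HEADERS" | offers_negotiate || return 1
}

check_samples && echo "sample checks passed"
```

On the real client you would source this file and call `run_sso_test`; the cached `HTTP/<rhsso-host>` ticket it checks for is also the quickest thing to look at in `klist` when SSO silently falls back to the password form (usually a missing or wrong `HTTP/<rhsso-host>` service principal or keytab on the RHSSO side).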
Now, with the preliminaries out of the way, let's get to work.
Install IDM/FreeIPA as a Docker container
I really can't say how much I appreciate good open-source projects; one of them made this specific part of my work much, much easier.
I had some configuration issues when I first tried to deploy it. It is quite important that the container listens on the host's IP address, and that all the required ports are opened both in the Docker configuration and in firewall-cmd on the host itself. Also, some flags/options didn't work as expected.