Eclipse Che user management and permissions
Basics
Authentication and authorization
Authentication is the process of issuing a challenge to the user and verifying the user's identity.
Token: a token is a very simple concept. It is a temporary credential assigned to a user after that user has been authenticated. Inside the system, each subsystem only needs to recognise and handle this credential in a uniform way in order to authorize the user's access and operations.
Introducing tokens into a web security system is as useful as it is in traditional settings. In a security system a token usually carries security-context information, such as the identified user, the token's issuer and the token's validity period. When necessary the system can revoke a token, and the user is refused the next time it is presented for access or an operation.
As web systems have evolved, the popular approach has been to replace relatively complex, heavyweight technologies with "simple" web-based ones: JSON-RPC or REST interfaces instead of SOAP service calls, a microservice architecture instead of SOA, and so on. The token standard for web technologies is the JSON Web Token (JWT), which specifies a simple JSON-based token format that can securely encapsulate security-context information.
Tokens are used in the widely deployed OAuth technology to carry out authorization. OAuth is an open authorization model that defines a simple and direct interaction between the resource owner and the consumer: the consumer sends the resource owner HTTP requests signed with an access token. This lets a consumer application obtain an access token sufficient for its functionality without needing (or being able) to obtain the user's credentials, provided the user completes authentication and consents to the consumer calling data and operations on the user's behalf. OAuth's simple flow and flexible programming model make it a good fit for the open-platform scenario of authorizing third-party applications to use user data. Many internet companies build open platforms that expose their users' data on the platform to third-party applications as APIs, giving users richer services.
OAuth's success on these open platforms introduced it to more developers, who were attracted by its simple and explicit flow. Moreover, the OAuth protocol specifies only the authorization model; it prescribes neither the data format of the access token nor the authentication method used during login. People soon found that, used appropriately, OAuth fits all kinds of scenarios in their own systems. For example, treating a web service as the resource owner and a rich web application or mobile application as the consumer application matches the open-platform scenario exactly.
OAuth and single sign-on (TODO)
OAuth and rich-client applications (TODO)
OAuth2 concepts
Roles
Resource owner
An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.
Resource server
The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
Client
An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices).
Authorization server
The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
The interaction between the authorization server and the resource server is beyond the scope of the OAuth specification. The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers.
Flow
+--------+                               +---------------+
|        |--(A)- Authorization Request ->|   Resource    |
|        |                               |     Owner     |
|        |<-(B)-- Authorization Grant ---|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(C)-- Authorization Grant -->| Authorization |
| Client |                               |     Server    |
|        |<-(D)----- Access Token -------|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(E)----- Access Token ------>|    Resource   |
|        |                               |     Server    |
|        |<-(F)--- Protected Resource ---|               |
+--------+                               +---------------+
Grant types
- Authorization code: code
- Implicit: token
- Resource owner password credentials: password
- Client credentials: client_credentials
Keycloak
In the Keycloak project's own words, it provides "open source identity and access management for modern applications and services".
keycloak@che
Roles
- User: resource owner
- Dashboard/IDE: client
- WSMaster/WSInstance: resource server
- Keycloak: authorization server
Logical flow
- Round 1, login request:
  - The user visits the client
  - The client redirects to the authorization server's login page
- Round 2, authentication:
  - The user enters a username and password; the client submits the user's credentials to the authorization server and requests authorization-code authentication
  - The authorization server authenticates the user and returns an authorization code
- Round 3, authorization:
  - The user visits the client and asks it to fetch a resource; the client requests an access token
  - The authorization server returns an access token
- Round 4, resource access:
  - The client presents the access token to access the resource
  - The resource server verifies the access token
  - The authorization server returns the authorization result
Address: http://[your-server]:5050/auth/
Grant type: authorization_code
Session details
Preparation: fetch the authorization server settings
Request URL: http://10.24.19.123:8080/api/keycloak/settings
Request Method: GET
Status Code: 200
Remote Address: 10.24.19.123:8080
Referrer Policy: no-referrer-when-downgrade
Request headers
GET /api/keycloak/settings HTTP/1.1
Host: 10.24.19.123:8080
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
Referer: http://10.24.19.123:8080/dashboard/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=79FFDED6A2C0D33D19A2CC7D0DDE8FF9
Response
HTTP/1.1 200
Cache-Control: public, no-cache, no-store, no-transform
Content-Type: application/json
Transfer-Encoding: chunked
Content-Encoding: gzip
Vary: Accept-Encoding
Date: Fri, 04 May 2018 09:04:39 GMT
Request 1: fetch the authentication settings
The server finds that the user is not logged in, or that the login has expired, and redirects to the authorization server.
Request 2: the client requests the login page
Request 2 is sent by the user agent to the authorization server; it is the URI at which the client requests authentication, with these parameters:
- response_type: the type of authorization response requested; required, fixed to "code" here
- client_id: the client's ID; required
- redirect_uri: the redirect URI; optional
- scope: the requested scope of access; optional
- state: the client's current state; any value may be given, and the authorization server returns it unchanged
The authorization server responds with the login page.
Request URL: http://10.24.19.123:5050/auth/realms/che/protocol/openid-connect/auth?client_id=che-public&redirect_uri=http%3A%2F%2F10.24.19.123%3A8080%2Fdashboard%2F&state=2fca0e61-60a6-4c1d-b650-c2d40764dbdd&nonce=ba39f3cf-dcc1-4786-8ba8-8c3d276703fd&response_mode=fragment&response_type=code&scope=openid
Request Method: GET
Status Code: 200 OK
Remote Address: 10.24.19.123:5050
Referrer Policy: no-referrer-when-downgrade
Request headers
GET /auth/realms/che/protocol/openid-connect/auth?client_id=che-public&redirect_uri=http%3A%2F%2F10.24.19.123%3A8080%2Fdashboard%2F&state=333f3e97-5dcc-448a-b19f-459d7d6e6dad&nonce=b074b1f5-274a-413e-83ac-88b527b84d19&response_mode=fragment&response_type=code&scope=openid HTTP/1.1
Host: 10.24.19.123:5050
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://10.24.19.123:8080/dashboard/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: AUTH_SESSION_ID=24d32bc7-c1bc-4a91-bd7f-9e599e4ec558.c4c3f8ccaa3a; KEYCLOAK_SESSION=che/430abffe-bb49-4e9a-ba49-dab91d06d628/24d32bc7-c1bc-4a91-bd7f-9e599e4ec558; KEYCLOAK_STATE_CHECKER=xsoy-OV-kqkjWRewfdNx91ON6zJDwr2FQrNtWblN_X4; KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiNTEyNzZkNGItNWI5Yi00NmJiLWE4ZjUtZmI5MzQ4NTVlMjBjIn0.eyJqdGkiOiJiNzZjYmNlZC02YjhlLTRkOWQtOTQ3ZS1lYzYyM2JlYTFiMGYiLCJleHAiOjE1MjUyODY3NzQsIm5iZiI6MCwiaWF0IjoxNTI1MjUwNzc0LCJpc3MiOiJodHRwOi8vMTAuMjQuMTkuMTIzOjUwNTAvYXV0aC9yZWFsbXMvY2hlIiwic3ViIjoiNDMwYWJmZmUtYmI0OS00ZTlhLWJhNDktZGFiOTFkMDZkNjI4IiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiMjRkMzJiYzctYzFiYy00YTkxLWJkN2YtOWU1OTllNGVjNTU4IiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.VFIEMH1qYgrXDO4EMwK4CzfFQktcmTLEY6sYza-c-HU
URL parameters
client_id: che-public
redirect_uri: http://10.24.19.123:8080/dashboard/
state: 333f3e97-5dcc-448a-b19f-459d7d6e6dad
nonce: b074b1f5-274a-413e-83ac-88b527b84d19
response_mode: fragment
response_type: code
scope: openid
Response (contains the initial session information)
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, max-age=0
X-Powered-By: Undertow/1
Set-Cookie: AUTH_SESSION_ID=b7fefb20-56be-4061-b6a7-bbd9df82ee74.c4c3f8ccaa3a; Version=1; Path=/auth/realms/che; HttpOnly
Set-Cookie: KC_RESTART=eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiNTEyNzZkNGItNWI5Yi00NmJiLWE4ZjUtZmI5MzQ4NTVlMjBjIn0.[payload elided].hCYCk8dJbra0z01OWIyZJ0QD4WAit43nUd_QOiZEeYA; Version=1; Path=/auth/realms/che; HttpOnly
Set-Cookie: KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/che; HttpOnly
Set-Cookie: KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/che
Server: WildFly/11
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-src 'self'
Date: Wed, 02 May 2018 13:07:57 GMT
Connection: keep-alive
X-Robots-Tag: none
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=utf-8
Content-Length: 3259
Request 3, authentication: submit the username and password entered by the user; then authorization
The browser sends the user's credentials to the authorization server.
Initiator: other
Request URL: http://10.24.19.123:5050/auth/realms/che/login-actions/authenticate?code=E0N__4TiHl6QAEM4lQ1n0RNn-cBsIlTWlcIDxBCk3BQ&execution=47a46c5e-9665-419c-888a-d0c730540c0b&client_id=che-public
Request Method: POST
Status Code: 302 Found
Remote Address: 10.24.19.123:5050
Referrer Policy: no-referrer-when-downgrade
Request
POST /auth/realms/che/login-actions/authenticate?code=E0N__4TiHl6QAEM4lQ1n0RNn-cBsIlTWlcIDxBCk3BQ&execution=47a46c5e-9665-419c-888a-d0c730540c0b&client_id=che-public HTTP/1.1
Host: 10.24.19.123:5050
Connection: keep-alive
Content-Length: 49
Pragma: no-cache
Cache-Control: no-cache
Origin: http://10.24.19.123:5050
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://10.24.19.123:5050/auth/realms/che/login-actions/authenticate?execution=47a46c5e-9665-419c-888a-d0c730540c0b&client_id=che-public
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: AUTH_SESSION_ID=8ca653d6-8ebc-4107-96c2-b5c2e9ba2a0e.c4c3f8ccaa3a; KC_RESTART=eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiNTEyNzZkNGItNWI5Yi00NmJiLWE4ZjUtZmI5MzQ4NTVlMjBjIn0.eyJjaWQiOiJjaGUtcHVibGljIiwicHR5Ijoib3BlbmlkLWNvbm5lY3QiLCJydXJpIjoiaHR0cDovLzEwLjI0LjE5LjEyMzo4MDgwL2Rhc2hib2FyZC8_cmVkaXJlY3RfZnJhZ21lbnQ9JTJGIiwiYWN0IjoiQVVUSEVOVElDQVRFIiwibm90ZXMiOnsic2NvcGUiOiJvcGVuaWQiLCJpc3MiOiJodHRwOi8vMTAuMjQuMTkuMTIzOjUwNTAvYXV0aC9yZWFsbXMvY2hlIiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJjb2RlX2NoYWxsZW5nZV9tZXRob2QiOiJwbGFpbiIsInJlZGlyZWN0X3VyaSI6Imh0dHA6Ly8xMC4yNC4xOS4xMjM6ODA4MC9kYXNoYm9hcmQvP3JlZGlyZWN0X2ZyYWdtZW50PSUyRiIsInN0YXRlIjoiMTJjYzUyNGQtMjQwNS00NmU0LThhMjEtZDdmNWIyN2EzNWExIiwibm9uY2UiOiJkYjAyZDM5MC1lMTA1LTQ4NjEtODgzMi1iYzc5ZjRhYmE4ODgiLCJyZXNwb25zZV9tb2RlIjoiZnJhZ21lbnQifX0.9OAt31fvvQVvFvtldi5P7SU08nKWqn1aWO7UNP-xr-I
URL parameters
code: E0N__4TiHl6QAEM4lQ1n0RNn-cBsIlTWlcIDxBCk3BQ
execution: 47a46c5e-9665-419c-888a-d0c730540c0b
client_id: che-public
Form data
username: gibbonet
password: jp8576net
login: Log in
The authorization server returns the authorization code as a URI parameter in the Location header of the response:
- code: the authorization code; required. Its lifetime should be short, typically 10 minutes, and the client may use it only once, otherwise the authorization server rejects it. The code is bound one-to-one to the client ID and the redirect URI.
- state: if the client's request included this parameter, the authorization server's response must include it with exactly the same value
Response (returns the authorization code)
Status Code: 302 Found
Cache-Control: no-store, must-revalidate, max-age=0
X-Powered-By: Undertow/1
Set-Cookie: KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/che; HttpOnly
Set-Cookie: KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiNTEyNzZkNGItNWI5Yi00NmJiLWE4ZjUtZmI5MzQ4NTVlMjBjIn0.eyJqdGkiOiI4YzgyYWRlYS1mYzU4LTQzNmUtOWQyYi1lY2U5YzU2YzEyMmMiLCJleHAiOjE1MjU0NTk3NDAsIm5iZiI6MCwiaWF0IjoxNTI1NDIzNzQwLCJpc3MiOiJodHRwOi8vMTAuMjQuMTkuMTIzOjUwNTAvYXV0aC9yZWFsbXMvY2hlIiwic3ViIjoiNDMwYWJmZmUtYmI0OS00ZTlhLWJhNDktZGFiOTFkMDZkNjI4IiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiOGNhNjUzZDYtOGViYy00MTA3LTk2YzItYjVjMmU5YmEyYTBlIiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.qCH1QrZ2Ys7GFb8SPtv8VCZ72ZHTrJhggjJmqoHHWWc; Version=1; Path=/auth/realms/che; HttpOnly
Set-Cookie: KEYCLOAK_SESSION=che/430abffe-bb49-4e9a-ba49-dab91d06d628/8ca653d6-8ebc-4107-96c2-b5c2e9ba2a0e; Version=1; Expires=Fri, 04-May-2018 18:49:00 GMT; Max-Age=36000; Path=/auth/realms/che
Set-Cookie: KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/che; HttpOnly
P3P: CP="This is not a P3P policy!"
Server: WildFly/11
Location: http://10.24.19.123:8080/dashboard/?redirect_fragment=%2F#state=12cc524d-2405-46e4-8a21-d7f5b27a35a1&code=uss.zGnOxX1kgyK8Eb2B6ow5xe0b0bmPq0fUhtblkBwlEHc.8ca653d6-8ebc-4107-96c2-b5c2e9ba2a0e.40162c8f-5c44-4b61-91cf-a6eac6b9e61a
Date: Fri, 04 May 2018 08:49:00 GMT
Connection: keep-alive
Content-Length: 0
Question: how are request 1 and request 2 linked together?
Request 4, authorization: the browser requests an access token from the authorization server
The client's HTTP request to the authorization server for a token contains the following parameters:
- grant_type: the grant type in use; required, fixed to "authorization_code" here.
- code: the authorization code obtained in the previous step; required.
- redirect_uri: the redirect URI; required, and it must match the value used in step A.
- client_id: the client ID; required.
Initiator: keycloak
Request URL: http://10.24.19.123:5050/auth/realms/che/protocol/openid-connect/token
Request Method: POST
Status Code: 200 OK
Remote Address: 10.24.19.123:5050
Referrer Policy: no-referrer-when-downgrade
Request
POST /auth/realms/che/protocol/openid-connect/token HTTP/1.1
Host: 10.24.19.123:5050
Connection: keep-alive
Content-Length: 266
Pragma: no-cache
Cache-Control: no-cache
Origin: http://10.24.19.123:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
Content-type: application/x-www-form-urlencoded
Accept: */*
Referer: http://10.24.19.123:8080/dashboard/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: AUTH_SESSION_ID=8ca653d6-8ebc-4107-96c2-b5c2e9ba2a0e.c4c3f8ccaa3a; KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiNTEyNzZkNGItNWI5Yi00NmJiLWE4ZjUtZmI5MzQ4NTVlMjBjIn0.eyJqdGkiOiI4YzgyYWRlYS1mYzU4LTQzNmUtOWQyYi1lY2U5YzU2YzEyMmMiLCJleHAiOjE1MjU0NTk3NDAsIm5iZiI6MCwiaWF0IjoxNTI1NDIzNzQwLCJpc3MiOiJodHRwOi8vMTAuMjQuMTkuMTIzOjUwNTAvYXV0aC9yZWFsbXMvY2hlIiwic3ViIjoiNDMwYWJmZmUtYmI0OS00ZTlhLWJhNDktZGFiOTFkMDZkNjI4IiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiOGNhNjUzZDYtOGViYy00MTA3LTk2YzItYjVjMmU5YmEyYTBlIiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.qCH1QrZ2Ys7GFb8SPtv8VCZ72ZHTrJhggjJmqoHHWWc; KEYCLOAK_SESSION=che/430abffe-bb49-4e9a-ba49-dab91d06d628/8ca653d6-8ebc-4107-96c2-b5c2e9ba2a0e
Form data
code: uss.zGnOxX1kgyK8Eb2B6ow5xe0b0bmPq0fUhtblkBwlEHc.8ca653d6-8ebc-4107-96c2-b5c2e9ba2a0e.40162c8f-5c44-4b61-91cf-a6eac6b9e61a
grant_type: authorization_code
client_id: che-public
redirect_uri: http://10.24.19.123:8080/dashboard/?redirect_fragment=%2F
The authorization server's HTTP reply contains the following parameters:
- access_token: the access token; required.
- token_type: the token type, case-insensitive; required; may be bearer or mac.
- expires_in: the lifetime in seconds. If omitted, the expiry must be set some other way.
- refresh_token: the refresh token, used to obtain the next access token; optional.
- scope: the granted scope; may be omitted if it is identical to the scope the client requested.
Response (returns the token information)
HTTP/1.1 200 OK
X-Powered-By: Undertow/1
Server: WildFly/11
Access-Control-Expose-Headers: Access-Control-Allow-Methods
Date: Fri, 04 May 2018 08:49:01 GMT
Connection: keep-alive
Access-Control-Allow-Origin: http://10.24.19.123:8080
Access-Control-Allow-Credentials: true
Content-Type: application/json
Content-Length: 3785
Subsequent requests
Subsequent requests carry the credential in the Authorization header.
Request URL: http://10.24.19.123:8080/api/
Request Method: GET
Status Code: 200
Remote Address: 10.24.19.123:8080
Referrer Policy: no-referrer-when-downgrade
Request (contains the access token)
GET /api/ HTTP/1.1
Host: 10.24.19.123:8080
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Accept: application/json, text/plain, */*
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlMjNGc3kzRlI5dnRUZms3TGlkX1lQOGU0cDNoY0psM20wQTRnckIzNnJJIn0.eyJqdGkiOiJkMWMyMWNmYy1jYTM3LTQ0OGQtYjEyNy1jYmM4YTIzMGRhNGQiLCJleHAiOjE1MjU0MjQwNDEsIm5iZiI6MCwiaWF0IjoxNTI1NDIzNzQxLCJpc3MiOiJodHRwOi8vMTAuMjQuMTkuMTIzOjUwNTAvYXV0aC9yZWFsbXMvY2hlIiwiYXVkIjoiY2hlLXB1YmxpYyIsInN1YiI6IjQzMGFiZmZlLWJiNDktNGU5YS1iYTQ5LWRhYjkxZDA2ZDYyOCIsInR5cCI6IkJlYXJlciIsImF6cCI6ImNoZS1wdWJsaWMiLCJub25jZSI6ImRiMDJkMzkwLWUxMDUtNDg2MS04ODMyLWJjNzlmNGFiYTg4OCIsImF1dGhfdGltZSI6MTUyNTQyMzc0MCwic2Vzc2lvbl9zdGF0ZSI6IjhjYTY1M2Q2LThlYmMtNDEwNy05NmMyLWI1YzJlOWJhMmEwZSIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovLzEwLjI0LjE5LjEyMzo4MDgwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiJHaWJib24gTmV0IiwicHJlZmVycmVkX3VzZXJuYW1lIjoiZ2liYm9uZXQiLCJnaXZlbl9uYW1lIjoiR2liYm9uIiwiZmFtaWx5X25hbWUiOiJOZXQiLCJlbWFpbCI6ImdpYmJvbm5ldEBzb2h1LmNvbSJ9.egRshba-lCuxIcwaU5tU3yHCfcsC07KchmfwIVhpB9ZKlROUiledG44hH11YpSZnyq7GKBfgJrHHDY4upIecD8tysS-eR6jp1dgz3qEUhT_Iaerahr-KY_e3dHERUpZ16IWYZyNTOu5KteX4SDh3Spxcp__IQbJLEv3TdfkVkIIVjDWknnLgrs1g4-0DhPmV_yF_GKnvODoeRrv87r0QgVrLNaj6ajPnIdemM9uuA0Eey3Hkf61TJvaL9GIKw4RMBl_o9nsZDHhhNJT1UhspPietY64O1P_ri21ccrGQyx6C6CmsflDsVagojLLTm4y2_o76HGZOQsUv3Q8iBqC9Iw
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
Referer: http://10.24.19.123:8080/dashboard/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=79FFDED6A2C0D33D19A2CC7D0DDE8FF9
Response
HTTP/1.1 200
Cache-Control: public, no-cache, no-store, no-transform
Content-Type: application/json
Transfer-Encoding: chunked
Content-Encoding: gzip
Vary: Accept-Encoding
Date: Fri, 04 May 2018 08:49:01 GMT
{"rootResources":[{"path":"/organization/resource","regex":"/organization/resource(/.*)?","fqn":"org.eclipse.che.multiuser.organization.api.resource.OrganizationResourcesDistributionService"},{"path":"project-template","regex":"/project-template(/.*)?","fqn":"org.eclipse.che.api.project.server.template.ProjectTemplateService"},{"path":"/docs/swagger.{type:json|yaml}","regex":"/docs/swagger\.(json|yaml)(/.*)?","fqn":"org.eclipse.che.swagger.rest.SwaggerSpecificationService"},{"path":"/resource/free","regex":"/resource/free(/.*)?","fqn":"org.eclipse.che.multiuser.resource.api.free.FreeResourcesLimitService"},{"path":"/organization","regex":"/organization(/.*)?","fqn":"org.eclipse.che.multiuser.organization.api.OrganizationService"},{"path":"/permissions","regex":"/permissions(/.*)?","fqn":"org.eclipse.che.multiuser.api.permission.server.PermissionsService"},{"path":"/preferences","regex":"/preferences(/.*)?","fqn":"org.eclipse.che.api.user.server.PreferencesService"},{"path":"/installer","regex":"/installer(/.*)?","fqn":"org.eclipse.che.api.installer.server.InstallerRegistryService"},{"path":"/workspace","regex":"/workspace(/.*)?","fqn":"org.eclipse.che.api.workspace.server.WorkspaceService"},{"path":"/activity","regex":"/activity(/.*)?","fqn":"org.eclipse.che.plugin.activity.WorkspaceActivityService"},{"path":"/keycloak","regex":"/keycloak(/.*)?","fqn":"org.eclipse.che.multiuser.keycloak.server.KeycloakConfigurationService"},{"path":"/resource","regex":"/resource(/.*)?","fqn":"org.eclipse.che.multiuser.resource.api.usage.ResourceService"},{"path":"/factory","regex":"/factory(/.*)?","fqn":"org.eclipse.che.api.factory.server.FactoryService"},{"path":"/profile","regex":"/profile(/.*)?","fqn":"org.eclipse.che.api.user.server.ProfileService"},{"path":"/logger","regex":"/logger(/.*)?","fqn":"org.eclipse.che.api.logger.LoggerService"},{"path":"/system","regex":"/system(/.*)?","fqn":"org.eclipse.che.api.system.server.SystemService"},{"path":"/oauth","regex":"/oauth(/.*)?","fqn":"org.eclipse.che.multiuser.keycloak.server.oauth2.KeycloakOAuthAuthenticationService"},{"path":"/stack","regex":"/stack(/.*)?","fqn":"org.eclipse.che.api.workspace.server.stack.StackService"},{"path":"/token","regex":"/token(/.*)?","fqn":"org.eclipse.che.multiuser.keycloak.token.provider.contoller.TokenController"},{"path":"/user","regex":"/user(/.*)?","fqn":"org.eclipse.che.api.user.server.UserService"},{"path":"/ssh","regex":"/ssh(/.*)?","fqn":"org.eclipse.che.api.ssh.server.SshService"},{"path":"/","regex":"(/.*)?","fqn":"org.eclipse.che.api.core.rest.ApiInfoService"}]}
Question: how does the resource server handle this token?
Refreshing the token
Request URL: http://10.24.19.123:5050/auth/realms/che/protocol/openid-connect/token
Request Method: POST
Status Code: 200 OK
Remote Address: 10.24.19.123:5050
Referrer Policy: no-referrer-when-downgrade
Request headers
POST /auth/realms/che/protocol/openid-connect/token HTTP/1.1
Host: 10.24.19.123:5050
Connection: keep-alive
Content-Length: 1177
Pragma: no-cache
Cache-Control: no-cache
Origin: http://10.24.19.123:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
Content-type: application/x-www-form-urlencoded
Accept: */*
Referer: http://10.24.19.123:8080/dashboard/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: AUTH_SESSION_ID=8ca653d6-8ebc-4107-96c2-b5c2e9ba2a0e.c4c3f8ccaa3a; KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiNTEyNzZkNGItNWI5Yi00NmJiLWE4ZjUtZmI5MzQ4NTVlMjBjIn0.eyJqdGkiOiI4YzgyYWRlYS1mYzU4LTQzNmUtOWQyYi1lY2U5YzU2YzEyMmMiLCJleHAiOjE1MjU0NTk3NDAsIm5iZiI6MCwiaWF0IjoxNTI1NDIzNzQwLCJpc3MiOiJodHRwOi8vMTAuMjQuMTkuMTIzOjUwNTAvYXV0aC9yZWFsbXMvY2hlIiwic3ViIjoiNDMwYWJmZmUtYmI0OS00ZTlhLWJhNDktZGFiOTFkMDZkNjI4IiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiOGNhNjUzZDYtOGViYy00MTA3LTk2YzItYjVjMmU5YmEyYTBlIiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.qCH1QrZ2Ys7GFb8SPtv8VCZ72ZHTrJhggjJmqoHHWWc; KEYCLOAK_SESSION=che/430abffe-bb49-4e9a-ba49-dab91d06d628/8ca653d6-8ebc-4107-96c2-b5c2e9ba2a0e
Form data (refresh token)
grant_type: refresh_token
refresh_token: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlMjNGc3kzRlI5dnRUZms3TGlkX1lQOGU0cDNoY0psM20wQTRnckIzNnJJIn0.[payload elided].Fyuqm-WbE54vzod2MvFWZmli5x8u0CRpPP8Gn8Wjf5D7kUbvHSh93v4bka1Z75u2WaFm_VGKZZ4IUJE1j287lgwlgKv-nRQXJCzG5UoJx_flR1x9g1V5fzROUoOcrkn4NfS62B8TMAKOKMFbr_JsijewjtGupC2SmtWSNlpAG-QdDAWeIH2SLv8vPslwfGBTloeOlsdwS5fiwtLH3jLpfoDW7dhIBLo9IYltZ70tOoOnRV1QsdNm3lDee8mW_3cRkVQmN0TzBtm7Idb1_bHPyJdGkfMw8EjKHrTbdxmNcQdMlmFaTKbIMx0ahRYJJZLKgN0N0vvcEhVUfMl4foukxA
client_id: che-public
Response (returns the access token)
HTTP/1.1 200 OK
X-Powered-By: Undertow/1
Server: WildFly/11
Access-Control-Expose-Headers: Access-Control-Allow-Methods
Date: Fri, 04 May 2018 09:01:52 GMT
Connection: keep-alive
Access-Control-Allow-Origin: http://10.24.19.123:8080
Access-Control-Allow-Credentials: true
Content-Type: application/json
Content-Length: 3785
Logout
Initiator: key
Request URL: http://10.24.19.123:5050/auth/realms/che/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2F10.24.19.123%3A8080%2Fdashboard%2F%23%2Faccount
Request Method: GET
Status Code: 302 Found
Remote Address: 10.24.19.123:5050
Referrer Policy: no-referrer-when-downgrade
Request headers
GET /auth/realms/che/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2F10.24.19.123%3A8080%2Fdashboard%2F%23%2Faccount HTTP/1.1
Host: 10.24.19.123:5050
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://10.24.19.123:8080/dashboard/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: AUTH_SESSION_ID=e8f55398-7e06-41b3-8bb8-8fd7acae96ce.c4c3f8ccaa3a; KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiNTEyNzZkNGItNWI5Yi00NmJiLWE4ZjUtZmI5MzQ4NTVlMjBjIn0.eyJqdGkiOiJhOWVjMzU5OC0yNjM2LTRlOWMtOTJlZi1iNDMwYjBjZDc4NTQiLCJleHAiOjE1MjU0NjA2NDksIm5iZiI6MCwiaWF0IjoxNTI1NDI0NjQ5LCJpc3MiOiJodHRwOi8vMTAuMjQuMTkuMTIzOjUwNTAvYXV0aC9yZWFsbXMvY2hlIiwic3ViIjoiNDMwYWJmZmUtYmI0OS00ZTlhLWJhNDktZGFiOTFkMDZkNjI4IiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiZThmNTUzOTgtN2UwNi00MWIzLThiYjgtOGZkN2FjYWU5NmNlIiwicmVzb3VyY2VfYWNjZXNzIjp7fX0.ECazlKhMT5wRtGF2khp6TBXqQ3G5mAe-GBRnGNPUb5E; KEYCLOAK_SESSION=che/430abffe-bb49-4e9a-ba49-dab91d06d628/e8f55398-7e06-41b3-8bb8-8fd7acae96ce
URL parameters
redirect_uri: http://10.24.19.123:8080/dashboard/#/account
Response
HTTP/1.1 302 Found
Connection: keep-alive
X-Powered-By: Undertow/1
Set-Cookie: KEYCLOAK_IDENTITY=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/che; HttpOnly
Set-Cookie: KEYCLOAK_SESSION=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/che
Set-Cookie: KEYCLOAK_REMEMBER_ME=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=/auth/realms/che; HttpOnly
Server: WildFly/11
Location: http://10.24.19.123:8080/dashboard/#/account
Content-Length: 0
Date: Fri, 04 May 2018 09:04:38 GMT
Che client
Source code paths
$/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che/multiuser.properties
$/selenium/che-selenium-test/src/main/java/org/eclipse/che/selenium/core/client/KeycloakSettings.java
$/workspace-loader/src/index.ts
$/ide/che-ide-gwt-app/target/classes/org/eclipse/che/ide/public/IDE.html
$/dashboard/src/app/index.module.ts
Endpoints
{
"che.keycloak.logout.endpoint":"http://10.24.19.123:5050/auth/realms/che/protocol/openid-connect/logout",
"che.keycloak.jwks.endpoint":"http://10.24.19.123:5050/auth/realms/che/protocol/openid-connect/certs",
"che.keycloak.token.endpoint":"http://10.24.19.123:5050/auth/realms/che/protocol/openid-connect/token",
"che.keycloak.userinfo.endpoint":"http://10.24.19.123:5050/auth/realms/che/protocol/openid-connect/userinfo",
"che.keycloak.profile.endpoint":"http://10.24.19.123:5050/auth/realms/che/account",
"che.keycloak.client_id":"che-public",
"che.keycloak.auth_server_url":"http://10.24.19.123:5050/auth",
"che.keycloak.password.endpoint":"http://10.24.19.123:5050/auth/realms/che/account/password",
"che.keycloak.realm":"che",
"che.keycloak.js_adapter_url":"http://10.24.19.123:5050/auth/js/keycloak.js",
"che.keycloak.use_nonce":"true"
}
Inference
che.keycloak.auth_server_url: requesting the authorization code
che.keycloak.token.endpoint: obtaining the access token
che.keycloak.profile.endpoint: user profile lookup
Configuration
$/selenium/che-selenium-test/src/main/java/org/eclipse/che/selenium/core/client/KeycloakSettings.java
@SerializedName("che.keycloak.profile.endpoint")
private String keycloakProfileEndpoint;
$/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/keycloak/OIDCKeycloak.js
// Excerpt from keycloak.js: kc (the adapter instance) and getRealmUrl() are
// defined elsewhere in the same file.
function setupOidcEndoints(oidcConfiguration) {
    if (! oidcConfiguration) {
        // No OIDC discovery document: derive every endpoint from the realm URL.
        kc.endpoints = {
            authorize: function() {
                return getRealmUrl() + '/protocol/openid-connect/auth';
            },
            token: function() {
                return getRealmUrl() + '/protocol/openid-connect/token';
            },
            logout: function() {
                return getRealmUrl() + '/protocol/openid-connect/logout';
            },
            checkSessionIframe: function() {
                return getRealmUrl() + '/protocol/openid-connect/login-status-iframe.html';
            },
            register: function() {
                return getRealmUrl() + '/protocol/openid-connect/registrations';
            },
            userinfo: function() {
                return getRealmUrl() + '/protocol/openid-connect/userinfo';
            }
        };
    } else {
        // Discovery document supplied: use the endpoints it advertises.
        kc.endpoints = {
            authorize: function() {
                return oidcConfiguration.authorization_endpoint;
            },
            token: function() {
                return oidcConfiguration.token_endpoint;
            },
            logout: function() {
                if (!oidcConfiguration.end_session_endpoint) {
                    throw "Not supported by the OIDC server";
                }
                return oidcConfiguration.end_session_endpoint;
            },
            checkSessionIframe: function() {
                if (!oidcConfiguration.check_session_iframe) {
                    throw "Not supported by the OIDC server";
                }
                return oidcConfiguration.check_session_iframe;
            },
            register: function() {
                throw 'Redirection to "Register user" page not supported in standard OIDC mode';
            },
            userinfo: function() {
                if (!oidcConfiguration.userinfo_endpoint) {
                    throw "Not supported by the OIDC server";
                }
                return oidcConfiguration.userinfo_endpoint;
            }
        };
    }
}
Keycloak identity brokering
Identity Broker overview: https://www.keycloak.org/docs/3.2/server_admin/topics/identity-broker/overview.html
- OpenID Connect v1.0 Identity Providers
- SAML v2.0 Identity Providers
OpenID Connect is the recommended protocol.
Social
Social providers allow you to enable social authentication in your realm. Keycloak makes it easy to let users log in to your application using an existing account with a social network. Currently Facebook, Google, Twitter, GitHub, LinkedIn, Microsoft, and StackOverflow are supported with more planned for the future.
Protocol-based
Protocol-based providers are those that rely on a specific protocol in order to authenticate and authorize users. They allow you to connect to any identity provider compliant with a specific protocol. Keycloak provides support for SAML v2.0 and OpenID Connect v1.0 protocols. It makes it easy to configure and broker any identity provider based on these open standards.