Envy neither the mandarin ducks nor the immortals; one line of code, half a day. Original: Taste of Little Sister (WeChat official account ID: XjjDog). Welcome to share; please keep the source attribution.

The CAS here is not the CAS (compare-and-swap) of Java's concurrency package; it is the one familiar to anyone who has done single sign-on (SSO). This thing is so old, and has grown such a large ecosystem, that I still shudder when I think about it. For a long time, single sign-on more or less meant CAS, and it was a pain in the neck.

There is another option, of course: Keycloak, from JBoss. Everything JBoss makes is surprisingly heavy, and Keycloak is no exception, covering all kinds of authentication scenarios. This is understandable, since authentication is dirty and tiring work, and packaging it is not easy.

As a result, although Keycloak provides an easy-to-use admin console, it is not easy to use without understanding some of the concepts behind authentication.

Today, XjjDog has a quickstart to get a taste of this permission service.

First, download its installation package.

wget -c https://downloads.jboss.org/keycloak/11.0.2/keycloak-11.0.2.zip

To start the Keycloak server, run the ./standalone.sh script in the bin directory. You can see that it is listening on port 9990.

At this point, visiting the link shows nothing, because there is no initial user yet. Just as Pangu created the world, we need a Pangu.

Run the add-user.sh script to initialize a user. If you initialize an admin, you need to enable it first. After initialization, settings can be made in the admin console.

The Keycloak server is deployed on port 8080 and can be accessed at the following link.

http://127.0.0.1:8080/auth/

1. Create Realms

To use Keycloak, you need to create a Realm. A Realm is a domain, and all users and permissions inside it are independent of other Realms. If these companies were willing, I could put all the users of Jingdong and Taobao on one server.

So the point is that a Realm is an isolation measure. Hover over the top-left corner and click Add Realm to go to the creation page.

Creating a Realm is as simple as providing a name.

But don't count your chickens before they hatch. As a global configuration, it certainly has many options. However, these are all custom enhancements, and we won't discuss them here.

2. Create permissions

Next, create two roles (Keycloak's term for these permissions). Roles are easy to understand: each is just a string. We create the ROLE_ADMIN and ROLE_USER roles.

3. Create a user

It's time to create a user. Click New in the Users tab to go to the creation page. Let's create a user called xjjdog0.

The user has many options; we focus on two parts. Credentials is where the user's password is set and updated. Role Mappings is where the user's roles are assigned. Set the xjjdog0 password to 123456.

Note a small detail here. When we set the user's password, the words Update Password appear on the user's main settings page. This means the user must change the password once before the account can actually be used. If you don't need to force the user to set a password again, you can delete that entry.

We delete it, of course.

4. Create a client

To authenticate against the xjjdog realm, you also need a client ID that identifies you.

We create a client called xjjdemo, which we will pass to the token interface later.

5. Test the token interface

The address of the interface is (icp here stands for the realm name):

ip:port/auth/realms/icp/protocol/openid-connect/token

Here, we can construct the request address of the token interface from the address information set above:

http://localhost:8080/auth/realms/xjjdog/protocol/openid-connect/token

Use curl to retrieve tokens.

curl -XPOST -d 'client_id=xjjdemo&grant_type=password&scope=openid&username=xjjdog0&password=123456' http://localhost:8080/auth/realms/xjjdog/protocol/openid-connect/token

The parameters client_id, grant_type, scope, username and password are provided. After the POST request is sent, a JSON document is returned.

{
	"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICItMXF4RW9NTU1ON29NM2NrZUhPaEowaFVZVGxQNThfMDNwMDYzV1hIVzQwIn0.eyJleHAiOjE2MDI2NTQ1NzMsImlhdCI6MTYwMjY1NDI3MywianRpIjoiMGQ1ZmZhNzgtZTQ5OS00MmFmLTgyMTUtNjgwODNiNjQ4ODRlIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2F1dGgvcmVhbG1zL3hqamRvZyIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiJjYWQ3NjNiMS01OTg3LTQzYTItOGQ4MC0yZDVlODY1ZGI3MTYiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJ4ampkZW1vIiwic2Vzc2lvbl9zdGF0ZSI6ImQxMWQzOWM2LTBhMzItNDNlYi1iYTIyLTg1MzdlZWE4MDcwNiIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiLyoiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIlJPTEVfVVNFUiIsIm9mZmxpbmVfYWNjZXNzIiwiUk9MRV9BRE1JTiIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoieGpqZG9nMCJ9.DVX3VtSjq-hSsjEWqudKIcZhSpIuuDyalRx0epD93HMX8ap5z_7LpeITdb3aRv3AFIBQe8d80SsDZwUIj9NSobyMo8US4ZF4cLyHEYsp881-vJInnrQ-vbnxwShsx1r1S8NO7dV1CP-aD8b611JBtzxV-P6GPbiZH283BFMnKFHQ68aox0_VYEx3dq3PA53LyM8-_rCElrpyTHk1dUdC7OluPgLx390m9H0TV_2aR9ufXGA4e-xW5fmOFvAHGlg_t3BoDVAduQkoy_wYHA_NbP3uRIOcC0pgOonAsspT2lXA_xkPU8oIpPvBQzcV4eWivm1WV_y6K4kOvn0ZJtkFmA",
	"expires_in": 300,
	"refresh_expires_in": 1800,
	"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjNGMwMzMzOC04MDU5LTRlNDItODYxMC1iYzkzMjNjZDY5NmIifQ.eyJleHAiOjE2MDI2NTYwNzMsImlhdCI6MTYwMjY1NDI3MywianRpIjoiNGE5ZjgxMGItMzc1ZC00OGRmLTg3YjYtN2UwODY4MmFhNDYxIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2F1dGgvcmVhbG1zL3hqamRvZyIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9hdXRoL3JlYWxtcy94ampkb2ciLCJzdWIiOiJjYWQ3NjNiMS01OTg3LTQzYTItOGQ4MC0yZDVlODY1ZGI3MTYiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoieGpqZGVtbyIsInNlc3Npb25fc3RhdGUiOiJkMTFkMzljNi0wYTMyLTQzZWItYmEyMi04NTM3ZWVhODA3MDYiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBwcm9maWxlIn0.mJYtSMQLgEDlzpX7_WC5pAF8s2DENZB1IBv20R2kZ8s",
	"token_type": "bearer",
	"id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICItMXF4RW9NTU1ON29NM2NrZUhPaEowaFVZVGxQNThfMDNwMDYzV1hIVzQwIn0.eyJleHAiOjE2MDI2NTQ1NzMsImlhdCI6MTYwMjY1NDI3MywiYXV0aF90aW1lIjowLCJqdGkiOiJmN2VjYjJlNi1mYmRlLTQ2ZjItOWE1Mi00YTEyMjlkYzQ5YjIiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMveGpqZG9nIiwiYXVkIjoieGpqZGVtbyIsInN1YiI6ImNhZDc2M2IxLTU5ODctNDNhMi04ZDgwLTJkNWU4NjVkYjcxNiIsInR5cCI6IklEIiwiYXpwIjoieGpqZGVtbyIsInNlc3Npb25fc3RhdGUiOiJkMTFkMzljNi0wYTMyLTQzZWItYmEyMi04NTM3ZWVhODA3MDYiLCJhdF9oYXNoIjoiM1h0eEhqTUQ5Q3FNdEwxcWFxTlFfZyIsImFjciI6IjEiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6InhqamRvZzAifQ.EvUbCmrylfwFL0rhyX36nnxFNRTvtYZAkPYtLv6r8CCbolRHwNJDJflu44BpLQBJGD4UNFkvfsz1BmU-mAw5soxS7eaupOm8LGkUm_qmgj-qtH0eGRi4FlUq4Tw3gx4lGoyR1zNlt1dkcAhjNtyXkhZWjcjDownLgFajNrUCOUiFw1XZwBDPlyy5AQ8d1Kkc5RIF6zhy4bkXKp_fakTNWJPr2-C1xYcEssGOv81FVUajszmItnWP4SnJvzER_njpmnjg_b1lPMng-zMx-R7zgQrx06JStO0IKUd8hXSSmudpw652whR31cCWbTBhfNB2RH_Rnfrau2047WZ36I8zmg",
	"not-before-policy": 0,
	"session_state": "d11d39c6-0a32-43eb-ba22-8537eea80706",
	"scope": "openid email profile"
}

The access_token and id_token look familiar. Each is divided into three dot-separated parts, which is the JWT format.

Decode them with a tool and, as expected, everything is immediately clear.

You can see there is a lot of content in the payload. A token like this must be wasteful to transfer over the network. But in the 21st century, that waste is acceptable.
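What the "decode with a tool" step actually does, as an added example that is not code from the original post or from Keycloak: it splits the three dot-separated parts, base64url-decodes the header and payload, pulls out the realm roles created above, and checks the claims a resource server should look at (issuer, client, token type, expiry). The token it runs on is constructed to mirror the claim shape of the access_token shown above (same issuer, client, user and roles); its kid and signature are placeholders, and decoding alone proves nothing until the signature is verified against the realm's public key.

```python
import base64
import json

# Constructed values modelled on the page's access_token (same issuer,
# client, user and realm roles); no token here came from Keycloak.
ISSUER = "http://localhost:8080/auth/realms/xjjdog"
CLIENT_ID = "xjjdemo"

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_jwt_unverified(token):
    # What a "decode" tool does: read header and claims without proving anything.
    # Only a signature check against the realm's public key (published at
    # /auth/realms/<realm>/protocol/openid-connect/certs) makes the claims trustworthy.
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    return header, payload, b64url_decode(signature_b64)

def realm_roles(payload):
    # The realm roles created in the admin console land under realm_access.roles
    return payload.get("realm_access", {}).get("roles", [])

def check_claims(payload, issuer, client_id, now):
    # Returns the list of problems; an empty list means the claims are acceptable
    problems = []
    if payload.get("iss") != issuer:
        problems.append("issuer mismatch")
    if payload.get("azp") != client_id:
        problems.append("issued for another client")
    if payload.get("typ") != "Bearer":
        problems.append("not an access token")
    if payload.get("exp", 0) <= now:
        problems.append("expired")
    return problems

def make_sample_token(exp):
    # Constructed token with the page's claim shape; the signature is a
    # placeholder because no realm key is available offline.
    header = {"alg": "RS256", "typ": "JWT", "kid": "placeholder-kid"}
    payload = {"exp": exp, "iat": exp - 300, "iss": ISSUER, "azp": CLIENT_ID,
               "typ": "Bearer", "preferred_username": "xjjdog0",
               "realm_access": {"roles": ["ROLE_USER", "ROLE_ADMIN", "offline_access"]},
               "scope": "openid email profile"}
    parts = [b64url_encode(json.dumps(obj).encode()) for obj in (header, payload)]
    return ".".join(parts + [b64url_encode(b"placeholder-signature")])
```

To inspect a real token, pass the access_token string from the curl response to decode_jwt_unverified and run check_claims on the payload with the current Unix time.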

Request the address below to validate the token against the userinfo endpoint (the parameter name is access_token; the token may also be sent in an Authorization: Bearer header).

curl -XPOST -d 'access_token={token above}' http://localhost:8080/auth/realms/xjjdog/protocol/openid-connect/userinfo

You will get the following response.

{
	"sub": "cad763b1-5987-43a2-8d80-2d5e865db716",
	"email_verified": false,
	"preferred_username": "xjjdog0"
}

End

As you can see, Keycloak provides stateless token management based on the OAuth 2.0 and JSON Web Token (JWT) specifications. For Internet applications, this naturally gives it the ability to scale horizontally.

Keycloak integration with Spring Boot is very simple, and there is an official demo. Keycloak development is also very active, with commits landing on the master branch just now. All in all, it's worth a try!

Xjjdog is a public account that doesn't let programmers get sidetracked. It focuses on infrastructure and Linux. Ten years of architecture and ten billion requests of daily traffic; it discusses the world of high concurrency with you and gives you a different taste.