Keycloak \u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u8eab\u4efd\u4e0e\u8bbf\u95ee\u7ba1\u7406\uff08IAM\uff09\u89e3\u51b3\u65b9\u6848\uff0c\u5b83\u5e2e\u6211\u4eec\u641e\u5b9a\u767b\u5f55\u3001\u5355\u70b9\u767b\u5f55\uff08SSO\uff09\u3001\u6ce8\u518c\u3001\u793e\u4ea4\u767b\u5f55\u3001MFA\u3001\u591a\u79df\u6237\u7b49\u7b49\u2014\u2014\u7b80\u5355\u8bf4\uff0c\u5c31\u662f\u628a\u201c\u600e\u4e48\u767b\u5f55\u201d\u7684\u9505\u4ea4\u7ed9\u5b83\uff0c\u6211\u4eec\u4e13\u6ce8\u4e8e\u5199\u4e1a\u52a1\u4ee3\u7801\u5c31\u884c\u4e86\u3002<\/p>\n
\u4f60\u53ef\u4ee5\u628a\u5b83\u60f3\u8c61\u6210\u201c\u7edf\u4e00\u8ba4\u8bc1\u4e2d\u5fc3\u201d\uff0c\u4f60\u5e94\u7528\u91cc\u6240\u6709\u5173\u4e8e\u201c\u7528\u6237\u662f\u8c01\u201d\u201c\u6709\u6ca1\u6709\u6743\u9650\u201d\u7684\u95ee\u9898\uff0c\u90fd\u53ef\u4ee5\u4e22\u7ed9\u5b83\u6765\u5904\u7406\u3002<\/p>\n
+-------------+ +--------------------+ +-------------+\n| \u6d4f\u89c8\u5668 | <---> | \u524d\u7aef Vue \u5e94\u7528 | <---> | |\n+-------------+ +--------------------+ | |\n | Keycloak |\n+-------------+ +--------------------+ | |\n| Python | <---> | \u540e\u7aef FastAPI | <---> | |\n+-------------+ +--------------------+ +-------------+<\/code><\/pre>\n\n- \u524d\u7aef\u8df3\u8f6c Keycloak \u767b\u5f55\uff1b<\/li>\n
- \u767b\u5f55\u6210\u529f\u540e\uff0c\u62ff\u5230 token\uff1b<\/li>\n
- \u540e\u7aef\u7528\u8fd9\u4e2a token \u9a8c\u8bc1\u8eab\u4efd\u3001\u83b7\u53d6\u7528\u6237\u4fe1\u606f\u3002<\/li>\n<\/ul>\n
\u4e09\u3001\u5b89\u88c5 Keycloak\uff08\u5bb9\u5668\u7248\uff09<\/h2>\n
\u7528 Docker \u5b89\u88c5\u6700\u7b80\u5355\uff0c\u4ee5\u4e0b\u662f\u5feb\u901f\u4e0a\u624b\u547d\u4ee4\uff1a<\/p>\n
docker run -d \\\n --name keycloak \\\n -p 8080:8080 \\\n -e KEYCLOAK_ADMIN=admin \\\n -e KEYCLOAK_ADMIN_PASSWORD=admin \\\n quay.io\/keycloak\/keycloak:24.0.1 \\\n start-dev<\/code><\/pre>\n\u7136\u540e\u8bbf\u95ee\uff1ahttp:\/\/localhost:8080<\/a>
\n\u4f7f\u7528 admin\/admin<\/code> \u767b\u5f55 Keycloak \u7ba1\u7406\u63a7\u5236\u53f0\u3002<\/p>\n\u56db\u3001\u914d\u7f6e Realm\u3001Client \u548c\u7528\u6237<\/h2>\n\n- \u767b\u5f55\u63a7\u5236\u53f0\uff0c\u521b\u5efa\u4e00\u4e2a Realm\uff08\u53ef\u4ee5\u7406\u89e3\u6210\u4e00\u4e2a\u201c\u7528\u6237\u7a7a\u95f4\u201d\uff09\uff1b<\/li>\n
- \u5728 Realm \u4e0b\u521b\u5efa\u4e00\u4e2a Client\uff08\u6bd4\u5982\u53eb
my-app<\/code>\uff09\uff1b\n\n- \u7c7b\u578b\uff1aOpenID Connect<\/li>\n
- Client ID:
my-app<\/code><\/li>\n- Root URL:
http:\/\/localhost:5173<\/code><\/li>\n- Valid Redirect URIs:
http:\/\/localhost:5173\/*<\/code><\/li>\n<\/ul>\n<\/li>\n- \u521b\u5efa\u7528\u6237\u5e76\u8bbe\u7f6e\u5bc6\u7801\uff1b<\/li>\n
- \u7ed9 Client \u542f\u7528 \u6807\u51c6\u6d41\uff08Authorization Code Flow\uff09<\/strong>\uff1b<\/li>\n
- \u6253\u5f00
Credentials<\/code> \u8bb0\u4e0b Client Secret<\/code>\u3002<\/li>\n<\/ol>\n
\n\u4e94\u3001\u540e\u7aef\uff08Python FastAPI \u793a\u4f8b\uff09<\/h2>\n\u5b89\u88c5\u4f9d\u8d56\uff1a<\/h3>\npip install fastapi uvicorn python-dotenv httpx<\/code><\/pre>\n\u521b\u5efa .env<\/code> \u6587\u4ef6\uff1a<\/h3>\nKEYCLOAK_CLIENT_ID=my-app\nKEYCLOAK_CLIENT_SECRET=\u4f60\u7684\u5bc6\u94a5\nKEYCLOAK_REALM=your-realm\nKEYCLOAK_URL=http:\/\/localhost:8080\nREDIRECT_URI=http:\/\/localhost:8000\/auth\/callback<\/code><\/pre>\n\u521b\u5efa main.py<\/code>\uff1a<\/h3>\nimport os\nfrom fastapi import FastAPI, Request, HTTPException\nfrom fastapi.responses import RedirectResponse, JSONResponse\nfrom dotenv import load_dotenv\nimport httpx\n\nload_dotenv()\n\napp = FastAPI()\n\nCLIENT_ID = os.getenv("KEYCLOAK_CLIENT_ID")\nCLIENT_SECRET = os.getenv("KEYCLOAK_CLIENT_SECRET")\nREALM = os.getenv("KEYCLOAK_REALM")\nKEYCLOAK_URL = os.getenv("KEYCLOAK_URL")\nREDIRECT_URI = os.getenv("REDIRECT_URI")\n\n@app.get("\/auth\/login")\ndef login():\n return RedirectResponse(\n f"{KEYCLOAK_URL}\/realms\/{REALM}\/protocol\/openid-connect\/auth"\n f"?client_id={CLIENT_ID}&response_type=code&redirect_uri={REDIRECT_URI}"\n )\n\n@app.get("\/auth\/callback")\nasync def callback(code: str):\n async with httpx.AsyncClient() as client:\n token_resp = await client.post(\n f"{KEYCLOAK_URL}\/realms\/{REALM}\/protocol\/openid-connect\/token",\n data={\n "client_id": CLIENT_ID,\n "client_secret": CLIENT_SECRET,\n "code": code,\n "grant_type": "authorization_code",\n "redirect_uri": REDIRECT_URI,\n },\n headers={"Content-Type": "application\/x-www-form-urlencoded"},\n )\n token_json = token_resp.json()\n access_token = token_json.get("access_token")\n return RedirectResponse(f"http:\/\/localhost:5173?access_token={access_token}")\n\n@app.get("\/api\/me")\nasync def get_user(request: Request):\n auth = request.headers.get("Authorization")\n if not auth:\n raise HTTPException(status_code=401, detail="Missing token")\n\n token = auth.split(" ")[1]\n async with httpx.AsyncClient() as client:\n userinfo_resp = await client.get(\n f"{KEYCLOAK_URL}\/realms\/{REALM}\/protocol\/openid-connect\/userinfo",\n headers={"Authorization": f"Bearer {token}"}\n )\n return userinfo_resp.json()<\/code><\/pre>\n
\n\u516d\u3001\u524d\u7aef\uff08Vue.js\uff09<\/h2>\n\u5b89\u88c5 Vue \u9879\u76ee<\/h3>\nnpm init vue@latest\ncd your-project\nnpm install axios<\/code><\/pre>\n\u4fee\u6539 App.vue<\/code><\/h3>\n<script setup>\nimport { ref, onMounted } from 'vue'\nimport axios from 'axios'\n\nconst user = ref(null)\n\nconst login = () => {\n window.location.href = 'http:\/\/localhost:8000\/auth\/login'\n}\n\nconst logout = () => {\n localStorage.removeItem('token')\n user.value = null\n}\n\nconst fetchUser = async () => {\n const token = localStorage.getItem('token')\n if (!token) return\n\n try {\n const res = await axios.get('http:\/\/localhost:8000\/api\/me', {\n headers: {\n Authorization: `Bearer ${token}`,\n },\n })\n user.value = res.data\n } catch {\n logout()\n }\n}\n\nonMounted(() => {\n const params = new URLSearchParams(window.location.search)\n const token = params.get('access_token')\n if (token) {\n localStorage.setItem('token', token)\n window.history.replaceState({}, '', '\/')\n }\n fetchUser()\n})\n<\/script>\n\n<template>\n <div>\n <h1>Keycloak \u767b\u5f55\u793a\u4f8b<\/h1>\n <div v-if="user">\n <p>\u4f60\u597d\uff0c{{ user.name || user.preferred_username }}\uff01<\/p>\n <button @click="logout">\u9000\u51fa\u767b\u5f55<\/button>\n <\/div>\n <div v-else>\n <button @click="login">\u4f7f\u7528 Keycloak \u767b\u5f55<\/button>\n <\/div>\n <\/div>\n<\/template><\/code><\/pre>\n
\n\u4e03\u3001\u603b\u7ed3<\/h2>\n
Keycloak \u5c31\u50cf\u4f60\u9879\u76ee\u7684\u201c\u95e8\u795e\u201d\uff0c\u5b83\u5b88\u4f4f\u5927\u95e8\uff0c\u786e\u4fdd\u201c\u4ec0\u4e48\u4eba\u80fd\u8fdb\u201d\u201c\u8fdb\u6765\u4e86\u662f\u8c01\u201d\u3002\u901a\u8fc7\u6807\u51c6\u534f\u8bae\uff08OAuth\u3001OIDC\uff09\u5bf9\u63a5\uff0c\u4f60\u4e0d\u9700\u8981\u91cd\u590d\u9020\u8f6e\u5b50\uff0c\u5c31\u80fd\u8ba9\u4f60\u7684\u7cfb\u7edf\u62e5\u6709\u73b0\u4ee3\u5316\u7684\u7528\u6237\u8eab\u4efd\u7ba1\u7406\u529f\u80fd\u3002<\/p>\n
\u672c\u6587\u901a\u8fc7\u4e00\u4e2a Vue + FastAPI \u7684\u5c0f\u4f8b\u5b50\uff0c\u5e26\u4f60\u8dd1\u901a\u4e86 Keycloak \u7684\u4e00\u4e2a\u6700\u57fa\u672c\u5e94\u7528\u573a\u666f\u3002\u540e\u7eed\u4f60\u53ef\u4ee5\u63a2\u7d22\u66f4\u591a\u7279\u6027\uff0c\u6bd4\u5982\uff1a<\/p>\n
\n- \u793e\u4ea4\u767b\u5f55\uff08Google\u3001GitHub \u4e00\u952e\u63a5\u5165\uff09<\/li>\n
- \u591a\u56e0\u7d20\u8ba4\u8bc1\uff08MFA\uff09<\/li>\n
- \u81ea\u5b9a\u4e49\u7528\u6237\u754c\u9762<\/li>\n
- \u4e0e\u4f01\u4e1a AD\u3001LDAP \u96c6\u6210<\/li>\n<\/ul>\n
\u672c\u4f5c\u54c1\u91c7\u7528\u77e5\u8bc6\u5171\u4eab\u7f72\u540d-\u975e\u5546\u4e1a\u6027\u4f7f\u7528-\u7981\u6b62\u6f14\u7ece 4.0 \u56fd\u9645\u8bb8\u53ef\u534f\u8bae<\/a>\u8fdb\u884c\u8bb8\u53ef\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"Keycloak \u7684\u67b6\u6784\u4e0e\u5e94\u7528 \u4e00\u3001\u4ec0\u4e48\u662f Keycloak\uff1f Keycloak \u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u8eab\u4efd\u4e0e\u8bbf\u95ee\u7ba1\u7406\uff08IAM\uff09\u89e3\u51b3\u65b9\u6848\uff0c\u5b83\u5e2e\u6211\u4eec\u641e\u5b9a\u767b\u5f55\u3001\u5355\u70b9\u767b\u5f55\uff08SSO\uff09\u3001\u6ce8\u518c\u3001\u793e\u4ea4\u767b\u5f55\u3001MFA\u3001\u591a\u79df\u6237\u7b49\u7b49\u2014\u2014\u7b80\u5355\u8bf4\uff0c\u5c31\u662f\u628a\u201c\u600e\u4e48\u767b\u5f55\u201d\u7684\u9505\u4ea4\u7ed9\u5b83\uff0c\u6211\u4eec\u4e13\u6ce8\u4e8e\u5199\u4e1a\u52a1\u4ee3\u7801\u5c31\u884c\u4e86\u3002 \u4f60\u53ef\u4ee5\u628a\u5b83\u60f3\u8c61\u6210\u201c\u7edf\u4e00\u8ba4\u8bc1\u4e2d\u5fc3\u201d\uff0c\u4f60\u5e94\u7528\u91cc\u6240\u6709\u5173\u4e8e\u201c\u7528\u6237\u662f\u8c01\u201d\u201c\u6709\u6ca1\u6709\u6743\u9650\u201d\u7684\u95ee\u9898\uff0c\u90fd\u53ef\u4ee5\u4e22\u7ed9\u5b83\u6765\u5904\u7406\u3002 Keycloak \u652f\u6301\u54ea\u4e9b\u534f\u8bae\uff1f OAuth 2.0\uff1a\u73b0\u4ee3\u8ba4\u8bc1\u7684\u4e3b\u6d41\u534f\u8bae\uff0c\u50cf GitHub \u767b\u5f55\u90a3\u5957\u5c31\u662f\u5b83\u3002 OIDC\uff08OpenID Connect\uff09\uff1a\u5728 OAuth 2.0 \u4e0a\u5c01\u88c5\u4e00\u5c42\uff0c\u7528\u4e8e\u83b7\u53d6\u201c\u7528\u6237\u662f\u8c01\u201d\u7684\u4fe1\u606f\u3002 SAML 2.0\uff1a\u4e3b\u8981\u662f\u4f01\u4e1a\u3001\u8001\u7cfb\u7edf\u5728\u7528\u3002 \u4e8c\u3001Keycloak \u67b6\u6784\u4e00\u56fe\u6d41 +————-+ +——————–+ +————-+ | \u6d4f\u89c8\u5668 | <—> | \u524d\u7aef Vue \u5e94\u7528 | <—> | | +————-+ +——————–+ | | | Keycloak | +————-+ +——————–+ | | | Python | <—> | \u540e\u7aef FastAPI […] →Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19],"tags":[],"class_list":["post-2044","post","type-post","status-publish","format-standard","hentry","category-cloud"],"_links":{"self":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/2044"}],"collection":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2044"}],"version-history":[{"count":1,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/2044\/revisions"}],"predecessor-version":[{"id":2045,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/2044\/revisions\/2045"}],"wp:attachment":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2044"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2044"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2044"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}