last article on 160ef8fa0c6e4d briefly introduced Keycloak , and the response was good. It seems that everyone is interested in this thing. Today, we will have a further experience of Keycloak . Let us have an intuitive understanding of it, and then gradually go deeper to break its design concepts and concepts.
general idea
Because it is known in advance that Keycloak provides Spring Security adapter. First, independently Keycloak 160ef8fa0c6eb6, and then study how it can be combined with Spring Security .
Install Keycloak
Keycloak version of this article 14.0.0 .I always don't like to waste time on installation. It is the most worry-free to use Docker to install during the research phase:
docker run -d -p 8011:8080 --name keycloak-server -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin jboss/keycloakExecute the above command to install Keycloak . After success, open http://localhost:8011/auth/admin enter account admin and password admin , and then enter the management console. If you feel uncomfortable in English, you can change it to Chinese according to the following picture:
After the modification, you can click on the columns to learn about them, and imagine their respective functions and functions. At this time, you have to relax and not think too deeply, just to understand the whole picture.
Realm
If you have been in contact with the well-known security framework Shiro believe that this concept will not be unfamiliar. realm is a space that manages users and corresponding applications. It is a bit of a tenant, and it can maintain the ability of logical isolation between realm
By default, Keycloack provides a call Master of realm , this Master does not undertake specific application and user management, it is only used to manage other realm life cycle.
Log in to Master of realm create a custom domain felord.cn .
User
User is an entity that can log in to the application system. In fact, it can be understood as the account . They can have attributes related to them, such as email, username, address, phone number, and birthday. You can assign them group memberships and assign specific roles to them. Keycloak in User all have their subordinate realm . Next, create a new user in my custom domain felord.cn
- Management -> User menu bar, then open add user .
- Type in the unique required
username (username). - Turn on (
ON) mail authentication ( Email Verified ), and save. - Click Credentials tab to set a temporary password for the new user. This password is temporary and the user will need to change it the first time they log in. If you prefer to create a permanent password, please switch the temporary turn off and click set the password .
Then log out the current user admin and go to http://localhost:8011/auth/realms/felord.cn/account to log in to the felord.cn domain as the newly created user felord
Have you found the characteristics of the login link?
Here realm and account is familiar, but I believe most students are still confused when they see this. Why is it manual? Don't worry, the code will be combined to implement the above process and a process that is more in line with the application scenario.
The core concept of Keycloak
Next are some concepts that we need to master when Keycloak realm and user have been mentioned above, so I won’t repeat them here.
authentication
The process of identifying and authenticating users. Prove that "you are what you are talking about".
authorization
The process of granting user access. Indicate "what you can and can't do".
credentials
Credentials that prove the identity of the user. It may be a password, one-time password, digital certificate, and fingerprint.
roles
Role is an important concept of RBAC, used to indicate the user's identity type.
user role mapping
User role mapping relationship. Usually a user may have multiple roles, and a role can also correspond to different people.
composite roles
Compound role sounds very mysterious, but it is actually the role's affiliation or inheritance relationship. B role is subordinate to the A role, so if you have the A role, you must have the permissions of the B
groups
User group, you can assign a series of roles to a defined user group. Once a user belongs to the user group, the user will get all the role permissions of the corresponding group.
clients
Client. Usually refers to some keycloak to authenticate a user. It can even be said that the requesting entities keycloak protection and keycloak
client adapters
keycloak an adapter designed to support multi-language and cross-platform, such as Java , Python . Some are built-in implementations, and some need to be implemented according to the abstract definition of keycloak Follow-up we mainly deal Spring Boot Adapter
identity provider
The service used to authenticate users, referred to as IDP . keycloak itself is a IDP . This is similar to the AuthenticationProvider interface Spring Security
There are also some concepts that will be added when they come across, a bit too much, digest and digest first.
to sum up
Today’s article focuses on keycloak , builds a development environment for subsequent learning, and summarizes some of the core concepts keycloak However, due to space limitations, some concepts have not been completely sorted out, but the learning is gradual and can't be rushed. The custom realm and the user have been built, the next article I will try to use keycloak to protect the Spring Boot application. In my spare time, codewords are not easy, so please pay more attention and support the author.
Follow the public account: Felordcn for more information
java
**粗体** _斜体_ [链接](http://example.com) `代码` - 列表 > 引用。你还可以使用@来通知其他用户。