「.NET 開発基盤部会 Wiki」は、「Open棟梁Project」,「OSSコンソーシアム .NET開発基盤部会」によって運営されています。
割愛、コノ辺を見て。
取り敢えず、探すと、コチラのような情報がある。
色々と検討しましたが、tosierさんのDockerコンポーズが動かなかったので、
他のお二方のDockerコマンドをDockerコンポーズに組み込んでいくような感じにしました。
$ docker run -d -p 8080:8080 --network oidc-network -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=password --name keycloak jboss/keycloak
docker run -d -p 18080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin --name keycloak jboss/keycloak
version: "2" services: ... # KeyCloak keycloak: image: jboss/keycloak:3.4.0.Final restart: always volumes_from: - keycloak-data links: - keycloak-mariadb expose: - "8080" environment: KEYCLOAK_USER: admin KEYCLOAK_PASSWORD: admin PROXY_ADDRESS_FORWARDING: "true" ...参考:https://github.com/tosier/keycloak-mariadb-dc
version: '3.4' services: keycloak: image: jboss/keycloak:latest restart: always ports: - "8888:8080" environment: KEYCLOAK_USER: seigi KEYCLOAK_PASSWORD: seigi@123
>docker-compose up -d Creating network "keycloak_default" with the default driver Pulling keycloak (jboss/keycloak:latest)... latest: Pulling from jboss/keycloak e96e3a1df3b2: Pull complete 1b99828eddf5: Pull complete 6298f612e428: Pull complete 0d7d3759e7ca: Pull complete 6c0c91dde365: Pull complete Digest: sha256:bb12fd9de6754e20e0021d3ff75e2f5fc0e3544a853cadd3c7fbe7373a80d139 Status: Downloaded newer image for jboss/keycloak:latest Creating keycloak_keycloak_1 ... done
{ "issuer": "http://localhost:8888/auth/realms/master", "authorization_endpoint": "http://localhost:8888/auth/realms/master/protocol/openid-connect/auth", "token_endpoint": "http://localhost:8888/auth/realms/master/protocol/openid-connect/token", "token_introspection_endpoint": "http://localhost:8888/auth/realms/master/protocol/openid-connect/token/introspect", "userinfo_endpoint": "http://localhost:8888/auth/realms/master/protocol/openid-connect/userinfo", "end_session_endpoint": "http://localhost:8888/auth/realms/master/protocol/openid-connect/logout", "jwks_uri": "http://localhost:8888/auth/realms/master/protocol/openid-connect/certs", "check_session_iframe": "http://localhost:8888/auth/realms/master/protocol/openid-connect/login-status-iframe.html", "grant_types_supported": [ "authorization_code", "implicit", "refresh_token", "password", "client_credentials" ], "response_types_supported": [ "code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token" ], "subject_types_supported": [ "public", "pairwise" ], "id_token_signing_alg_values_supported": [ "PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512" ], "id_token_encryption_alg_values_supported": [ "RSA-OAEP", "RSA1_5" ], "id_token_encryption_enc_values_supported": [ "A128GCM", "A128CBC-HS256" ], "userinfo_signing_alg_values_supported": [ "PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512", "none" ], "request_object_signing_alg_values_supported": [ "PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512", "none" ], "response_modes_supported": [ "query", "fragment", "form_post" ], "registration_endpoint": "http://localhost:8888/auth/realms/master/clients-registrations/openid-connect", "token_endpoint_auth_methods_supported": [ "private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt" ], "token_endpoint_auth_signing_alg_values_supported": [ "PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512" ], "claims_supported": [ "aud", "sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email", "acr" ], "claim_types_supported": [ "normal" ], "claims_parameter_supported": false, "scopes_supported": [ "openid", "address", "email", "microprofile-jwt", "offline_access", "phone", "profile", "roles", "web-origins" ], "request_parameter_supported": true, "request_uri_parameter_supported": true, "code_challenge_methods_supported": [ "plain", "S256" ], "tls_client_certificate_bound_access_tokens": true, "introspection_endpoint": "http://localhost:8888/auth/realms/master/protocol/openid-connect/token/introspect" }
{ "keys": [ { "kid": "rJi_COdJ0jzDRkMrFUA2YA6YdRKLFWnvjXXuiCDNY_Q", "kty": "RSA", "alg": "RS256", "use": "sig", "n": "hCnz-ZtjIjfaL_wkOWhdo58UN1ap_bRxFxRnYrJ4pDMbxINhGLN8CUNlWLIwaydjMmbtsjSuJHkmf8TmFJadFu28fcKK8CiDm5kEEu8FeqMuZIQ_36BYQeiljBvuZeIIiLMkUcBfOSS0Qx79GPSek5OucpM7mZAF6A1OrQW9Tm7oN-v8Rrbz2nvTh7_WqWWrcKR4y2SZsC3UXDZsmK9Fz_lVdNBc-iRbU5ylv82WHawZlMUYY4BFsMtSZcRWOXvZQlCjxRP59xaJOlo-oST4wAVHQxuW-078AmcizlNHkdG-3w2Y3qthTD_ffXpbeDRNz3a2ktCITVGtK70uqiyWuQ", "e": "AQAB", "x5c": [ "MIICmzCCAYMCBgFyxiN00TANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjAwNjE4MDYzMzMxWhcNMzAwNjE4MDYzNTExWjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCEKfP5m2MiN9ov/CQ5aF2jnxQ3Vqn9tHEXFGdisnikMxvEg2EYs3wJQ2VYsjBrJ2MyZu2yNK4keSZ/xOYUlp0W7bx9worwKIObmQQS7wV6oy5khD/foFhB6KWMG+5l4giIsyRRwF85JLRDHv0Y9J6Tk65ykzuZkAXoDU6tBb1Obug36/xGtvPae9OHv9apZatwpHjLZJmwLdRcNmyYr0XP+VV00Fz6JFtTnKW/zZYdrBmUxRhjgEWwy1JlxFY5e9lCUKPFE/n3Fok6Wj6hJPjABUdDG5b7TvwCZyLOU0eR0b7fDZjeq2FMP999elt4NE3PdraS0IhNUa0rvS6qLJa5AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFDVbczLPEWeM+bZJWmJd6alASl5oZ7HQoiDC7LF/gYR9Gd/h+YbN+rCL3/WbimjPr+R5nUnud3LxiFDT6SMZL3jDun2S3OJ0tgbWOh7vb5Z/YaBAlNpe4AAtNBWcPKe6ftG4AaIh0EeJZFBNlgj9pYDy5KvBQ4mDbZ5+ormrkhFomVJZk3ngHtVUGQFZZbByZupmStdQR39N+VHQDqtjZsc5is8LC1/kKOQUOgDQxfpXqG2Y8rCfyj0wN/JxB97EdA5S1yvLu/RQbgzgOlCk+pXqUgpANh6winILHi9HmQR214el2Y9oYWaCjzCj59D4s+5CCIUd762QfpLxqVqbRE=" ], "x5t": "fKVUd7VAVPxaQrL-MITaklh33v0", "x5t#S256": "NP-fHl97wx77ZMHX9cvHjbr61R9N0ud2FG95WpYPolo" } ] }
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Name="urn:keycloak"> <EntityDescriptor entityID="http://localhost:8888/auth/realms/master"> <IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <KeyDescriptor use="signing"> <dsig:KeyInfo> <dsig:KeyName>rJi_COdJ0jzDRkMrFUA2YA6YdRKLFWnvjXXuiCDNY_Q</dsig:KeyName> <dsig:X509Data> <dsig:X509Certificate>MIICmzCCAYMCBgFyxiN00TANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjAwNjE4MDYzMzMxWhcNMzAwNjE4MDYzNTExWjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCEKfP5m2MiN9ov/CQ5aF2jnxQ3Vqn9tHEXFGdisnikMxvEg2EYs3wJQ2VYsjBrJ2MyZu2yNK4keSZ/xOYUlp0W7bx9worwKIObmQQS7wV6oy5khD/foFhB6KWMG+5l4giIsyRRwF85JLRDHv0Y9J6Tk65ykzuZkAXoDU6tBb1Obug36/xGtvPae9OHv9apZatwpHjLZJmwLdRcNmyYr0XP+VV00Fz6JFtTnKW/zZYdrBmUxRhjgEWwy1JlxFY5e9lCUKPFE/n3Fok6Wj6hJPjABUdDG5b7TvwCZyLOU0eR0b7fDZjeq2FMP999elt4NE3PdraS0IhNUa0rvS6qLJa5AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFDVbczLPEWeM+bZJWmJd6alASl5oZ7HQoiDC7LF/gYR9Gd/h+YbN+rCL3/WbimjPr+R5nUnud3LxiFDT6SMZL3jDun2S3OJ0tgbWOh7vb5Z/YaBAlNpe4AAtNBWcPKe6ftG4AaIh0EeJZFBNlgj9pYDy5KvBQ4mDbZ5+ormrkhFomVJZk3ngHtVUGQFZZbByZupmStdQR39N+VHQDqtjZsc5is8LC1/kKOQUOgDQxfpXqG2Y8rCfyj0wN/JxB97EdA5S1yvLu/RQbgzgOlCk+pXqUgpANh6winILHi9HmQR214el2Y9oYWaCjzCj59D4s+5CCIUd762QfpLxqVqbRE=</dsig:X509Certificate> </dsig:X509Data> </dsig:KeyInfo> </KeyDescriptor> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8888/auth/realms/master/protocol/saml"/> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8888/auth/realms/master/protocol/saml"/> <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat> <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8888/auth/realms/master/protocol/saml"/> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8888/auth/realms/master/protocol/saml"/> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://localhost:8888/auth/realms/master/protocol/saml"/> </IDPSSODescriptor> </EntityDescriptor> </EntitiesDescriptor>
参考:用語
MVC_sampleと連携させてみる。
"f53469c17c5a432f86ce563b7805ab89": { "client_secret": "cKdwJb6mRKVIJpGxEWjIC94zquQltw_ECfO-55p21YM", "redirect_uri_code": "http://localhost:58496/Home/OAuth2AuthorizationCodeGrantClient", "redirect_uri_token": "hogehoge0", "client_name": "MVC_Sample" },
// OAuth2, OIDC認証 "SpRp_Isser": "https://ssoauth.opentouryo.com", "OAuth2AndOidcClientID": "f53469c17c5a432f86ce563b7805ab89", "OAuth2AndOidcSecret": "cKdwJb6mRKVIJpGxEWjIC94zquQltw_ECfO-55p21YM", "SpRp_RsaCerFilePath": "C:\\root\\files\\resource\\X509\\SHA256RSA_Server.cer", "JwkSetUri": "https://localhost:44300/MultiPurposeAuthSite/jwkcerts/",
// OAuth2, OIDC認証 "SpRp_Isser": "http://localhost:8888/auth/realms/master", "OAuth2AndOidcClientID": "f53469c17c5a432f86ce563b7805ab89", "OAuth2AndOidcSecret": "<Keycloakが生成した値を入力する>", "SpRp_RsaCerFilePath": "C:\\root\\files\\resource\\X509\\SHA256RSA_Keycloak.cer", "JwkSetUri": "http://localhost:8888/auth/realms/master/protocol/openid-connect/certs",※ SHA256RSA_Keycloak.cer
-----BEGIN CERTIFICATE----- MIICmzCCAYMCBgFyxiN00TANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0 ZXIwHhcNMjAwNjE4MDYzMzMxWhcNMzAwNjE4MDYzNTExWjARMQ8wDQYDVQQDDAZt YXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCEKfP5m2MiN9ov /CQ5aF2jnxQ3Vqn9tHEXFGdisnikMxvEg2EYs3wJQ2VYsjBrJ2MyZu2yNK4keSZ/ xOYUlp0W7bx9worwKIObmQQS7wV6oy5khD/foFhB6KWMG+5l4giIsyRRwF85JLRD Hv0Y9J6Tk65ykzuZkAXoDU6tBb1Obug36/xGtvPae9OHv9apZatwpHjLZJmwLdRc NmyYr0XP+VV00Fz6JFtTnKW/zZYdrBmUxRhjgEWwy1JlxFY5e9lCUKPFE/n3Fok6 Wj6hJPjABUdDG5b7TvwCZyLOU0eR0b7fDZjeq2FMP999elt4NE3PdraS0IhNUa0r vS6qLJa5AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFDVbczLPEWeM+bZJWmJd6al ASl5oZ7HQoiDC7LF/gYR9Gd/h+YbN+rCL3/WbimjPr+R5nUnud3LxiFDT6SMZL3j Dun2S3OJ0tgbWOh7vb5Z/YaBAlNpe4AAtNBWcPKe6ftG4AaIh0EeJZFBNlgj9pYD y5KvBQ4mDbZ5+ormrkhFomVJZk3ngHtVUGQFZZbByZupmStdQR39N+VHQDqtjZsc 5is8LC1/kKOQUOgDQxfpXqG2Y8rCfyj0wN/JxB97EdA5S1yvLu/RQbgzgOlCk+pX qUgpANh6winILHi9HmQR214el2Y9oYWaCjzCj59D4s+5CCIUd762QfpLxqVqbRE= -----END CERTIFICATE-----
FrontendTemplates&ResourceServerTemplatesと連携させてみる。
"f374a155909d486a9234693c34e94479": { "client_secret": "z54lhkewWPl4hk3eF1WYwvdqt7Fz24jYamLPZFVnWpA", "redirect_uri_code": "http://localhost:3000/RedirectEndpoint", "redirect_uri_token": "", "client_name": "SPA_Application" },
// const.js let FrontendHostRootUrl = 'http://localhost:3000'; let AuthServerRootUrl = 'https://localhost:44300/MultiPurposeAuthSite'; let ResourcesServerRootUrl = 'http://localhost:8888'; let constants = { BaseUrl: '~/', ClientId: 'f374a155909d486a9234693c34e94479', AuthRequestUrl: AuthServerRootUrl + '/authorize', TokenRequestUrl: AuthServerRootUrl + '/token', UserInfoRequestUrl: AuthServerRootUrl + '/userinfo', FetchDataRootUrl: FrontendHostRootUrl + '/api/sampledata/weatherforecasts?', CrudSampleRootUrl: ResourcesServerRootUrl + '/api/json/' };
// const.js let FrontendHostRootUrl = 'http://localhost:3000'; let AuthServerRootUrl = 'http://localhost:8888/auth/realms/master/protocol/openid-connect'; let ResourcesServerRootUrl = 'http://localhost:9999'; let constants = { BaseUrl: '~/', ClientId: 'f374a155909d486a9234693c34e94479', AuthRequestUrl: AuthServerRootUrl + '/auth', TokenRequestUrl: AuthServerRootUrl + '/token', UserInfoRequestUrl: AuthServerRootUrl + '/userinfo', FetchDataRootUrl: FrontendHostRootUrl + '/api/sampledata/weatherforecasts?', CrudSampleRootUrl: ResourcesServerRootUrl + '/api/json/' };※ Auth ServerとResource Serverのポート競合のため、Resource Serverを9999に変更。
// OAuth2, OIDC認証 "JwkSetUri": "https://localhost:44300/MultiPurposeAuthSite/jwkcerts/", "SpRp_RsaCerFilePath": "C:\\root\\files\\resource\\X509\\SHA256RSA_Server.cer", "SpRp_Isser": "https://ssoauth.opentouryo.com",
// OAuth2, OIDC認証 "JwkSetUri": "http://localhost:8888/auth/realms/master/protocol/openid-connect/certs", "SpRp_RsaCerFilePath": "C:\\root\\files\\resource\\X509\\SHA256RSA_Keycloak.cer", "SpRp_Isser": "http://localhost:8888/auth/realms/master",
let params = "?client_id={0}&response_type=code&scope=profile" + "&state={1}&code_challenge={2}&code_challenge_method=S256&response_mode=fragment" + "&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2FRedirectEndpoint";
const body = "grant_type=authorization_code" + "&client_id=" + ClientId + "&code=" + code + "&code_verifier=" + code_verifier + "&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2FRedirectEndpoint";