[英].NET Core 2.1 Linux Keycloak integration\authentication (OpenID Connect + SSSD)
I am kinda lost now, I want to implement centralised user management here, and we have .NET Core 2.1 Web MVC app hosted on Linux, which uses Identity.EntityFrameworkCore
to store users' information. 我现在有点迷茫,我想在这里实现集中的用户管理,我们在Linux上托管了.NET Core 2.1 Web MVC应用程序,该应用程序使用Identity.EntityFrameworkCore
来存储用户的信息。 Also we have FreeIPA for user management which is basically Kerberos authentication on LDAP directory. 另外,我们还有用于用户管理的FreeIPA,基本上是LDAP目录上的Kerberos身份验证。
As it's deployed on Linux I can't use WindowsAuthentication
to use Kerberos, and also there is no standard way to use LDAP without Windows Compatibility Pack. 由于它已部署在Linux上,因此我不能使用WindowsAuthentication
来使用Kerberos,而且没有Windows兼容包,也没有使用LDAP的标准方法。 The only way that is left is to use third-party library, but unfortunately I'm really new to .NET Core and C#, so here's what I'm trying to do: 剩下的唯一方法是使用第三方库,但是不幸的是,我真的是.NET Core和C#的新手,所以这是我想要做的事情:
Well, I found bunch of third-party libraries like this , this and the whole bunch of THIS , and they all look promising, but I didn't found any with enough documentation or examples to use with .NET Core Identity
. 好吧,我发现了很多像这样的第三方库, 这个库以及整个THIS库 ,它们看起来都很有前途,但是我没有找到足够的文档或示例来与.NET Core Identity
一起使用。
As I said, I'm complete newbie in C# and .NET overall, and I'm unfortunately don't have an idea about either which of this library is better or is there any for straightforward way to use them to store and authenticate users. 就像我说的那样,我总体上是C#和.NET的新手,但是我不知道该库中哪个更好,或者是否有任何直接的方式来使用它们来存储和验证用户。
PS I know this question is dumb, but for learning purposes I had to make one. PS:我知道这个问题很愚蠢,但是出于学习目的,我不得不提出一个问题。 Any help with this would be appreciated! 任何帮助,将不胜感激!
Well, looks like I mostly found the answer, but it has some caveats anyway. 好吧,看来我最能找到答案了,但还是有一些警告。 I used the Keycloak OpenID Connect setup with SSSD federation, because LDAP is the wrong approach for my goals anyway. 我将Keycloak OpenID Connect设置与SSSD联合一起使用,因为LDAP对于我的目标仍然是错误的方法。 More about that setup you can read here , I faced some stupid moments over there, most of them are predicted and bypassed in this guide, but that's more a FreeIPA + Keycloak thread. 有关该设置的更多信息,您可以在这里阅读,我在那儿遇到了一些愚蠢的事情 ,其中大多数是在本指南中预测和忽略的,但这更多是FreeIPA + Keycloak线程。 Last Keycloak thing that should be noted: I had to add and allow HBAC "keycloak" service to make it work, because otherwise my SSSD authentication was denied. 最后需要注意的Keycloak事情:我必须添加并允许HBAC“ keycloak”服务使其正常工作,因为否则,我的SSSD身份验证将被拒绝。 Going forward to the .NET Core part: my app is 2.1, and my setup looks like that: 前进到.NET Core部分:我的应用程序是2.1,设置如下:
I added the following into Startup.cs dependencies: 我将以下内容添加到Startup.cs依赖项中:
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using System.IdentityModel.Tokens;
Next, I added the configuration to appsettings.json 接下来,我将配置添加到appsettings.json
"Oidc": {
"ClientId": "<your client id here>",
"ClientSecret": "<your secret here>",
"Authority": "https://<ip:port of keycloak https>/auth/realms/<realm name>",
"ResponseType": "code"
}
Okay, heading to the configuration itself: 好的,转到配置本身:
services.AddAuthentication(options => {
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie("Cookies")
.AddOpenIdConnect(options =>
{
options.ClientId = Configuration["Oidc:ClientId"];
options.ClientSecret = Configuration["Oidc:ClientSecret"];
options.Authority = Configuration["Oidc:Authority"];
options.SaveTokens = true;
options.GetClaimsFromUserInfoEndpoint = true;
options.ResponseType = Configuration["Oidc:ResponseType"];
options.Scope.Add("claims");
options.ClaimActions.Clear();
options.ClaimActions.MapUniqueJsonKey("roles", "roles");
}
);;
I hope this short answer will help someone to set up FreeIPA+Keycloak and connect it to .NET Core, because I killed a week for this :D. 我希望这个简短的答案可以帮助某人设置FreeIPA + Keycloak并将其连接到.NET Core,因为我为此花了一个星期。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.