
OAuth Made Easy: Installation

Posted at 2020-03-22

We install Keycloak on Ubuntu on Azure and try out OAuth 2.0 with it.

The test environment is as follows.

# uname -a
Linux ubuntu18 5.0.0-1020-azure #21~18.04.1-Ubuntu SMP Fri Sep 13 14:10:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

# java -version
openjdk version "1.8.0_242"
OpenJDK Runtime Environment (build 1.8.0_242-8u242-b08-0ubuntu3~18.04-b08)
OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)

First, download and extract Keycloak.

# cd /opt
# wget https://downloads.jboss.org/keycloak/9.0.0/keycloak-9.0.0.tar.gz
# tar zxvf keycloak-9.0.0.tar.gz

Next, create the admin user (admin) and start the server. Passing -b 0.0.0.0 makes it accept connections on every IP address.

# cd keycloak-9.0.0
# ./bin/add-user-keycloak.sh -u admin
Press ctrl-d (Unix) or ctrl-z (Windows) to exit
Password:
Added 'admin' to '/opt/keycloak-9.0.0/standalone/configuration/keycloak-add-user.json', restart server to load user
# ./bin/standalone.sh -b 0.0.0.0

TLS will be terminated by Apache, and the application server itself listens on port 8080.

# ./bin/kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin
Logging into http://localhost:8080/auth as user admin of realm master
Enter password: **********
# ./bin/kcadm.sh update realms/master -s sslRequired=NONE

Configure TLS and the reverse proxy in Apache.

apache2.conf
(omitted)
ProxyPreserveHost On
ProxyRequests Off
RequestHeader add X-forwarded-proto https
ProxyPass /auth http://127.0.0.1:8080/auth
ProxyPassReverse /auth http://127.0.0.1:8080/auth
(omitted)

Configure the SSL (proxy) settings in Keycloak.

standalone.xml
(omitted)
<!-- http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/ -->
<http-listener name="default" socket-binding="http" proxy-address-forwarding="true" redirect-socket="https" enable-http2="true"/>
(omitted)

To prepare for trying OAuth in the next installments, check Keycloak's configuration (the OpenID Provider Configuration). It is remarkable that all of this is open source.
https://ja.wikipedia.org/wiki/Keycloak

# curl -k https://ubuntu18.japaneast.cloudapp.azure.com/auth/realms/master/.well-known/openid-configuration

{"issuer":"https://ubuntu18.japaneast.cloudapp.azure.com/auth/realms/master","authorization_endpoint":"https://ubuntu18.japaneast.cloudapp.azure.com/auth/realms/master/protocol/openid-connect/auth","token_endpoint":"https://ubuntu18.japaneast.cloudapp.azure.com/auth/realms/master/protocol/openid-connect/token","token_introspection_endpoint":"https://ubuntu18.japaneast.cloudapp.azure.com/auth/realms/master/protocol/openid-connect/token/introspect","userinfo_endpoint":"https://ubuntu18.japaneast.cloudapp.azure.com/auth/realms/master/protocol/openid-connect/userinfo","end_session_endpoint":"https://ubuntu18.japaneast.cloudapp.azure.com/auth/realms/master/protocol/openid-connect/logout","jwks_uri":"https://ubuntu18.japaneast.cloudapp.azure.com/auth/realms/master/protocol/openid-connect/certs","check_session_iframe":"https://ubuntu18.japaneast.cloudapp.azure.com/auth/realms/master/protocol/openid-connect/login-status-iframe.html","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],"subject_types_supported":["public","pairwise"],"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA1_5"],"id_token_encryption_enc_values_supported":["A128GCM","A128CBC-HS256"],"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],"response_modes_supported":["query","fragment","form_post"],"registration_endpoint":"https://ubuntu18.japaneast.cloudapp.azure.com/auth/realms/master/clients-registrations/openid-connect","token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],"claim_types_supported":["normal"],"claims_parameter_supported":false,"scopes_supported":["openid","address","email","microprofile-jwt","offline_access","phone","profile","roles","web-origins"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"code_challenge_methods_supported":["plain","S256"],"tls_client_certificate_bound_access_tokens":true,"introspection_endpoint":"https://ubuntu18.japaneast.cloudapp.azure.com/auth/realms/master/protocol/openid-connect/token/introspect"}
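The discovery document is also the quickest way to verify that the Apache proxy settings (X-forwarded-proto) and the proxy-address-forwarding="true" listener change above actually took effect: Keycloak builds every URL in it from the request it believes it received, so a proxy that drops the forwarded scheme makes the server advertise http:// endpoints to every client that configures itself from this document, and sslRequired=NONE on the realm lets that go unnoticed. The following Python script is an added example, not code from the article or from the Keycloak project. It parses a document of this shape and reports the things a reviewer would want flagged (non-https issuer or endpoints, endpoint origins that differ from the issuer, missing PKCE S256, realm-wide implicit and password grants, "none" signing algorithms). The two sample documents are constructed with an invalid hostname and trimmed to the fields the checks need, and fetch_discovery() is a hypothetical helper for use against a live server.

```python
"""Audit an OpenID Provider Configuration document from Keycloak.

Added example, not part of the original article. The sample documents are
constructed (trimmed to the fields the checks need, with an invalid example
hostname); fetch_discovery() is a hypothetical helper for live use.
"""
import json
import urllib.request
from urllib.parse import urlsplit

# Constructed sample resembling what Keycloak 9 returns once Apache forwards
# X-forwarded-proto and proxy-address-forwarding="true" is set on the listener.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.invalid/auth/realms/master",
    "authorization_endpoint": "https://idp.example.invalid/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.invalid/auth/realms/master/protocol/openid-connect/token",
    "userinfo_endpoint": "https://idp.example.invalid/auth/realms/master/protocol/openid-connect/userinfo",
    "jwks_uri": "https://idp.example.invalid/auth/realms/master/protocol/openid-connect/certs",
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token",
                              "password", "client_credentials"],
    "code_challenge_methods_supported": ["plain", "S256"],
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
    "request_object_signing_alg_values_supported": ["RS256", "none"],
})

# Constructed: the same document when the proxy does not send X-forwarded-proto.
# Keycloak then builds every URL from the plain-HTTP request it actually saw,
# so clients that trust the document are pointed at http:// endpoints.
SAMPLE_BROKEN_PROXY = SAMPLE_DISCOVERY.replace("https://", "http://")


def fetch_discovery(base_url, realm="master", timeout=10):
    """Fetch the live document (hypothetical helper, not exercised offline).

    Keycloak 9 serves it at /auth/realms/<realm>/.well-known/openid-configuration.
    urlopen verifies the TLS certificate, unlike the article's `curl -k`.
    """
    url = f"{base_url.rstrip('/')}/auth/realms/{realm}/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def audit_discovery(doc_text, expected_issuer=None):
    """Return findings as 'ERROR: ...' / 'INFO: ...' strings (empty list = clean)."""
    doc = json.loads(doc_text)
    findings = []
    issuer = doc.get("issuer", "")
    iss = urlsplit(issuer)

    # ERRORs: anything that downgrades the deployment to plaintext or leaks an
    # address other than the issuer's into what every client is configured from.
    if iss.scheme != "https":
        findings.append(f"ERROR: issuer is not https: {issuer}")
    if expected_issuer and issuer != expected_issuer:
        findings.append(f"ERROR: issuer {issuer!r} differs from expected {expected_issuer!r}")
    for key, value in doc.items():
        if not (key.endswith("_endpoint") or key == "jwks_uri"):
            continue
        ep = urlsplit(value)
        if ep.scheme != "https":
            findings.append(f"ERROR: {key} is not https: {value}")
        elif (ep.scheme, ep.netloc) != (iss.scheme, iss.netloc):
            findings.append(f"ERROR: {key} origin {ep.netloc} differs from issuer origin {iss.netloc}")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        findings.append("ERROR: PKCE method S256 is not advertised")

    # INFOs: realm-wide defaults worth reviewing per client rather than outright faults.
    grants = doc.get("grant_types_supported", [])
    for grant in ("implicit", "password"):
        if grant in grants:
            findings.append(f"INFO: {grant} grant is enabled realm-wide; disable it on clients that do not need it")
    for key in ("id_token_signing_alg_values_supported", "request_object_signing_alg_values_supported"):
        if "none" in doc.get(key, []):
            findings.append(f"INFO: {key} lists 'none'; unsigned values are accepted, review whether that is intended")
    return findings


def summarize(doc_text, expected_issuer=None):
    """Split the findings into (errors, infos) for a quick pass/fail decision."""
    findings = audit_discovery(doc_text, expected_issuer)
    return ([f for f in findings if f.startswith("ERROR:")],
            [f for f in findings if f.startswith("INFO:")])


if __name__ == "__main__":
    for label, text in (("good proxy", SAMPLE_DISCOVERY), ("broken proxy", SAMPLE_BROKEN_PROXY)):
        errors, infos = summarize(text)
        print(f"{label}: {len(errors)} error(s), {len(infos)} info(s)")
        for line in errors + infos:
            print("  " + line)
```

Against a live server you would pass the text from fetch_discovery("https://your-host") and the issuer you expect clients to pin, so that a regression in the proxy configuration (or a realm whose frontend URL was changed) is caught before any client is built from the document. Note that the audit only reads the published metadata; it does not change the realm, and it does not replace setting sslRequired back to a stricter value once TLS is in front of the server.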

# Next

OAuth Made Easy: Client Credentials Grant
https://qiita.com/namikitakeo/items/0c283b2e5da55670c542
