使用Keycloak SSO在2个应用程序之间保持身份验证 [英] Keep authentication between 2 applications with Keycloak SSO
问题描述
我有2个JHipster应用程序在一个子域(app1.domain.tld和app2.domain.tld)上运行.
I have 2 JHipster apps running each on one subdomain (app1.domain.tld & app2.domain.tld).
在两个应用程序中,用户都通过Keycloak登录.顺序是这样的:
In both apps, users login through Keycloak. The sequence is as such :
- Angular应用将带有凭据的/authenticate请求发送到Keycloak
- 在成功响应的情况下,返回认证cookie
- POST请求被发送到生成JSessionID cookie的Jhipster后端应用
- 然后,将JSessionID用于对备份应用程序的每个请求.
如果用户已经登录到域(* .domain.tld)的应用程序之一,则自动登录用户(不询问用户名和密码)的最佳方法是什么?
What would be the best way to automatically login user (without asking username & password) if they are already logged in one of the apps of the domain (*.domain.tld) ?
在了解JSessionID仅适用于在其上生成的应用程序之前,我曾尝试将JSessionID用作全局令牌.
I tried to use the JSessionID as a global token before understanding it only works on the app it was generated on...
也许捕获Keycloak身份验证cookie(在步骤2中返回)并在第二个应用程序上进行身份验证会成功吗?
Maybe catching Keycloak authentication cookie (returned at step 2) and authenticating on second application would do the trick ?
根据我在测试中看到的内容,在第一个应用程序上进行身份验证后,当我转到第二个应用程序时,Angular 401 HTTP拦截器将使用会话令牌重定向到keycloak登录页面.因此,那时Keycloak应该看到我已经登录,并且应该将我重定向到第二个应用程序的主页.
From what I saw while testing, after being authenticated on first app, when I go to the second one, Angular 401 HTTP interceptor redirects to keycloak login page with a session token. Thus at that time Keycloak should see that I'm already logged in and should redirect me to home page of my second app.
我对吗?
推荐答案
从 keycloak文档中:
会话状态iframe
默认情况下,JavaScript适配器会创建一个隐藏的iframe,该iframe用于检测是否已发生Single Sign-Out.这不需要任何网络流量,而是通过查看特殊的状态cookie来检索状态.可以通过在传递给init方法的选项中设置checkLoginIframe:false来禁用此功能.您不应直接查看此cookie.它的格式可以更改,并且还与Keycloak服务器(而不是您的应用程序)的URL相关联.
By default, the JavaScript adapter creates a hidden iframe that is used to detect if a Single-Sign Out has occurred. This does not require any network traffic, instead the status is retrieved by looking at a special status cookie. This feature can be disabled by setting checkLoginIframe: false in the options passed to the init method.You should not rely on looking at this cookie directly. Its format can change and it’s also associated with the URL of the Keycloak server, not your application.
init函数的成功回调具有一个提供用户身份验证状态的参数.
The success callback of init function has a parameter that gives the authentication status of the user.
<script src="keycloak.js"></script>
<script>
var keycloak = Keycloak();
keycloak.init().success(function(authenticated) {
alert(authenticated ? 'authenticated' : 'not authenticated');
}).error(function() {
alert('failed to initialize');
});
</script>
如果用户通过了身份验证,则将用户重定向到登录页面,因为用户已经通过了身份验证,因此无需再次输入登录凭据.如果适配器使用onload选项check-sso
If the user is authenticated redirect the user to the login page, since the user is already authenticated there is no need to input the login credentials again. The adapter can handle this automatically if it's initialized with the onload option check-sso
有关javascript适配器内部工作原理的更多详细信息,请参见
For more details on the inner workings of the javascript adapter, the source can be found here
这篇关于使用Keycloak SSO在2个应用程序之间保持身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
