CN112685726A - Single-point authentication method based on KEYCLOAK - Google Patents


Info

Publication number
CN112685726A
CN112685726A
Authority
CN
China
Prior art keywords
user
authentication
foreground
authentication identifier
application
Prior art date
Legal status
Pending
Application number
CN202110073095.XA
Other languages
Chinese (zh)
Inventor
曹博
徐伟涛
吴楠
高翔宇
Current Assignee
Inspur Cloud Information Technology Co Ltd
Original Assignee
Inspur Cloud Information Technology Co Ltd
Priority date
2021-01-20
Filing date
2021-01-20
Publication date
2021-04-20
Application filed by Inspur Cloud Information Technology Co Ltd
Priority to CN202110073095.XA
Publication of CN112685726A
Legal status: Pending

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a single sign-on (SSO) authentication method based on Keycloak. Before accessing an application, the user first completes single sign-on login over the HTTP protocol with an access cookie and obtains a unique authentication identifier (token) for that user; when the front end sends an HTTP request to the back end, it carries the token in a request header; the back end checks the token, and single sign-on authentication is achieved. The invention realises the interaction between front end and back end: the user logs in at the front end and the front end stores the login information, so the back end only has to receive the data sent by the front end and verify the authentication information carried by the request in order to know whether the user is validly logged in. At the same time, all of the user's information can be obtained from the system, which provides a very convenient way to handle front-end/back-end authentication: the user information is stored by a third-party application (Keycloak) and the back end only has to decide whether the user is logged in, so that single sign-on and authentication of the user are realised completely and securely.

Description

Single-point authentication method based on KEYCLOAK
Technical Field
The invention relates to the technical field of software applications, and in particular provides a Keycloak-based single sign-on authentication method.
Background
At present many applications implement a login function. Most of the techniques used to implement login intercept, on the back end, the address the user accesses, then check whether the user's request is registered (has a session) on the back end; if it is not, the request is intercepted and the user is redirected to a login page. After the user logs in, the back end performs this interception check on every request, and single sign-on is achieved in that way. However, many current application products separate the front end from the back end, and each product has its own framework, so it is no longer possible to intercept every access request one by one on the back end and decide whether login is required. Deciding at the front end whether the user is logged in, and passing the login information along when interacting with the back end, therefore becomes a new mode of user login and request authentication.
Disclosure of Invention
A traditional system (for example a file transfer system, where a client uploads a file and the back end stores it) has an obvious characteristic: the framework used by the back end does not separate front end from back end, so all requests and all page rendering are handled by the back end, which can return every page to the user and intercept every request. The frameworks in use today, such as Regular, Vue and Spring Boot, separate the front end from the back end. The back end cannot handle every page the user accesses, and therefore cannot know by itself whether a user is logged in or whether that login is still valid; this can only be achieved by the front end passing the user's information to the back end.
To solve the above problem, the present invention provides a single sign-on authentication method based on Keycloak.
To achieve this purpose, the invention provides the following technical scheme:
A single sign-on authentication method based on Keycloak, characterised in that: via the HTTP protocol and an access cookie, the user first performs single sign-on login before accessing an application and obtains a user-unique authentication identifier (token);
when sending an HTTP request to the back end, the front end carries the authentication identifier in a request header (header);
the back end checks the authentication identifier, thereby realising single sign-on authentication.
The method is realised by deploying a Keycloak application and comprises the following:
all user information is stored and managed centrally by the Keycloak application; whether a user is logged in is determined by obtaining a code and an authentication identifier (token); and the user's login state is determined by adding the authentication identifier (token) to a request header (header) when the front end interacts with the back end.
The Keycloak application provides a user-registration mechanism in the form of a wrapped (encapsulated) interface, through which users can be registered, deleted and modified and user information stored.
The process by which the method obtains the code and the authentication identifier (token) comprises the following steps:
after the user logs in on the Keycloak login page, Keycloak returns the user to the application with a code attached;
the front end calls a Keycloak interface with the code to obtain the authentication identifier (token) and stores the token in a cookie in the browser.
The method determines whether the user is logged in as follows:
the front end checks whether an authentication identifier (token) is present in the browser's cookie.
The process of adding the token to the header comprises the following:
when the front end needs to interact with the back end, it adds the token stored in the browser cookie to the request header (header) of the HTTP request;
after the back end receives the HTTP request, it intercepts the request and checks whether an authentication identifier (token) is present:
if not, it returns a response indicating that the user is not logged in;
if a token is present, it extracts the token and sends it to the Keycloak application for verification:
if the token matches a token held by the Keycloak application, the user's login is determined to be valid;
if the token does not match a token held by the Keycloak application, the user's login is determined to be invalid and the back end returns a response indicating that the login is invalid.
The method further comprises the following:
when a user accesses the front end, the front end intercepts the access and checks whether the user is logged in; if not, it redirects to the login page provided by Keycloak;
after logging in on the Keycloak page, the user is returned to the application with a code attached; the front end calls a Keycloak interface with the code to obtain the authentication identifier (token) and stores the token in a cookie in the browser.
The front end determines whether the user is logged in by checking whether the authentication identifier (token) is present in the cookie.
The method provides single sign-out: in response to the user's logout action, the front end calls the logout interface of the Keycloak application, and logout is completed through the session in the Keycloak application;
after logout, the front end checks again whether the user is logged in and redirects to the login page.
When workstations are authenticated with Kerberos, the workstation identity is verified through Keycloak, and the user does not need to provide a user name and password again after logging on to the workstation.
Keycloak is built on standard protocols: it can use any OpenID Connect relying-party library or SAML 2.0 service-provider library, and supports OpenID Connect, OAuth 2.0 and SAML.
Compared with the prior art, the single sign-on authentication method based on Keycloak has the following outstanding advantages:
the invention realises the interaction between front end and back end: the user logs in at the front end and the front end stores the login information, so the back end only has to receive the data sent by the front end and verify the authentication information carried by the request in order to know whether the user is validly logged in. At the same time, all of the user's information can be obtained from the system, which provides a very convenient way to handle front-end/back-end authentication: the user information is stored by a third-party application (Keycloak) and the back end only has to decide whether the user is logged in, so that single sign-on and authentication of the user are realised completely and securely.
Drawings
FIG. 1 is a schematic diagram of user-information management by deploying a Keycloak application;
FIG. 2 is a flow chart of a user accessing the front end;
FIG. 3 is a diagram of the front-end/back-end interaction flow;
FIG. 4 is a schematic diagram of the user logout flow.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples.
A single sign-on authentication method based on Keycloak is characterised in that, via the HTTP protocol and an access cookie, the user first performs single sign-on login before accessing an application and obtains a user-unique authentication identifier;
when sending an HTTP request to the back end, the front end carries the authentication identifier in a request header;
the back end checks the authentication identifier, thereby realising single sign-on authentication.
Keycloak is open-source software that provides single sign-on (SSO) for web applications and RESTful web APIs; it is an open-source identity and access management solution for modern applications and services, and can protect applications and services with very little code. Users are authenticated by Keycloak rather than by each individual application, so the application does not have to handle login forms, verify user identity or store users.
After logging in to Keycloak, the user can access other applications without logging in again, and the same applies to logout: Keycloak provides single sign-out, meaning the user only has to log out once to be logged out of all applications that use Keycloak. If users authenticate to their workstations with Kerberos (LDAP or Active Directory), they can also be authenticated by Keycloak automatically, without providing the user name and password again after logging on to the workstation. Keycloak can also authenticate users against an existing OpenID Connect or SAML 2.0 identity provider; again, this is only a matter of configuring the identity provider in the administration console. Keycloak has built-in support for connecting to existing LDAP or Active Directory servers, and if users are held in another store (for example a relational database) a custom user storage provider can be implemented. Keycloak client adapters make it very easy to protect applications and services: adapters exist for multiple platforms and programming languages, and because Keycloak is built on standard protocols any OpenID Connect relying-party library or SAML 2.0 service-provider library can be used. Keycloak supports OpenID Connect, OAuth 2.0 and SAML.
As shown in Fig. 1, the method is implemented by deploying a Keycloak application and comprises the following:
all user information is stored and managed centrally by the Keycloak application; whether a user is logged in is determined by obtaining a code and an authentication identifier (token); and the user's login state is determined by adding the authentication identifier (token) to the header when the front end interacts with the back end.
The Keycloak application provides a user-registration mechanism in the form of a wrapped (encapsulated) interface, through which users can be registered, deleted and modified and user information stored.
As shown in Fig. 2, the process by which the method obtains the code and the authentication identifier (token) comprises the following steps:
after the user logs in on the Keycloak login page, Keycloak returns the user to the application with a code attached;
the front end calls a Keycloak interface with the code to obtain the authentication identifier (token) and stores the token in a cookie in the browser.
The method determines whether the user is logged in as follows:
the front end checks whether an authentication identifier (token) is present in the browser's cookie.
As shown in Fig. 3, the process of adding the token to the header comprises the following steps:
when the front end needs to interact with the back end, it adds the token stored in the browser cookie to the header of the HTTP request;
after the back end receives the HTTP request, it intercepts the request and checks whether an authentication identifier (token) is present:
if not, it returns a response indicating that the user is not logged in;
if a token is present, it extracts the token and sends it to the Keycloak application for verification:
if the token matches a token held by the Keycloak application, the user's login is determined to be valid;
if the token does not match a token held by the Keycloak application, the user's login is determined to be invalid and the back end returns a response indicating that the login is invalid.
The method further comprises the following:
when a user accesses the front end, the front end intercepts the access and checks whether the user is logged in; if not, it redirects to the login page provided by Keycloak;
after logging in on the Keycloak page, the user is returned to the application with a code attached; the front end calls a Keycloak interface with the code to obtain the authentication identifier (token) and stores the token in a cookie in the browser.
The front end determines whether the user is logged in by checking whether the authentication identifier (token) is present in the cookie.
As shown in Fig. 4, the method provides single sign-out: when the user clicks the logout button, the front end calls the logout interface of the Keycloak application in response to the user's logout action, and logout is completed through the session in the Keycloak application;
after logout, the front end checks again whether the user is logged in and redirects to the login page.
The above-described embodiments are merely preferred embodiments of the present invention, and general changes and substitutions by those skilled in the art within the technical scope of the present invention are included in the protection scope of the present invention.

Claims (10)

1. A single sign-on authentication method based on Keycloak, characterised in that: via the HTTP protocol and an access cookie, the user first performs single sign-on login before accessing an application and obtains a user-unique authentication identifier;
when sending an HTTP request to the back end, the front end carries the authentication identifier in a request header;
the back end checks the authentication identifier, thereby realising single sign-on authentication.
2. The method of claim 1, wherein the method is implemented by deploying a Keycloak application and comprises the following:
all user information is stored and managed centrally by the Keycloak application; whether a user is logged in is determined by obtaining a code and an authentication identifier; and the user's login state is determined by adding the authentication identifier to a request header when the front end interacts with the back end.
3. The method of claim 2, wherein: the Keycloak application provides a user-registration mechanism in the form of a wrapped interface, through which users can be registered, deleted and modified and user information stored.
4. The method of claim 3, wherein the process of obtaining the code and the authentication identifier comprises the following steps:
after the user logs in on the Keycloak page, Keycloak returns the user to the application with a code attached;
the front end calls a Keycloak interface with the code to obtain the authentication identifier and stores it in a cookie in the browser.
5. The method of claim 1, wherein determining whether the user is logged in comprises the following:
the front end determines whether the user is logged in by checking whether the authentication identifier is present in the browser's cookie.
6. The method of claim 2, wherein the process of adding the token to the header comprises the following steps:
when the front end needs to interact with the back end, it adds the token stored in the browser cookie to the HTTP request header;
after the back end receives the HTTP request, it intercepts the request and checks whether an authentication identifier is present:
if not, it returns a response indicating that the user is not logged in;
if an authentication identifier is present, it extracts the identifier and sends it to the Keycloak application for verification:
if the authentication identifier matches one held by the Keycloak application, the user's login is determined to be valid;
if the authentication identifier does not match one held by the Keycloak application, the user's login is determined to be invalid and the back end returns a response indicating that the login is invalid.
7. The method of claim 2, further comprising:
when a user accesses the front end, the front end intercepts the access and checks whether the user is logged in; if not, it redirects to the login page provided by Keycloak;
after logging in on the Keycloak page, the user is returned to the application with a code attached; the front end calls a Keycloak interface with the code to obtain the authentication identifier and stores it in a cookie in the browser;
the front end determines whether the user is logged in by checking whether the cookie contains the authentication identifier.
8. The method of claim 2, wherein the method provides single sign-out: the front end calls the logout interface of the Keycloak application in response to the user's logout action, and logout is completed through the session in the Keycloak application;
after logout, the front end checks again whether the user is logged in and redirects to the login page.
9. The method of claim 2, wherein, when Kerberos is used to authenticate the workstation, the identity of the workstation is verified through Keycloak.
10. The method of claim 2, wherein Keycloak is built on standard protocols, can use any OpenID Connect relying-party library or SAML 2.0 service-provider library, and supports OpenID Connect, OAuth 2.0 and SAML.
CN202110073095.XA 2021-01-20 2021-01-20 Single-point authentication method based on KEYCLOAK Pending CN112685726A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110073095.XA CN112685726A (en) 2021-01-20 2021-01-20 Single-point authentication method based on KEYCLOAK

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110073095.XA CN112685726A (en) 2021-01-20 2021-01-20 Single-point authentication method based on KEYCLOAK

Publications (1)

Publication Number Publication Date
CN112685726A true CN112685726A (en) 2021-04-20

Family

ID=75458641

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110073095.XA Pending CN112685726A (en) 2021-01-20 2021-01-20 Single-point authentication method based on KEYCLOAK

Country Status (1)

Country Link
CN (1) CN112685726A (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017059400A1 (en) * 2015-10-02 2017-04-06 Veritas Technologies Llc. Single sign-on method for appliance secure shell
CN109450890A (en) * 2018-11-02 2019-03-08 北京京东金融科技控股有限公司 The method and apparatus of single-sign-on
CN109587133A (en) * 2018-11-30 2019-04-05 武汉烽火众智智慧之星科技有限公司 A kind of single-node login system and method
CN110572388A (en) * 2019-09-05 2019-12-13 北京宝兰德软件股份有限公司 method for connecting unified authentication server and unified authentication adapter
CN110958237A (en) * 2019-11-26 2020-04-03 苏州思必驰信息科技有限公司 Authority verification method and device
CN112039873A (en) * 2020-08-28 2020-12-04 浪潮云信息技术股份公司 Method for accessing business system by single sign-on

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张洪朋 (Zhang Hongpeng): "Python Web Development from Beginner to Master" (《Python Web开发从入门到精通》), 30 April 2020 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113472735A (en) * 2021-05-13 2021-10-01 新华三大数据技术有限公司 Big data service single sign-on method, device and storage medium
CN113472735B (en) * 2021-05-13 2023-06-13 新华三大数据技术有限公司 Big data service single sign-on method, device and storage medium
CN113794679A (en) * 2021-08-02 2021-12-14 浪潮软件股份有限公司 Method and system for preventing automatic script number robbing
CN113794679B (en) * 2021-08-02 2023-04-18 浪潮软件股份有限公司 Method and system for preventing automatic script number robbing
CN114338094A (en) * 2021-12-09 2022-04-12 北京五八信息技术有限公司 Method and device for acquiring request header information, electronic equipment and readable medium
CN114760349A (en) * 2022-04-28 2022-07-15 西门子(中国)有限公司 Service access method and device, system, equipment and medium
CN116028915A (en) * 2023-03-29 2023-04-28 江苏智云天工科技有限公司 Single-point authentication method, system and medium for user access

Similar Documents

Publication Publication Date Title
CN109981561B (en) User authentication method for migrating single-body architecture system to micro-service architecture
AU2019384472B2 (en) Dual factor authentication with active directory and one time password token combination
EP3535949B1 (en) Non-intrusive security enforcement for federated single sign-on (sso)
CN112685726A (en) Single-point authentication method based on KEYCLOAK
EP3251324B1 (en) Secure access to cloud-based services
US8782765B2 (en) Techniques for environment single sign on
US5586260A (en) Method and apparatus for authenticating a client to a server in computer systems which support different security mechanisms
CN112995219B (en) Single sign-on method, device, equipment and storage medium
US20030033535A1 (en) Method and system for implementing a common user logon to multiple applications
EP3888322A1 (en) Systems and methods for securely calling apis on an api gateway from applications needing first party authentication
CN112468481B (en) Single-page and multi-page web application identity integrated authentication method based on CAS
CN115021991A (en) Single sign-on for unmanaged mobile devices
US9699169B2 (en) Computer readable storage media for selective proxification of applications and method and systems utilizing same
US20150149530A1 (en) Redirecting Access Requests to an Authorized Server System for a Cloud Service
WO2009145987A2 (en) System, method, and apparatus for single sign-on and managing access to resources across a network
CN1701293A (en) Systems and methods for authenticating a user to a web server
US9059987B1 (en) Methods and systems of using single sign-on for identification for a web server not integrated with an enterprise network
CN111444495B (en) System and method for realizing single sign-on based on container
EP3488589B1 (en) Login proxy for third-party applications
CN109962892A (en) A kind of authentication method and client, server logging in application
CN112039873A (en) Method for accessing business system by single sign-on
CN108683651B (en) Single sign-on method, server and system
CN107395566B (en) Authentication method and device
CN114338078B (en) CS client login method and device
CN113065161A (en) Security control method and device for Redis database

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210420