sso

sso 单点登录

1 单点登录时序图

                 +-----------------+  +---------------------+                     +-----------+
                 |~* /static/      |  |= /auth/verification |                     |/          |
                 |= /index_sso.html|  |= /butterfly_401     |                     |           |  Nginx 配置
                 |= /              |  |= /auth/ssologin     |                     |           |
                 +-----------------+  +---------------------+                     +-----------+
                          |                     |                                       |
+----------+      +---------------+    +--------------+        +----------+       +-----------+
|web browse|      |butterfly-admin|    |butterfly-auth|        |cas-server|       |app-backend|  服务
+----------+      +---------------+    +--------------+        +----------+       +-----------+
     |                    |                    |                     |                   |
     +-------route------->|/                   |                     |                   |
     |<-------page--------+/index_sso.html     |                     |                   |
     |                    |                    |                     |                   |
     ====================================================================not  have token
     |                    |                    |                     |                   |
     +--V----------------request api---------------------------------------------------->| 1 客户端请求后端接口返回 401
     |  +-sub request-header not have token--->|(/auth/verification) |                   |
     |<-code=401,targetURL=/auth/ssologin------+                     |                   |
     |                    |                    |                     |                   |
     +--window.location.herf=directurl-------->|(/auth/ssologin)     |                   | 2 客户端设置当前页面的 URL 地址为 /auth/ssologin
     |<----code=302,Location=cas-server--------+                     |                   |
     |                    |                    |                     |                   |
     +-----302 http://cas-server/login  login page ----------------->|(/login)           | 3 客户端根据 butterfly-auth 返回内容重定向到 cas-server
     |<-------------code=302,set Cookie TGT=xxx ---------------------+                   |
     |                    |                    |                     |                   |
     +-----302 /auth/ssologin?ticket=xxx ----->|(/auth/ssologin)     |                   | 4 客户端根据 cas-server 返回内容重定向到 /auth/ssologin
     |                    |                    +-------check st----->|(/session/validate)|
     |                    |                    |<-------st vaild-----+                   |
     |<--code=302 set Cookie butterfly_token---+                     |                   |
     |                    |                    |                     |                   |
     +--302 / ----------->|                    |                     |                   | 5 客户端重新请求首页
     |<-------page--------+/index_sso.html     |                     |                   |
     |                    |                    |                     |                   |
     ======================================================================== have token
     |                    |                    |                     |                   |
     +---V----------------request api--------------------------------------------------->|
     |   +-sub request-header have token------>|(/auth/verification) |                   |
     |<-------------------response-------------------------------------------------------+

2 butterfly-admin 关键点

2.1 nginx auth request

Authentication Based on Subrequest Result（基于子请求结果的认证）

Nginx auth 子请求是通过 HTTP GET 方法发送的，即使原请求是 POST 请求，auth 子请求也会转为 GET 请求，GET 请求没有 body , body 被丢弃。

nginx 配置

# 认证接口
location = /auth/verification {
    internal;
    proxy_pass http://127.0.0.1:8001;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    # 真实的请求路径
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header Host  $host:$server_port;
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header X-Real-PORT $remote_port;
    proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
}


#对 / 所有做负载均衡 + 反向代理
location / {
    auth_request        /auth/verification;
    auth_request_set    $butterfly_location $upstream_http_location;
    auth_request_set    $butterfly_username $upstream_http_username;
    error_page 401    = /butterfly_401;
    proxy_redirect off;
    proxy_set_header  X-Username        $butterfly_username;
    # 后端的 Web 服务器可以通过 X-Forwarded-For 获取用户真实 IP
    proxy_set_header Host  $host:$server_port;
    proxy_set_header  X-Real-IP  $remote_addr;
    proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
    proxy_pass        http://backend;
}

location  = /butterfly_401 {
    internal;
    default_type application/json;
    if ($butterfly_location) {
        return 401 '{"success":false,"message":"You are not authorized","data":{"Target_url":"$butterfly_location"}}';
    }
}

2.2 amis 全局适配器

// 全局请求适配器。参考：官网 -> 快速开始 -> 控制 amis 的行为
requestAdaptor(api) {
    api.headers["Authorization"] = "Bearer: " + Cookies.get('butterfly_token');
    //console.log("全局请求适配器", api);
    return api;
},
// 全局响应适配器。参考：官网 -> 快速开始 -> 控制 amis 的行为
responseAdaptor(api, payload, query, request, response) {
    //console.log("全局响应适配器", response);
    if (response.status == 401) {
        window.location.href = "/auth/ssologin";
        return {
        status: 401,
        msg: "请登录"
    }
  }
  return payload;
},

2.3 Token 存储方式

单点登录时，需要跳转到 butterfly-admin 单页之外进行登录，则无法使用拦截器进行拦截，故而需要使用 Cookie

浏览器获取 Cookie 方式:
F12，Console，在命令框内输入：document.cookie，显示返回

2.4 username 传递

作用：后端服务可以获取到 username 用来鉴权及审计等操作

/xingqiao/ 前缀转发到 butterfly_xingqiao

    location ^~ /xingqiao/ {
        auth_request        /auth/verification;
        auth_request_set    $butterfly_location $upstream_http_location;
        auth_request_set    $butterfly_username $upstream_http_username;
        error_page 401    = /butterfly_401;
        proxy_redirect off;
        proxy_set_header  X-Username        $butterfly_username;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_pass        http://butterfly_xingqiao;
    }

/auth/verification 认证完成后，返回("username", "meetbill") header

auth_request 返回的 username 头默认不会自动传递给 backend

Nginx 默认只会转发客户端请求的 headers，而 auth_request 的响应头（如 username）需要手动提取并传递给后端。
需要通过 auth_request_set 提取该值，然后使用 proxy_set_header 显式传递给 backend。

后端(butterfly_xingqiao) 就可以看到 ("HTTP_X_USERNAME", "meetbill") 的 header。

Previousamis Nextpangu

Last updated 1 month ago

hashtag1 单点登录时序图

hashtag2 butterfly-admin 关键点

hashtag2.1 nginx auth request

hashtag2.2 amis 全局适配器

hashtag2.3 Token 存储方式

hashtag2.4 username 传递