From dcd2c3ea655e6f621a92b651e745ba055099f89c Mon Sep 17 00:00:00 2001 From: kevin Date: Mon, 15 Jun 2026 16:25:00 +0900 Subject: [PATCH] =?UTF-8?q?Update=20[=EC=9A=94=EC=B2=AD=EA=B3=BC=EC=97=851?= =?UTF-8?q?][=EC=82=B0=EC=B6=9C=EB=AC=BC05]=20Baron-SSO=20=EC=95=84?= =?UTF-8?q?=ED=82=A4=ED=85=8D=EC=B3=90=20=EB=A6=AC=EB=B7=B0.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ...ญ๊ณผ์—…1][์‚ฐ์ถœ๋ฌผ05] Baron-SSO ์•„ํ‚คํ…์ณ ๋ฆฌ๋ทฐ.md | 664 +++++++++++++++++- 1 file changed, 656 insertions(+), 8 deletions(-) diff --git a/[์š”์ฒญ๊ณผ์—…1][์‚ฐ์ถœ๋ฌผ05] Baron-SSO ์•„ํ‚คํ…์ณ ๋ฆฌ๋ทฐ.md b/[์š”์ฒญ๊ณผ์—…1][์‚ฐ์ถœ๋ฌผ05] Baron-SSO ์•„ํ‚คํ…์ณ ๋ฆฌ๋ทฐ.md index 07d4c90..e6a95d3 100644 --- a/[์š”์ฒญ๊ณผ์—…1][์‚ฐ์ถœ๋ฌผ05] Baron-SSO ์•„ํ‚คํ…์ณ ๋ฆฌ๋ทฐ.md +++ b/[์š”์ฒญ๊ณผ์—…1][์‚ฐ์ถœ๋ฌผ05] Baron-SSO ์•„ํ‚คํ…์ณ ๋ฆฌ๋ทฐ.md @@ -1,18 +1,423 @@ +# Baron SSO Architecture Review + +## ๋ฌธ์„œ ๋ชฉ์  + +๋ณธ ๋ฌธ์„œ๋Š” Baron SSO ์‹œ์Šคํ…œ์˜ ์ „์ฒด ์•„ํ‚คํ…์ฒ˜๋ฅผ ์ดํ•ดํ•˜๊ณ , ํŒ€ ์•„ํ‚คํ…์ฒ˜ ๋ฆฌ๋ทฐ ์‹œ ์„ค๋ช…ํ•  ์ˆ˜ ์žˆ๋„๋ก ์ž‘์„ฑํ•œ ๋ถ„์„ ๋ฌธ์„œ์ด๋‹ค. +--- + +# 0. ์ž‘์—… ๊ฐœ์š” + +| ํ•ญ๋ชฉ | ๋‚ด์šฉ | +|-----|-----| +| ์ž‘์—…๋ช… | ์š”์ฒญ๊ณผ์—…1 - Baron-SSO Architecture Review | +| ์ž‘์—…์ผ | 2026-06-15 | +| ์‹œ์ž‘ | 09:30 | +| ์ข…๋ฃŒ | 16:00 | +| ํœด๊ฒŒ์‹œ๊ฐ„ | 12:00 \~ 13:00 | +| ์ด ์ž‘์—…์‹œ๊ฐ„ | ์•ฝ6์‹œ๊ฐ„ 30๋ถ„ | +| ์ž‘์—…์ž | ๋ฌธํ˜•์„ ์ฑ…์ž„์—ฐ๊ตฌ์› | + +--- + +# 1. ์‹œ์Šคํ…œ ๊ฐœ์š” + +Baron SSO๋Š” ๊ทธ๋ฃน์‚ฌ ๋ฐ ์‚ฌ๋‚ด ์‹œ์Šคํ…œ์˜ ์ธ์ฆ(Authentication)๊ณผ ์ธ๊ฐ€(Authorization)๋ฅผ ํ†ตํ•ฉ ๊ด€๋ฆฌํ•˜๊ธฐ ์œ„ํ•œ IAM(Identity & Access Management) ํ”Œ๋žซํผ์ด๋‹ค. + +์ฃผ์š” ๋ชฉ์  + +* ํ†ตํ•ฉ ๋กœ๊ทธ์ธ(SSO) +* OAuth2 / OIDC ์ œ๊ณต +* ์‚ฌ์šฉ์ž ์ธ์ฆ +* ๊ถŒํ•œ ๊ด€๋ฆฌ +* ์กฐ์ง ๊ด€๋ฆฌ +* ๊ฐœ๋ฐœ์ž ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜ ์—ฐ๋™ ์ง€์› + +--- + +# 2. ์ „์ฒด ์•„ํ‚คํ…์ฒ˜ + +```mermaid +flowchart TD + + User[์‚ฌ์šฉ์ž] + + Gateway[Gateway] + + UF[UserFront] + AF[AdminFront] + DF[DevFront] + OF[OrgFront] + + Backend[Backend
Go + Fiber] + + Kratos[Kratos] + Hydra[Hydra] + Keto[Keto] + Oathkeeper[Oathkeeper] + + PG[(PostgreSQL)] + Redis[(Redis)] + CH[(ClickHouse)] + + User --> Gateway + + Gateway --> UF + Gateway --> AF + Gateway --> DF + Gateway --> OF + + UF --> Backend + AF --> Backend + DF --> Backend + OF --> Backend + + Backend --> Kratos + Backend --> Hydra + Backend --> Keto + Backend --> Oathkeeper + + Backend --> PG + Backend --> Redis + + Oathkeeper --> Hydra + Oathkeeper --> Keto + + Backend --> CH +``` + +--- + +# 3. ์ƒ์œ„ ์ปดํฌ๋„ŒํŠธ ์—ญํ•  + +## Gateway + +์—ญํ•  + +* ๋ชจ๋“  ์™ธ๋ถ€ ์š”์ฒญ ์ง„์ž…์  +* Reverse Proxy +* URL Routing + +์˜ˆ์‹œ + +```text +/ โ†’ UserFront +/api/* โ†’ Backend +/auth/* โ†’ Kratos +/oidc/* โ†’ Hydra +``` + +--- + +## Frontend + +### UserFront + +์ผ๋ฐ˜ ์‚ฌ์šฉ์ž์šฉ + +๊ธฐ๋Šฅ + +* ๋กœ๊ทธ์ธ +* ํšŒ์›๊ฐ€์ž… +* ๋น„๋ฐ€๋ฒˆํ˜ธ ์ฐพ๊ธฐ +* QR ๋กœ๊ทธ์ธ +* ๋‚ด ์ •๋ณด + +### AdminFront + +์‹œ์Šคํ…œ ๊ด€๋ฆฌ์ž์šฉ + +๊ธฐ๋Šฅ + +* ์‚ฌ์šฉ์ž ๊ด€๋ฆฌ +* ๊ถŒํ•œ ๊ด€๋ฆฌ +* ์‹œ์Šคํ…œ ๊ด€๋ฆฌ + +### DevFront + +๊ฐœ๋ฐœ์ž ํฌํ„ธ + +๊ธฐ๋Šฅ + +* OAuth Client ๋“ฑ๋ก +* OIDC ์„ค์ • +* API ์—ฐ๋™ + +### OrgFront + +์กฐ์ง๋„ ๊ด€๋ฆฌ ํฌํ„ธ + +๋Œ€์ƒ + +* ํšŒ์‚ฌ ๋‚ด๋ถ€ ์‚ฌ์šฉ์ž + +๊ธฐ๋Šฅ + +* ์กฐ์ง๋„ ๊ด€๋ฆฌ +* ๋ถ€์„œ ๊ด€๋ฆฌ +* ์กฐ์ง ๊ตฌ์„ฑ์› ๊ด€๋ฆฌ + +์™ธ๋ถ€ ์‚ฌ์šฉ์ž๋Š” ์‚ฌ์šฉํ•˜์ง€ ์•Š๋Š” ๊ฒƒ์œผ๋กœ ํŒ๋‹จ + +--- + +# 4. Backend ๊ตฌ์กฐ + +Backend๋Š” Go ๊ธฐ๋ฐ˜ Layered Architecture ๊ตฌ์กฐ + +```mermaid +flowchart TD + + Handler[Handler] + + Service[Service] + + Repository[Repository] + + DB[(Database)] + + Handler --> Service + Service --> Repository + Repository --> DB +``` + +์„ค๋ช… + +Handler + +* API ์š”์ฒญ ์ˆ˜์‹  + +Service + +* ์—…๋ฌด ๋กœ์ง ์ˆ˜ํ–‰ + +Repository + +* DB ์ ‘๊ทผ + +Database + +* ์‹ค์ œ ๋ฐ์ดํ„ฐ ์ €์žฅ + +--- + +# 5. Ory Stack + +```mermaid +flowchart LR + + Kratos[Kratos
Authentication] + + Hydra[Hydra
OAuth2/OIDC] + + Keto[Keto
Authorization] + + Oathkeeper[Oathkeeper
API Protection] + + Oathkeeper --> Hydra + Oathkeeper --> Keto +``` + +## Kratos + +์ธ์ฆ + +* ๋กœ๊ทธ์ธ +* ํšŒ์›๊ฐ€์ž… +* ์„ธ์…˜ + +## Hydra + +ํ† ํฐ ๋ฐœ๊ธ‰ + +* Access Token +* ID Token + +## Keto + +๊ถŒํ•œ ํŒ๋‹จ + +* ์‚ฌ์šฉ ๊ฐ€๋Šฅ ์—ฌ๋ถ€ ํ™•์ธ + +## Oathkeeper + +๋ฌธ์ง€๊ธฐ + +* ํ† ํฐ ๊ฒ€์‚ฌ +* ๊ถŒํ•œ ๊ฒ€์‚ฌ +--- +# 6. ๋กœ๊ทธ์ธ ์ธ์ฆ ํ๋ฆ„ (Kratos ์ค‘์‹ฌ) +## ๋ชฉ์  +์‚ฌ์šฉ์ž์˜ ์‹ ์›์„ ํ™•์ธํ•˜๊ณ  ๋กœ๊ทธ์ธ ์„ธ์…˜์„ ์ƒ์„ฑํ•œ๋‹ค. +## ๋‹ด๋‹น ์ปดํฌ๋„ŒํŠธ +```text +Kratos +``` +--- +## Mermaid +```mermaid +sequenceDiagram + participant U as ์‚ฌ์šฉ์ž + participant GW as Gateway + participant FE as UserFront + participant BE as Backend + participant KRA as Kratos + participant DB as PostgreSQL + U->>GW: localhost:5000 ์ ‘์† + GW->>FE: ๋กœ๊ทธ์ธ ํ™”๋ฉด ์ œ๊ณต + + FE-->>U: Login Page + + U->>FE: ID / PW ์ž…๋ ฅ + + FE->>GW: ๋กœ๊ทธ์ธ ์š”์ฒญ + + GW->>BE: POST /api/v1/auth/password/login + + BE->>KRA: ์‚ฌ์šฉ์ž ์ธ์ฆ ์š”์ฒญ + + KRA-->>BE: ์ธ์ฆ ์„ฑ๊ณต + + KRA-->>BE: Session ์ƒ์„ฑ + + BE->>DB: ๋กœ๊ทธ์ธ ์ด๋ ฅ ์ €์žฅ + + BE-->>FE: ๋กœ๊ทธ์ธ ์„ฑ๊ณต + + FE-->>U: Dashboard ์ด๋™ +``` + +--- + +## ์ƒ์„ฑ๋˜๋Š” ์ •๋ณด + +Kratos + +```text +Identity + +Session +``` + +์˜ˆ์‹œ + +```json +{ + "identity_id":"user-123", + "session_id":"session-456" +} +``` + +--- + +# 7. 
๋กœ๊ทธ์ธ ํ›„ ํ† ํฐ ๋ฐœ๊ธ‰ ํ๋ฆ„ (Hydra ์ค‘์‹ฌ) + +## ๋ชฉ์  + +์ธ์ฆ๋œ ์‚ฌ์šฉ์ž๋ฅผ SSO ์‚ฌ์šฉ์ž๋กœ ์ „ํ™˜ + +๋‹ค๋ฅธ ์‹œ์Šคํ…œ์—์„œ๋„ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๋Š” Token ๋ฐœ๊ธ‰ + +--- + +## ๋‹ด๋‹น ์ปดํฌ๋„ŒํŠธ + +```text +Hydra +``` + +--- + +## Mermaid + +```mermaid +sequenceDiagram + + participant BE as Backend + participant HYD as Hydra + + BE->>HYD: Token ๋ฐœ๊ธ‰ ์š”์ฒญ + + HYD-->>BE: Access Token + + HYD-->>BE: ID Token + + HYD-->>BE: Refresh Token +``` + +--- + +## ์ƒ์„ฑ๋˜๋Š” ์ •๋ณด + +### Access Token + +```text +API ์ ‘๊ทผ์šฉ +``` + +--- + +### ID Token + +```text +์‚ฌ์šฉ์ž ์ •๋ณด ์ „๋‹ฌ +``` + +--- + +### Refresh Token + +```text +Access Token ์žฌ๋ฐœ๊ธ‰ +``` + +--- + +## ์˜ˆ์‹œ + +```json +{ + "access_token":"eyJhbGciOi...", + "id_token":"eyJhbGciOi...", + "refresh_token":"eyJhbGciOi..." +} +``` + +--- + +# 8. ํ† ํฐ ๋ณด์œ  ์ƒํƒœ ์ ‘๊ทผ ํ๋ฆ„ + +## ์ƒํ™ฉ + +```text +์ด๋ฏธ ๋กœ๊ทธ์ธ ์™„๋ฃŒ + +Session ์กด์žฌ + +๋˜๋Š” + +Access Token ์กด์žฌ +``` + +--- + +## Mermaid + +```mermaid sequenceDiagram participant U as ์‚ฌ์šฉ์ž @@ -24,31 +429,274 @@ sequenceDiagram participant BE as Backend participant DB as PostgreSQL - U->>GW: localhost:5000 ์ ‘์† + U->>GW: ์„œ๋น„์Šค ์ ‘์† - GW->>FE: ํ™”๋ฉด ์š”์ฒญ ์ „๋‹ฌ - FE-->>U: ํ™”๋ฉด ํ‘œ์‹œ + GW->>FE: ํ™”๋ฉด ์ œ๊ณต U->>FE: ๋‚ด ์ •๋ณด ํด๋ฆญ - FE->>GW: GET /api/v1/me
Session Cookie ํฌํ•จ + FE->>GW: GET /api/v1/me GW->>OAT: API ์š”์ฒญ ์ „๋‹ฌ OAT->>HYD: ํ† ํฐ ๊ฒ€์ฆ - HYD-->>OAT: active=true
sub=user-123 + HYD-->>OAT: active=true + HYD-->>OAT: sub=user-123 OAT->>KET: ๊ถŒํ•œ ํ™•์ธ KET-->>OAT: allowed=true - OAT->>BE: ์ธ์ฆ ์™„๋ฃŒ ์š”์ฒญ ์ „๋‹ฌ + OAT->>BE: ์ธ์ฆ ์™„๋ฃŒ ์š”์ฒญ BE->>DB: ์‚ฌ์šฉ์ž ์กฐํšŒ DB-->>BE: ์‚ฌ์šฉ์ž ์ •๋ณด - BE-->>FE: ์‚ฌ์šฉ์ž ์ •๋ณด ๋ฐ˜ํ™˜ + BE-->>FE: ์‘๋‹ต ๋ฐ˜ํ™˜ - FE-->>U: ๋‚ด ์ •๋ณด ํ™”๋ฉด ํ‘œ์‹œ \ No newline at end of file + FE-->>U: ํ™”๋ฉด ํ‘œ์‹œ +``` + +--- + +## ๋‹จ๊ณ„๋ณ„ ์ด๋™ ๋ฐ์ดํ„ฐ + +Frontend โ†’ Gateway + +```http +GET /api/v1/me +``` + +ํฌํ•จ + +```text +Session Cookie + +๋˜๋Š” + +Access Token +``` + +--- + +Hydra ์‘๋‹ต + +```json +{ + "active": true, + "sub":"user-123" +} +``` + +--- + +Keto ์‘๋‹ต + +```json +{ + "allowed": true +} +``` + +--- + +# 9. ํ† ํฐ ์—†๋Š” ์ƒํƒœ ์ ‘๊ทผ ํ๋ฆ„ + +## ์ƒํ™ฉ + +```text +์ตœ์ดˆ ์ ‘์† + +๋กœ๊ทธ์ธ ์•ˆ๋จ + +์„ธ์…˜ ์—†์Œ + +ํ† ํฐ ์—†์Œ +``` + +--- + +## Mermaid + +```mermaid +sequenceDiagram + + participant U as ์‚ฌ์šฉ์ž + participant GW as Gateway + participant FE as Frontend + participant OAT as Oathkeeper + participant BE as Backend + participant KRA as Kratos + participant HYD as Hydra + + U->>GW: ๋ณดํ˜ธ๋œ ํŽ˜์ด์ง€ ์ ‘๊ทผ + + GW->>FE: ํŽ˜์ด์ง€ ์š”์ฒญ + + FE->>OAT: API ์š”์ฒญ + + OAT-->>FE: ์ธ์ฆ ํ•„์š” + + FE-->>U: ๋กœ๊ทธ์ธ ํŽ˜์ด์ง€ ์ด๋™ + + U->>FE: ID/PW ์ž…๋ ฅ + + FE->>BE: ๋กœ๊ทธ์ธ ์š”์ฒญ + + BE->>KRA: ์‚ฌ์šฉ์ž ์ธ์ฆ + + KRA-->>BE: ์ธ์ฆ ์„ฑ๊ณต + + BE->>HYD: Token ๋ฐœ๊ธ‰ ์š”์ฒญ + + HYD-->>BE: Access Token + + BE-->>FE: ๋กœ๊ทธ์ธ ์„ฑ๊ณต + + FE-->>U: Dashboard ์ด๋™ +``` + +--- + +# 10. 
OIDC ์ธ์ฆ ํ๋ฆ„ + +## ๋ชฉ์  + +๋‹ค๋ฅธ ์‹œ์Šคํ…œ์ด Baron SSO๋ฅผ ๋กœ๊ทธ์ธ ์„œ๋ฒ„๋กœ ์‚ฌ์šฉ + +--- + +## Mermaid + +```mermaid +sequenceDiagram + + participant User + participant ClientApp + participant Hydra + participant Kratos + + User->>ClientApp: ์„œ๋น„์Šค ์ ‘์† + + ClientApp->>Hydra: ์ธ์ฆ ์š”์ฒญ + + Hydra->>Kratos: ๋กœ๊ทธ์ธ ํ•„์š” + + Kratos-->>User: ๋กœ๊ทธ์ธ ํ™”๋ฉด + + User->>Kratos: ID/PW ์ž…๋ ฅ + + Kratos-->>Hydra: ์ธ์ฆ ์„ฑ๊ณต + + Hydra-->>ClientApp: ID Token + + Hydra-->>ClientApp: Access Token + + ClientApp-->>User: ๋กœ๊ทธ์ธ ์™„๋ฃŒ +``` + +--- + +# 11. Ory Stack ์—ญํ•  ์ •๋ฆฌ + +```mermaid +flowchart LR + + User[์‚ฌ์šฉ์ž] + + Kratos[Kratos
์ธ์ฆ] + + Hydra[Hydra
ํ† ํฐ] + + Oathkeeper[Oathkeeper
๊ฒ€๋ฌธ์†Œ] + + Keto[Keto
๊ถŒํ•œ] + + Backend[Backend] + + User --> Kratos + Kratos --> Hydra + Hydra --> Oathkeeper + Oathkeeper --> Keto + Keto --> Backend +``` + +--- + +## ํ•œ ์ค„ ์š”์•ฝ + +### Kratos + +```text +๋ˆ„๊ตฌ์ธ๊ฐ€? +``` + +### Hydra + +```text +์ธ์ฆ ์ฆ๋ช…์„œ ๋ฐœ๊ธ‰ +``` + +### Oathkeeper + +```text +ํ† ํฐ ํ™•์ธ +``` + +### Keto + +```text +๊ถŒํ•œ ํ™•์ธ +``` + +### Backend + +```text +์—…๋ฌด ์ฒ˜๋ฆฌ +``` + +--- + +# ํ˜„์žฌ ๊ฒ€์ฆ ์ƒํƒœ + +์™„๋ฃŒ + +```text +WSL ๊ตฌ์ถ• + +Docker ๊ตฌ์ถ• + +Ory Stack ๊ธฐ๋™ + +Backend ๊ธฐ๋™ + +Frontend ๊ธฐ๋™ + +๋กœ๊ทธ์ธ ์„ฑ๊ณต + +๋กœ๊ทธ์•„์›ƒ ์„ฑ๊ณต + +์žฌ๋กœ๊ทธ์ธ ์„ฑ๊ณต + +ํšŒ์›๊ฐ€์ž… ํ™”๋ฉด ์ง„์ž… ์„ฑ๊ณต +``` + +์˜ˆ์ • + +```text +ํšŒ์›๊ฐ€์ž… ์™„๋ฃŒ ํ…Œ์ŠคํŠธ + +๋น„๋ฐ€๋ฒˆํ˜ธ ์ฐพ๊ธฐ ํ…Œ์ŠคํŠธ + +QR ๋กœ๊ทธ์ธ ํ…Œ์ŠคํŠธ + +AdminFront ํ…Œ์ŠคํŠธ + +DevFront ํ…Œ์ŠคํŠธ + +OIDC ์ธ์ฆ ํ…Œ์ŠคํŠธ + +API ํ˜ธ์ถœ ํ…Œ์ŠคํŠธ +```
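Review bot: The Gateway route example in section 3 (`/api/* → Backend`) and the section 2 flowchart (edge `Backend --> Oathkeeper`, no Gateway → Oathkeeper edge) disagree with section 8, where an API call goes `GW->>OAT` and only reaches the Backend after Oathkeeper has checked the token with Hydra and the permission with Keto. Put Oathkeeper in front of the Backend in both places (for example `/api/* → Oathkeeper → Backend` in the route table, and a `Gateway --> Oathkeeper --> Backend` path in the flowchart) so the diagrams agree on where the enforcement point sits. Two gaps in the same hunk are worth closing before the team review: the section 6 sequence ends at Kratos reporting "session created" to the Backend without showing how the session token reaches the browser (set by Kratos via the `/auth/*` route, or set by the Backend on its behalf), and section 7's "Backend requests tokens from Hydra" does not name which OAuth2 grant the Backend uses to obtain the Access, ID and Refresh Tokens for an already-authenticated user; section 10 shows the Hydra → Kratos login flow for external clients, so state whether the Backend follows that same flow or a different one.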
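Review bot: Section 8 says the `GET /api/v1/me` request carries either a Session Cookie or an Access Token, but the sequence only shows Oathkeeper validating a token with Hydra (`active=true`, `sub=user-123`), and section 5 gives Oathkeeper edges to Hydra and Keto only; nothing on the page shows which component validates the session-cookie case or what it returns, so either document that path (the component Oathkeeper consults for a cookie, and its response) or drop the cookie alternative from this flow. Dropping "Session Cookie included" from the `FE->>GW: GET /api/v1/me` line also leaves the diagram silent on the credential while the prose below still lists two; keep one consistent statement. Smaller points in the same hunk: section 9 has `FE->>OAT` calling Oathkeeper directly, bypassing the Gateway every other diagram routes through, and its login yields only an Access Token whereas section 7 yields three tokens; section 11's chain `Kratos --> Hydra --> Oathkeeper --> Keto --> Backend` reads as a request path, whereas section 2 has Oathkeeper calling Hydra and Keto as the gatekeeper in front of the Backend, so label it a role summary. Finally, the status list still has the OIDC authentication test and the API call test under "planned", so the flows in sections 8 to 10 are not yet verified against the running stack; mark those sections as unverified until those tests pass.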