概述
Casdoor is a UI-first Identity Access Management (IAM) / Single-Sign-On (SSO) platform based on OAuth 2.0, OIDC, SAML, and CAS.
Casdoor serves both the web UI and the login requests from application users.
Casdoor features
Casdoor follows a front-end and back-end separate architecture, developed by Golang. It supports high concurrency, provides a web-based UI for management, and supports localization in 10+ languages.
Casdoor supports third-party application login, such as GitHub, Google, QQ, and WeChat, and it supports extending third-party login with plugins.
Casdoor supports authorization management based on Casbin. It supports ACL, RBAC, ABAC, and RESTful access control models.
Casdoor provides phone verification code, email verification code, and password retrieval functions.
Casdoor supports auditing and recording of accessing logs.
Casdoor integrates with Alibaba Cloud, Tencent Cloud, and Qiniu Cloud image CDN cloud storage.
Casdoor allows customization of registration, login, and password retrieval pages.
Casdoor supports integration with existing systems by database synchronization, enabling smooth transition to Casdoor.
Casdoor supports mainstream databases such as MySQL, PostgreSQL, and SQL Server, and it supports the extension of new databases with plugins.
How it works
步骤0 (前置知识)
- Casdoor follows the authorization process built upon the OAuth 2.0 protocol. It is highly recommended to have a brief understanding of how OAuth 2.0 works. You can refer to this introduction to OAuth 2.0.
步骤 1 (授权请求)
Your Application (which could be a website or any other application) should compose a URL in the following format: endpoint/login/oauth/authorize?client_id=xxx&response_type=code&redirect_uri=xxx&scope=read&state=xxx. Replace endpoint with your Casdoor's host URL and xxx with your own information.
对于 xxx 的部分需要写上什么?
For
client_id: you can find this under each individual ApplicationFor
redirect_uri: you should set this to your own Application's callback URL. Casdoor will use this information to send the response back after authorization.For
state: you should fill this out with your Application name.
The Application will prompt the user: "Hey, I need some resources and I need your permission to access these resources. Can you go to this URL and enter your username and password for me?"
With the correctly composed URL, your Application will make the user launch a request to this URL, and the Authorization Request is completed.
步骤 2(授权认证)
This step is straightforward: the user is redirected to the URL composed in Step 1, and the user will see the login page from Casdoor. By entering the correct username and credentials into the login page, Casdoor now knows the identity of the user and is about to send two pieces of information back to the callback URL set in Step 1: code and state.
用户打开网址并向Casdoor提供凭据。 Casdoor will say: "Looking good ~ this is the user who is authorizing the Application to get the code and state. I know this user in my database, and I will send the code and state back to the Application using the callback URL (redirect_uri)"
With these two pieces of information sent back to your Application, the authorization is granted to the app, and the Authorization Grant is completed.
Casdoor also provides third-party logins. In this case, instead of seeing the credential entry page, you will see a list of third-party providers. You can log in to your app using these providers, with Casdoor acting as a middle layer (middleware).
步骤 3(授权认证)
In this step, your Application already has the code from Step 2, and it will speak to Casdoor: "Hey, the user agreed to give me the code. Can you verify this code and give me the access_token?"
步骤 4(访问令牌)
Casdoor responds to your Application: "You know what, this code seems legit. You must be the right Application. Here's the access_token for you." With this code, Casdoor confirms that it is an authorized Application (authorized by the correct user in Step 2) trying to obtain the access_token (which will be used later to access more resources).
步骤 5(访问令牌)
In this step, your Application says: "Nice! I just got the fresh-and-tasty access_token. Now I can use it to access something more valuable from the Resource Server!"
Your Application then turns to the Resource Server and says: "Hey buddy, can you check out this access_token? I received it from Casdoor. Do you want to verify if this is the correct token you issued to Casdoor?"
步骤 6 (受保护资源)
The Resource Server responds to your Application: "Not bad. It seems just like the one I issued to Casdoor, and Casdoor says whoever holds this access_token can access these Protected Resources. So go ahead and take it!"
And that's basically how Casdoor works with your Application.
Casdoor can act as both an Authorization Server and a Resource Server. In other words, Casdoor authorizes your Application to access resources, usually the currently logged-in user's information, from Casdoor's database.
在线演示
Casdoor
这里是一个由Casbin部署的在线演示。
全局管理员登录:
- 用户名:
admin - 密码:
123
Casbin-OA
Casbin-OA is one of the Casbin web apps. It uses Casdoor for authentication.
- Casbin-OA
- Source code: https://github.com/casbin/casbin-oa
Casnode
Casnode is the official forum developed by the Casbin community.
It uses Casdoor as the authentication platform and manages members.
- Casnode
- Source code: https://github.com/casbin/casnode
结构
Casdoor consists of two parts:
| 名称 | 描述 | 语言 | 源代码 |
|---|---|---|---|
| 前端 | Casdoor的前端Web界面 | JavaScript + React | https://github.com/casdoor/casdoor/tree/master/web |
| 后端 | Casdoor后端RESTful API | Golang + Beego + SQL | https://github.com/casdoor/casdoor |