The OIDC (OpenID Connect) protocol is a standard identity authentication protocol built on top of OAuth 2.0; search Baidu for the details.
Keycloak client access types and the grant types they map to
If the client access type is "confidential" or "bearer-only", client credentials must be configured.
Configuration Endpoint
This is the most important endpoint in Keycloak: it lists the endpoints and other configuration options related to Keycloak's OpenID Connect implementation.
Endpoint URL; when calling it, substitute the actual realm name for {realm-name}:
http://ip:port/auth/realms/{realm-name}/.well-known/openid-configuration
Example:
http://localhost:8080/auth/realms/master/.well-known/openid-configuration
Response body (I wanted to paste this as a code block, but saving was blocked by a sensitive-word warning, so please bear with the plain text):
{
"issuer": "http://localhost:8080/auth/realms/qiaohaoba_test",
"authorization_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/auth",
"token_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/token",
"introspection_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/userinfo",
"end_session_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/logout",
"jwks_uri": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/certs",
"check_session_iframe": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/login-status-iframe.html",
"grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials", "urn:ietf:params:oauth:grant-type:device_code", "urn:openid:params:grant-type:ciba"],
"response_types_supported": ["code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"],
"subject_types_supported": ["public", "pairwise"],
"id_token_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512"],
"id_token_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "RSA1_5"],
"id_token_encryption_enc_values_supported": ["A256GCM", "A192GCM", "A128GCM", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512"],
"userinfo_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512", "none"],
"request_object_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512", "none"],
"response_modes_supported": ["query", "fragment", "form_post"],
"registration_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/clients-registrations/openid-connect",
"token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt"],
"token_endpoint_auth_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512"],
"introspection_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt"],
"introspection_endpoint_auth_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512"],
"claims_supported": ["aud", "sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email", "acr"],
"claim_types_supported": ["normal"],
"claims_parameter_supported": true,
"scopes_supported": ["openid", "web-origins", "profile", "address", "roles", "microprofile-jwt", "email", "phone", "offline_access"],
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"require_request_uri_registration": true,
"code_challenge_methods_supported": ["plain", "S256"],
"tls_client_certificate_bound_access_tokens": true,
"revocation_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/revoke",
"revocation_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt"],
"revocation_endpoint_auth_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512"],
"backchannel_logout_supported": true,
"backchannel_logout_session_supported": true,
"device_authorization_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/auth/device",
"backchannel_token_delivery_modes_supported": ["poll"],
"backchannel_authentication_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/ext/ciba/auth"
}
Authorization Endpoint
The authorization endpoint performs user authentication. Typically the user is redirected to this endpoint and, after authenticating, is redirected back to your own system; this is the standard OAuth 2.0 authorization code flow.
/realms/{realm-name}/protocol/openid-connect/auth
This endpoint is normally used in projects with a separate frontend, where the frontend handles authentication, so it is hard to demonstrate with Postman; instead, here is a rough screenshot of the Keycloak login page.
Example authorization code request:
http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/auth?client_id=XXX&redirect_uri=XXXXX&state=7181d870-bd6a-4080-8829-1e87b1c28520&response_mode=fragment&response_type=code&scope=openid&nonce=ed594de6-b92c-43d4-84a9-65cb9afe2379
Parameter | Meaning |
client_id | Keycloak client ID |
redirect_uri | URL that the authorization server (Keycloak) redirects to after successful authentication |
response_type | Response type; this example uses the OAuth 2.0 authorization code flow (code) |
scope | Requested scope; openid is used here |
response_mode | Response mode (how the result is delivered to redirect_uri) |
state | Unclear |
nonce | Unclear |
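Added example (not from the original post): the authorization request above built from the discovery document, with state and nonce generated per request and the redirect back to the client checked before the code is used. It also adds PKCE (S256), which the discovery document advertises under code_challenge_methods_supported; the discovery excerpt is constructed from the document shown above, and the client id and redirect URI are placeholders.

```python
import base64, hashlib, json, secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed excerpt of the realm's .well-known/openid-configuration document
# (trimmed from the one shown above); normally fetched over HTTPS at startup.
DISCOVERY = json.loads("""{
 "issuer": "http://localhost:8080/auth/realms/qiaohaoba_test",
 "authorization_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/auth",
 "response_modes_supported": ["query", "fragment", "form_post"],
 "code_challenge_methods_supported": ["plain", "S256"]
}""")

def pkce_challenge(verifier):
    """S256 code_challenge = BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_auth_request(discovery, client_id, redirect_uri, response_mode="query"):
    """Return (url, pending) for an authorization code request.
    `pending` holds the per-request state, nonce and code_verifier that the client
    must keep (for example in its server-side session) until the callback arrives."""
    if "S256" not in discovery.get("code_challenge_methods_supported", []):
        raise RuntimeError("realm does not advertise PKCE S256")
    if response_mode not in discovery.get("response_modes_supported", []):
        raise RuntimeError("unsupported response_mode")
    pending = {"state": secrets.token_urlsafe(32),   # binds the callback to this request (CSRF)
               "nonce": secrets.token_urlsafe(32),   # echoed back inside the ID token (replay)
               "code_verifier": secrets.token_urlsafe(64),
               "redirect_uri": redirect_uri}
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": "openid", "response_mode": response_mode,
              "state": pending["state"], "nonce": pending["nonce"],
              "code_challenge": pkce_challenge(pending["code_verifier"]),
              "code_challenge_method": "S256"}
    return discovery["authorization_endpoint"] + "?" + urlencode(params), pending

def parse_callback(callback_url, pending):
    """Check the redirect back from Keycloak and return the authorization code.
    Handles response_mode=query (?code=...) and response_mode=fragment (#code=...)."""
    parts = urlsplit(callback_url)
    qs = parse_qs(parts.query or parts.fragment)
    if qs.get("state", [None])[0] != pending["state"]:
        raise ValueError("state mismatch: response does not belong to our request")
    if "error" in qs:
        raise ValueError("authorization failed: %s" % qs["error"][0])
    if "code" not in qs:
        raise ValueError("no authorization code in response")
    return qs["code"][0]
```

The code returned by parse_callback is then sent to the token endpoint together with pending["code_verifier"] and pending["redirect_uri"].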
Token Endpoint
The token endpoint is used to obtain tokens. A token can be obtained by exchanging an authorization code or by supplying credentials directly, depending on which grant types the realm supports. The token endpoint is also used to obtain a new access token when the current one has expired.
Detailed explanation of the OAuth 2.0 grant types: https://www.ruanyifeng.com/blog/2019/04/oauth-grant-types.html
/realms/{realm-name}/protocol/openid-connect/token
Parameter | Meaning |
grant_type | Grant type; one of five values: "authorization_code", "implicit", "refresh_token", "password", "client_credentials" |
redirect_uri | Redirect URL; authorization code flow only |
code | Authorization code; authorization code flow only |
client_id | Client ID |
client_secret | Client secret, configured in Keycloak; may be omitted if none is configured, but it is mandatory for the client credentials flow |
username | Username; resource owner password credentials flow only |
password | Password; resource owner password credentials flow only |
refresh_token | Refresh token, used to obtain a fresh token before the current one expires; refresh_token grant only |
1. Obtaining an access token with the authorization code flow
In the authorization code flow the code is invalidated as soon as it has been exchanged for a token, so a fresh code must be obtained before the flow can be used to obtain a token again.
2. Obtaining an access token with the implicit flow
3. Obtaining an access token with the client credentials flow
This flow requires the client access type to be "confidential" and the "Service Accounts Enabled" option to be turned on.
Postman request example
4. Obtaining an access token with the resource owner password credentials flow
This flow requires the "Direct Access Grants Enabled" option to be turned on.
Postman request example
5. Refreshing the access token
On each refresh, the refresh_token parameter takes the refresh_token value returned by the previous call to this endpoint; a refresh token becomes invalid once it has been used.
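Added example, not from the original post and not Keycloak's own client: a small client for the token endpoint covering the authorization code, client credentials, password and refresh grants in the table above. The client id, secret, code and redirect URI are placeholders; the secret is sent as client_secret_basic (one of the token_endpoint_auth_methods_supported values in the discovery document) rather than in the form body, and the HTTP transport is injectable so the request construction can be checked offline.

```python
import base64, json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

def http_post_form(url, body, headers):
    """Default transport: POST the form body and return the decoded JSON reply."""
    req = Request(url, data=body, headers=headers, method="POST")
    with urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())

class KeycloakTokenClient:
    """Client for the grants in the table above. A confidential client authenticates
    with client_secret_basic (secret in the Authorization header); a public client
    only sends client_id in the body. `post` is injectable so it can be tested offline."""
    def __init__(self, endpoint, client_id, client_secret=None, post=http_post_form):
        self.endpoint, self.client_id = endpoint, client_id
        self.secret, self.post, self.tokens = client_secret, post, {}

    def _request(self, form):
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        if self.secret:
            cred = f"{self.client_id}:{self.secret}".encode()
            headers["Authorization"] = "Basic " + base64.b64encode(cred).decode()
        else:
            form["client_id"] = self.client_id
        self.tokens = self.post(self.endpoint, urlencode(form).encode(), headers)
        return self.tokens

    def exchange_code(self, code, redirect_uri, code_verifier=None):
        """authorization_code grant; the code is single-use and redirect_uri must match /auth."""
        form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
        if code_verifier:
            form["code_verifier"] = code_verifier   # PKCE, if the /auth request carried a challenge
        return self._request(form)

    def client_credentials(self):
        """client_credentials grant; needs a confidential client with Service Accounts Enabled."""
        return self._request({"grant_type": "client_credentials"})

    def password(self, username, password):
        """Resource owner password grant; needs Direct Access Grants Enabled."""
        return self._request({"grant_type": "password", "username": username, "password": password})

    def refresh(self):
        """refresh_token grant; the stored refresh_token is single-use, so the reply replaces it."""
        old = self.tokens.get("refresh_token")
        if not old:
            raise RuntimeError("no refresh_token stored")
        return self._request({"grant_type": "refresh_token", "refresh_token": old})
```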
Userinfo Endpoint
The userinfo endpoint returns details about a user who has already been authenticated; calling it also requires a token.
/realms/{realm-name}/protocol/openid-connect/userinfo
Logout Endpoint
The logout endpoint logs out an authenticated user; after a successful logout the user is redirected to the authorization endpoint (the login page).
/realms/{realm-name}/protocol/openid-connect/logout
Certificate Endpoint
The certificate endpoint returns the realm's enabled public keys, encoded as JSON Web Keys (JWK). Depending on the realm settings, one or more keys may be enabled for verifying tokens.
/realms/{realm-name}/protocol/openid-connect/certs
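Added example (not from the original post and not Keycloak code): verifying a token issued by the realm against the keys returned by the certificate endpoint. The JWKS document is passed in by the caller (normally fetched from jwks_uri and cached); only RS256 is implemented, with RSASSA-PKCS1-v1_5 verification written out in pure Python so the example runs without third-party libraries, and the issuer, audience and nonce values are placeholders. The point is the key selection by kid, pinning the algorithm instead of trusting the token header, and the issuer, audience, expiry and nonce checks.

```python
import base64, hashlib, hmac, json, time

# DER prefix of the SHA-256 DigestInfo (RFC 8017, section 9.2, note 1)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def emsa_pkcs1_v15_sha256(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(jwk, signing_input, signature):
    """RSASSA-PKCS1-v1_5 verification with the public key (n, e) from one JWK entry."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15_sha256(signing_input, k))

def validate_token(token, jwks, issuer, audience, nonce=None, now=None):
    """Return the verified claims or raise ValueError. alg is pinned to RS256, the key is
    chosen by kid from the certs document, then iss, aud, exp/nbf and nonce are checked."""
    h64, p64, s64 = token.split(".")          # ValueError if not three segments
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":          # never let the token choose the algorithm
        raise ValueError("unsupported alg %r" % header.get("alg"))
    keys = [k for k in jwks["keys"] if k.get("kid") == header.get("kid")
            and k.get("kty") == "RSA" and k.get("use", "sig") == "sig"]
    if len(keys) != 1:
        raise ValueError("no unique signing key for kid")
    if not rs256_verify(keys[0], (h64 + "." + p64).encode(), b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):
        raise ValueError("token expired or not yet valid")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims
```

Local verification like this cannot see revocations; the introspection endpoint described below is the way to ask Keycloak whether a token is still active.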
Introspection Endpoint
The introspection endpoint retrieves and verifies whether a token is active. It can be used to verify access tokens or refresh tokens, but it can only be used by clients whose access type is "confidential".
/realms/{realm-name}/protocol/openid-connect/token/introspect
Dynamic Client Registration Endpoint
The dynamic client registration endpoint is used to register clients dynamically.
/realms/{realm-name}/clients-registrations/openid-connect
Token Revocation Endpoint
The token revocation endpoint invalidates a token; it supports both refresh tokens and access tokens.
/realms/{realm-name}/protocol/openid-connect/revoke
Device Authorization Endpoint
The device authorization endpoint is used to obtain a device code and a user code. It can only be used by clients whose access type is "confidential".
/realms/{realm-name}/protocol/openid-connect/auth/device
Backchannel Authentication Endpoint
The backchannel authentication endpoint is used to obtain the auth_req_id that identifies an authentication request issued by the client. It can only be used by clients whose access type is "confidential".
/realms/{realm-name}/protocol/openid-connect/ext/ciba/auth