Introduction to the OIDC Endpoints (URLs) in Keycloak

The OIDC (OpenID Connect) protocol is an identity authentication standard built on top of the OAuth 2.0 protocol; look it up for the details.

Keycloak client access types and the grant types they correspond to

When a client uses the "confidential" or "bearer-only" access type, client credentials must be configured for it.

Configuration Endpoint

This is the most important endpoint in Keycloak: it lists the endpoints and other configuration options related to Keycloak's OpenID Connect implementation.

Endpoint URL; substitute the actual realm name when accessing it:
http://ip:port/auth/realms/{realm-name}/.well-known/openid-configuration

Example:
http://localhost:8080/auth/realms/master/.well-known/openid-configuration

The response body (I wanted to put this in a code block, but saving the post flagged sensitive words; please bear with me).

{
  "issuer": "http://localhost:8080/auth/realms/qiaohaoba_test",
  "authorization_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/auth",
  "token_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/token",
  "introspection_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/userinfo",
  "end_session_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/logout",
  "jwks_uri": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/certs",
  "check_session_iframe": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/login-status-iframe.html",
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials", "urn:ietf:params:oauth:grant-type:device_code", "urn:openid:params:grant-type:ciba"],
  "response_types_supported": ["code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"],
  "subject_types_supported": ["public", "pairwise"],
  "id_token_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512"],
  "id_token_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "RSA1_5"],
  "id_token_encryption_enc_values_supported": ["A256GCM", "A192GCM", "A128GCM", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512"],
  "userinfo_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512", "none"],
  "request_object_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512", "none"],
  "response_modes_supported": ["query", "fragment", "form_post"],
  "registration_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/clients-registrations/openid-connect",
  "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt"],
  "token_endpoint_auth_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512"],
  "introspection_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt"],
  "introspection_endpoint_auth_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512"],
  "claims_supported": ["aud", "sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email", "acr"],
  "claim_types_supported": ["normal"],
  "claims_parameter_supported": true,
  "scopes_supported": ["openid", "web-origins", "profile", "address", "roles", "microprofile-jwt", "email", "phone", "offline_access"],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": true,
  "code_challenge_methods_supported": ["plain", "S256"],
  "tls_client_certificate_bound_access_tokens": true,
  "revocation_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/revoke",
  "revocation_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt"],
  "revocation_endpoint_auth_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512"],
  "backchannel_logout_supported": true,
  "backchannel_logout_session_supported": true,
  "device_authorization_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/auth/device",
  "backchannel_token_delivery_modes_supported": ["poll"],
  "backchannel_authentication_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/ext/ciba/auth"
}

Authorization Endpoint

The authorization endpoint performs user authentication. Typically the user is redirected to this endpoint and, after authenticating, is redirected back to your own system; this is the standard OAuth 2.0 authorization code flow.

/realms/{realm-name}/protocol/openid-connect/auth

This endpoint is normally used in projects with a separate front end and back end, where the front end handles authentication, so it is hard to demonstrate with Postman; here is roughly what the Keycloak login screen looks like.

Authorization code flow request example:
http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/auth?client_id=XXX&redirect_uri=XXXXX&state=7181d870-bd6a-4080-8829-1e87b1c28520&response_mode=fragment&response_type=code&scope=openid&nonce=ed594de6-b92c-43d4-84a9-65cb9afe2379

Parameter        Meaning
client_id        Keycloak client ID
redirect_uri     URL that the authorization server (Keycloak) redirects to after successful authentication
response_type    Response type; this example uses the OAuth 2.0 authorization code flow
scope            Scope; openid is used here
response_mode    Response mode
state            unclear
nonce            unclear
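As an added example (not code from the original post), here is a server-side Python handler for the authorization request shown above: it generates the state and nonce values from the table plus an S256 PKCE code_challenge (one of the code_challenge_methods_supported in the discovery document), and checks the state when Keycloak redirects back. The client ID, redirect URI and realm URL are assumed values; response_mode is set to query rather than fragment so the server-side callback can read the code.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoint (the page's example realm); substitute your own realm name.
AUTH_ENDPOINT = "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/auth"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(code_verifier)), as in RFC 7636."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_auth_request(client_id: str, redirect_uri: str, pending: dict) -> str:
    """Return the URL to redirect the browser to. `pending` stands in for the
    server-side session: it keeps state -> {nonce, verifier} until the callback."""
    state = secrets.token_urlsafe(32)      # ties the callback to this browser session (CSRF check)
    nonce = secrets.token_urlsafe(32)      # must reappear in the ID token's "nonce" claim
    verifier = b64url(secrets.token_bytes(32))
    pending[state] = {"nonce": nonce, "verifier": verifier}
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid",
        "response_mode": "query",          # "query" so the server-side callback can read the code
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)

def handle_callback(callback_url: str, pending: dict) -> tuple:
    """Validate the redirect back from Keycloak; returns (code, code_verifier, nonce)."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    entry = pending.pop(state, None)       # single use: a replayed or forged callback finds nothing
    if entry is None:
        raise ValueError("unknown or already-used state; rejecting callback")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0], entry["verifier"], entry["nonce"]
```

The returned code and code_verifier go to the token endpoint, and the nonce is compared against the "nonce" claim of the ID token that comes back.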

Access Token Endpoint (Token Endpoint)

The token endpoint is used to obtain tokens. Tokens can be obtained by exchanging an authorization code or by supplying credentials directly, depending on which grant types the realm supports. The token endpoint is also used to obtain a new access token when the current one expires.

OAuth 2.0 grant types explained: https://www.ruanyifeng.com/blog/2019/04/oauth-grant-types.html

/realms/{realm-name}/protocol/openid-connect/token

Parameter        Meaning
grant_type       Grant type, one of five values: "authorization_code", "implicit", "refresh_token", "password", "client_credentials"
redirect_uri     Redirect URL; authorization code flow only
code             Authorization code; authorization code flow only
client_id        Client ID
client_secret    Client secret, configured in Keycloak; may be omitted if none is set; always required for the client credentials grant
username         Username; resource owner password credentials (password) grant only
password         Password; resource owner password credentials (password) grant only
refresh_token    Refresh token, used to obtain a fresh token before the current one expires; refresh token grant only

1. Obtaining an access token with the authorization code grant

With the authorization code grant, the code is invalidated each time it is exchanged for a token; a new code must be obtained before tokens can be requested through the authorization code grant again.

2. Obtaining an access token with the implicit grant

 

3. Obtaining an access token with the client credentials grant

This grant requires the client's access type to be "confidential" and the "Service Accounts Enabled" option to be turned on.

Postman request example for this endpoint


4. Obtaining an access token with the resource owner password credentials (password) grant

This grant requires the "Direct Access Grants Enabled" option to be turned on.

Postman request example for this endpoint

5. Refreshing an access token

Each refresh uses the refresh_token value returned by the previous call to this endpoint; a refresh token is invalidated after one use.

Userinfo Endpoint

The userinfo endpoint returns the details of a user who has already been authenticated; calling it also requires a token.

/realms/{realm-name}/protocol/openid-connect/userinfo

Logout Endpoint

The logout endpoint signs out an authenticated user; after a successful logout the user is redirected to the authorization endpoint (the login page).

/realms/{realm-name}/protocol/openid-connect/logout

Certificate Endpoint

The certificate endpoint returns the public keys enabled for the realm, encoded as JSON Web Keys (JWK). Depending on the realm settings, one or more keys may be enabled for verifying tokens.

/realms/{realm-name}/protocol/openid-connect/certs

Token Introspection Endpoint

The introspection endpoint retrieves and validates the active state of a token. It can be used to validate access tokens or refresh tokens, but only by clients whose access type is "confidential".

/realms/{realm-name}/protocol/openid-connect/token/introspect

Dynamic Client Registration Endpoint

The dynamic client registration endpoint is used to register clients dynamically.

/realms/{realm-name}/clients-registrations/openid-connect

Token Revocation Endpoint

The token revocation endpoint is used to revoke tokens; it supports both refresh tokens and access tokens.

/realms/{realm-name}/protocol/openid-connect/revoke
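As an added example (not code from the original post), a small Python client for the token endpoint, the introspection endpoint and the revocation endpoint described above: it requests tokens with any grant type from the table, rotates the refresh token the way the refresh section describes, checks liveness through introspection and revokes a token. It assumes a confidential client authenticating with client_secret_basic and the page's example realm; the HTTP transport is injectable so the flow can be exercised offline with a stub.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Endpoint URLs for the page's example realm (substitute your own realm name).
BASE = "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect"
TOKEN_URL, INTROSPECT_URL, REVOKE_URL = BASE + "/token", BASE + "/token/introspect", BASE + "/revoke"

def http_post_form(url, fields, headers):
    """Real transport: POST application/x-www-form-urlencoded and parse the JSON reply."""
    req = Request(url, data=urlencode(fields).encode(), headers=headers, method="POST")
    with urlopen(req, timeout=10) as resp:
        body = resp.read()
    return json.loads(body) if body else {}   # the revocation endpoint answers with an empty body

class KeycloakTokenClient:
    """Confidential client using client_secret_basic (HTTP Basic auth on every call)."""

    def __init__(self, client_id, client_secret, post=http_post_form):
        self.client_id, self.client_secret, self.post = client_id, client_secret, post
        self.tokens = {}   # latest response from the token endpoint

    def _post(self, url, fields):
        cred = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        headers = {"Authorization": "Basic " + cred,
                   "Content-Type": "application/x-www-form-urlencoded"}
        return self.post(url, fields, headers)

    def token(self, grant_type, **fields):
        """Any grant the realm allows: authorization_code (code, redirect_uri, code_verifier),
        client_credentials, password (username, password) or refresh_token."""
        self.tokens = self._post(TOKEN_URL, {"grant_type": grant_type, **fields})
        return self.tokens

    def refresh(self):
        # Each refresh_token is valid once: the new response replaces it, so an old one is never reused.
        return self.token("refresh_token", refresh_token=self.tokens["refresh_token"])

    def is_active(self, token, hint="access_token"):
        # Introspection is the authoritative liveness check: a revoked token still carries a valid signature.
        reply = self._post(INTROSPECT_URL, {"token": token, "token_type_hint": hint})
        return bool(reply.get("active"))

    def revoke(self, token, hint="refresh_token"):
        # RFC 7009 style revocation; works for refresh tokens and access tokens.
        self._post(REVOKE_URL, {"token": token, "token_type_hint": hint})
```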

Device Authorization Endpoint

The device authorization endpoint is used to obtain a device code and a user code. It can only be used by clients whose access type is "confidential".

/realms/{realm-name}/protocol/openid-connect/auth/device

Backchannel Authentication Endpoint

The backchannel authentication endpoint is used to obtain the auth_req_id that identifies the authentication request made by the client. It can only be used by clients whose access type is "confidential".

/realms/{realm-name}/protocol/openid-connect/ext/ciba/auth
