Introduction to the OIDC Endpoints (URLs) in Keycloak

OIDC (OpenID Connect) is a standard identity authentication protocol built on top of OAuth2; for the details, please search Baidu.

Grant types available to each Keycloak client access type

Clients with the "confidential" or "bearer-only" access type

require client credentials to be configured

Configuration Endpoint

This is the most important endpoint in Keycloak: it lists the endpoints and other configuration options relevant to Keycloak's OpenID Connect implementation.

Endpoint URL; replace {realm-name} with the actual realm name when calling it:
http://ip:port/auth/realms/{realm-name}/.well-known/openid-configuration

Example:
http://localhost:8080/auth/realms/master/.well-known/openid-configuration

Response body (I wanted to put this in a code block, but saving was rejected with a "sensitive words" warning; please bear with me).

{
  "issuer": "http://localhost:8080/auth/realms/qiaohaoba_test",
  "authorization_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/auth",
  "token_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/token",
  "introspection_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/userinfo",
  "end_session_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/logout",
  "jwks_uri": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/certs",
  "check_session_iframe": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/login-status-iframe.html",
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials", "urn:ietf:params:oauth:grant-type:device_code", "urn:openid:params:grant-type:ciba"],
  "response_types_supported": ["code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"],
  "subject_types_supported": ["public", "pairwise"],
  "id_token_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512"],
  "id_token_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "RSA1_5"],
  "id_token_encryption_enc_values_supported": ["A256GCM", "A192GCM", "A128GCM", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512"],
  "userinfo_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512", "none"],
  "request_object_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512", "none"],
  "response_modes_supported": ["query", "fragment", "form_post"],
  "registration_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/clients-registrations/openid-connect",
  "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt"],
  "token_endpoint_auth_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512"],
  "introspection_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt"],
  "introspection_endpoint_auth_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512"],
  "claims_supported": ["aud", "sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email", "acr"],
  "claim_types_supported": ["normal"],
  "claims_parameter_supported": true,
  "scopes_supported": ["openid", "web-origins", "profile", "address", "roles", "microprofile-jwt", "email", "phone", "offline_access"],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": true,
  "code_challenge_methods_supported": ["plain", "S256"],
  "tls_client_certificate_bound_access_tokens": true,
  "revocation_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/revoke",
  "revocation_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt"],
  "revocation_endpoint_auth_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512"],
  "backchannel_logout_supported": true,
  "backchannel_logout_session_supported": true,
  "device_authorization_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/auth/device",
  "backchannel_token_delivery_modes_supported": ["poll"],
  "backchannel_authentication_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/ext/ciba/auth"
}
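As an added example (not code from the original post), here is a Python check a client can run on the discovery document before trusting any endpoint in it: it confirms the issuer is the realm URL the client was configured with, that every endpoint sits under that issuer, and flags settings worth knowing about. The document below is a constructed excerpt of the one shown above.

```python
import json
from urllib.parse import urlparse

# Constructed excerpt of the discovery document shown above (not a live response).
DISCOVERY_JSON = """{
  "issuer": "http://localhost:8080/auth/realms/qiaohaoba_test",
  "authorization_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/auth",
  "token_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/token",
  "jwks_uri": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/certs",
  "userinfo_signing_alg_values_supported": ["RS256", "none"],
  "code_challenge_methods_supported": ["plain", "S256"]
}"""

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri",
                 "userinfo_endpoint", "introspection_endpoint", "revocation_endpoint")

def check_discovery(doc_text, expected_issuer):
    """Return a list of findings; an empty list means every check passed."""
    doc = json.loads(doc_text)
    findings = []
    # 1. The issuer must be exactly the realm URL we configured; anything else means the
    #    document belongs to a different realm or was served by a different server.
    if doc.get("issuer") != expected_issuer:
        findings.append("issuer mismatch: %r" % doc.get("issuer"))
    # 2. Every endpoint should live under the issuer; otherwise the client would send
    #    codes, tokens or credentials somewhere else.
    issuer = urlparse(expected_issuer)
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url is None:
            continue
        parsed = urlparse(url)
        if (parsed.scheme, parsed.netloc) != (issuer.scheme, issuer.netloc) \
                or not parsed.path.startswith(issuer.path + "/"):
            findings.append("%s not under issuer: %s" % (key, url))
    # 3. Anything beyond a local test realm should be reached over https.
    if issuer.scheme != "https":
        findings.append("issuer is not https")
    # 4. The client will use PKCE with S256, so the server has to advertise it.
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        findings.append("S256 PKCE not supported")
    # 5. A signing list that contains "none" means unsigned responses are possible;
    #    the client must never select or accept alg=none.
    for key in ("userinfo_signing_alg_values_supported", "id_token_signing_alg_values_supported"):
        if "none" in doc.get(key, []):
            findings.append("%s advertises alg none" % key)
    return findings
```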

Authorization Endpoint

The authorization endpoint performs user authentication. Typically the user is redirected to this endpoint and, after authenticating, is redirected back to your own system; this is the standard OAuth2 authorization code flow.

/realms/{realm-name}/protocol/openid-connect/auth

This endpoint is normally used in projects with separate front end and back end, where the front end handles authentication, so it is hard to demonstrate with Postman; here is roughly a screenshot of the Keycloak login page.

Authorization code flow request example:
http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/auth?client_id=XXX&redirect_uri=XXXXX&state=7181d870-bd6a-4080-8829-1e87b1c28520&response_mode=fragment&response_type=code&scope=openid&nonce=ed594de6-b92c-43d4-84a9-65cb9afe2379
Parameter       Meaning
client_id       Keycloak client ID
redirect_uri    URL the authorization server (Keycloak) redirects to after successful authentication
response_type   Response type; this example uses the OAuth2 authorization code flow
scope           Scope; openid is used here
response_mode   Response mode
state           Not sure
nonce           Not sure
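The state and nonce parameters are the two values the client must generate itself: state ties the callback to the browser session that started the request, and nonce is echoed back inside the ID token so the client can check that the token belongs to this request. The following Python is an added example, not the post's own code; client_id and redirect_uri are hypothetical, and it also adds the PKCE code_challenge (S256) that the discovery document above advertises.

```python
import base64, hashlib, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoint as on the page; client_id and redirect_uri are hypothetical values.
AUTH_ENDPOINT = "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/auth"
CLIENT_ID = "my-client"
REDIRECT_URI = "https://app.example/callback"   # must match the URI registered on the client

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_auth_request():
    """Return (url, session); session must be stored server-side and looked up
    again when the browser comes back to redirect_uri."""
    state = secrets.token_urlsafe(32)     # binds the callback to this browser session (anti-CSRF)
    nonce = secrets.token_urlsafe(32)     # Keycloak copies it into the ID token; compared there
    verifier = secrets.token_urlsafe(64)  # PKCE: Keycloak only sees the S256 hash of it now
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    params = {
        "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "response_type": "code", "scope": "openid", "response_mode": "fragment",
        "state": state, "nonce": nonce,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    session = {"state": state, "nonce": nonce, "code_verifier": verifier}
    return AUTH_ENDPOINT + "?" + urlencode(params), session

def parse_callback(redirect_url, session):
    """Return the authorization code from the redirect Keycloak sent the browser to,
    or raise ValueError when the response must not be used."""
    parsed = urlparse(redirect_url)
    # response_mode=fragment puts the parameters after '#', not in the query string
    params = {k: v[0] for k, v in parse_qs(parsed.fragment).items()}
    if not secrets.compare_digest(params.get("state", ""), session["state"]):
        raise ValueError("state mismatch: callback is not bound to this session")
    if "error" in params:
        raise ValueError("authorization failed: %s" % params["error"])
    if "code" not in params:
        raise ValueError("no authorization code in response")
    return params["code"]
```

The code_verifier kept in the session is sent later to the token endpoint together with the code.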

Access Token Endpoint (Token Endpoint)

The token endpoint is used to obtain tokens. Tokens can be obtained by exchanging an authorization code or by supplying credentials directly, depending on which grant types the realm supports. The token endpoint is also used to obtain a new access token when the old one expires.

Detailed explanation of the OAuth2 grant types: https://www.ruanyifeng.com/blog/2019/04/oauth-grant-types.html

/realms/{realm-name}/protocol/openid-connect/token
Parameter       Meaning
grant_type      Grant type; five values: "authorization_code", "implicit", "refresh_token", "password", "client_credentials"
redirect_uri    Redirect URL; authorization code flow only
code            Authorization code; authorization code flow only
client_id       Client ID
client_secret   Client secret, configured in Keycloak; may be omitted if none is configured; required for the client credentials flow
username        Username; resource owner password credentials flow only
password        Password; resource owner password credentials flow only
refresh_token   Refresh token, used to obtain a fresh token before the current one expires; refresh token flow only

1. Obtaining an access token with the authorization code flow

In the authorization code flow the code becomes invalid as soon as it has been used once to obtain a token; a new code must be obtained before tokens can be exchanged again.

2. Obtaining an access token with the implicit flow

3. Obtaining an access token with the client credentials flow

This flow requires the client's access type to be "confidential" and the "Service Accounts Enabled" option to be turned on.

Postman request example

4. Obtaining an access token with the resource owner password credentials flow

This flow requires the "Direct Access Grants Enabled" option to be turned on.

Postman request example

5. Refreshing the access token

For each refresh, refresh_token must be the refresh_token value returned by the previous call to this endpoint; a refresh token is invalidated after one use.
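The flows above are all POSTs to the same endpoint, differing only in the form body. This added Python client (not from the post; the client id and secret are hypothetical and a constructed fake transport stands in for Keycloak) builds each body, sends the client secret with client_secret_basic, and keeps only the newest refresh_token because, as noted above, the previous one stops working after a single use.

```python
import base64
from urllib.parse import urlencode

TOKEN_ENDPOINT = "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/token"

class TokenClient:
    """Builds token-endpoint requests; post(url, headers, body) is injected so it can run offline."""

    def __init__(self, client_id, client_secret, post):
        self.client_id, self.client_secret, self.post = client_id, client_secret, post
        self.refresh_token = None

    def _request(self, form):
        # client_secret_basic: the secret travels in the Authorization header, not in the body or URL
        cred = base64.b64encode(("%s:%s" % (self.client_id, self.client_secret)).encode()).decode()
        headers = {"Authorization": "Basic " + cred, "Content-Type": "application/x-www-form-urlencoded"}
        resp = self.post(TOKEN_ENDPOINT, headers, urlencode(form))
        if "refresh_token" in resp:
            # the refresh token just used is now invalid: always keep the newest one
            self.refresh_token = resp["refresh_token"]
        return resp

    def exchange_code(self, code, redirect_uri, code_verifier):
        # authorization code flow; the code is single-use, a second exchange fails
        return self._request({"grant_type": "authorization_code", "code": code,
                              "redirect_uri": redirect_uri, "code_verifier": code_verifier})

    def client_credentials(self):
        # needs access type "confidential" and "Service Accounts Enabled"
        return self._request({"grant_type": "client_credentials"})

    def password(self, username, password):
        # needs "Direct Access Grants Enabled"; the application itself sees the user's password
        return self._request({"grant_type": "password", "username": username, "password": password})

    def refresh(self):
        if not self.refresh_token:
            raise RuntimeError("no refresh token held; re-authenticate")
        return self._request({"grant_type": "refresh_token", "refresh_token": self.refresh_token})


class FakeKeycloak:
    """Constructed stand-in for the endpoint: records requests, returns a new refresh_token each call."""
    def __init__(self):
        self.calls, self.n = [], 0

    def post(self, url, headers, body):
        self.calls.append((url, headers, body)); self.n += 1
        return {"access_token": "at%d" % self.n, "refresh_token": "rt%d" % self.n, "expires_in": 300}
```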

Userinfo Endpoint

The userinfo endpoint returns details about a user who has already been authenticated; calling it also requires a token.

/realms/{realm-name}/protocol/openid-connect/userinfo

Logout Endpoint

The logout endpoint logs out an authenticated user; after a successful logout the user is redirected to the authorization endpoint (the login page).

/realms/{realm-name}/protocol/openid-connect/logout

Certificate Endpoint

The certificate endpoint returns the public keys enabled for the realm, encoded as JSON Web Keys (JWK). Depending on the realm settings, one or more keys may be enabled for verifying tokens.

/realms/{realm-name}/protocol/openid-connect/certs
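Whichever key the certs endpoint publishes, a client has to select it by the kid in the token header and then check both the signature and the claims (iss from the discovery document, aud, exp, and the nonce it sent to the authorization endpoint). This is an added Python example, not the post's code: it uses a constructed symmetric JWK and HS256 (which the realm above lists) so the signature check runs on the standard library alone; with the realm's RSA or EC keys only the signature primitive changes, the kid lookup and claim checks are identical.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def find_key(jwks, kid):
    """Select the signing key by kid; a realm may publish more than one key."""
    for key in jwks["keys"]:
        if key.get("kid") == kid and key.get("use", "sig") == "sig":
            return key
    raise ValueError("no signing key with kid %r" % kid)

def verify_token(token, jwks, issuer, client_id, nonce=None, now=None):
    """Check signature and claims; return the claims or raise ValueError."""
    now = time.time() if now is None else now
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    # Fixed allowlist: the token header must never be allowed to pick "none" or another algorithm
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    key = find_key(jwks, header.get("kid"))
    expected = hmac.new(b64url_decode(key["k"]), (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:                         # issuer from the discovery document
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if nonce is not None and claims.get("nonce") != nonce:  # ties the ID token to our auth request
        raise ValueError("nonce mismatch")
    return claims

# Constructed test fixture: a symmetric JWK set and a minting helper (the real certs
# endpoint publishes RSA/EC public keys; the lookup and claim checks are the same).
TEST_JWKS = {"keys": [{"kty": "oct", "kid": "k1", "use": "sig", "alg": "HS256",
                       "k": b64url_encode(b"test-secret")}]}

def mint(claims, kid="k1", alg="HS256"):
    h = b64url_encode(json.dumps({"alg": alg, "kid": kid}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(b"test-secret", (h + "." + p).encode(), hashlib.sha256).digest()
    return h + "." + p + "." + b64url_encode(sig)
```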

Introspection Endpoint

The introspection endpoint retrieves and checks the active state of a token. It can be used to validate access tokens or refresh tokens, but only by clients whose access type is "confidential".

/realms/{realm-name}/protocol/openid-connect/token/introspect

Dynamic Client Registration Endpoint

The dynamic client registration endpoint is used to register clients dynamically.

/realms/{realm-name}/clients-registrations/openid-connect

Token Revocation Endpoint

The token revocation endpoint revokes tokens; it supports both refresh tokens and access tokens.

/realms/{realm-name}/protocol/openid-connect/revoke

Device Authorization Endpoint

The device authorization endpoint is used to obtain a device code and a user code. It can only be used by clients whose access type is "confidential".

/realms/{realm-name}/protocol/openid-connect/auth/device

Backchannel Authentication Endpoint

The backchannel authentication endpoint is used to obtain the auth_req_id that identifies an authentication request made by the client. It can only be used by clients whose access type is "confidential".

/realms/{realm-name}/protocol/openid-connect/ext/ciba/auth
