The OIDC (OpenID Connect) protocol is an identity authentication standard built on top of OAuth 2.0; search Baidu for the details.
Keycloak client access types and the grant types they correspond to
For clients whose access type is "confidential" or "bearer-only",
a client credential (client secret) must be configured.
Configuration Endpoint
This is the most important endpoint in Keycloak: it lists the endpoints and other configuration options of the realm's OpenID Connect implementation, so a client can discover every other endpoint from it instead of hard-coding URLs.
Endpoint URL; replace {realm-name} with the actual realm name when calling it:
http://ip:port/auth/realms/{realm-name}/.well-known/openid-configuration
Example:
http://localhost:8080/auth/realms/master/.well-known/openid-configuration
Response body (I wanted to put this in a code block, but saving triggered a sensitive-word warning; please bear with me):
{
"issuer": "http://localhost:8080/auth/realms/qiaohaoba_test",
"authorization_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/auth",
"token_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/token",
"introspection_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/userinfo",
"end_session_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/logout",
"jwks_uri": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/certs",
"check_session_iframe": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/login-status-iframe.html",
"grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials", "urn:ietf:params:oauth:grant-type:device_code", "urn:openid:params:grant-type:ciba"],
"response_types_supported": ["code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"],
"subject_types_supported": ["public", "pairwise"],
"id_token_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512"],
"id_token_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "RSA1_5"],
"id_token_encryption_enc_values_supported": ["A256GCM", "A192GCM", "A128GCM", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512"],
"userinfo_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512", "none"],
"request_object_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512", "none"],
"response_modes_supported": ["query", "fragment", "form_post"],
"registration_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/clients-registrations/openid-connect",
"token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt"],
"token_endpoint_auth_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512"],
"introspection_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt"],
"introspection_endpoint_auth_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512"],
"claims_supported": ["aud", "sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email", "acr"],
"claim_types_supported": ["normal"],
"claims_parameter_supported": true,
"scopes_supported": ["openid", "web-origins", "profile", "address", "roles", "microprofile-jwt", "email", "phone", "offline_access"],
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"require_request_uri_registration": true,
"code_challenge_methods_supported": ["plain", "S256"],
"tls_client_certificate_bound_access_tokens": true,
"revocation_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/revoke",
"revocation_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt"],
"revocation_endpoint_auth_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512"],
"backchannel_logout_supported": true,
"backchannel_logout_session_supported": true,
"device_authorization_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/auth/device",
"backchannel_token_delivery_modes_supported": ["poll"],
"backchannel_authentication_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/ext/ciba/auth"
}
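A relying party should validate this document before trusting the URLs in it. The Go program below is added here as an example (it is not from the original post and not Keycloak code): it parses a trimmed copy of the discovery document shown above (constructed from that response, same qiaohaoba_test realm), checks that the issuer equals the URL the document was fetched from minus the /.well-known/openid-configuration suffix, that every endpoint lies under that issuer, and that S256 PKCE is offered. Only the realm URLs come from this page; the checks are standard OIDC Discovery practice rather than a Keycloak API.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Discovery is the subset of the openid-configuration document a relying
// party actually needs; unknown fields are ignored on decode.
type Discovery struct {
	Issuer                string   `json:"issuer"`
	AuthorizationEndpoint string   `json:"authorization_endpoint"`
	TokenEndpoint         string   `json:"token_endpoint"`
	JWKSURI               string   `json:"jwks_uri"`
	UserinfoEndpoint      string   `json:"userinfo_endpoint"`
	EndSessionEndpoint    string   `json:"end_session_endpoint"`
	CodeChallengeMethods  []string `json:"code_challenge_methods_supported"`
}

const wellKnown = "/.well-known/openid-configuration"

// ParseDiscovery decodes the document fetched from fetchedFrom and applies the
// checks a client should make before trusting any endpoint in it:
//   - issuer must equal the discovery URL without the well-known suffix
//     (catches a misconfigured realm or a document served for another one);
//   - every endpoint must live under that issuer, so the document cannot
//     send tokens or secrets to a host the client never agreed to talk to;
//   - S256 PKCE must be offered, so the client never degrades to "plain".
func ParseDiscovery(fetchedFrom string, body []byte) (*Discovery, error) {
	if !strings.HasSuffix(fetchedFrom, wellKnown) {
		return nil, fmt.Errorf("%s is not a discovery URL", fetchedFrom)
	}
	var d Discovery
	if err := json.Unmarshal(body, &d); err != nil {
		return nil, err
	}
	expectedIssuer := strings.TrimSuffix(fetchedFrom, wellKnown)
	if d.Issuer != expectedIssuer {
		return nil, fmt.Errorf("issuer %q does not match discovery URL (expected %q)", d.Issuer, expectedIssuer)
	}
	endpoints := map[string]string{
		"authorization_endpoint": d.AuthorizationEndpoint,
		"token_endpoint":         d.TokenEndpoint,
		"jwks_uri":               d.JWKSURI,
		"userinfo_endpoint":      d.UserinfoEndpoint,
		"end_session_endpoint":   d.EndSessionEndpoint,
	}
	for name, ep := range endpoints {
		if ep == "" || !strings.HasPrefix(ep, d.Issuer+"/") {
			return nil, fmt.Errorf("%s %q is missing or outside issuer %q", name, ep, d.Issuer)
		}
	}
	hasS256 := false
	for _, m := range d.CodeChallengeMethods {
		if m == "S256" {
			hasS256 = true
		}
	}
	if !hasS256 {
		return nil, errors.New("realm does not offer S256 PKCE")
	}
	return &d, nil
}

// sampleDiscovery is a trimmed copy of the document above (constructed sample),
// so the example runs without a Keycloak instance.
const sampleDiscovery = `{
  "issuer": "http://localhost:8080/auth/realms/qiaohaoba_test",
  "authorization_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/auth",
  "token_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/token",
  "userinfo_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/userinfo",
  "end_session_endpoint": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/logout",
  "jwks_uri": "http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/certs",
  "code_challenge_methods_supported": ["plain", "S256"]
}`

func main() {
	discoveryURL := "http://localhost:8080/auth/realms/qiaohaoba_test" + wellKnown
	d, err := ParseDiscovery(discoveryURL, []byte(sampleDiscovery))
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println("token endpoint:", d.TokenEndpoint)
}
```

Note that the example URL earlier on this page points at the master realm while the response body names qiaohaoba_test; the issuer check is exactly what turns that kind of mismatch into a hard error instead of a silently wrong configuration.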
Authorization Endpoint
The authorization endpoint is where the user authenticates. The application redirects the user's browser to it, and after a successful login Keycloak redirects the browser back to the application with an authorization code. This is the standard OAuth2 authorization code flow.
/realms/{realm-name}/protocol/openid-connect/auth
This endpoint is typically used in projects with a separate frontend, where the frontend drives the login, so it is not easy to demonstrate with Postman; I'll just include a rough screenshot of the Keycloak login page.
Authorization code flow request example:
http://localhost:8080/auth/realms/qiaohaoba_test/protocol/openid-connect/auth?client_id=XXX&redirect_uri=XXXXX&state=7181d870-bd6a-4080-8829-1e87b1c28520&response_mode=fragment&response_type=code&scope=openid&nonce=ed594de6-b92c-43d4-84a9-65cb9afe2379
Parameter | Meaning |
client_id | Keycloak client ID |
redirect_uri | URL the authorization server (Keycloak) redirects to after successful authentication; it must match one of the client's configured Valid Redirect URIs |
response_type | Response type; code selects the OAuth2 authorization code flow used in this example |
scope | Requested scopes; openid is required for an OpenID Connect request (it is what makes Keycloak issue an ID token) |
response_mode | How the response is delivered to redirect_uri: query, fragment or form_post |
state | Opaque value generated by the client and returned unchanged by Keycloak; the client compares it with the value it stored so that a forged or stale callback (CSRF) is rejected |
nonce | Random value generated by the client that Keycloak copies into the nonce claim of the ID token; the client checks it to bind the ID token to this login request and prevent replay |
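As an added example (not code from the original post), here is how a server-side client written in Go would build this request and validate the callback: state is generated per login and compared on return, nonce is generated so it can be checked later in the ID token, and a PKCE code_verifier/code_challenge pair is added because the discovery document above lists S256 under code_challenge_methods_supported. The client ID my-client and redirect URI https://app.example.com/callback are placeholders; the realm URL is the one from this page. Unlike the URL above it uses response_mode=query, which is the right choice when the backend rather than browser JavaScript receives the code.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// AuthRequest is what the client must remember (server-side, keyed to the
// user's session) between sending the browser away and getting it back.
type AuthRequest struct {
	State        string // CSRF token: Keycloak echoes it back unchanged
	Nonce        string // replay guard: Keycloak copies it into the ID token's nonce claim
	CodeVerifier string // PKCE secret: sent only on the token request, never in the redirect
	URL          string // authorization endpoint URL to redirect the browser to
}

func randomURLSafe(nBytes int) (string, error) {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// PKCEChallenge derives the S256 code_challenge from a code_verifier
// (RFC 7636): BASE64URL(SHA256(verifier)) without padding.
func PKCEChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// NewAuthRequest builds the authorization code request for a realm.
// issuer is the realm base URL, e.g. http://localhost:8080/auth/realms/qiaohaoba_test
func NewAuthRequest(issuer, clientID, redirectURI string) (*AuthRequest, error) {
	state, err := randomURLSafe(32)
	if err != nil {
		return nil, err
	}
	nonce, err := randomURLSafe(32)
	if err != nil {
		return nil, err
	}
	verifier, err := randomURLSafe(32) // 43 characters, inside RFC 7636's 43..128 range
	if err != nil {
		return nil, err
	}
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("response_type", "code")
	q.Set("scope", "openid")
	q.Set("response_mode", "query") // server-side client: the code arrives in the query string
	q.Set("state", state)
	q.Set("nonce", nonce)
	q.Set("code_challenge", PKCEChallenge(verifier))
	q.Set("code_challenge_method", "S256")
	return &AuthRequest{
		State:        state,
		Nonce:        nonce,
		CodeVerifier: verifier,
		URL:          issuer + "/protocol/openid-connect/auth?" + q.Encode(),
	}, nil
}

// ParseCallback validates the redirect back from Keycloak and returns the
// authorization code only when the state matches the one this client issued.
func ParseCallback(expectedState, callbackURL string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization failed: %s: %s", e, q.Get("error_description"))
	}
	got := q.Get("state")
	if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(expectedState)) != 1 {
		return "", errors.New("state mismatch: callback was not produced by this login attempt (possible CSRF)")
	}
	code := q.Get("code")
	if code == "" {
		return "", errors.New("callback carries no authorization code")
	}
	return code, nil
}

func main() {
	r, err := NewAuthRequest("http://localhost:8080/auth/realms/qiaohaoba_test", "my-client", "https://app.example.com/callback")
	if err != nil {
		panic(err)
	}
	fmt.Println("redirect the browser to:", r.URL)
}
```

The CodeVerifier is later sent as code_verifier on the token request together with the code; Keycloak hashes it and compares it with the code_challenge it saw here, so a stolen code alone cannot be redeemed.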
Token Endpoint
The token endpoint is used to obtain tokens. A token can be obtained by exchanging an authorization code or by presenting credentials directly, depending on which grant types the realm and the client allow. The token endpoint is also used to obtain a new access token when the current one expires.
OAuth2 grant types explained: https://www.ruanyifeng.com/blog/2019/04/oauth-grant-types.html
/realms/{realm-name}/protocol/openid-connect/token
Parameter | Meaning |
grant_type | Grant type. At the token endpoint this is one of authorization_code, refresh_token, password or client_credentials (plus the device_code and CIBA grants listed in the discovery document). implicit is not a token endpoint grant: in the implicit flow the tokens come straight back from the authorization endpoint. |
redirect_uri | Redirect URL; authorization code flow only, and it must be identical to the value sent in the authorization request |
code | Authorization code; authorization code flow only |
client_id | Client ID |
client_secret | Client secret, configured in Keycloak on the client's Credentials tab. Can be omitted for a public client that has no secret; required for a confidential client, and therefore always required for the client credentials flow |
username | Username; resource owner password credentials (password) flow only |
password | Password; password flow only |
refresh_token | Refresh token, used to obtain a fresh access token so the application is not left with an expired one; refresh_token flow only |
1. Obtaining an access token with the authorization code flow
An authorization code can be exchanged only once: as soon as a token has been issued for it the code is invalidated, and a fresh code (a new trip through the authorization endpoint) is needed before the authorization code flow can be used again.
2. Obtaining an access token with the implicit flow
The implicit flow does not go through the token endpoint: the tokens are returned directly in the redirect from the authorization endpoint (response_type=token or id_token token), and the client must have "Implicit Flow Enabled" switched on.
3. Obtaining an access token with the client credentials flow
This flow requires the client's access type to be "confidential" and the "Service Accounts Enabled" option to be switched on.
Postman request example
4. Obtaining an access token with the resource owner password credentials (password) flow
This flow requires the "Direct Access Grants Enabled" option to be switched on.
Postman request example
5. Refreshing the access token
Each refresh request presents the refresh_token returned by the previous call to this endpoint; once used, that refresh token is invalid and the new one from the response must be kept. Keycloak only rotates refresh tokens this way when the realm's "Revoke Refresh Token" setting (Realm Settings > Tokens) is enabled; with it disabled the same refresh token remains valid until it expires.
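To show steps 1 and 5 as an actual exchange, the Go example below (added here, not from the original post) implements the client side of the token request, authenticating with client_secret_basic, and runs it against a small in-process stand-in for the Keycloak token endpoint. The stand-in is constructed for this example and enforces exactly the two rules described above: an authorization code is accepted once, and a refresh token is revoked the moment it is exchanged (Keycloak's behaviour with "Revoke Refresh Token" enabled). The client ID my-client, the secret s3cret and the codes and tokens the stand-in mints are all made up, and no network socket is opened.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// TokenResponse is the part of Keycloak's token endpoint JSON used here.
type TokenResponse struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token,omitempty"`
	TokenType    string `json:"token_type"`
	ExpiresIn    int    `json:"expires_in"`
}

// ExchangeToken POSTs one grant to the token endpoint. The client authenticates
// with HTTP Basic (client_secret_basic), so the secret never travels in the
// form body, and anything but a 200 carrying an access_token is an error.
func ExchangeToken(hc *http.Client, endpoint, clientID, clientSecret string, form url.Values) (*TokenResponse, error) {
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	resp, err := hc.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		var e struct {
			Error string `json:"error"`
		}
		_ = json.NewDecoder(resp.Body).Decode(&e)
		return nil, fmt.Errorf("token endpoint returned %d: %s", resp.StatusCode, e.Error)
	}
	var tr TokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return nil, err
	}
	if tr.AccessToken == "" {
		return nil, errors.New("token response has no access_token")
	}
	return &tr, nil
}

// MockKeycloak is a constructed stand-in for /protocol/openid-connect/token that
// enforces the rules described above: the client must authenticate, a code is
// redeemable exactly once, and a refresh token is revoked as soon as it is
// exchanged (what Keycloak does with "Revoke Refresh Token" enabled).
type MockKeycloak struct {
	Codes   map[string]bool // unredeemed authorization codes, filled by the "login"
	refresh map[string]bool // live refresh tokens
	n       int
}

func NewMockKeycloak() *MockKeycloak {
	return &MockKeycloak{Codes: map[string]bool{}, refresh: map[string]bool{}}
}

func (m *MockKeycloak) newTokens() *TokenResponse {
	m.n++
	rt := fmt.Sprintf("refresh-%d", m.n)
	m.refresh[rt] = true
	return &TokenResponse{AccessToken: fmt.Sprintf("access-%d", m.n), RefreshToken: rt, TokenType: "Bearer", ExpiresIn: 300}
}

func (m *MockKeycloak) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	fail := func(status int, code string) {
		w.WriteHeader(status)
		json.NewEncoder(w).Encode(map[string]string{"error": code})
	}
	id, secret, ok := r.BasicAuth()
	if r.Method != http.MethodPost || !ok || id != "my-client" || secret != "s3cret" {
		fail(http.StatusUnauthorized, "invalid_client")
		return
	}
	_ = r.ParseForm()
	var tr *TokenResponse
	switch r.PostForm.Get("grant_type") {
	case "authorization_code":
		code := r.PostForm.Get("code")
		if !m.Codes[code] {
			fail(http.StatusBadRequest, "invalid_grant") // unknown or already redeemed
			return
		}
		delete(m.Codes, code) // single use
		tr = m.newTokens()
	case "refresh_token":
		old := r.PostForm.Get("refresh_token")
		if !m.refresh[old] {
			fail(http.StatusBadRequest, "invalid_grant") // unknown or already rotated
			return
		}
		delete(m.refresh, old) // rotation: the presented refresh token is dead from here on
		tr = m.newTokens()
	default:
		fail(http.StatusBadRequest, "unsupported_grant_type")
		return
	}
	json.NewEncoder(w).Encode(tr)
}

// inProcess hands requests straight to the handler: no socket, runs offline.
type inProcess struct{ h http.Handler }

func (t inProcess) RoundTrip(req *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.h.ServeHTTP(rec, req)
	if req.Body != nil {
		req.Body.Close()
	}
	return rec.Result(), nil
}

// ClientFor returns an http.Client wired to the mock instead of the network.
func ClientFor(m *MockKeycloak) *http.Client { return &http.Client{Transport: inProcess{m}} }
```

Against a real realm, pass http.DefaultClient and the token_endpoint from the discovery document; the request shape is the same, and a second exchange of the same code or (with revocation enabled) the same refresh token comes back as a 400 invalid_grant exactly as the stand-in answers here.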
Userinfo Endpoint
The userinfo endpoint returns details about the user who has authenticated. Calling it also requires a token: the access token is sent in the Authorization: Bearer header.
/realms/{realm-name}/protocol/openid-connect/userinfo
Logout Endpoint
The logout endpoint logs out an authenticated user. Redirect the browser to it to log out; after a successful logout the browser is sent on to the authorization endpoint (the login page). A confidential client can also invoke it directly with a POST that carries the refresh_token together with the client's credentials.
/realms/{realm-name}/protocol/openid-connect/logout
Certificate Endpoint
The certificate endpoint returns the realm's enabled public keys, encoded as JSON Web Keys (JWK). Depending on the realm settings one or more keys may be enabled for verifying tokens; a client picks the key whose kid matches the token header and verifies the signature locally, without calling Keycloak for every request.
/realms/{realm-name}/protocol/openid-connect/certs
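Verifying a token against the keys from this endpoint is how a resource server validates Keycloak access tokens without an introspection round-trip. The Go example below is added here (it is not Keycloak code and not from the original post): given a JWKS in the shape the certs endpoint returns, it selects the key by kid, pins the algorithm to RS256, verifies the RSA signature, and then checks iss, exp and that the token was issued for the expected client (aud or azp). NewTestKey, SignRS256 and JWKSFor are constructed stand-ins for Keycloak's realm key, signer and certs endpoint so the example runs offline; the issuer URL is the realm from this page and my-client is a placeholder.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK and JWKS mirror the JSON served by /protocol/openid-connect/certs (RSA
// fields only); encoding/json matches "kid", "kty", "n", "e" case-insensitively.
type JWK struct{ Kid, Kty, N, E string }
type JWKS struct{ Keys []JWK }

// Claims are the registered claims this relying party checks. Keycloak sets azp
// to the requesting client and emits aud either as a string or as an array.
type Claims struct {
	Iss, Sub, Azp string
	Exp           int64
	Aud           json.RawMessage
}

func b64u(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// unb64u returns nil for undecodable input; every use below treats nil as a
// verification failure, so a garbled segment can never be accepted.
func unb64u(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b }

func audienceContains(raw json.RawMessage, want string) bool {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return one == want
	}
	var many []string
	_ = json.Unmarshal(raw, &many)
	for _, a := range many {
		if a == want {
			return true
		}
	}
	return false
}

// VerifyJWT accepts a token only if it is RS256-signed by the JWKS key whose kid
// matches, names the expected issuer, has not expired, and was issued for
// clientID (aud or azp). Pinning the algorithm instead of trusting the header
// defeats alg=none and RS256-to-HS256 key-confusion tokens.
func VerifyJWT(token string, jwks JWKS, issuer, clientID string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var hdr struct{ Alg, Kid string }
	_ = json.Unmarshal(unb64u(parts[0]), &hdr) // a garbled header leaves Alg empty, rejected next
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("alg %q rejected: only RS256 is accepted", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(unb64u(k.N)), E: int(new(big.Int).SetBytes(unb64u(k.E)).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no RSA key with kid %q in JWKS", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], unb64u(parts[2])); err != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if err := json.Unmarshal(unb64u(parts[1]), &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer {
		return nil, fmt.Errorf("issuer %q is not %q", c.Iss, issuer)
	}
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return nil, errors.New("token expired or carries no exp")
	}
	if !audienceContains(c.Aud, clientID) && c.Azp != clientID {
		return nil, errors.New("token was not issued for this client")
	}
	return &c, nil
}

// NewTestKey, SignRS256 and JWKSFor are constructed stand-ins for Keycloak's
// realm key, token signer and certs endpoint so the example runs offline.
func NewTestKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) string {
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	p, _ := json.Marshal(claims)
	signingInput := b64u(h) + "." + b64u(p)
	d := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	if err != nil {
		panic(err)
	}
	return signingInput + "." + b64u(sig)
}

func JWKSFor(pub *rsa.PublicKey, kid string) JWKS {
	return JWKS{Keys: []JWK{{Kid: kid, Kty: "RSA", N: b64u(pub.N.Bytes()), E: b64u(big.NewInt(int64(pub.E)).Bytes())}}}
}
```

With a real realm the JWKS is the decoded body of the certs endpoint and the issuer is the value from the discovery document; because Keycloak can rotate keys, a production verifier caches the JWKS and refetches it when it meets a kid it does not know, rather than fetching on every request.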
Introspection Endpoint
The introspection endpoint reports the active state of a token and can be used to validate an access token or a refresh token. It can only be invoked by a client with the "confidential" access type, which must authenticate with its client credentials.
/realms/{realm-name}/protocol/openid-connect/token/introspect
Dynamic Client Registration Endpoint
The dynamic client registration endpoint is used to register clients dynamically.
/realms/{realm-name}/clients-registrations/openid-connect
Token Revocation Endpoint
The token revocation endpoint revokes a token; it accepts both refresh tokens and access tokens.
/realms/{realm-name}/protocol/openid-connect/revoke
Device Authorization Endpoint
The device authorization endpoint is used to obtain a device code and a user code. The client must have the "OAuth 2.0 Device Authorization Grant Enabled" option switched on; unlike introspection and CIBA, it can be invoked by confidential or public clients.
/realms/{realm-name}/protocol/openid-connect/auth/device
Backchannel Authentication Endpoint
The backchannel authentication endpoint (CIBA) is used to obtain the auth_req_id that identifies an authentication request issued by the client. It can only be invoked by a client with the "confidential" access type.
/realms/{realm-name}/protocol/openid-connect/ext/ciba/auth