Keycloak: What are Keycloak's OAuth2/OpenID Connect endpoints?


We are trying to evaluate Keycloak as an SSO solution. It looks good in many respects, but the documentation is painfully lacking in the basics.

For http://localhost:8080/, for the realm test, what is and


We are not interested in using Keycloak's own client libraries; we want to use standard OAuth2/OpenID Connect client libraries, because the client applications that use the Keycloak server will be written in many languages (PHP, Ruby, Node, Java, C#, Angular). Examples that use the Keycloak client are therefore of no use to us.

After a lot of digging, we more or less obtained the information (mostly from Keycloak's own JS client library):

  • Authorization endpoint: /auth/realms/{realm}/tokens/login
  • Token endpoint: /auth/realms/{realm}/tokens/access/code
As for OpenID Connect userinfo, currently (1.1.0.Final) Keycloak does not implement this endpoint, so it is not fully OpenID Connect compliant. However, there is already a statement saying that, at the time of writing, it should be included in 1.2.x.

But, ironically, Keycloak does send an id_token back together with the access token. Both the id_token and the access_token carry the OpenID Connect keys, i.e.:

"iss":   "{realm}"
"sub":   "5bf30443-0cf7-4d31-b204-efd11a432659"
"name":  "Amir Abiri"
"email": "..."

So although Keycloak 1.1.x is not fully OpenID Connect compliant, it does "speak" the OpenID Connect language.

For Keycloak 1.2, the above information can be retrieved through the URL

http://keycloakhost:keycloakport/auth/realms/{realm}/.well-known/openid-configuration

For example, if the realm name is demo:

Sample output of the above URL:

{
  "issuer": "http://localhost:8080/auth/realms/demo",
  "authorization_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth",
  "token_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token",
  "userinfo_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/userinfo",
  "end_session_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout",
  "jwks_uri": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/certs",
  "grant_types_supported": [
    "authorization_code",
    "refresh_token",
    "password"
  ],
  "response_types_supported": [
    "code"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "response_modes_supported": [
    "query"
  ]
}
Found the information at


Note: you may need to add your client to the list of valid redirect URIs. In version 1.9.0 the JSON with all endpoints is at the address /auth/realms/{realm}

  • Authorization endpoint: /auth/realms/{realm}/account
  • Token endpoint: /auth/realms/{realm}/protocol/openid-connect

As of version 1.9.3.Final, Keycloak has many OpenID endpoints available. They can be found at
/auth/realms/{realm}/.well-known/openid-configuration. Assuming your realm is named
demo, that endpoint produces a JSON response similar to this:

{
  "issuer": "http://localhost:8080/auth/realms/demo",
  "authorization_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth",
  "token_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token",
  "token_introspection_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/userinfo",
  "end_session_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout",
  "jwks_uri": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/certs",
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "refresh_token",
    "password",
    "client_credentials"
  ],
  "response_types_supported": [
    "code",
    "none",
    "id_token",
    "token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "registration_endpoint": "http://localhost:8080/auth/realms/demo/clients-registrations/openid-connect"
}

As far as I know, these endpoints implement the spec.

FQDN/auth/realms/{realm_name}/.well-known/openid-configuration

You will see everything there. Also, if the identity provider is Keycloak as well, entering this URL sets everything up, provided the other identity provider supports this and has handled it.

  • TokenUrl: [domain]/auth/realms/{REALM_NAME}/protocol/openid-connect/token
  • AuthUrl: [domain]/auth/realms/{REALM_NAME}/protocol/openid-connect/auth

The link to .well-known is actually on the first tab of the realm settings, but the link does not look like a link; it looks like the value of a text box... poor UI design.

The following link provides a JSON document describing Keycloak's metadata:

/auth/realms/{realm-name}/.well-known/openid-configuration

The following information was reported using Keycloak 6.0.1 for the master realm:

{  
   "issuer":"http://localhost:8080/auth/realms/master",
   "authorization_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/auth",
   "token_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token",
   "token_introspection_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token/introspect",
   "userinfo_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/userinfo",
   "end_session_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/logout",
   "jwks_uri":"http://localhost:8080/auth/realms/master/protocol/openid-connect/certs",
   "check_session_iframe":"http://localhost:8080/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
   "grant_types_supported":[  
      "authorization_code",
      "implicit",
      "refresh_token",
      "password",
      "client_credentials"
   ],
   "response_types_supported":[  
      "code",
      "none",
      "id_token",
      "token",
      "id_token token",
      "code id_token",
      "code token",
      "code id_token token"
   ],
   "subject_types_supported":[  
      "public",
      "pairwise"
   ],
   "id_token_signing_alg_values_supported":[  
      "PS384",
      "ES384",
      "RS384",
      "HS256",
      "HS512",
      "ES256",
      "RS256",
      "HS384",
      "ES512",
      "PS256",
      "PS512",
      "RS512"
   ],
   "userinfo_signing_alg_values_supported":[  
      "PS384",
      "ES384",
      "RS384",
      "HS256",
      "HS512",
      "ES256",
      "RS256",
      "HS384",
      "ES512",
      "PS256",
      "PS512",
      "RS512",
      "none"
   ],
   "request_object_signing_alg_values_supported":[  
      "PS384",
      "ES384",
      "RS384",
      "ES256",
      "RS256",
      "ES512",
      "PS256",
      "PS512",
      "RS512",
      "none"
   ],
   "response_modes_supported":[  
      "query",
      "fragment",
      "form_post"
   ],
   "registration_endpoint":"http://localhost:8080/auth/realms/master/clients-registrations/openid-connect",
   "token_endpoint_auth_methods_supported":[  
      "private_key_jwt",
      "client_secret_basic",
      "client_secret_post",
      "client_secret_jwt"
   ],
   "token_endpoint_auth_signing_alg_values_supported":[  
      "RS256"
   ],
   "claims_supported":[  
      "aud",
      "sub",
      "iss",
      "auth_time",
      "name",
      "given_name",
      "family_name",
      "preferred_username",
      "email"
   ],
   "claim_types_supported":[  
      "normal"
   ],
   "claims_parameter_supported":false,
   "scopes_supported":[  
      "openid",
      "address",
      "email",
      "microprofile-jwt",
      "offline_access",
      "phone",
      "profile",
      "roles",
      "web-origins"
   ],
   "request_parameter_supported":true,
   "request_uri_parameter_supported":true,
   "code_challenge_methods_supported":[  
      "plain",
      "S256"
   ],
   "tls_client_certificate_bound_access_tokens":true,
   "introspection_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token/introspect"
}

You can also view this information by going to Admin Console -> Realm Settings -> clicking the hyperlink in the Endpoints field.
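The discovery documents above are what a standard OIDC client should consume instead of hard-coding paths. The following added example (not code from the question, the answers, or Keycloak itself) parses such a document, checks the things a client must not take on trust (the issuer matches the configured one, every endpoint sits on the issuer's origin, the code flow and PKCE S256 are advertised), and builds an authorization request against the discovered authorization_endpoint. The discovery JSON is a constructed, trimmed copy of the demo-realm documents shown above; the client_id and redirect_uri are assumed placeholders.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode, urlparse

# Constructed sample in the shape of the discovery documents shown above (demo realm).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "http://localhost:8080/auth/realms/demo",
    "authorization_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token",
    "jwks_uri": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/certs",
    "response_types_supported": ["code", "none", "id_token", "token"],
    "code_challenge_methods_supported": ["plain", "S256"],
})

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def parse_discovery(doc_text, expected_issuer):
    """Parse the discovery document and reject anything a client must not trust blindly."""
    doc = json.loads(doc_text)
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        raise ValueError(f"discovery document is missing {missing}")
    # The issuer must equal the value the client was configured with (issuer mix-up defence).
    if doc["issuer"] != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc['issuer']!r} != {expected_issuer!r}")
    # Every endpoint the client will call has to live on the issuer's origin.
    origin = urlparse(expected_issuer)
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = urlparse(doc[key])
        if (url.scheme, url.netloc) != (origin.scheme, origin.netloc):
            raise ValueError(f"{key} {doc[key]!r} is not on the issuer origin")
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("server does not support the authorization code flow")
    return doc

def pkce_pair(verifier=None):
    """Return (code_verifier, S256 code_challenge); the verifier never leaves the client."""
    verifier = verifier or secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_auth_url(doc, client_id, redirect_uri, state, challenge):
    """Build the authorization request from the discovered endpoint; PKCE S256 is required."""
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        raise ValueError("server does not advertise PKCE S256")
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid", "state": state, "code_challenge": challenge, "code_challenge_method": "S256"}
    return doc["authorization_endpoint"] + "?" + urlencode(params)
```

The state value and code_verifier must be stored per login attempt so the callback can be checked against them before the code is exchanged at the token_endpoint.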


We have since dropped Keycloak, so I can't verify.

What URL do you use on the web app to create a login link? I have tried them all, but none of them work.

@AmirAbiri What was your replacement for Keycloak? I'm evaluating it now. I like the UI and would like all my users to be managed by it, but I'm having a hard time connecting my GoLang app to it.

@Tarion There is WSO2 Identity Server.

I had been struggling with Keycloak until I found this post with the magic URLs! What did you end up using?

We were eventually able to convince the people upstairs that OAuth has nothing to do with login and security; it is a technique used by the application itself and only relevant to third-party integrations. The fact that Google and FB use it everywhere was hard to explain away as irrelevant to us.

@AmirAbiri I wouldn't say it is only used for third-party integrations. That is its main use right now, but as a protocol supported by more and more internet companies it may also make sense if you deal with multiple applications (or microservices) in your own enterprise environment and want an SSO solution. In fact, in my case, having used Keycloak for more than 10 months, I think it may also be suitable for simple applications, since it takes care of all the user-management work.

Note that OpenID Connect is basically a set of standards, of which OAuth 2 is one (JWT is another).

This comment is a bit misleading. OAuth2 is a standard that implements an authorization protocol. OIDC is a standard that works on top of OAuth2 for identity.

Yes, this also works for 5.0. They