What are Keycloak's OAuth2/OpenID Connect endpoints?

We are trying to evaluate Keycloak as a single sign-on solution. It looks good in many respects, but the documentation is painfully lacking in the basics.

For a given Keycloak installation at http://localhost:8080/ with realm test, what are the OAuth2 authorization endpoint, the OAuth2 token endpoint and the OpenID Connect userinfo endpoint?

We are not interested in using Keycloak's own client libraries; we want to use standard OAuth2/OpenID Connect client libraries, since the client applications that use the Keycloak server will be written in a variety of languages (PHP, Ruby, Node, Java, C#, Angular). So examples that use Keycloak clients are not what we need.

196840 views

After digging deeper we got some information, more or less (mainly from Keycloak's own JS client lib):

  • Authorization endpoint: /auth/realms/{realm}/tokens/login
  • Token endpoint: /auth/realms/{realm}/tokens/access/codes

As for the OpenID Connect userinfo endpoint, as of now (1.1.0.Final) Keycloak does not implement it, so it is not fully OpenID Connect compliant. There is already a patch that adds it, though, which at the time of writing should be included in 1.2.x.

But, ironically, Keycloak does send back an id_token together with the access token. Both the id_token and the access_token are signed JWTs, and the keys in the token are the OpenID Connect ones, i.e.:

"iss":  "{realm}"
"sub":  "5bf30443-0cf7-4d31-b204-efd11a432659"
"name": "Amir Abiri"
"email": "..."

So while Keycloak 1.1.x is not fully OpenID Connect compliant, it does "speak" OpenID Connect.

For Keycloak 1.2, the above information can be retrieved via the URL

http://keycloakhost:keycloakport/auth/realms/{realm}/.well-known/openid-configuration

For example, if the realm name is demo:

http://keycloakhost:keycloakport/auth/realms/demo/.well-known/openid-configuration

Sample output from the above URL:

{
"issuer": "http://localhost:8080/auth/realms/demo",
"authorization_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth",
"token_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token",
"userinfo_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/userinfo",
"end_session_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout",
"jwks_uri": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/certs",
"grant_types_supported": [
"authorization_code",
"refresh_token",
"password"
],
"response_types_supported": [
"code"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"response_modes_supported": [
"query"
]
}

Information found at https://issues.jboss.org/browse/KEYCLOAK-571

Note: you may need to add your client to the Valid Redirect URIs list

In version 1.9.0 the JSON with all the endpoints is at address/auth/realms/{realm}

  • Authorization endpoint: /auth/realms/{realm}/account
  • Token endpoint: /auth/realms/{realm}/protocol/openid-connect

Version 1.9.3.Final: Keycloak has many OpenID endpoints available. These can be found at /auth/realms/{realm}/.well-known/openid-configuration. Assuming your realm is named demo, that endpoint will produce a JSON response similar to this.

{
"issuer": "http://localhost:8080/auth/realms/demo",
"authorization_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth",
"token_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token",
"token_introspection_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/userinfo",
"end_session_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout",
"jwks_uri": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/certs",
"grant_types_supported": [
"authorization_code",
"implicit",
"refresh_token",
"password",
"client_credentials"
],
"response_types_supported": [
"code",
"none",
"id_token",
"token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"response_modes_supported": [
"query",
"fragment",
"form_post"
],
"registration_endpoint": "http://localhost:8080/auth/realms/demo/clients-registrations/openid-connect"
}

As far as I know, these endpoints implement the OAuth 2.0 spec.

FQDN/auth/realms/{realm_name}/.well-known/openid-configuration

You will see everything there. In addition, if the identity provider is also Keycloak, supplying this URL will set everything up, as it also would with other identity providers if they support it and have handled it.

Keycloak version: 4.6.0

  • TokenUrl: [domain]/auth/realms/{REALM_NAME}/protocol/openid-connect/token
  • AuthUrl: [domain]/auth/realms/{REALM_NAME}/protocol/openid-connect/auth

Actually, the link to .well-known is on the first tab of your realm settings, but it does not look like a link; it looks like a text box with a value in it... poor UI design. [Screenshot of the realm's General tab]

The link below provides a JSON document that describes metadata about Keycloak

/auth/realms/{realm-name}/.well-known/openid-configuration

The information below was reported by Keycloak 6.0.1 for the master realm

{
"issuer":"http://localhost:8080/auth/realms/master",
"authorization_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/auth",
"token_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token",
"token_introspection_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token/introspect",
"userinfo_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/userinfo",
"end_session_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/logout",
"jwks_uri":"http://localhost:8080/auth/realms/master/protocol/openid-connect/certs",
"check_session_iframe":"http://localhost:8080/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
"grant_types_supported":[
"authorization_code",
"implicit",
"refresh_token",
"password",
"client_credentials"
],
"response_types_supported":[
"code",
"none",
"id_token",
"token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"subject_types_supported":[
"public",
"pairwise"
],
"id_token_signing_alg_values_supported":[
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"userinfo_signing_alg_values_supported":[
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512",
"none"
],
"request_object_signing_alg_values_supported":[
"PS384",
"ES384",
"RS384",
"ES256",
"RS256",
"ES512",
"PS256",
"PS512",
"RS512",
"none"
],
"response_modes_supported":[
"query",
"fragment",
"form_post"
],
"registration_endpoint":"http://localhost:8080/auth/realms/master/clients-registrations/openid-connect",
"token_endpoint_auth_methods_supported":[
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"client_secret_jwt"
],
"token_endpoint_auth_signing_alg_values_supported":[
"RS256"
],
"claims_supported":[
"aud",
"sub",
"iss",
"auth_time",
"name",
"given_name",
"family_name",
"preferred_username",
"email"
],
"claim_types_supported":[
"normal"
],
"claims_parameter_supported":false,
"scopes_supported":[
"openid",
"address",
"email",
"microprofile-jwt",
"offline_access",
"phone",
"profile",
"roles",
"web-origins"
],
"request_parameter_supported":true,
"request_uri_parameter_supported":true,
"code_challenge_methods_supported":[
"plain",
"S256"
],
"tls_client_certificate_bound_access_tokens":true,
"introspection_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token/introspect"
}

You can also view this information by going to Admin Console -> Realm Settings -> clicking the hyperlink on the Endpoints field.


I am currently trying out Keycloak 18.0.0 and found that the "/auth" part has been removed from the OIDC discovery URL:

https://{keycloakhost}:{keycloakport}/realms/{realm}/.well-known/openid-configuration

This returns a JSON data structure containing the endpoints:

{
"issuer": "https://{keycloakhost}:{keycloakport}/realms/{realm}",
"authorization_endpoint": "https://{keycloakhost}:{keycloakport}/realms/{realm}/protocol/openid-connect/auth",
"token_endpoint": "https://{keycloakhost}:{keycloakport}/realms/{realm}/protocol/openid-connect/token",
"introspection_endpoint": "https://{keycloakhost}:{keycloakport}/realms/{realm}/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "https://{keycloakhost}:{keycloakport}/realms/{realm}/protocol/openid-connect/userinfo",
"end_session_endpoint": "https://{keycloakhost}:{keycloakport}/realms/{realm}/protocol/openid-connect/logout",
"frontchannel_logout_session_supported": true,
"frontchannel_logout_supported": true,
"jwks_uri": "https://{keycloakhost}:{keycloakport}/realms/{realm}/protocol/openid-connect/certs",
"check_session_iframe": "https://{keycloakhost}:{keycloakport}/realms/{realm}/protocol/openid-connect/login-status-iframe.html",
"grant_types_supported": [
"authorization_code",
"implicit",
"refresh_token",
"password",
"client_credentials",
"urn:ietf:params:oauth:grant-type:device_code",
"urn:openid:params:grant-type:ciba"
],
"response_types_supported": [
"code",
"none",
"id_token",
"token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"subject_types_supported": [
"public",
"pairwise"
],
"id_token_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"id_token_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA-OAEP-256",
"RSA1_5"
],
"id_token_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"userinfo_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512",
"none"
],
"request_object_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512",
"none"
],
"request_object_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA-OAEP-256",
"RSA1_5"
],
"request_object_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"response_modes_supported": [
"query",
"fragment",
"form_post",
"query.jwt",
"fragment.jwt",
"form_post.jwt",
"jwt"
],
"registration_endpoint": "https://{keycloakhost}:{keycloakport}/realms/{realm}/clients-registrations/openid-connect",
"token_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"tls_client_auth",
"client_secret_jwt"
],
"token_endpoint_auth_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"introspection_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"tls_client_auth",
"client_secret_jwt"
],
"introspection_endpoint_auth_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"authorization_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"authorization_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA-OAEP-256",
"RSA1_5"
],
"authorization_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"claims_supported": [
"aud",
"sub",
"iss",
"auth_time",
"name",
"given_name",
"family_name",
"preferred_username",
"email",
"acr"
],
"claim_types_supported": [
"normal"
],
"claims_parameter_supported": true,
"scopes_supported": [
"openid",
"phone",
"roles",
"microprofile-jwt",
"email",
"web-origins",
"offline_access",
"address",
"profile"
],
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"require_request_uri_registration": true,
"code_challenge_methods_supported": [
"plain",
"S256"
],
"tls_client_certificate_bound_access_tokens": true,
"revocation_endpoint": "https://{keycloakhost}:{keycloakport}/realms/{realm}/protocol/openid-connect/revoke",
"revocation_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"tls_client_auth",
"client_secret_jwt"
],
"revocation_endpoint_auth_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"backchannel_logout_supported": true,
"backchannel_logout_session_supported": true,
"device_authorization_endpoint": "https://{keycloakhost}:{keycloakport}/realms/{realm}/protocol/openid-connect/auth/device",
"backchannel_token_delivery_modes_supported": [
"poll",
"ping"
],
"backchannel_authentication_endpoint": "https://{keycloakhost}:{keycloakport}/realms/{realm}/protocol/openid-connect/ext/ciba/auth",
"backchannel_authentication_request_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"ES256",
"RS256",
"ES512",
"PS256",
"PS512",
"RS512"
],
"require_pushed_authorization_requests": false,
"pushed_authorization_request_endpoint": "https://{keycloakhost}:{keycloakport}/realms/{realm}/protocol/openid-connect/ext/par/request",
"mtls_endpoint_aliases": {
"token_endpoint": "https://{keycloakhost}:{keycloakport}/realms/{realm}/protocol/openid-connect/token",
"revocation_endpoint": "https://{keycloakhost}:{keycloakport}/realms/{realm}/protocol/openid-connect/revoke",
"introspection_endpoint": "https://{keycloakhost}:{keycloakport}/realms/{realm}/protocol/openid-connect/token/introspect",
"device_authorization_endpoint": "https://{keycloakhost}:{keycloakport}/realms/{realm}/protocol/openid-connect/auth/device",
"registration_endpoint": "https://{keycloakhost}:{keycloakport}/realms/{realm}/clients-registrations/openid-connect",
"userinfo_endpoint": "https://{keycloakhost}:{keycloakport}/realms/{realm}/protocol/openid-connect/userinfo",
"pushed_authorization_request_endpoint": "https://{keycloakhost}:{keycloakport}/realms/{realm}/protocol/openid-connect/ext/par/request",
"backchannel_authentication_endpoint": "https://{keycloakhost}:{keycloakport}/realms/{realm}/protocol/openid-connect/ext/ciba/auth"
}
}

For the hostname endpoint:

https://keycloak.{HOSTNAME}/realms/{REALM}/.well-known/openid-configuration