OIDC 配置发现

@@oidc 发现页

术语

• OpenID Connect ：以下简称 oidc 协议
• Relying Party：依赖方，也就是客户端，简称 RP
• OpenID Provider：oidc 协议认证的实现方，简称 OP
• End-User：用户，资源拥有者

介绍

In order for an OpenID Connect Relying Party to utilize OpenID Connect services for an End-User, the RP needs to know where the OpenID Provider is. OpenID Connect uses WebFinger [RFC7033] to locate the OpenID Provider for an End-User.

oidc 协议有很多的配置信息和 url，RP 需要对接 OP 来实现认证和授权，那么 RP 就需要知道这些配置信息，比如发起认证请求的 url 地址，token 交换的 url 地址等。为了方便对接，OP 提供了一个 url 来返回自己的所有配置信息（一个 json 对象格式），这样 RP 只需要调用这一个地址就知道了所有配置。这种提供信息的方式也是一个协议称为 WebFinger。WebFinger 是一种使用 http 协议来发现互联网上关于某个实体信息的协议，oidc 的配置（或者称为元数据）发现是一个典型例子。

在 oidc 协议官方文档中，这一模块称为 Discovery，即定义 RP 如何动态发现有关 OP 的信息。

发现

必须使用 GET 请求，url 后缀为 /.well-known/openid-configuration，比如 http://localhost:8080/auth/realms/springdemo/.well-known/openid-configuration，以下是 keycloak 的响应内容，这里面大多数字段是协议规定的，少部分是 OP 自己提供的。

{
"issuer": "http://localhost:8080/auth/realms/springdemo",
"authorization_endpoint": "http://localhost:8080/auth/realms/springdemo/protocol/openid-connect/auth",
"token_endpoint": "http://localhost:8080/auth/realms/springdemo/protocol/openid-connect/token",
"token_introspection_endpoint": "http://localhost:8080/auth/realms/springdemo/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "http://localhost:8080/auth/realms/springdemo/protocol/openid-connect/userinfo",
"end_session_endpoint": "http://localhost:8080/auth/realms/springdemo/protocol/openid-connect/logout",
"jwks_uri": "http://localhost:8080/auth/realms/springdemo/protocol/openid-connect/certs",
"check_session_iframe": "http://localhost:8080/auth/realms/springdemo/protocol/openid-connect/login-status-iframe.html",
"grant_types_supported": [
"authorization_code",
"implicit",
"refresh_token",
"password",
"client_credentials"
],
"response_types_supported": [
"code",
"none",
"id_token",
"token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"subject_types_supported": [
"public",
"pairwise"
],
"id_token_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"id_token_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA1_5"
],
"id_token_encryption_enc_values_supported": [
"A128GCM",
"A128CBC-HS256"
],
"userinfo_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512",
"none"
],
"request_object_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512",
"none"
],
"response_modes_supported": [
"query",
"fragment",
"form_post"
],
"registration_endpoint": "http://localhost:8080/auth/realms/springdemo/clients-registrations/openid-connect",
"token_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"tls_client_auth",
"client_secret_jwt"
],
"token_endpoint_auth_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"claims_supported": [
"aud",
"sub",
"iss",
"auth_time",
"name",
"given_name",
"family_name",
"preferred_username",
"email",
"acr"
],
"claim_types_supported": [
"normal"
],
"claims_parameter_supported": false,
"scopes_supported": [
"openid",
"address",
"email",
"microprofile-jwt",
"offline_access",
"phone",
"profile",
"roles",
"web-origins"
],
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"code_challenge_methods_supported": [
"plain",
"S256"
],
"tls_client_certificate_bound_access_tokens": true,
"introspection_endpoint": "http://localhost:8080/auth/realms/springdemo/protocol/openid-connect/token/introspect"
}

转 https://my.oschina.net/wecanweup/blog/4869316