
CAS Single Sign-On: Enabling the OIDC Protocol (Part 8)

Date: 2024-06-14 17:37:23
Tags: SSO, CAS, server, cas, token, https, oidc, com, OIDC

1. Add the dependency

<dependency>
  <groupId>org.apereo.cas</groupId>
  <artifactId>cas-server-support-oidc</artifactId>
  <version>${cas.version}</version>
</dependency>

2. Generate the JWKS

The post uses https://mkjwk.org/ to produce the JWK file. It is a third-party generator, not part of CAS, and a private key generated in someone else's web page and then pasted into a blog is no longer private: the JWK below contains d, p and q, so anyone who copies it can sign id_tokens that this server will have issued. Treat it as sample data only and generate the production key with a tool run locally.

The output copied from it looks like this:

{
    "keys": [
        {
            "p": "-8Jzd4q1UBRcAYsHbgsJzODtZQWuoIQhZ-PphuyUaQVQXTF466FZjeKkvlGkf3H-TgxlQxgb5S0rfbNKxlR3NO4xdGwtuv8hvzI1FJFmCA2Ap78u0-9UCvmpmiJ--SREF6r50_-kXOg_RIvEmH_mEVjHWMN7k4ajwL5jnWr1R0M",
            "kty": "RSA",
            "q": "u7kCj-lylPkIrbNpu1q2BqJCfkluksYm5g514YIxwc3wVVWF6SSTdnpLHvckVjzS8-w9gtnC0kcaKpE8bhQpetu5gf-1QGYIty03Q4my6qca6KosW3yUIfSjOpTKETwJOjby0Se1F9axr11_tP1A_OBZHfV_DDnH5xp7bBAagdk",
            "d": "q-It8mn90JhBLAWdBjZMxTlN5fXbxyVGEboMwB1A9hu5-08JyVRGPPTUe-6kVqSjPMGRDraXNw54PiixE-qLEK80lA_0CWbD00vdRFPelQU0A84koUazGwwy7rnl5ARjqJmQkUBgn6BnwXyvhX1ENKui4jCixFG5oWO2H1HT5LAzzI0z5XVhvngdF6hfMBXdIsUQtkFCnjbnLziQxdcOpmYXbqTgclUWdO--8IZ-PkaHlX7JhJ3BhVJH4bdautCaI5yytc4MBqjQHGCcExMIsXSrJmLwocLqTq1jK05cz1P5Ukkd9xvkCDrSv6osS7SUxP1ZS7fy0VLxsViPvbL34Q",
            "e": "AQAB",
            "kid": "cas",
            "qi": "WUYT1z4nJ6pI3KS5SjWneZf-RAioAvh-d2k-y2tKpgQOSQX_E-n8YqAxVBZrbXRt5mcM4Tr39E65jmQQKkIbxylOyzh0yffnSjLpsi1vZa1ZoTtO2ae2hlk9NvCHjKi0xd4K-A_v93VUZERIV_A2ZeMMfw7u0waLvgJCWn90DmU",
            "dp": "P5iIKHtef8MU1sLy9oZNTHbJIQrFaQDXm3HELPQYLUtNWK1FmWghwiitavIetp7qGXciIUe2zDaT1OX0jpMJpdJBpeIpzyHhuXWKWQ69km0uwbEWuCytszQL9saeAnt5w-zJvRbHwzxbtwoDeG5ehKVDfhWrYsHRHcA6U6qQGRc",
            "alg": "RS256",
            "dq": "jixhz2LMAB3YP84I_veFsuKDH6g30Xu3jDdZejCjxJdXNRnvsJKeCHY4nLwqzhGE5259a7PHRIDLRX_315r3i3AMQHPM73gXk7vwBfutAOEMlTgFHkjs3Aau9TgpDgJ9LpTdNCExm1tj-WADz6ya4qp7dCAxV64PQ22gGkjb-ok",
            "n": "uJz8Ys_Px5Ivup5O8QTwIXSBQFlr4wnufgQa7WOL6qxM7KEpWAWArj4u4Aj_Clmj48r-VNTJRctz7IDZNgtsmd3FKNMENaWVhvvzFCbHSghYT44vzy21Ct0GwA5RTLppkACkgiGOEUXedfqVay5eAPS2V-bZD8B9EnDKETOGj0qPjYXKCwOVa-Ik-gLu4XqBU1nbfF3OWl_SY-sPC6JU3rwT0twFh5zRynCfjZiwyFq3yfVcgoKrFQAPLKtfJQTUFsYx2S6iXrd79S4I5NADR5s4_ZDzT8MA-i4x4j6-zCVhrw1DCgFwiLsUF7TPAMBz63xWcEjuR5bwxjX2r6Aqyw"
        }
    ]
}

Create a keystore.jwks file under static on the classpath and paste the content above into it. Restrict the file's permissions: it holds the private key that signs every id_token this server issues.

3. Edit application.properties

##
# OIDC
#
# path to the JWKS file holding the signing key
cas.authn.oidc.jwksFile=classpath:/static/keystore.jwks
# issuer URL; clients compare the id_token iss claim and the discovery issuer against this value byte for byte
# (in the discovery document below it expands to https://server.cas.com:8443/cas/oidc/)
cas.authn.oidc.issuer=${cas.server.name}/oidc/
#------------------- dynamic client registration ------------------
cas.authn.oidc.dynamicClientRegistrationMode=OPEN
#------------------- custom scope with user-defined claims ------------------
cas.authn.oidc.userDefinedScopes.hbtvprofiles=id,name,mobile,email,avatar

Two things to check before copying this. OPEN registration mode lets anyone who can reach /oidc/register create a client without presenting any credential; outside a test environment use PROTECTED, which requires an initial access token. And a user-defined scope such as hbtvprofiles is only released to a client whose service definition lists that scope name in its scopes.

4. Create OIDC-1002.json under the services directory

{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "abcd",
  "clientSecret": "xyz",
  "serviceId" : "^(https|http|imaps)://app1.cas.com.*",
  "name": "ODICService",
  "id": 1002,
  "scopes" : [ "java.util.HashSet",
    [ "profile", "email", "address", "phone", "offline_access", "displayName", "eduPerson" ]
  ]
}

The serviceId regex is what CAS matches the client's redirect_uri against, and as written it is looser than it looks: the dots are unescaped, nothing anchors the end, and plain http is accepted, so http://app1.cas.com.attacker.example/ matches it just as well as https://app1.cas.com/callback. Escape the dots, anchor the end with $, and drop http for anything beyond a local test. Note also that scopes does not list the hbtvprofiles scope defined in step 3, so that scope is never released to this client, and that clientSecret is stored here in clear text, so use a long random value rather than xyz.
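What the serviceId pattern above actually accepts, as an added example of mine (not code from the post or from CAS). CAS evaluates serviceId as a Java regex against the client's redirect_uri; Python's re uses the same syntax for these patterns, and re.search models an unanchored Matcher.find(), which is my assumption about how CAS applies it (the tightened pattern is anchored at both ends, so it behaves the same under find() or matches()). The candidate URLs are constructed for the demonstration.

```python
"""Audit the serviceId regex from OIDC-1002.json against constructed redirect_uri values.
Added example, not code from the post or from CAS."""
import re

PAGE_PATTERN = r"^(https|http|imaps)://app1.cas.com.*"   # as written in the service file above
TIGHT_PATTERN = r"^https://app1\.cas\.com(/.*)?$"          # escaped dots, https only, anchored end

# Constructed candidates; only the first two should ever be accepted as a redirect_uri.
CANDIDATES = (
    "https://app1.cas.com/callback",
    "https://app1.cas.com",
    "http://app1.cas.com/callback",                     # plaintext http
    "https://app1.cas.com.attacker.example/callback",   # host suffix slips past the unanchored end
    "https://app1xcasxcom.attacker.example/callback",   # unescaped dots match any character
    "https://app1.cas.com@attacker.example/callback",   # userinfo trick: the real host is attacker.example
)


def allowed(pattern: str, url: str) -> bool:
    """True if a service with this serviceId would accept url as its redirect_uri."""
    return re.search(pattern, url) is not None


def accepted(pattern: str, urls=CANDIDATES) -> list:
    """The subset of urls the pattern lets through, in input order."""
    return [u for u in urls if allowed(pattern, u)]


PAGE_SERVICE = {  # the registration from step 4, secret omitted
    "@class": "org.apereo.cas.services.OidcRegisteredService",
    "clientId": "abcd", "serviceId": PAGE_PATTERN, "name": "ODICService", "id": 1002,
}


def hardened_service(service: dict) -> dict:
    """The same registration with the tightened serviceId; nothing else changes."""
    return {**service, "serviceId": TIGHT_PATTERN}


if __name__ == "__main__":
    for u in CANDIDATES:
        print(f"{u:50} page={allowed(PAGE_PATTERN, u)!s:5} tight={allowed(TIGHT_PATTERN, u)}")
```

When you put the tightened pattern into the JSON service file, each escaped dot is written as \\. because the backslash itself must be escaped in JSON. The tightened pattern also rejects an explicit port (https://app1.cas.com:8443/...); add it to the pattern if the client really listens there.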

5. All OIDC endpoints

6. Testing

Request https://server.cas.com:8443/cas/oidc/.well-known (CAS also serves the standard path /oidc/.well-known/openid-configuration) and the discovery document comes back:

{
    "issuer":"https://server.cas.com:8443/cas/oidc/",
    "scopes_supported":[
        "openid",
        "profile",
        "email",
        "address",
        "phone",
        "offline_access"
    ],
    "response_types_supported":[
        "code",
        "token",
        "id_token token"
    ],
    "subject_types_supported":[
        "public",
        "pairwise"
    ],
    "claim_types_supported":[
        "normal"
    ],
    "claims_supported":[
        "sub",
        "name",
        "preferred_username",
        "family_name",
        "given_name",
        "middle_name",
        "given_name",
        "profile",
        "picture",
        "nickname",
        "website",
        "zoneinfo",
        "locale",
        "updated_at",
        "birthdate",
        "email",
        "email_verified",
        "phone_number",
        "phone_number_verified",
        "address",
        "gender"
    ],
    "grant_types_supported":[
        "authorization_code",
        "password",
        "client_credentials",
        "refresh_token"
    ],
    "id_token_signing_alg_values_supported":[
        "none",
        "RS256"
    ],
    "introspection_endpoint_auth_methods_supported":[
        "client_secret_basic"
    ],
    "jwks_uri":"https://server.cas.com:8443/cas/oidc/jwks",
    "token_endpoint":"https://server.cas.com:8443/cas/oidc/accessToken",
    "authorization_endpoint":"https://server.cas.com:8443/cas/oidc/authorize",
    "userinfo_endpoint":"https://server.cas.com:8443/cas/oidc/profile",
    "registration_endpoint":"https://server.cas.com:8443/cas/oidc/register",
    "end_session_endpoint":"https://server.cas.com:8443/cas/logout",
    "introspection_endpoint":"https://server.cas.com:8443/cas/oidc/introspect",
    "revocation_endpoint":"https://server.cas.com:8443/cas/oidc/revoke"
}

From response_types_supported you can see that, compared with plain OAuth mode, OIDC adds the id_token response types. Three other entries deserve attention before a client is pointed at this server: id_token_signing_alg_values_supported lists none alongside RS256, so a relying party must pin the algorithm it accepts rather than trust the alg header of the token it receives; grant_types_supported includes password (resource owner password credentials) and client_credentials, both of which hand out tokens without the browser flow; and jwks_uri is where clients fetch the public half of the key from step 2, so the key file and the issuer must stay in sync.

6.1. id_token mode (implicit flow)

1. Request the following URL to obtain an id_token:

  https://server.cas.com:8443/cas/oidc/authorize?response_type=id_token token&scope=openid&client_id=abcd&redirect_uri=http://app1.cas.com

  response_type: the response types requested, id_token token, separated by a space (percent-encode it as %20 when sending the request). redirect_uri must match the serviceId pattern of the service registered in step 4. OIDC Core requires a nonce parameter for this flow, and the request above omits it, which is why the token below carries "nonce":""; a real client sends a fresh random nonce (and a state value) and checks the nonce in the id_token it gets back. Because the tokens are returned in the URL fragment, use an https redirect_uri; the plain http one here exposes them on the wire.

The browser is redirected to:

http://app1.cas.com/#access_token=AT-2-C3bFdo7yBqgR0-kfQZn2GTT54BDE-k8I&token_type=bearer&expires_in=28800&refresh_token=RT-2-XRmagsTk9HsVfty-uOo-ffT-mM0bwuWH&id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6ImNhcyJ9.eyJqdGkiOiJUR1QtMS14V1pYUlgwNEpUazdWT3BVQlpGajk2MFBSeGJPT2VpVVRDLWhnSzg1cUdxZm13T3lDLXNHVTV2R3hSRlFYWE1OUnlNYW5nZWwtUEMiLCJpc3MiOiJodHRwczovL3NlcnZlci5jYXMuY29tOjg0NDMvY2FzL29pZGMvIiwiYXVkIjoiYWJjZCIsImV4cCI6MTU5MDQzNTA3NSwiaWF0IjoxNTkwNDA2Mjc1LCJuYmYiOjE1OTA0MDU5NzUsInN1YiI6ImFkbWluIiwiYW1yIjpbIlJlbWVtYmVyTWVVc2VybmFtZVBhc3N3b3JkQ2FwdGNoYUF1dGhlbnRpY2F0aW9uSGFuZGxlciJdLCJzdGF0ZSI6IiIsIm5vbmNlIjoiIiwiYXRfaGFzaCI6IjZ0bkgyejk5SUQ4ZkVIWmhnSHI5aFEiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiJ9.brHP9rswVSNFWLorJnAlGqkU7xrPa9CxR255d8VKJjJMqfjRcDxVKjEGQgztSR-upX2PNFqLG7PZMi1mWbZ86NV_4f3wQ9ywQiB59wE4Qe5W_v0kgEz5wF9gi9oWLExKI9sj2EPeU7L-AKVPz-5oRGl20Vs8_bJOqJaPnBVz1jojTsdBgPW4EcEiKv8tU6FA7KXuC_61kXVCCBj8vCLDIOWZETep8KFN_3tLfJ5CcmzC3MioG7Jmg60YhstsS9W2HZV_faxQFV44HgxnuWV-G4wp4_bhs6GorJqCQCNKjE2r1ZFC6bm3jRHQvRWvDDIoyk79HBrQW-noKk5NA8N_wg

Broken out:

access_token: AT-2-C3bFdo7yBqgR0-kfQZn2GTT54BDE-k8I

refresh_token: RT-2-XRmagsTk9HsVfty-uOo-ffT-mM0bwuWH

id_token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImNhcyJ9.eyJqdGkiOiJUR1QtMS14V1pYUlgwNEpUazdWT3BVQlpGajk2MFBSeGJPT2VpVVRDLWhnSzg1cUdxZm13T3lDLXNHVTV2R3hSRlFYWE1OUnlNYW5nZWwtUEMiLCJpc3MiOiJodHRwczovL3NlcnZlci5jYXMuY29tOjg0NDMvY2FzL29pZGMvIiwiYXVkIjoiYWJjZCIsImV4cCI6MTU5MDQzNTA3NSwiaWF0IjoxNTkwNDA2Mjc1LCJuYmYiOjE1OTA0MDU5NzUsInN1YiI6ImFkbWluIiwiYW1yIjpbIlJlbWVtYmVyTWVVc2VybmFtZVBhc3N3b3JkQ2FwdGNoYUF1dGhlbnRpY2F0aW9uSGFuZGxlciJdLCJzdGF0ZSI6IiIsIm5vbmNlIjoiIiwiYXRfaGFzaCI6IjZ0bkgyejk5SUQ4ZkVIWmhnSHI5aFEiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiJ9.brHP9rswVSNFWLorJnAlGqkU7xrPa9CxR255d8VKJjJMqfjRcDxVKjEGQgztSR-upX2PNFqLG7PZMi1mWbZ86NV_4f3wQ9ywQiB59wE4Qe5W_v0kgEz5wF9gi9oWLExKI9sj2EPeU7L-AKVPz-5oRGl20Vs8_bJOqJaPnBVz1jojTsdBgPW4EcEiKv8tU6FA7KXuC_61kXVCCBj8vCLDIOWZETep8KFN_3tLfJ5CcmzC3MioG7Jmg60YhstsS9W2HZV_faxQFV44HgxnuWV-G4wp4_bhs6GorJqCQCNKjE2r1ZFC6bm3jRHQvRWvDDIoyk79HBrQW-noKk5NA8N_wg

The id_token is a compact JWS. Its header decodes to {"alg":"RS256","kid":"cas"}, the kid naming the key in keystore.jwks, and its payload decodes to:

{"jti":"TGT-1-xWZXRX04JTk7VOpUBZFj960PRxbOOeiUTC-hgK85qGqfmwOyC-sGU5vGxRFQXXMNRyMangel-PC","iss":"https://server.cas.com:8443/cas/oidc/","aud":"abcd","exp":1590435075,"iat":1590406275,"nbf":1590405975,"sub":"admin","amr":["RememberMeUsernamePasswordCaptchaAuthenticationHandler"],"state":"","nonce":"","at_hash":"6tnH2z99ID8fEHZhgHr9hQ","preferred_username":"admin"}

Here jti is the CAS ticket-granting ticket id, exp - iat = 28800 matches expires_in, nbf is iat - 300, and at_hash binds the token to the access_token above (the left 128 bits of its SHA-256, base64url-encoded), which is what lets a client detect an id_token paired with a substituted access_token.

2. Fetch the user's profile with the access token (shown here as a query parameter; CAS also accepts it in an Authorization: Bearer header, which keeps the token out of access logs and Referer headers):

  https://server.cas.com:8443/cas/oidc/profile?access_token=AT-2-C3bFdo7yBqgR0-kfQZn2GTT54BDE-k8I

The response (only sub, auth_time and the CAS attributes come back because the authorize request asked for scope=openid alone; name, email and the other claims require the profile and email scopes, which the service definition permits but this request did not ask for):

{
  "sub" : "admin",
  "auth_time" : 1590406275,
  "attributes" : {
    "credentialType" : "RememberMeUsernamePasswordCaptchaCredential"
  },
  "id" : "admin"
}
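The relying-party side of the flow above, as an added example of my own rather than code from the post or from CAS, in stdlib Python so that every step of RS256 (RFC 8017 PKCS#1 v1.5 with SHA-256) and every claim check is visible. It mints an id_token shaped like the one above using the private JWK from step 2 (which is exactly why a published private key is fatal), strips that JWK down to what jwks_uri should serve, and validates the token the way a client must: alg pinned to RS256 because the discovery document also advertises none, then signature, iss, aud, exp/nbf, nonce, and the at_hash binding to the access_token. The issuer, client_id, kid, key material and access token value come from this page; the nonce, the timestamps and the validation policy are my assumptions.

```python
"""Mint and validate a CAS-style RS256 id_token with the JWK published on this page.
Added example, not code from the post or from CAS; stdlib only (no PyJWT)."""
import base64
import hashlib
import hmac
import json
import time

# The JWK from step 2, private exponent included: whoever holds this can sign for the issuer.
PAGE_JWK = {
    "kty": "RSA", "kid": "cas", "alg": "RS256", "e": "AQAB",
    "n": "uJz8Ys_Px5Ivup5O8QTwIXSBQFlr4wnufgQa7WOL6qxM7KEpWAWArj4u4Aj_Clmj48r-VNTJRctz7IDZNgtsmd3FKNMENaWVhvvzFCbHSghYT44vzy21Ct0GwA5RTLppkACkgiGOEUXedfqVay5eAPS2V-bZD8B9EnDKETOGj0qPjYXKCwOVa-Ik-gLu4XqBU1nbfF3OWl_SY-sPC6JU3rwT0twFh5zRynCfjZiwyFq3yfVcgoKrFQAPLKtfJQTUFsYx2S6iXrd79S4I5NADR5s4_ZDzT8MA-i4x4j6-zCVhrw1DCgFwiLsUF7TPAMBz63xWcEjuR5bwxjX2r6Aqyw",
    "d": "q-It8mn90JhBLAWdBjZMxTlN5fXbxyVGEboMwB1A9hu5-08JyVRGPPTUe-6kVqSjPMGRDraXNw54PiixE-qLEK80lA_0CWbD00vdRFPelQU0A84koUazGwwy7rnl5ARjqJmQkUBgn6BnwXyvhX1ENKui4jCixFG5oWO2H1HT5LAzzI0z5XVhvngdF6hfMBXdIsUQtkFCnjbnLziQxdcOpmYXbqTgclUWdO--8IZ-PkaHlX7JhJ3BhVJH4bdautCaI5yytc4MBqjQHGCcExMIsXSrJmLwocLqTq1jK05cz1P5Ukkd9xvkCDrSv6osS7SUxP1ZS7fy0VLxsViPvbL34Q",
}
ISSUER = "https://server.cas.com:8443/cas/oidc/"   # must equal cas.authn.oidc.issuer exactly
CLIENT_ID = "abcd"                                 # clientId from OIDC-1002.json
PRIVATE_MEMBERS = ("d", "p", "q", "dp", "dq", "qi")


def b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64u_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def jwk_int(s: str) -> int:
    return int.from_bytes(b64u_decode(s), "big")


def public_jwks(*jwks: dict) -> dict:
    """What jwks_uri must serve: the same keys with every private member removed."""
    return {"keys": [{k: v for k, v in j.items() if k not in PRIVATE_MEMBERS} for j in jwks]}


_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 s9.2 note 1


def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rs256_sign(signing_input: bytes, jwk: dict) -> bytes:
    n, d = jwk_int(jwk["n"]), jwk_int(jwk["d"])
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(signing_input, k), "big"), d, n).to_bytes(k, "big")


def rs256_verify(signing_input: bytes, sig: bytes, jwk: dict) -> bool:
    n, e = jwk_int(jwk["n"]), jwk_int(jwk["e"])
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(signing_input, k))


def at_hash(access_token: str) -> str:
    """OIDC Core 3.2.2.10: base64url of the left 128 bits of SHA-256(access_token) for RS256."""
    return b64u_encode(hashlib.sha256(access_token.encode()).digest()[:16])


def mint_id_token(jwk: dict, sub: str, access_token: str, nonce: str, now: int, ttl: int = 28800) -> str:
    """A token shaped like the one CAS returned above (nbf = iat - 300, exp = iat + 28800)."""
    header = {"alg": "RS256", "kid": jwk["kid"]}
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": sub, "iat": now, "nbf": now - 300,
              "exp": now + ttl, "nonce": nonce, "at_hash": at_hash(access_token)}
    parts = [b64u_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    return ".".join(parts + [b64u_encode(rs256_sign(".".join(parts).encode(), jwk))])


def validate_id_token(token: str, jwks: dict, client_id: str, nonce: str, access_token: str, now: int) -> dict:
    """Client-side checks in the order of OIDC Core 3.2.2.11; raises ValueError on the first failure.
    alg is pinned to RS256: the discovery document also lists 'none', and a client that trusts
    the token's own header would accept an unsigned token."""
    try:
        h64, c64, s64 = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    header = json.loads(b64u_decode(h64))
    if header.get("alg") != "RS256":
        raise ValueError("refusing alg %r" % header.get("alg"))
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"), None)
    if key is None:
        raise ValueError("no RSA key with kid %r at jwks_uri" % header.get("kid"))
    if not rs256_verify(f"{h64}.{c64}".encode(), b64u_decode(s64), key):
        raise ValueError("signature does not verify")
    claims = json.loads(b64u_decode(c64))
    if claims.get("iss") != ISSUER:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise ValueError("aud mismatch")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token not valid at this time")
    if not nonce or claims.get("nonce") != nonce:   # the page's token carries nonce "" and fails here
        raise ValueError("missing or mismatched nonce")
    if not hmac.compare_digest(str(claims.get("at_hash", "")).encode(), at_hash(access_token).encode()):
        raise ValueError("at_hash does not bind this access_token")
    return claims


if __name__ == "__main__":
    now = int(time.time())
    at = "AT-2-C3bFdo7yBqgR0-kfQZn2GTT54BDE-k8I"                       # access token shown above
    tok = mint_id_token(PAGE_JWK, "admin", at, "n-0S6_WzA2Mj", now)    # constructed nonce
    print(validate_id_token(tok, public_jwks(PAGE_JWK), CLIENT_ID, "n-0S6_WzA2Mj", at, now))
```

Run as a script it prints the accepted claims. Feed it a token whose payload was swapped, whose header says alg none, whose nonce is empty as in the capture above, or an access_token other than the one the token was minted with, and validate_id_token raises instead of returning; a client that skips any one of those checks accepts a token it should not.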

References:

https://apereo.github.io/cas/5.2.x/installation/OIDC-Authentication.html

https://www.jianshu.com/p/be7cc032a4e9

https://blog.csdn.net/BecauseSy/article/details/80223125

https://www.cnblogs.com/linianhui/p/openid-connect-core.html

https://www.cnblogs.com/linianhui/p/openid-connect-extension.html

Source: https://www.cnblogs.com/lvjinlin/p/18248309
