我们正在尝试将Keycloak评估为SSO解决方案,它在许多方面看起来都不错,但是很痛苦地缺少基础文档。
对于在http://localhost:8080/领域上安装的给定Keycloak test,OAuth2授权端点,OAuth2令牌端点和OpenID Connect UserInfo端点是什么?
我们对使用Keycloak自己的客户端库不感兴趣,我们想使用标准的OAuth2 / OpenID Connect客户端库,因为使用keycloak服务器的客户端应用程序将以多种语言编写(PHP,Ruby,Node,Java,C# ,角度)。因此,使用Keycloak客户端的示例对我们没有用。
Answers:
对于Keycloak 1.2,可以通过url检索上述信息
http:// keycloakhost:keycloakport / auth / realms / {realm} /。well-known / openid-configuration
例如,如果领域名称是demo:
http:// keycloakhost:keycloakport / auth / realms / demo / .well-known / openid-configuration
网址上方的示例输出:
{
"issuer": "http://localhost:8080/auth/realms/demo",
"authorization_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth",
"token_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token",
"userinfo_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/userinfo",
"end_session_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout",
"jwks_uri": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/certs",
"grant_types_supported": [
"authorization_code",
"refresh_token",
"password"
],
"response_types_supported": [
"code"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"response_modes_supported": [
"query"
]
}
在https://issues.jboss.org/browse/KEYCLOAK-571中找到了信息
注意:您可能需要将客户端添加到“有效重定向URI”列表中
在1.9.3.Final版本中,Keycloak具有许多可用的OpenID端点。这些可以在找到/auth/realms/{realm}/.well-known/openid-configuration。假设您的领域名为demo,则该端点将产生与此类似的JSON响应。
{
"issuer": "http://localhost:8080/auth/realms/demo",
"authorization_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth",
"token_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token",
"token_introspection_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/userinfo",
"end_session_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout",
"jwks_uri": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/certs",
"grant_types_supported": [
"authorization_code",
"implicit",
"refresh_token",
"password",
"client_credentials"
],
"response_types_supported": [
"code",
"none",
"id_token",
"token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"response_modes_supported": [
"query",
"fragment",
"form_post"
],
"registration_endpoint": "http://localhost:8080/auth/realms/demo/clients-registrations/openid-connect"
}
据我所知,这些端点实现了Oauth 2.0规范。
实际链接到.well-know您的领域设置的第一个选项卡上-但链接看起来不像链接,而是作为文本框的值...不良的ui设计。
Realm的“常规”选项卡的屏幕截图
经过大量挖掘之后,我们能够或多或少地抓取信息(主要来自Keycloak自己的JS客户端库):
/auth/realms/{realm}/tokens/login/auth/realms/{realm}/tokens/access/codes至于OpenID Connect UserInfo,目前(1.1.0.Final)Keycloak尚未实现此终结点,因此它不完全符合OpenID Connect。但是,已经有一个补丁程序添加了此文件,此文件应包含在1.2.x中。
但是-具有讽刺意味的是,Keycloak确实将id_tokenin与访问令牌一起发送回。无论是id_token与access_token被签署JWTs,以及令牌的键ID连接的密钥,即:
"iss": "{realm}"
"sub": "5bf30443-0cf7-4d31-b204-efd11a432659"
"name": "Amir Abiri"
"email: "..."
因此,尽管Keycloak 1.1.x不完全符合OpenID Connect,但它会以OpenID Connect语言“讲话”。
在1.9.0版中,所有端点的json位于地址/ auth / realms / {realm}
密钥斗篷版本:4.6.0
FQDN / auth / realms / {realm_name} /。众所周知/ openid配置
您将在此处看到所有内容,此外,如果身份提供者也是Keycloak,则提供此URL将为其他身份提供者(如果他们已经支持并且已经处理过)也设置了所有内容
以下链接提供描述有关Keycloak的元数据的JSON文档
/auth/realms/{realm-name}/.well-known/openid-configuration
以下是Keycloak 6.0.1针对master领域报告的信息
{
"issuer":"http://localhost:8080/auth/realms/master",
"authorization_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/auth",
"token_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token",
"token_introspection_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token/introspect",
"userinfo_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/userinfo",
"end_session_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/logout",
"jwks_uri":"http://localhost:8080/auth/realms/master/protocol/openid-connect/certs",
"check_session_iframe":"http://localhost:8080/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
"grant_types_supported":[
"authorization_code",
"implicit",
"refresh_token",
"password",
"client_credentials"
],
"response_types_supported":[
"code",
"none",
"id_token",
"token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"subject_types_supported":[
"public",
"pairwise"
],
"id_token_signing_alg_values_supported":[
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"userinfo_signing_alg_values_supported":[
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512",
"none"
],
"request_object_signing_alg_values_supported":[
"PS384",
"ES384",
"RS384",
"ES256",
"RS256",
"ES512",
"PS256",
"PS512",
"RS512",
"none"
],
"response_modes_supported":[
"query",
"fragment",
"form_post"
],
"registration_endpoint":"http://localhost:8080/auth/realms/master/clients-registrations/openid-connect",
"token_endpoint_auth_methods_supported":[
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"client_secret_jwt"
],
"token_endpoint_auth_signing_alg_values_supported":[
"RS256"
],
"claims_supported":[
"aud",
"sub",
"iss",
"auth_time",
"name",
"given_name",
"family_name",
"preferred_username",
"email"
],
"claim_types_supported":[
"normal"
],
"claims_parameter_supported":false,
"scopes_supported":[
"openid",
"address",
"email",
"microprofile-jwt",
"offline_access",
"phone",
"profile",
"roles",
"web-origins"
],
"request_parameter_supported":true,
"request_uri_parameter_supported":true,
"code_challenge_methods_supported":[
"plain",
"S256"
],
"tls_client_certificate_bound_access_tokens":true,
"introspection_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token/introspect"
}