什么是Keycloak的OAuth2/OpenID Connect端点？

Question

我们正在尝试将Keycloak评估为SSO解决方案,并且它在许多方面看起来都很好,但是文档在基础知识方面却很缺乏.

对于一个给定Keycloak安装http://localhost:8080/的境界test,有什么的OAuth2授权端点,OAuth2用户令牌端点和ID连接的UserInfo终点？

我们对使用Keycloak自己的客户端库不感兴趣,我们希望使用标准的OAuth2/OpenID Connect客户端库,因为使用keycloak服务器的客户端应用程序将使用多种语言编写(PHP,Ruby,Node,Java,C# ,Angular).因此,使用Keycloak客户端的示例对我们来说并不适用.

Answer 1

对于Keycloak 1.2,可以通过URL检索上述信息

http:// keycloakhost:keycloakport/auth/realms / {realm} /.熟知/ openid-configuration

例如,如果领域是演示,

HTTP:// keycloakhost:keycloakport/AUTH /领域/演示/.好知/ OpenID的配置

以上网址的示例输出,

{"issuer":" http:// localhost:8080/auth/realms/demo ","authorization_endpoint":" http:// localhost:8080/auth/realms/demo/protocol/openid-connect/auth "," token_endpoint":" http:// localhost:8080/auth/realms/demo/protocol/openid-connect/token ","userinfo_endpoint":" http:// localhost:8080/auth/realms/demo/protocol/openid- connect/userinfo ","end_session_endpoint":" http:// localhost:8080/auth/realms/demo/protocol/openid-connect/logout ","jwks_uri":" http:// localhost:8080/auth/realms/demo/protocol/openid-connect/certs ","grant_types_supported":["authorization_code","refresh_token","password"],"response_types_supported":["code"],"subject_types_supported":["public"]," id_token_signing_alg_values_supported ":[" RS256 "]," response_modes_supported ":["查询"]}

在https://issues.jboss.org/browse/KEYCLOAK-571上找到了相关信息

注意:您可能需要将客户端添加到"有效重定向URI"列表中

Answer 2

我目前正在试验 Keycloak 18.0.0，我发现“/auth”部分已从 OIDC 发现 URL 中删除：

https://{keycloakhost}:{keycloakport}/realms/{realm}/.well-known/openid-configuration

这将返回一个包含端点的 JSON 数据结构：

https://{keycloakhost}:{keycloakport}/realms/{realm}/.well-known/openid-configuration

Answer 3

对于1.9.3.Final版本,Keycloak提供了许多OpenID端点.这些可以在/auth/realms/{realm}/.well-known/openid-configuration.假设您的领域已命名demo,该端点将生成类似于此的JSON响应.

{
  "issuer": "http://localhost:8080/auth/realms/demo",
  "authorization_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth",
  "token_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token",
  "token_introspection_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/userinfo",
  "end_session_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout",
  "jwks_uri": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/certs",
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "refresh_token",
    "password",
    "client_credentials"
  ],
  "response_types_supported": [
    "code",
    "none",
    "id_token",
    "token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "registration_endpoint": "http://localhost:8080/auth/realms/demo/clients-registrations/openid-connect"
}

据我所知,这些端点实现了Oauth 2.0规范.

Answer 4

长话短说：

KC 低于 18.0.0：https://${hostname}/auth/realms/${realm}/.well-known/openid-configuration

KC 18.0.0及更高版本：https://${hostname}/realms/${realm}/.well-known/openid-configuration

更深入的解释。符合openid-connect标准

4. 获取OpenID提供商配置信息

使用发现的发行者位置(...) 可以检索 OpenID 提供商的配置信息。

支持 Discovery 的 OpenID 提供商必须在通过将字符串 /.well-known/openid-configuration 连接到 Issuer 形成的路径上提供 JSON 文档。(..)

所以根据标准，端点是 on ${issuer_url}/.well-known/openid-configuration。

对于 18.0.0 之前的 Keycloak 版本：

发行者是https://${host}:${port}/auth/realms/${realm}/这样的 openid 配置：

https://${host}:${port}/auth/realms/${realm}/.well-known/openid-configuration

或者通过用户界面：

1. 转到您的领域，然后领域设置：

然后单击 OpenID 端点配置。

对于 Keycloak 版本 18.0.0 及更高版本（身份验证已删除）

发行者是https://${host}:${port}/realms/${realm}/这样的 openid 配置：

https://${host}:${port}/realms/${realm}/.well-known/openid-configuration

1. 转到您的领域，然后领域设置：

然后单击 OpenID 端点配置。

Answer 5

经过深入挖掘后,我们能够或多或少地获取信息(主要来自Keycloak自己的JS客户端库):

• 授权端点: /auth/realms/{realm}/tokens/login
• 令牌端点: /auth/realms/{realm}/tokens/access/codes

至于OpenID Connect UserInfo,现在(1.1.0.Final)Keycloak没有实现此端点,因此它不完全符合OpenID Connect标准.但是,已经有一个补丁补充说,在撰写本文时应该包含在1.2.x中.

但是 - 具有讽刺意味的是,Keycloak会将id_token访问令牌一起发回.无论是id_token与access_token被签署JWTs,以及令牌的键ID连接的密钥,即:

"iss":  "{realm}"
"sub":  "5bf30443-0cf7-4d31-b204-efd11a432659"
"name": "Amir Abiri"
"email: "..."

因此,虽然Keycloak 1.1.x不完全符合OpenID Connect标准,但它确实以OpenID Connect语言"说话".

Answer 6

实际链接到.well-know您的领域设置的第一个选项卡上-但链接看起来不像链接，而是作为文本框的值...不良的ui设计。 Realm的“常规”选项卡的屏幕截图

Answer 7

您还可以通过进入 Admin Console -> Realm Settings -> 单击 Endpoints 字段上的超链接来查看此信息。

Answer 8

选项 1：<Keycloak_Host>/realms//.well-known/openid-configuration

选项 2：转到您的领域，然后进入领域设置

Answer 9

在版本1.9.0中,所有端点的json都在地址/ auth/realms/{realm}

• 授权端点:/auth/realms/{realm}/account
• 令牌端点:/auth/realms/{realm}/protocol/openid-connect

Answer 10

以下链接提供了描述有关 Keycloak 的元数据的 JSON 文档

/auth/realms/{realm-name}/.well-known/openid-configuration

Keycloak 6.0.1 针对master领域报告了以下信息

{  
   "issuer":"http://localhost:8080/auth/realms/master",
   "authorization_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/auth",
   "token_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token",
   "token_introspection_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token/introspect",
   "userinfo_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/userinfo",
   "end_session_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/logout",
   "jwks_uri":"http://localhost:8080/auth/realms/master/protocol/openid-connect/certs",
   "check_session_iframe":"http://localhost:8080/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
   "grant_types_supported":[  
      "authorization_code",
      "implicit",
      "refresh_token",
      "password",
      "client_credentials"
   ],
   "response_types_supported":[  
      "code",
      "none",
      "id_token",
      "token",
      "id_token token",
      "code id_token",
      "code token",
      "code id_token token"
   ],
   "subject_types_supported":[  
      "public",
      "pairwise"
   ],
   "id_token_signing_alg_values_supported":[  
      "PS384",
      "ES384",
      "RS384",
      "HS256",
      "HS512",
      "ES256",
      "RS256",
      "HS384",
      "ES512",
      "PS256",
      "PS512",
      "RS512"
   ],
   "userinfo_signing_alg_values_supported":[  
      "PS384",
      "ES384",
      "RS384",
      "HS256",
      "HS512",
      "ES256",
      "RS256",
      "HS384",
      "ES512",
      "PS256",
      "PS512",
      "RS512",
      "none"
   ],
   "request_object_signing_alg_values_supported":[  
      "PS384",
      "ES384",
      "RS384",
      "ES256",
      "RS256",
      "ES512",
      "PS256",
      "PS512",
      "RS512",
      "none"
   ],
   "response_modes_supported":[  
      "query",
      "fragment",
      "form_post"
   ],
   "registration_endpoint":"http://localhost:8080/auth/realms/master/clients-registrations/openid-connect",
   "token_endpoint_auth_methods_supported":[  
      "private_key_jwt",
      "client_secret_basic",
      "client_secret_post",
      "client_secret_jwt"
   ],
   "token_endpoint_auth_signing_alg_values_supported":[  
      "RS256"
   ],
   "claims_supported":[  
      "aud",
      "sub",
      "iss",
      "auth_time",
      "name",
      "given_name",
      "family_name",
      "preferred_username",
      "email"
   ],
   "claim_types_supported":[  
      "normal"
   ],
   "claims_parameter_supported":false,
   "scopes_supported":[  
      "openid",
      "address",
      "email",
      "microprofile-jwt",
      "offline_access",
      "phone",
      "profile",
      "roles",
      "web-origins"
   ],
   "request_parameter_supported":true,
   "request_uri_parameter_supported":true,
   "code_challenge_methods_supported":[  
      "plain",
      "S256"
   ],
   "tls_client_certificate_bound_access_tokens":true,
   "introspection_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token/introspect"
}