{"id":1420,"date":"2023-03-21T14:35:46","date_gmt":"2023-03-21T06:35:46","guid":{"rendered":"http:\/\/idaas-doc.cloudentify.com\/docs\/?p=1420"},"modified":"2023-06-01T13:38:21","modified_gmt":"2023-06-01T05:38:21","slug":"oidc","status":"publish","type":"post","link":"https:\/\/idaas-doc.cloudentify.com\/docs\/oidc\/","title":{"rendered":"OIDC"},"content":{"rendered":"\n

\u534f\u8bae\u6982\u8ff0<\/span><\/h3>\n\n\n\n

OIDC\uff08OpenID Connect\uff09\u662f\u4e00\u4e2a\u57fa\u4e8eOAuth 2.0\u534f\u8bae\u7684\u8eab\u4efd\u8ba4\u8bc1\u6807\u51c6\u534f\u8bae\uff0c\u589e\u52a0\u4e86 Id Token\u3002<\/p>\n\n\n\n

\u540d\u8bcd\u89e3\u91ca<\/span><\/h3>\n\n\n\n
    \n
  1. OpenID Provider\uff08OP\uff09: OIDC \u6388\u6743\u670d\u52a1\u5668\uff0c\u8d1f\u8d23\u7b7e\u53d1 ID Token\u3002<\/li>\n\n\n\n
  2. End-User\uff08EU\uff09\uff1a\u7528\u6237\uff0cID Token \u7684\u4fe1\u606f\u4e2d\u4f1a\u5305\u542b\u7ec8\u7aef\u7528\u6237\u7684\u4fe1\u606f\u3002<\/li>\n\n\n\n
  3. ID Token \u7531 OpenID Provider \u9881\u53d1\uff0c\u5305\u542b\u5173\u4e8e\u7ec8\u7aef\u7528\u6237\u7684\u4fe1\u606f\u5b57\u6bb5\u3002<\/li>\n\n\n\n
  4. UserInfo Endpoint\uff1a\u7528\u6237\u4fe1\u606f\u63a5\u53e3\uff0c\u901a\u8fc7 ID Token \u8bbf\u95ee\u65f6\u8fd4\u56de\u7528\u6237\u4fe1\u606f\u3002<\/li>\n\n\n\n
  5. Claims \u6307\u7ec8\u7aef\u7528\u6237\u4fe1\u606f\u5b57\u6bb5\u3002<\/li>\n<\/ol>\n\n\n\n

    \u767b\u5f55\u6d41\u7a0b<\/span><\/h3>\n\n\n\n
      \n
    1. \u7528\u6237\u5c1d\u8bd5\u767b\u5f55\u5e94\u7528\u7cfb\u7edf\u3002<\/li>\n\n\n\n
    2. \u5e94\u7528\u7cfb\u7edf\u53d1\u9001\u8ba4\u8bc1\u8bf7\u6c42\u5230OIDC \u6388\u6743\u670d\u52a1\u5668\u3002<\/li>\n\n\n\n
    3. OIDC \u6388\u6743\u670d\u52a1\u5668\u5bf9\u7528\u6237\u8fdb\u884c\u8ba4\u8bc1\u4e0e\u6388\u6743\u3002<\/li>\n\n\n\n
    4. OIDC \u6388\u6743\u670d\u52a1\u5668\u8fd4\u56de\u8ba4\u8bc1\u4fe1\u606f\uff0c\u5305\u542b ID Token\u3001Access Token\u548cRefresh Token\u3002<\/li>\n\n\n\n
    5. \u5e94\u7528\u7cfb\u7edf\u83b7\u53d6\u8ba4\u8bc1\u4fe1\u606f\u540e\uff0c\u518d\u643a\u5e26Access Token \u53d1\u9001\u8bf7\u6c42\u5230 UserInfo Endpoint\u3002<\/li>\n\n\n\n
    6. UserInfo Endpoint \u8fd4\u56de End-User \u7684 Claims\u3002<\/li>\n\n\n\n
    7. \u5e94\u7528\u7cfb\u7edf\u9a8c\u8bc1End-User\u4fe1\u606f\u662f\u5426\u6709\u6548\uff0c\u6709\u6548\u5219\u767b\u5f55\u6210\u529f\uff0c\u53cd\u4e4b\u5931\u8d25\u3002<\/li>\n<\/ol>\n\n\n\n

      \u5f00\u53d1\u8be6\u60c5<\/span><\/h3>\n\n\n\n

      \u5f00\u53d1\u8be6\u60c5\u4ee5\u6388\u6743\u7801\u6a21\u5f0f\u4e3a\u4f8b\u3002
      \u5e94\u7528\u7cfb\u7edf\u53ef\u4ee5\u901a\u8fc7\u6b64\u63a5\u53e3\u83b7\u53d6 OIDC \u6388\u6743\u670d\u52a1\u5668\u7684\u57fa\u672c\u914d\u7f6e\u4fe1\u606f\u3002<\/p>\n\n\n\n

      HTTP Method\uff1aGET\nhttps:\/\/demo.cloudentify.com\/api\/oauth\/oidc\/{appkey}\/.well-known\/openid-configuration<\/code>              <\/pre>\n\n\n\n
      \u8fd4\u56de\u793a\u4f8b\uff1a<\/p>\n\n\n\n
      {\n    \"issuer\" : \"https:\/\/test.cloudentify.com\",\n    \"authorization_endpoint\" : \"https:\/\/test.cloudentify.com\/api\/oauth\/authorize\",\n    \"token_endpoint\" : \"https:\/\/test.cloudentify.com\/api\/oauth\/token\",\n    \"token_endpoint_auth_methods_supported\" : [ \"client_secret_basic\"],\n    \"jwks_uri\" : \"https:\/\/test.cloudentify.com\/api\/oauth\/oidc\/{appkey}\/.well-known\/jwks.json\",\n    \"response_types_supported\" : [ \"code\" ],\n    \"grant_types_supported\" : [ \"authorization_code\", \"refresh_token\" ],\n    \"subject_types_supported\" : [ \"public\" ],\n    \"id_token_signing_alg_values_supported\" : [ \"RS256\" ],\n    \"scopes_supported\" : [ \"openid\",\"username\",\"email\",\"phone\",\"address\",\"profile\",\"offline_access\"]\n}<\/code>         <\/pre>\n\n\n\n
      \u6b65\u9aa41\uff1a<\/p>\n\n\n\n
        \n
      • \u83b7\u53d6\u7528\u6237\u6388\u6743\uff0c\u5982\u679c\u7528\u6237\u672a\u767b\u5f55\u7cfb\u7edf\uff0c\u5219\u8981\u6c42\u7528\u6237\u8fdb\u884c\u8eab\u4efd\u8ba4\u8bc1\uff08\u8df3\u8f6c\u81f3\u6388\u6743\u670d\u52a1\u5668\u8fdb\u884c\u8ba4\u8bc1\uff09\uff0c\u5e94\u7528\u53d1\u8d77\u91cd\u5b9a\u5411\u81f3\u6388\u6743\u670d\u52a1\u5668\u7684\u4ee5\u4e0b\u5730\u5740\u3002\u63a5\u53e3\u652f\u6301 PKCE \u6a21\u5f0f\uff0c\u5982\u9700\u8fdb\u884c PKCE \u6a21\u5f0f\u7684\u6821\u9a8c\uff0c\u53ef\u4f20\u5165\u76f8\u5e94\u7684\u53c2\u6570\u3002<\/li>\n<\/ul>\n\n\n\n
        HTTP Method\uff1aGET\nhttps://demo.cloudentify.com\/api\/oauth\/authorize<\/code><\/pre>\n\n\n\n
        \u8bf7\u6c42\u53c2\u6570\uff1a<\/p>\n\n\n\n
          \n
        • client_id\uff1a\u5fc5\u586b\uff0c\u5ba2\u6237\u7aef ID\uff0c\u4ece\u7ba1\u7406\u5e73\u53f0-\u5e94\u7528\u7ba1\u7406-\u4f01\u4e1a\u5e94\u7528\u5217\u8868\u7684App ID\u5904\u83b7\u53d6\uff1b<\/li>\n\n\n\n
        • response_type\uff1a\u5fc5\u586b\uff0c\u56fa\u5b9a\u503c\u201ccode\u201d\uff1b<\/li>\n\n\n\n
        • redirect_uri\uff1a\u5fc5\u586b\uff0c\u6388\u6743\u6210\u529f\u540e\u7684\u91cd\u5b9a\u5411\u5730\u5740\uff1b<\/li>\n\n\n\n
        • state\uff1a\u975e\u5fc5\u586b\uff0c\u5e94\u7528\u7cfb\u7edf\u63d0\u4f9b\u7684\u4e00\u4e2a\u968f\u673a\u5b57\u7b26\u4e32\uff0c\u670d\u52a1\u5668\u4f1a\u539f\u6837\u91cd\u5b9a\u5411\u7ed9\u5e94\u7528\u7cfb\u7edf\uff0c\u9632\u6b62 CSRF\u3001XSRF\uff1b<\/li>\n\n\n\n
        • scope\uff1a\u5fc5\u586b\uff0c\u53c2\u6570\u503c\u5e94\u4ee5 openid \u5f00\u5934\uff1b<\/li>\n\n\n\n
        • code_challenge_method\uff1a\u975e\u5fc5\u586b\uff0cPKCE \u6a21\u5f0f\u7684\u5fc5\u8981\u53c2\u6570\uff0c\u5373 code_challenge \u503c\u7684\u8ba1\u7b97\u65b9\u6cd5\uff0c\u76ee\u524d\u4ec5\u652f\u6301 SHA256\uff1b<\/li>\n\n\n\n
        • code_challenge\uff1a\u975e\u5fc5\u586b\uff0cPKCE \u6a21\u5f0f\u7684\u5fc5\u8981\u53c2\u6570\uff0c\u8ba1\u7b97\u65b9\u5f0f\uff1acode_challenge = code_challenge_method(code_verifier)\u3002code_verifier \u4e3a\u6821\u9a8c\u7801\u539f\u6587\uff0c\u5e94\u7528\u7cfb\u7edf\u9700\u8981\u81ea\u884c\u4fdd\u5b58code_verifier\uff0c\u5e76\u5728\u83b7\u53d6\u6388\u6743\u4ee4\u724c\u7684\u8bf7\u6c42\u4e2d\u5e26\u4e0a\uff0c\u7528\u4f5c\u9a8c\u8bc1\uff0ccode_challenge_method\u4f7f\u7528SHA256\u3002<\/li>\n<\/ul>\n\n\n\n
          \u8bf7\u6c42\u793a\u4f8b\uff1a<\/p>\n\n\n\n
          https://demo.cloudentify.com\/api\/oauth\/authorize?client_id=EFTDBB&response_type=code&redirect_uri=http%3A%2F%2Fwww.test.com&scope=openid%20phone%20profile%20offline_access%20email&code_challenge_method=S256&code_challenge=FWOeBX6Qw_krhUE2M0lOIH3jcxaZzfs5J4jtai5hOX4&state=123456<\/code><\/pre>\n\n\n\n
            \n
          • \u6388\u6743\u670d\u52a1\u5668\u8fdb\u884c\u8ba4\u8bc1\u540e\uff0c\u5c06\u901a\u8fc7redirect_uri\u4f20\u5165\u7684\u91cd\u5b9a\u5411\u5730\u5740\uff0c\u5411\u5e94\u7528\u4e0b\u53d1\u6388\u6743\u7801\u3002<\/li>\n<\/ul>\n\n\n\n
            HTTP Method\uff1aGET\nhttp://www.test.com?code=b9eb0dc233&state=123456<\/code><\/pre>\n\n\n\n
            \u6b65\u9aa42\uff1a<\/p>\n\n\n\n
              \n
            • \u5e94\u7528\u83b7\u53d6\u5230\u6388\u6743\u7801\u540e\uff0c\u4f7f\u7528\u6388\u6743\u7801\u6362\u53d6\u8bbf\u95ee\u4ee4\u724c\u3002<\/li>\n<\/ul>\n\n\n\n
              HTTP Method\uff1aPOST\nhttps://demo.cloudentify.com\/api\/oauth\/token<\/code><\/pre>\n\n\n\n
              \u8bf7\u6c42\u53c2\u6570\uff1a<\/p>\n\n\n\n