143

We are trying to evaluate Keycloak as an SSO solution, and it looks good in many respects, but the documentation is painfully lacking on the basics.

For a given Keycloak installation on http://localhost:8080/ for the realm test, what are the:

  • OAuth2 Authorization Endpoint
  • OAuth2 Token Endpoint
  • OpenID Connect UserInfo Endpoint

We are not interested in using Keycloak's own client library; we want to use standard OAuth2 / OpenID Connect client libraries, as the client applications using the Keycloak server will be written in a variety of languages (PHP, Ruby, Node, Java, C#, Angular). Examples that use the Keycloak client are therefore of no use to us.

4

9 Answers

196

For Keycloak 1.2, the above information can be retrieved via the URL

http://keycloakhost:keycloakport/auth/realms/{realm}/.well-known/openid-configuration

For example, if the realm name is demo:

http://keycloakhost:keycloakport/auth/realms/demo/.well-known/openid-configuration

Sample output from the above URL:

{
    "issuer": "http://localhost:8080/auth/realms/demo",
    "authorization_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token",
    "userinfo_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/userinfo",
    "end_session_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout",
    "jwks_uri": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/certs",
    "grant_types_supported": [
        "authorization_code",
        "refresh_token",
        "password"
    ],
    "response_types_supported": [
        "code"
    ],
    "subject_types_supported": [
        "public"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "response_modes_supported": [
        "query"
    ]
}

Found the information at https://issues.jboss.org/browse/KEYCLOAK-571

Note: you may need to add your client to the list of Valid Redirect URIs.

answered 2015-05-26T04:31:07.833
22

Actually, the link to .well-known is on the first tab of your realm settings - but the link doesn't look like a link, it is shown as the value of a text box... poor UI design. [Screenshot of the realm's General tab]

answered 2019-01-18T19:04:42.487
21

In version 1.9.3.Final, Keycloak has a number of OpenID endpoints available. These can be found at /auth/realms/{realm}/.well-known/openid-configuration. Assuming your realm is named demo, that endpoint will produce a JSON response similar to this.

{
  "issuer": "http://localhost:8080/auth/realms/demo",
  "authorization_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth",
  "token_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token",
  "token_introspection_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/userinfo",
  "end_session_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout",
  "jwks_uri": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/certs",
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "refresh_token",
    "password",
    "client_credentials"
  ],
  "response_types_supported": [
    "code",
    "none",
    "id_token",
    "token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "registration_endpoint": "http://localhost:8080/auth/realms/demo/clients-registrations/openid-connect"
}

As far as I have found, these endpoints implement the OAuth 2.0 specification.

answered 2016-05-03T15:14:35.007
16

After a lot of digging we were able to scrape the information more or less (mostly from Keycloak's own JS client library):

  • Authorization endpoint: /auth/realms/{realm}/tokens/login
  • Token endpoint: /auth/realms/{realm}/tokens/access/codes

As for OpenID Connect UserInfo, right now (1.1.0.Final) Keycloak does not implement this endpoint, so it is not fully OpenID Connect compliant. However, there is already a patch that adds it, which at the time of writing should be included in 1.2.x.

But - ironically - Keycloak does send back an id_token along with the access token. Both the id_token and the access_token are signed JWTs, and the keys in the token are OpenID Connect's keys, i.e.:

"iss":  "{realm}"
"sub":  "5bf30443-0cf7-4d31-b204-efd11a432659"
"name": "Amir Abiri"
"email": "..."

So while Keycloak 1.1.x is not fully OpenID Connect compliant, it does "speak" the OpenID Connect language.

answered 2015-02-23T12:14:51.100
13

You can also view this information by going to Admin Console -> Realm Settings -> and clicking the hyperlink in the Endpoints field.

answered 2020-05-02T17:16:53.690
7

In version 1.9.0 the JSON with all endpoints is at the address /auth/realms/{realm}

  • Authorization endpoint: /auth/realms/{realm}/account
  • Token endpoint: /auth/realms/{realm}/protocol/openid-connect

answered 2016-04-09T23:05:29.353
3

Keycloak version: 4.6.0

  • TokenUrl: [domain]/auth/realms/{REALM_NAME}/protocol/openid-connect/token
  • AuthUrl: [domain]/auth/realms/{REALM_NAME}/protocol/openid-connect/auth

answered 2018-12-07T17:48:03.630
3

The following link provides a JSON document describing the Keycloak metadata:

/auth/realms/{realm-name}/.well-known/openid-configuration

The following information was reported by Keycloak 6.0.1 for the master realm:

{  
   "issuer":"http://localhost:8080/auth/realms/master",
   "authorization_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/auth",
   "token_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token",
   "token_introspection_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token/introspect",
   "userinfo_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/userinfo",
   "end_session_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/logout",
   "jwks_uri":"http://localhost:8080/auth/realms/master/protocol/openid-connect/certs",
   "check_session_iframe":"http://localhost:8080/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
   "grant_types_supported":[  
      "authorization_code",
      "implicit",
      "refresh_token",
      "password",
      "client_credentials"
   ],
   "response_types_supported":[  
      "code",
      "none",
      "id_token",
      "token",
      "id_token token",
      "code id_token",
      "code token",
      "code id_token token"
   ],
   "subject_types_supported":[  
      "public",
      "pairwise"
   ],
   "id_token_signing_alg_values_supported":[  
      "PS384",
      "ES384",
      "RS384",
      "HS256",
      "HS512",
      "ES256",
      "RS256",
      "HS384",
      "ES512",
      "PS256",
      "PS512",
      "RS512"
   ],
   "userinfo_signing_alg_values_supported":[  
      "PS384",
      "ES384",
      "RS384",
      "HS256",
      "HS512",
      "ES256",
      "RS256",
      "HS384",
      "ES512",
      "PS256",
      "PS512",
      "RS512",
      "none"
   ],
   "request_object_signing_alg_values_supported":[  
      "PS384",
      "ES384",
      "RS384",
      "ES256",
      "RS256",
      "ES512",
      "PS256",
      "PS512",
      "RS512",
      "none"
   ],
   "response_modes_supported":[  
      "query",
      "fragment",
      "form_post"
   ],
   "registration_endpoint":"http://localhost:8080/auth/realms/master/clients-registrations/openid-connect",
   "token_endpoint_auth_methods_supported":[  
      "private_key_jwt",
      "client_secret_basic",
      "client_secret_post",
      "client_secret_jwt"
   ],
   "token_endpoint_auth_signing_alg_values_supported":[  
      "RS256"
   ],
   "claims_supported":[  
      "aud",
      "sub",
      "iss",
      "auth_time",
      "name",
      "given_name",
      "family_name",
      "preferred_username",
      "email"
   ],
   "claim_types_supported":[  
      "normal"
   ],
   "claims_parameter_supported":false,
   "scopes_supported":[  
      "openid",
      "address",
      "email",
      "microprofile-jwt",
      "offline_access",
      "phone",
      "profile",
      "roles",
      "web-origins"
   ],
   "request_parameter_supported":true,
   "request_uri_parameter_supported":true,
   "code_challenge_methods_supported":[  
      "plain",
      "S256"
   ],
   "tls_client_certificate_bound_access_tokens":true,
   "introspection_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token/introspect"
}

answered 2019-06-07T00:20:46.133
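As an added example (not code from the original answers or from the Keycloak project), here is how a standard-library client would consume the discovery document shown in the first answer and in the 6.0.1 output above: build the well-known URL for a realm, check that the issuer and endpoints actually belong to the realm that was asked for, keep only asymmetric ID-token algorithms, and start an authorization-code request with PKCE S256, which that document advertises. The discovery JSON is a constructed sample trimmed from the output above; client_id, redirect_uri and state values are placeholders.

```python
import hashlib
import json
import secrets
from base64 import urlsafe_b64encode
from urllib.parse import urlencode
# Constructed sample, trimmed from the Keycloak 6.0.1 "master" output in the answer above.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "http://localhost:8080/auth/realms/master",
    "authorization_endpoint": "http://localhost:8080/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "http://localhost:8080/auth/realms/master/protocol/openid-connect/token",
    "userinfo_endpoint": "http://localhost:8080/auth/realms/master/protocol/openid-connect/userinfo",
    "jwks_uri": "http://localhost:8080/auth/realms/master/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256", "HS256", "ES256"],
    "code_challenge_methods_supported": ["plain", "S256"],
})

def discovery_url(base_url, realm):
    """Well-known URL for a realm, as given in the answers above."""
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/.well-known/openid-configuration"

def load_endpoints(base_url, realm, document):
    """Parse the discovery JSON; refuse it if issuer or endpoints are not the requested realm."""
    cfg = json.loads(document)
    issuer = f"{base_url.rstrip('/')}/auth/realms/{realm}"
    if cfg.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: {cfg.get('issuer')!r} != {issuer!r}")
    keys = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")
    endpoints = {k: cfg[k] for k in keys}
    for k, url in endpoints.items():
        if not url.startswith(issuer + "/"):
            raise ValueError(f"{k} {url!r} is outside issuer {issuer!r}")
    # Pin asymmetric algorithms only: never accept "none", and do not let a server-
    # advertised HS* algorithm turn the client secret into a verification key.
    endpoints["id_token_algs"] = [a for a in cfg["id_token_signing_alg_values_supported"]
                                  if a[:2] in ("RS", "ES", "PS")]
    # Prefer S256; "plain" sends the verifier itself in the authorization request.
    endpoints["pkce"] = "S256" if "S256" in cfg.get("code_challenge_methods_supported", []) else None
    return endpoints

def pkce_pair():
    """RFC 7636 code_verifier and its S256 code_challenge (base64url, unpadded)."""
    verifier = urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

def authorize_url(endpoints, client_id, redirect_uri, state, challenge):
    """Authorization-code request on the discovered endpoint; state is a per-request CSRF nonce."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid", "state": state, "code_challenge": challenge, "code_challenge_method": "S256"}
    return endpoints["authorization_endpoint"] + "?" + urlencode(params)
```

In a real client the document is fetched over TLS from discovery_url() and the ID token is then verified against jwks_uri using only the algorithms left in id_token_algs.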
2

FQDN/auth/realms/{realm_name}/.well-known/openid-configuration

You will see everything there; plus, if the identity provider is also Keycloak, providing this URL will set up everything for the other identity provider (if they support it and have it handled).

answered 2018-04-11T22:04:32.153