
Keycloak does support back-channel logout, but does it conform to the OpenID Connect Back-Channel Logout draft specification? https://openid.net/specs/openid-connect-backchannel-1_0.html


2 Answers


OpenID Connect Back-Channel Logout was implemented in Keycloak 12.0, released in December 2020.

Earlier versions only implemented a different, proprietary mechanism.

Answered 2021-02-17T11:34:31.007

Here is the Keycloak Jira issue on this topic. Go vote for it!

After checking the specification and Keycloak's implementation, I have to say it does not conform to the spec. For example, here is the difference in the required Logout Token format that the OP should send to the RP:

2.4. Logout Token

OPs send a JWT similar to an ID Token to RPs called a Logout Token to request that they log out. ID Tokens are defined in Section 2 of [OpenID.Core].

The following Claims are used within the Logout Token:

iss
    REQUIRED. Issuer Identifier, as specified in Section 2 of [OpenID.Core]. 
sub
    OPTIONAL. Subject Identifier, as specified in Section 2 of [OpenID.Core]. 
aud
    REQUIRED. Audience(s), as specified in Section 2 of [OpenID.Core]. 
iat
    REQUIRED. Issued at time, as specified in Section 2 of [OpenID.Core]. 
jti
    REQUIRED. Unique identifier for the token, as specified in Section 9 of [OpenID.Core]. 
events
    REQUIRED. Claim whose value is a JSON object containing the member name http://schemas.openid.net/event/backchannel-logout. This declares that the JWT is a Logout Token. The corresponding member value MUST be a JSON object and SHOULD be the empty JSON object {}. 
sid
    OPTIONAL. Session ID - String identifier for a Session. This represents a Session of a User Agent or device for a logged-in End-User at an RP. Different sid values are used to identify distinct sessions at an OP. The sid value need only be unique in the context of a particular issuer. Its contents are opaque to the RP. Its syntax is the same as an OAuth 2.0 Client Identifier. 

A Logout Token MUST contain either a sub or a sid Claim, and MAY contain both. If a sid Claim is not present, the intent is that all sessions at the RP for the End-User identified by the iss and sub Claims be logged out.

This is what Keycloak sends in its current version (8.0.1):

{
  "id": "3536c4c4-fa51-4691-bc09-d229df83f774-1579360301277",
  "expiration": 1579360331,
  "resource": "resource-server-1",
  "action": "LOGOUT",
  "adapterSessionIds": [
    "6569208C4937FD9C6E138C9DD9CF7C6F"
  ],
  "notBefore": 0,
  "keycloakSessionIds": [
    "ca8060fd-48e9-4d26-b2d6-d6edb095f4b7"
  ]
}
Answered 2020-01-18T15:22:23.277
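As an added illustration (not code from the answer above or from the Keycloak project), here is an RP-side check of a decoded, already signature-verified Logout Token claim set against the requirements quoted from the specification; run on the Keycloak 8.0.1 message from the answer it fails immediately, since that message carries none of the standard claims. The issuer URL, client id, jti and timestamps are constructed sample values.

```python
import time

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def validate_logout_token_claims(claims, issuer, client_id, now=None,
                                 seen_jti=None, max_age=300):
    """Check a decoded Logout Token claim set against OpenID Connect
    Back-Channel Logout 1.0 sections 2.4 and 2.6 (signature verification is
    assumed to have happened before this). Returns (True, "") or (False, why)."""
    now = time.time() if now is None else now
    for name in ("iss", "aud", "iat", "jti", "events"):
        if name not in claims:
            return False, f"missing required claim: {name}"
    if claims["iss"] != issuer:
        return False, "iss does not match the expected issuer"
    aud = claims["aud"]
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "aud does not include this RP"
    iat = claims["iat"]
    if not isinstance(iat, (int, float)) or iat > now + 60 or now - iat > max_age:
        return False, "iat outside the acceptable window"
    events = claims["events"]
    if (not isinstance(events, dict) or BACKCHANNEL_EVENT not in events
            or not isinstance(events[BACKCHANNEL_EVENT], dict)):
        return False, "events does not declare a backchannel-logout event"
    if "nonce" in claims:  # spec: nonce MUST NOT be present in a Logout Token
        return False, "nonce must not be present"
    if "sub" not in claims and "sid" not in claims:
        return False, "token must contain sub or sid"
    if seen_jti is not None:  # optional replay check on jti
        if claims["jti"] in seen_jti:
            return False, "jti replayed"
        seen_jti.add(claims["jti"])
    return True, ""


# Constructed sample values (hypothetical issuer, client id, jti and clock).
ISSUER = "https://op.example/realms/demo"
CLIENT_ID = "resource-server-1"
NOW = 1579360310
SPEC_TOKEN = {  # a claim set shaped as the specification requires
    "iss": ISSUER, "aud": CLIENT_ID, "iat": 1579360301, "jti": "jti-0001",
    "events": {BACKCHANNEL_EVENT: {}}, "sub": "user-42", "sid": "sess-7",
}
KEYCLOAK8_MESSAGE = {  # the proprietary 8.0.1 message from the answer above
    "id": "3536c4c4-fa51-4691-bc09-d229df83f774-1579360301277",
    "expiration": 1579360331, "resource": "resource-server-1", "action": "LOGOUT",
    "adapterSessionIds": ["6569208C4937FD9C6E138C9DD9CF7C6F"], "notBefore": 0,
    "keycloakSessionIds": ["ca8060fd-48e9-4d26-b2d6-d6edb095f4b7"],
}
```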