What are Keycloak's OAuth2 / OpenID Connect endpoints?

Front-end | Unresolved | 9 | 2017
孤独总比滥情好 2020-12-12 10:42

We are trying to evaluate Keycloak as an SSO solution, and it looks good in many respects, but the documentation is painfully lacking in the basics.

For a given Keyc

9 answers
  • 2020-12-12 11:23

    For Keycloak 1.2 the above information can be retrieved via the URL

    http://keycloakhost:keycloakport/auth/realms/{realm}/.well-known/openid-configuration

    For example, if the realm name is demo:

    http://keycloakhost:keycloakport/auth/realms/demo/.well-known/openid-configuration

    An example output from the above URL:

    {
        "issuer": "http://localhost:8080/auth/realms/demo",
        "authorization_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth",
        "token_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token",
        "userinfo_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/userinfo",
        "end_session_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout",
        "jwks_uri": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/certs",
        "grant_types_supported": [
            "authorization_code",
            "refresh_token",
            "password"
        ],
        "response_types_supported": [
            "code"
        ],
        "subject_types_supported": [
            "public"
        ],
        "id_token_signing_alg_values_supported": [
            "RS256"
        ],
        "response_modes_supported": [
            "query"
        ]
    }
    

    Found information at https://issues.jboss.org/browse/KEYCLOAK-571

    Note: You might need to add your client to the Valid Redirect URI list

  • 2020-12-12 11:27

    After much digging around we were able to scrape the info more or less (mainly from Keycloak's own JS client lib):

    • Authorization Endpoint: /auth/realms/{realm}/tokens/login
    • Token Endpoint: /auth/realms/{realm}/tokens/access/codes

    As for OpenID Connect UserInfo, right now (1.1.0.Final) Keycloak doesn't implement this endpoint, so it is not fully OpenID Connect compliant. However, there is already a patch that adds it, which as of this writing should be included in 1.2.x.

    But, ironically, Keycloak does send back an id_token together with the access token. Both the id_token and the access_token are signed JWTs, and the keys of the token are OpenID Connect's keys, i.e.:

    "iss":  "{realm}"
    "sub":  "5bf30443-0cf7-4d31-b204-efd11a432659"
    "name": "Amir Abiri"
    "email": "..."
    

    So while Keycloak 1.1.x is not fully OpenID Connect compliant, it does "speak" in OpenID Connect language.

  • 2020-12-12 11:27

    You can also see this information by going into Admin Console -> Realm Settings -> Clicking the hyperlink on the Endpoints field.

  • 2020-12-12 11:37

    With version 1.9.3.Final, Keycloak has a number of OpenID endpoints available. These can be found at /auth/realms/{realm}/.well-known/openid-configuration. Assuming your realm is named demo, that endpoint will produce a JSON response similar to this.

    {
      "issuer": "http://localhost:8080/auth/realms/demo",
      "authorization_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth",
      "token_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token",
      "token_introspection_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token/introspect",
      "userinfo_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/userinfo",
      "end_session_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout",
      "jwks_uri": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/certs",
      "grant_types_supported": [
        "authorization_code",
        "implicit",
        "refresh_token",
        "password",
        "client_credentials"
      ],
      "response_types_supported": [
        "code",
        "none",
        "id_token",
        "token",
        "id_token token",
        "code id_token",
        "code token",
        "code id_token token"
      ],
      "subject_types_supported": [
        "public"
      ],
      "id_token_signing_alg_values_supported": [
        "RS256"
      ],
      "response_modes_supported": [
        "query",
        "fragment",
        "form_post"
      ],
      "registration_endpoint": "http://localhost:8080/auth/realms/demo/clients-registrations/openid-connect"
    }
    

    As far as I have found, these endpoints implement the OAuth 2.0 spec.

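A client that consumes the discovery document shown in the two answers above should not take it at face value: it should confirm that the issuer is the realm it configured and that every advertised endpoint lives under that issuer, so a document from the wrong realm or host cannot redirect tokens elsewhere. The following is an added example (not code from the question, the answers, or Keycloak itself); the discovery JSON is a constructed, trimmed copy of the one quoted above, and the base URL and realm name are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample: a trimmed copy of the discovery document quoted in the answers above.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "http://localhost:8080/auth/realms/demo",
    "authorization_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/token",
    "userinfo_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/userinfo",
    "end_session_endpoint": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout",
    "jwks_uri": "http://localhost:8080/auth/realms/demo/protocol/openid-connect/certs",
    "grant_types_supported": ["authorization_code", "refresh_token", "password"],
    "id_token_signing_alg_values_supported": ["RS256"],
})
# Constructed variant whose token_endpoint points at a different realm; a client must reject it.
TAMPERED_DISCOVERY = SAMPLE_DISCOVERY.replace("/realms/demo/protocol/openid-connect/token",
                                              "/realms/other/protocol/openid-connect/token")

def discovery_url(base_url, realm):
    """Well-known URL for a realm, following the pattern given in the answers (assumed base URL)."""
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/.well-known/openid-configuration"

def check_discovery(doc_json, base_url, realm):
    """Parse a discovery document and report its endpoints plus any consistency problems.

    problems: the issuer is not the realm URL the client configured, an endpoint lives outside
              the issuer, or 'none' is offered as an id_token signing algorithm.
    warnings: endpoints served over plain http, and the password (ROPC) grant being enabled.
    """
    doc = json.loads(doc_json)
    expected_issuer = f"{base_url.rstrip('/')}/auth/realms/{realm}"
    problems, warnings = [], []
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    endpoints = {k: v for k, v in doc.items() if k.endswith("_endpoint") or k == "jwks_uri"}
    for name, url in endpoints.items():
        # Every endpoint must sit under the issuer: same scheme, host, port and path prefix.
        if not isinstance(url, str) or not url.startswith(expected_issuer + "/"):
            problems.append(f"{name} is not under the issuer: {url!r}")
            continue
        scheme = urlparse(url).scheme
        if scheme != "https":
            warnings.append(f"{name} is served over {scheme}, not https")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("'none' is offered as an id_token signing algorithm")
    if "password" in doc.get("grant_types_supported", []):
        warnings.append("password grant is enabled; it hands user passwords to clients")
    return {"endpoints": endpoints, "problems": problems, "warnings": warnings}
```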
  • 2020-12-12 11:40

    Actually, the link to .well-known is on the first tab of your realm settings, but the link doesn't look like a link; it looks like the value of a text box... bad UI design. (Screenshot of the realm's General tab)

  • 2020-12-12 11:43

    Keycloak version: 4.6.0

    • TokenUrl: [domain]/auth/realms/{REALM_NAME}/protocol/openid-connect/token
    • AuthUrl: [domain]/auth/realms/{REALM_NAME}/protocol/openid-connect/auth