跳到主内容

标准OIDC客户端

OIDC发现

Casdoor是完整的OIDC实现。 如果您的应用已针对其他身份提供商使用了标准OIDC客户端,您可以通过将客户端指向Casdoor的发现URL,切换到Casdoor。

发现端点

Casdoor 在 OpenID Connect 和 OAuth 2.0 发现 URL 上公开元数据。 大多数客户端使用这些元数据自动配置端点和功能。

OpenID Connect 发现

<your-casdoor-backend-host>/.well-known/openid-configuration

OAuth 2.0 authorization server metadata (RFC 8414)

<your-casdoor-backend-host>/.well-known/oauth-authorization-server

如果您的客户端仅需要OAuth 2.0,请使用此选项。 两个发现URL返回的元数据相同。

示例响应

Both https://door.casdoor.com/.well-known/openid-configuration and https://door.casdoor.com/.well-known/oauth-authorization-server return metadata like:

{
"issuer": "https://door.casdoor.com",
"authorization_endpoint": "https://door.casdoor.com/login/oauth/authorize",
"token_endpoint": "https://door.casdoor.com/api/login/oauth/access_token",
"userinfo_endpoint": "https://door.casdoor.com/api/userinfo",
"jwks_uri": "https://door.casdoor.com/.well-known/jwks",
"introspection_endpoint": "https://door.casdoor.com/api/login/oauth/introspect",
"response_types_supported": [
"code",
"token",
"id_token",
"code token",
"code id_token",
"token id_token",
"code token id_token",
"none"
],
"response_modes_supported": [
"login",
"code",
"link"
],
"grant_types_supported": [
"authorization_code",
"implicit",
"password",
"client_credentials",
"refresh_token",
"urn:ietf:params:oauth:grant-type:device_code"
],
"code_challenge_methods_supported": [
"S256"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"scopes_supported": [
"openid",
"email",
"profile",
"address",
"phone",
"offline_access"
],
"claims_supported": [
"iss",
"ver",
"sub",
"aud",
"iat",
"exp",
"id",
"type",
"displayName",
"avatar",
"permanentAvatar",
"email",
"phone",
"location",
"affiliation",
"title",
"homepage",
"bio",
"tag",
"region",
"language",
"score",
"ranking",
"isOnline",
"isAdmin",
"isGlobalAdmin",
"isForbidden",
"signupApplication",
"ldap"
],
"request_parameter_supported": true,
"request_object_signing_alg_values_supported": [
"HS256",
"HS384",
"HS512"
]
}

Casdoor支持所有标准OAuth 2.0授权类型,包括授权码、隐式授权、密码凭据、客户端凭据和刷新令牌流程。 The device code grant (urn:ietf:params:oauth:grant-type:device_code) is also available for scenarios like smart TVs or CLI tools that have limited input capabilities.

The code_challenge_methods_supported field indicates that Casdoor supports PKCE (Proof Key for Code Exchange) with the S256 challenge method. PKCE enhances security for public clients like mobile apps and single-page applications by preventing authorization code interception attacks. When your client library supports automatic PKCE, it will use the S256 method based on this discovery metadata. 有关手动实现的详细信息,请参阅OAuth 2.0文档.

应用程序专用OIDC端点

除了全局发现端点外,还提供特定于应用程序的OIDC发现端点。 每个应用程序都拥有独立的OIDC配置,且具有唯一的颁发者。 这在运行多租户部署时非常有用,尤其是在应用程序需要各自证书的情况下,或者您希望逐步迁移应用程序而不会影响其他应用程序时。

应用程序特定的发现 URL 遵循以下模式:

<your-casdoor-backend-host>/.well-known/<application-name>/openid-configuration
<your-casdoor-backend-host>/.well-known/<application-name>/oauth-authorization-server

For example, if you have an application named app-example:

https://door.casdoor.com/.well-known/app-example/openid-configuration
https://door.casdoor.com/.well-known/app-example/oauth-authorization-server

The main difference is that the issuer and jwks_uri fields in the discovery response contain the application path. The issuer becomes https://door.casdoor.com/.well-known/app-example instead of just https://door.casdoor.com, and the jwks_uri points to /.well-known/app-example/jwks. 其他一切内容,包括授权和令牌端点,均保持不变。

JWKS和WebFinger也可按应用提供:

<your-casdoor-backend-host>/.well-known/<application-name>/jwks
<your-casdoor-backend-host>/.well-known/<application-name>/webfinger

JWKS端点返回用于验证令牌的公钥。 当应用配置了自身的证书时,将使用该证书。 否则,将回退到全局证书。

以下是响应的样式。 全局端点返回:

{
"issuer": "https://door.casdoor.com",
"jwks_uri": "https://door.casdoor.com/.well-known/jwks",
"authorization_endpoint": "https://door.casdoor.com/login/oauth/authorize",
...
}

而针对app-example的应用程序特定端点返回:

{
"issuer": "https://door.casdoor.com/.well-known/app-example",
"jwks_uri": "https://door.casdoor.com/.well-known/app-example/jwks",
"authorization_endpoint": "https://door.casdoor.com/login/oauth/authorize",
...
}

OIDC客户端库列表

以下是一些适用于Go和Java等语言的OIDC客户端库的列表:

OIDC 客户端库语言链接
go-oidcGohttps://github.com/coreos/go-oidc
pac4j-oidcJavahttps://www.pac4j.org/docs/clients/openid-connect.html

上表并非详尽无遗。 如需了解更多 OIDC 客户端库,请参阅:

  1. https://oauth.net/code/
  2. https://openid.net/certified-open-id-developer-tools/

OIDC UserInfo字段

以下表格说明了如何将OIDC UserInfo字段(通过/api/userinfo API)从Casdoor的用户表的属性中映射出来:

Casdoor 用户字段OIDC用户信息字段
Idsub
originBackendiss
Audaud
Namepreferred_username
DisplayNamename
Emailemail
Avatarpicture
Locationaddress
Phonephone

:::注意

/api/userinfo</code>端点会将address声明作为****纯字符串返回,该字符串取自用户的Location</code>字段(例如:"纽约"),而非作为结构化的OIDC地址对象。 这与JWT 标准令牌的行为不同,在后者中,地址会作为由用户地址数组构建的正规 OIDC 地址对象返回。 请参阅OIDC 地址声明以获取完整说明。

:::

UserInfo is defined here.