CAS Single Sign-On: Enabling the OIDC Protocol (Part 8)
1. Add the dependency
```xml
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-oidc</artifactId>
    <version>${cas.version}</version>
</dependency>
```
2. Generate the JWKS
The officially recommended tool for generating a JWK file is https://mkjwk.org/.
Copy the generated key out; it looks like the following (this is the sample key used for this walkthrough, so generate your own rather than reusing it):
```json
{
  "keys": [
    {
      "p": "-8Jzd4q1UBRcAYsHbgsJzODtZQWuoIQhZ-PphuyUaQVQXTF466FZjeKkvlGkf3H-TgxlQxgb5S0rfbNKxlR3NO4xdGwtuv8hvzI1FJFmCA2Ap78u0-9UCvmpmiJ--SREF6r50_-kXOg_RIvEmH_mEVjHWMN7k4ajwL5jnWr1R0M",
      "kty": "RSA",
      "q": "u7kCj-lylPkIrbNpu1q2BqJCfkluksYm5g514YIxwc3wVVWF6SSTdnpLHvckVjzS8-w9gtnC0kcaKpE8bhQpetu5gf-1QGYIty03Q4my6qca6KosW3yUIfSjOpTKETwJOjby0Se1F9axr11_tP1A_OBZHfV_DDnH5xp7bBAagdk",
      "d": "q-It8mn90JhBLAWdBjZMxTlN5fXbxyVGEboMwB1A9hu5-08JyVRGPPTUe-6kVqSjPMGRDraXNw54PiixE-qLEK80lA_0CWbD00vdRFPelQU0A84koUazGwwy7rnl5ARjqJmQkUBgn6BnwXyvhX1ENKui4jCixFG5oWO2H1HT5LAzzI0z5XVhvngdF6hfMBXdIsUQtkFCnjbnLziQxdcOpmYXbqTgclUWdO--8IZ-PkaHlX7JhJ3BhVJH4bdautCaI5yytc4MBqjQHGCcExMIsXSrJmLwocLqTq1jK05cz1P5Ukkd9xvkCDrSv6osS7SUxP1ZS7fy0VLxsViPvbL34Q",
      "e": "AQAB",
      "kid": "cas",
      "qi": "WUYT1z4nJ6pI3KS5SjWneZf-RAioAvh-d2k-y2tKpgQOSQX_E-n8YqAxVBZrbXRt5mcM4Tr39E65jmQQKkIbxylOyzh0yffnSjLpsi1vZa1ZoTtO2ae2hlk9NvCHjKi0xd4K-A_v93VUZERIV_A2ZeMMfw7u0waLvgJCWn90DmU",
      "dp": "P5iIKHtef8MU1sLy9oZNTHbJIQrFaQDXm3HELPQYLUtNWK1FmWghwiitavIetp7qGXciIUe2zDaT1OX0jpMJpdJBpeIpzyHhuXWKWQ69km0uwbEWuCytszQL9saeAnt5w-zJvRbHwzxbtwoDeG5ehKVDfhWrYsHRHcA6U6qQGRc",
      "alg": "RS256",
      "dq": "jixhz2LMAB3YP84I_veFsuKDH6g30Xu3jDdZejCjxJdXNRnvsJKeCHY4nLwqzhGE5259a7PHRIDLRX_315r3i3AMQHPM73gXk7vwBfutAOEMlTgFHkjs3Aau9TgpDgJ9LpTdNCExm1tj-WADz6ya4qp7dCAxV64PQ22gGkjb-ok",
      "n": "uJz8Ys_Px5Ivup5O8QTwIXSBQFlr4wnufgQa7WOL6qxM7KEpWAWArj4u4Aj_Clmj48r-VNTJRctz7IDZNgtsmd3FKNMENaWVhvvzFCbHSghYT44vzy21Ct0GwA5RTLppkACkgiGOEUXedfqVay5eAPS2V-bZD8B9EnDKETOGj0qPjYXKCwOVa-Ik-gLu4XqBU1nbfF3OWl_SY-sPC6JU3rwT0twFh5zRynCfjZiwyFq3yfVcgoKrFQAPLKtfJQTUFsYx2S6iXrd79S4I5NADR5s4_ZDzT8MA-i4x4j6-zCVhrw1DCgFwiLsUF7TPAMBz63xWcEjuR5bwxjX2r6Aqyw"
    }
  ]
}
```
Create a file named keystore.jwks under static and paste the content above into it. Note that this file holds the private key CAS signs id_tokens with, so it must be readable only by the CAS process.
3. Edit application.properties
```properties
##
# OIDC
#
# Path to the signing key file
cas.authn.oidc.jwksFile=classpath:/static/keystore.jwks
# Issuer address
cas.authn.oidc.issuer=${cas.server.name}/oidc/
#------------------- Enable dynamic client registration ------------------
cas.authn.oidc.dynamicClientRegistrationMode=OPEN
#------------------- Custom scope and its claims ------------------
cas.authn.oidc.userDefinedScopes.hbtvprofiles=id,name,mobile,email,avatar
```
With dynamicClientRegistrationMode=OPEN, anyone who can reach the registration_endpoint can register a client without authenticating; that is convenient for this test setup, but CAS also offers a PROTECTED mode that should be preferred outside a lab.
4. Create OIDC-1002.json under the services directory
```json
{
  "@class" : "org.apereo.cas.services.OidcRegisteredService",
  "clientId": "abcd",
  "clientSecret": "xyz",
  "serviceId" : "^(https|http|imaps)://app1.cas.com.*",
  "name": "ODICService",
  "id": 1002,
  "scopes" : [ "java.util.HashSet",
    [ "profile", "email", "address", "phone", "offline_access", "displayName", "eduPerson" ]
  ]
}
```
5. All OIDC endpoints
6. Testing
Request https://server.cas.com:8443/cas/oidc/.well-known and you get the following information:
```json
{
  "issuer":"https://server.cas.com:8443/cas/oidc/",
  "scopes_supported":[ "openid", "profile", "email", "address", "phone", "offline_access" ],
  "response_types_supported":[ "code", "token", "id_token token" ],
  "subject_types_supported":[ "public", "pairwise" ],
  "claim_types_supported":[ "normal" ],
  "claims_supported":[ "sub", "name", "preferred_username", "family_name", "given_name", "middle_name", "given_name", "profile", "picture", "nickname", "website", "zoneinfo", "locale", "updated_at", "birthdate", "email", "email_verified", "phone_number", "phone_number_verified", "address", "gender" ],
  "grant_types_supported":[ "authorization_code", "password", "client_credentials", "refresh_token" ],
  "id_token_signing_alg_values_supported":[ "none", "RS256" ],
  "introspection_endpoint_auth_methods_supported":[ "client_secret_basic" ],
  "jwks_uri":"https://server.cas.com:8443/cas/oidc/jwks",
  "token_endpoint":"https://server.cas.com:8443/cas/oidc/accessToken",
  "authorization_endpoint":"https://server.cas.com:8443/cas/oidc/authorize",
  "userinfo_endpoint":"https://server.cas.com:8443/cas/oidc/profile",
  "registration_endpoint":"https://server.cas.com:8443/cas/oidc/register",
  "end_session_endpoint":"https://server.cas.com:8443/cas/logout",
  "introspection_endpoint":"https://server.cas.com:8443/cas/oidc/introspect",
  "revocation_endpoint":"https://server.cas.com:8443/cas/oidc/revoke"
}
```
From response_types_supported we can see that, compared with the plain OAuth mode, OIDC adds one more response type: id_token.
6.1. id_token mode
1. Request the following address to obtain an id_token:
https://server.cas.com:8443/cas/oidc/authorize?response_type=id_token token&scope=openid&client_id=abcd&redirect_uri=http://app1.cas.com
response_type: the response type requested; here it is id_token token, with a space between the two words.
The response is a redirect to:
http://app1.cas.com/#access_token=AT-2-C3bFdo7yBqgR0-kfQZn2GTT54BDE-k8I&token_type=bearer&expires_in=28800&refresh_token=RT-2-XRmagsTk9HsVfty-uOo-ffT-mM0bwuWH&id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6ImNhcyJ9.eyJqdGkiOiJUR1QtMS14V1pYUlgwNEpUazdWT3BVQlpGajk2MFBSeGJPT2VpVVRDLWhnSzg1cUdxZm13T3lDLXNHVTV2R3hSRlFYWE1OUnlNYW5nZWwtUEMiLCJpc3MiOiJodHRwczovL3NlcnZlci5jYXMuY29tOjg0NDMvY2FzL29pZGMvIiwiYXVkIjoiYWJjZCIsImV4cCI6MTU5MDQzNTA3NSwiaWF0IjoxNTkwNDA2Mjc1LCJuYmYiOjE1OTA0MDU5NzUsInN1YiI6ImFkbWluIiwiYW1yIjpbIlJlbWVtYmVyTWVVc2VybmFtZVBhc3N3b3JkQ2FwdGNoYUF1dGhlbnRpY2F0aW9uSGFuZGxlciJdLCJzdGF0ZSI6IiIsIm5vbmNlIjoiIiwiYXRfaGFzaCI6IjZ0bkgyejk5SUQ4ZkVIWmhnSHI5aFEiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiJ9.brHP9rswVSNFWLorJnAlGqkU7xrPa9CxR255d8VKJjJMqfjRcDxVKjEGQgztSR-upX2PNFqLG7PZMi1mWbZ86NV_4f3wQ9ywQiB59wE4Qe5W_v0kgEz5wF9gi9oWLExKI9sj2EPeU7L-AKVPz-5oRGl20Vs8_bJOqJaPnBVz1jojTsdBgPW4EcEiKv8tU6FA7KXuC_61kXVCCBj8vCLDIOWZETep8KFN_3tLfJ5CcmzC3MioG7Jmg60YhstsS9W2HZV_faxQFV44HgxnuWV-G4wp4_bhs6GorJqCQCNKjE2r1ZFC6bm3jRHQvRWvDDIoyk79HBrQW-noKk5NA8N_wg
Broken out, the fragment contains:
access_token:AT-2-C3bFdo7yBqgR0-kfQZn2GTT54BDE-k8I
refresh_token:RT-2-XRmagsTk9HsVfty-uOo-ffT-mM0bwuWH
id_token:eyJhbGciOiJSUzI1NiIsImtpZCI6ImNhcyJ9.eyJqdGkiOiJUR1QtMS14V1pYUlgwNEpUazdWT3BVQlpGajk2MFBSeGJPT2VpVVRDLWhnSzg1cUdxZm13T3lDLXNHVTV2R3hSRlFYWE1OUnlNYW5nZWwtUEMiLCJpc3MiOiJodHRwczovL3NlcnZlci5jYXMuY29tOjg0NDMvY2FzL29pZGMvIiwiYXVkIjoiYWJjZCIsImV4cCI6MTU5MDQzNTA3NSwiaWF0IjoxNTkwNDA2Mjc1LCJuYmYiOjE1OTA0MDU5NzUsInN1YiI6ImFkbWluIiwiYW1yIjpbIlJlbWVtYmVyTWVVc2VybmFtZVBhc3N3b3JkQ2FwdGNoYUF1dGhlbnRpY2F0aW9uSGFuZGxlciJdLCJzdGF0ZSI6IiIsIm5vbmNlIjoiIiwiYXRfaGFzaCI6IjZ0bkgyejk5SUQ4ZkVIWmhnSHI5aFEiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiJ9.brHP9rswVSNFWLorJnAlGqkU7xrPa9CxR255d8VKJjJMqfjRcDxVKjEGQgztSR-upX2PNFqLG7PZMi1mWbZ86NV_4f3wQ9ywQiB59wE4Qe5W_v0kgEz5wF9gi9oWLExKI9sj2EPeU7L-AKVPz-5oRGl20Vs8_bJOqJaPnBVz1jojTsdBgPW4EcEiKv8tU6FA7KXuC_61kXVCCBj8vCLDIOWZETep8KFN_3tLfJ5CcmzC3MioG7Jmg60YhstsS9W2HZV_faxQFV44HgxnuWV-G4wp4_bhs6GorJqCQCNKjE2r1ZFC6bm3jRHQvRWvDDIoyk79HBrQW-noKk5NA8N_wg
2. Fetch the user's information with the access token; the request is:
https://server.cas.com:8443/cas/oidc/profile?access_token=AT-2-C3bFdo7yBqgR0-kfQZn2GTT54BDE-k8I
The response is:
```json
{
  "sub" : "admin",
  "auth_time" : 1590406275,
  "attributes" : {
    "credentialType" : "RememberMeUsernamePasswordCaptchaCredential"
  },
  "id" : "admin"
}
```
References:
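The authorize request in 6.1 sends no nonce, and the decoded payload of the id_token above shows nonce and state as empty strings, so a relying party that received it could not tie it to its own request. As an added example that is not part of the original post, the following stdlib-only Python signs a constructed id_token with the sample key from step 2 and then performs the checks a client must make on an "id_token token" response: RS256 signature against the public n/e, iss, aud, nbf/exp, nonce and at_hash. The issuer, client_id and key are the page's; the nonce value and timestamps are constructed, and RSA/PKCS#1 is done with plain integer arithmetic so no third-party library is needed.

```python
import base64, hashlib, json

# Sample key from the page's keystore.jwks: a published demo key, never deploy it.
# Only p, q and e are copied; n and d are derived so the block stays short.
SAMPLE_JWK = {"kid": "cas", "e": "AQAB",
    "p": "-8Jzd4q1UBRcAYsHbgsJzODtZQWuoIQhZ-PphuyUaQVQXTF466FZjeKkvlGkf3H-TgxlQxgb5S0rfbNKxlR3NO4xdGwtuv8hvzI1FJFmCA2Ap78u0-9UCvmpmiJ--SREF6r50_-kXOg_RIvEmH_mEVjHWMN7k4ajwL5jnWr1R0M",
    "q": "u7kCj-lylPkIrbNpu1q2BqJCfkluksYm5g514YIxwc3wVVWF6SSTdnpLHvckVjzS8-w9gtnC0kcaKpE8bhQpetu5gf-1QGYIty03Q4my6qca6KosW3yUIfSjOpTKETwJOjby0Se1F9axr11_tP1A_OBZHfV_DDnH5xp7bBAagdk"}
ISSUER = "https://server.cas.com:8443/cas/oidc/"  # cas.authn.oidc.issuer (step 3)
CLIENT_ID = "abcd"                                 # clientId in OIDC-1002.json (step 4)
SHA256_DER = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 DigestInfo

def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64u_enc(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def rsa_key(jwk):  # -> (n, e, d, byte length of n)
    p, q, e = (int.from_bytes(b64u_dec(jwk[x]), "big") for x in ("p", "q", "e"))
    n = p * q
    return n, e, pow(e, -1, (p - 1) * (q - 1)), (n.bit_length() + 7) // 8

def emsa(msg, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) as an integer
    t = SHA256_DER + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def at_hash(access_token):  # left-most 128 bits of SHA-256, base64url (OIDC Core 3.2.2.9)
    return b64u_enc(hashlib.sha256(access_token.encode()).digest()[:16])

def sign_id_token(claims, jwk):  # what CAS does server-side with kid "cas"
    n, _, d, k = rsa_key(jwk)
    h = b64u_enc(json.dumps({"alg": "RS256", "kid": jwk["kid"]}).encode())
    p = b64u_enc(json.dumps(claims).encode())
    sig = pow(emsa(f"{h}.{p}".encode(), k), d, n)
    return f"{h}.{p}.{b64u_enc(sig.to_bytes(k, 'big'))}"

def verify_id_token(token, jwk, access_token, nonce, now):
    """Relying-party checks for an 'id_token token' response; raises ValueError on failure."""
    h, p, s = token.split(".")
    if json.loads(b64u_dec(h)).get("alg") != "RS256":
        raise ValueError("unexpected alg (never accept 'none')")
    n, e, _, k = rsa_key(jwk)
    if pow(int.from_bytes(b64u_dec(s), "big"), e, n) != emsa(f"{h}.{p}".encode(), k):
        raise ValueError("bad signature")
    c = json.loads(b64u_dec(p))
    if c.get("iss") != ISSUER or c.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if not c.get("nbf", 0) <= now < c["exp"]:
        raise ValueError("token not yet valid or expired")
    if not nonce or c.get("nonce") != nonce or c.get("at_hash") != at_hash(access_token):
        raise ValueError("nonce or at_hash mismatch")
    return c
```

Because verify_id_token insists on a non-empty nonce that matches the one the client sent, the id_token captured above (nonce "") would be rejected; the fix is to add a fresh nonce to the authorize request.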
https://apereo.github.io/cas/5.2.x/installation/OIDC-Authentication.html
https://www.jianshu.com/p/be7cc032a4e9
https://blog.csdn.net/BecauseSy/article/details/80223125
https://www.cnblogs.com/linianhui/p/openid-connect-core.html
https://www.cnblogs.com/linianhui/p/openid-connect-extension.html