Standard OIDC client
OIDC Discovery
Casdoor implements the OIDC protocol in full. If your application already uses a standard OIDC client library to talk to another OAuth 2.0 identity provider and you want to migrate to Casdoor, OIDC discovery makes the switch straightforward: the client reads Casdoor's endpoints and signing keys from the discovery document instead of having them configured by hand.
Global OIDC Endpoint
Casdoor's global OIDC discovery URL is:
<your-casdoor-backend-host>/.well-known/openid-configuration
For example, the OIDC discovery URL of the demo site is https://door.casdoor.com/.well-known/openid-configuration, and it returns the following document:
{
"issuer": "https://door.casdoor.com",
"authorization_endpoint": "https://door.casdoor.com/login/oauth/authorize",
"token_endpoint": "https://door.casdoor.com/api/login/oauth/access_token",
"userinfo_endpoint": "https://door.casdoor.com/api/userinfo",
"jwks_uri": "https://door.casdoor.com/.well-known/jwks",
"introspection_endpoint": "https://door.casdoor.com/api/login/oauth/introspect",
"response_types_supported": [
"code",
"token",
"id_token",
"code token",
"code id_token",
"token id_token",
"code token id_token",
"none"
],
"response_modes_supported": [
"login",
"code",
"link"
],
"grant_types_supported": [
"password",
"authorization_code"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"scopes_supported": [
"openid",
"email",
"profile",
"address",
"phone",
"offline_access"
],
"claims_supported": [
"iss",
"ver",
"sub",
"aud",
"iat",
"exp",
"id",
"type",
"displayName",
"avatar",
"permanentAvatar",
"email",
"phone",
"location",
"affiliation",
"title",
"homepage",
"bio",
"tag",
"region",
"language",
"score",
"ranking",
"isOnline",
"isAdmin",
"isGlobalAdmin",
"isForbidden",
"signupApplication",
"ldap"
],
"request_parameter_supported": true,
"request_object_signing_alg_values_supported": [
"HS256",
"HS384",
"HS512"
]
}
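A client should not take a discovery document at face value: the endpoints it names are where the client will later send its client secret, authorization code and bearer tokens, and jwks_uri is where it will fetch the keys it trusts to verify ID tokens. The following Go program, added here as an illustration and not part of Casdoor or of any client library, applies the checks a relying party should make before using the document: that the issuer is an https URL matching the one the client was configured with (OIDC Discovery 4.3), that every endpoint is https on the issuer's own host, and that RS256 (the only algorithm the demo site lists) is offered. The two embedded documents are constructed from the values shown above; the tampered copy moves jwks_uri to a placeholder host, keys.example.net, to show the rejection.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Discovery is the subset of the OpenID Provider Metadata a client actually uses.
type Discovery struct {
	Issuer                string   `json:"issuer"`
	AuthorizationEndpoint string   `json:"authorization_endpoint"`
	TokenEndpoint         string   `json:"token_endpoint"`
	UserinfoEndpoint      string   `json:"userinfo_endpoint"`
	JWKSURI               string   `json:"jwks_uri"`
	IDTokenSigningAlgs    []string `json:"id_token_signing_alg_values_supported"`
}

// StandardDiscoveryURL derives the metadata location the way OIDC Discovery 4.1 and
// libraries such as go-oidc do: issuer + "/.well-known/openid-configuration".
func StandardDiscoveryURL(issuer string) string {
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
}

// ParseAndValidate decodes a discovery document and applies the checks a client should
// make before trusting any endpoint in it. expectedIssuer is the issuer the client was
// configured with (for the standard derivation, the discovery URL minus its suffix).
func ParseAndValidate(expectedIssuer string, body []byte) (*Discovery, error) {
	var d Discovery
	if err := json.Unmarshal(body, &d); err != nil {
		return nil, fmt.Errorf("discovery: bad JSON: %w", err)
	}
	iss, err := url.Parse(d.Issuer)
	if err != nil || iss.Scheme != "https" || iss.RawQuery != "" || iss.Fragment != "" {
		return nil, errors.New("discovery: issuer must be an https URL without query or fragment")
	}
	// OIDC Discovery 4.3: the issuer in the document must equal the one used to find it.
	// This is the same value later compared against the iss claim of every ID token.
	if d.Issuer != expectedIssuer {
		return nil, fmt.Errorf("discovery: issuer %q, expected %q", d.Issuer, expectedIssuer)
	}
	// The client will send its client_secret, authorization code and bearer tokens to
	// these endpoints and fetch its verification keys from jwks_uri, so each must be
	// https on the issuer's own host. A document that relocates jwks_uri would otherwise
	// let whoever controls that host mint ID tokens this client accepts.
	endpoints := map[string]string{
		"authorization_endpoint": d.AuthorizationEndpoint,
		"token_endpoint":         d.TokenEndpoint,
		"userinfo_endpoint":      d.UserinfoEndpoint,
		"jwks_uri":               d.JWKSURI,
	}
	for name, ep := range endpoints {
		u, err := url.Parse(ep)
		if err != nil || u.Scheme != "https" || u.Host != iss.Host {
			return nil, fmt.Errorf("discovery: %s %q is not https on %s", name, ep, iss.Host)
		}
	}
	// The client will insist on RS256 when verifying ID tokens, so it must be offered.
	for _, alg := range d.IDTokenSigningAlgs {
		if alg == "RS256" {
			return &d, nil
		}
	}
	return nil, errors.New("discovery: provider does not offer RS256 for ID tokens")
}

// sampleGlobal is a constructed, abbreviated copy of the demo site's document shown above.
const sampleGlobal = `{
  "issuer": "https://door.casdoor.com",
  "authorization_endpoint": "https://door.casdoor.com/login/oauth/authorize",
  "token_endpoint": "https://door.casdoor.com/api/login/oauth/access_token",
  "userinfo_endpoint": "https://door.casdoor.com/api/userinfo",
  "jwks_uri": "https://door.casdoor.com/.well-known/jwks",
  "id_token_signing_alg_values_supported": ["RS256"]
}`

// sampleTampered is the same document with jwks_uri moved to another host (constructed
// for this example; keys.example.net is a placeholder).
const sampleTampered = `{
  "issuer": "https://door.casdoor.com",
  "authorization_endpoint": "https://door.casdoor.com/login/oauth/authorize",
  "token_endpoint": "https://door.casdoor.com/api/login/oauth/access_token",
  "userinfo_endpoint": "https://door.casdoor.com/api/userinfo",
  "jwks_uri": "https://keys.example.net/jwks",
  "id_token_signing_alg_values_supported": ["RS256"]
}`

func main() {
	issuer := "https://door.casdoor.com"
	fmt.Println("fetch from:", StandardDiscoveryURL(issuer))
	if d, err := ParseAndValidate(issuer, []byte(sampleGlobal)); err == nil {
		fmt.Println("accepted; token endpoint:", d.TokenEndpoint)
	}
	_, err := ParseAndValidate(issuer, []byte(sampleTampered))
	fmt.Println("tampered document:", err)
}
```

The same-host rule for endpoints is stricter than the specification requires; it is a reasonable default for a single Casdoor deployment and can be relaxed to an allow-list if your provider legitimately serves endpoints from several hosts.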
Application-Specific OIDC Endpoints
Besides the global discovery endpoint, you can use application-specific OIDC discovery endpoints. Each application gets its own isolated OIDC configuration with a unique issuer. This comes in handy when running multi-tenant deployments where applications need their own certificates or when you want to gradually migrate applications without affecting others.
The application-specific discovery URL follows this pattern:
<your-casdoor-backend-host>/.well-known/<application-name>/openid-configuration
For example, if you have an application named app-example:
https://door.casdoor.com/.well-known/app-example/openid-configuration
The main difference is that the issuer and jwks_uri fields in the discovery response contain the application path. The issuer becomes https://door.casdoor.com/.well-known/app-example instead of just https://door.casdoor.com, and the jwks_uri points to /.well-known/app-example/jwks. Everything else, including the authorization and token endpoints, stays the same.
Two consequences matter when configuring a client. First, a standard OIDC library compares the iss claim of every ID token with the issuer it discovered, so a client pointed at the application-specific document will only accept tokens whose iss is the application-specific issuer; confirm which value your Casdoor instance places in that application's tokens before switching. Second, the OIDC Discovery specification derives the discovery URL by appending /.well-known/openid-configuration to the issuer, which for the issuer above gives https://door.casdoor.com/.well-known/app-example/.well-known/openid-configuration rather than the pattern shown here. A library that derives the URL this way (go-oidc's NewProvider does) needs either that derived path to be served or a way to supply the discovery URL and the expected issuer separately.
You can also access the JWKS and WebFinger endpoints for each application:
<your-casdoor-backend-host>/.well-known/<application-name>/jwks
<your-casdoor-backend-host>/.well-known/<application-name>/webfinger
The JWKS endpoint returns the public keys used to verify tokens. When an application has its own certificate configured, that certificate's key is served; otherwise the endpoint falls back to the global certificates. A client should therefore always take its keys from the jwks_uri named in the discovery document it is using and select the key by the token's kid header, rather than pinning a certificate by hand, so that a per-application certificate or a key rotation is picked up without a redeploy.
Here's what the responses look like. The global endpoint returns:
{
"issuer": "https://door.casdoor.com",
"jwks_uri": "https://door.casdoor.com/.well-known/jwks",
"authorization_endpoint": "https://door.casdoor.com/login/oauth/authorize",
...
}
While the application-specific endpoint for app-example returns:
{
"issuer": "https://door.casdoor.com/.well-known/app-example",
"jwks_uri": "https://door.casdoor.com/.well-known/app-example/jwks",
"authorization_endpoint": "https://door.casdoor.com/login/oauth/authorize",
...
}
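Once the client has the discovery document and the JWKS, verifying an ID token is the step where the security of the whole flow is decided. The following Go program is an added example, not Casdoor's code and not a client library's: it verifies a compact RS256 JWS against a JWKS of the shape served at jwks_uri, pins the algorithm instead of trusting the token's own alg header, selects the key by kid, and only after the signature holds checks iss, aud and exp against the values the relying party was configured with. Because a real token from door.casdoor.com cannot be embedded here, NewDemoKey and SignRS256 stand in for the provider with a throwaway key; the issuer is the demo site's and example-client-id is a placeholder. The example assumes aud is a single string, which it rejects rather than guesses if a list is presented.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK and JWKS model the document served at jwks_uri (RSA signing keys only).
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKS struct{ Keys []JWK `json:"keys"` }

// Claims holds the checked ID token claims; aud is `any` because JWT allows a list too.
type Claims struct {
	Iss string `json:"iss"`
	Aud any    `json:"aud"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// VerifyIDToken validates a compact JWS ID token against the keys from jwks_uri and the
// issuer and client_id the relying party was configured with.
func VerifyIDToken(token string, jwks JWKS, issuer, clientID string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: expected header.payload.signature")
	}
	hdrJSON, errH := b64.DecodeString(parts[0])
	payload, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, errors.New("jwt: segments are not base64url")
	}
	// Pin alg to what discovery advertised; a token choosing its own alg is how the
	// "none" and HS256-with-public-key confusion attacks get in.
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("jwt: header rejected, alg %q is not RS256", hdr.Alg)
	}
	var pub *rsa.PublicKey // selected by kid; a key that does not decode counts as absent
	for _, k := range jwks.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty == "RSA" && k.Kid == hdr.Kid && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("jwks: no usable RSA key with kid %q", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("jwt: signature verification failed")
	}
	var c Claims // claims are parsed only after the signature holds
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer {
		return nil, fmt.Errorf("jwt: iss %q, expected %q", c.Iss, issuer)
	}
	if aud, _ := c.Aud.(string); aud != clientID {
		return nil, errors.New("jwt: aud is not this client_id")
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("jwt: token expired")
	}
	return &c, nil
}

// NewDemoKey and SignRS256 stand in for the provider so the verifier can run offline
// (test scaffolding only: a throwaway key, its JWKS entry, and a token signed under it).
func NewDemoKey(kid string) (*rsa.PrivateKey, JWKS) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // rand.Reader does not fail on modern Go
	n, e := priv.PublicKey.N.Bytes(), big.NewInt(int64(priv.PublicKey.E)).Bytes()
	return priv, JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid, N: b64.EncodeToString(n), E: b64.EncodeToString(e)}}}
}

func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // valid key: cannot fail
	return input + "." + b64.EncodeToString(sig)
}
```

Against a live Casdoor instance the JWKS would be fetched from the jwks_uri of whichever discovery document the client uses (global or application-specific), and the issuer passed in would be that document's issuer; the verifier itself is unchanged. Note that the signature is checked before any claim is read, and that the kid lookup is the only input the token is allowed to influence.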
List of OIDC client libraries
Below are some OIDC client libraries for languages such as Go and Java:
| OIDC client library | Language | Link |
|---|---|---|
| go-oidc | Go | https://github.com/coreos/go-oidc |
| pac4j-oidc | Java | https://www.pac4j.org/docs/clients/openid-connect.html |
Please note that the table above is not exhaustive. For a complete list of OIDC client libraries, see:
OIDC UserInfo fields
The following table shows how the OIDC UserInfo fields (returned by the /api/userinfo API) are mapped from the columns of Casdoor's user table:
| Casdoor user field | OIDC UserInfo field |
|---|---|
| Id | sub |
| originBackend | iss |
| Aud | aud |
| Name | preferred_username |
| DisplayName | name |
| Avatar | picture |
| Location | address |
| Phone | phone |
You can see the definition of UserInfo here.