Standard OIDC Client
OIDC Discovery
Casdoor fully implements the OIDC protocol. If your application already connects to another OAuth 2.0 identity provider through a standard OIDC client library and you want to migrate to Casdoor, OIDC discovery makes the switch very easy.
Global OIDC Endpoint
Casdoor's global OIDC discovery URL is:
```text
<your-casdoor-backend-host>/.well-known/openid-configuration
```
For example, the demo site's OIDC discovery URL is https://door.casdoor.com/.well-known/openid-configuration, and it contains the following information:
```json
{
  "issuer": "https://door.casdoor.com",
  "authorization_endpoint": "https://door.casdoor.com/login/oauth/authorize",
  "token_endpoint": "https://door.casdoor.com/api/login/oauth/access_token",
  "userinfo_endpoint": "https://door.casdoor.com/api/userinfo",
  "jwks_uri": "https://door.casdoor.com/.well-known/jwks",
  "introspection_endpoint": "https://door.casdoor.com/api/login/oauth/introspect",
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "code token",
    "code id_token",
    "token id_token",
    "code token id_token",
    "none"
  ],
  "response_modes_supported": [
    "login",
    "code",
    "link"
  ],
  "grant_types_supported": [
    "password",
    "authorization_code"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "profile",
    "address",
    "phone",
    "offline_access"
  ],
  "claims_supported": [
    "iss",
    "ver",
    "sub",
    "aud",
    "iat",
    "exp",
    "id",
    "type",
    "displayName",
    "avatar",
    "permanentAvatar",
    "email",
    "phone",
    "location",
    "affiliation",
    "title",
    "homepage",
    "bio",
    "tag",
    "region",
    "language",
    "score",
    "ranking",
    "isOnline",
    "isAdmin",
    "isGlobalAdmin",
    "isForbidden",
    "signupApplication",
    "ldap"
  ],
  "request_parameter_supported": true,
  "request_object_signing_alg_values_supported": [
    "HS256",
    "HS384",
    "HS512"
  ]
}
```
Application-Specific OIDC Endpoints
Besides the global discovery endpoint, you can use application-specific OIDC discovery endpoints. Each application gets its own isolated OIDC configuration with a unique issuer. This comes in handy when running multi-tenant deployments where applications need their own certificates or when you want to gradually migrate applications without affecting others.
The application-specific discovery URL follows this pattern:
```text
<your-casdoor-backend-host>/.well-known/<application-name>/openid-configuration
```
For example, if you have an application named app-example:
```text
https://door.casdoor.com/.well-known/app-example/openid-configuration
```
The main difference is that the issuer and jwks_uri fields in the discovery response contain the application path. The issuer becomes https://door.casdoor.com/.well-known/app-example instead of just https://door.casdoor.com, and the jwks_uri points to /.well-known/app-example/jwks. Everything else, including the authorization and token endpoints, stays the same.
You can also access the JWKS and WebFinger endpoints for each application:
```text
<your-casdoor-backend-host>/.well-known/<application-name>/jwks
<your-casdoor-backend-host>/.well-known/<application-name>/webfinger
```
The JWKS endpoint returns the public keys for verifying tokens. When an application has its own certificate configured, that certificate is used. Otherwise, it falls back to the global certificates.
Here's what the responses look like. The global endpoint returns:
```json
{
  "issuer": "https://door.casdoor.com",
  "jwks_uri": "https://door.casdoor.com/.well-known/jwks",
  "authorization_endpoint": "https://door.casdoor.com/login/oauth/authorize",
  ...
}
```
While the application-specific endpoint for app-example returns:
```json
{
  "issuer": "https://door.casdoor.com/.well-known/app-example",
  "jwks_uri": "https://door.casdoor.com/.well-known/app-example/jwks",
  "authorization_endpoint": "https://door.casdoor.com/login/oauth/authorize",
  ...
}
```
List of OIDC Client Libraries
Below is a list of some OIDC client libraries for languages such as Go and Java:
| OIDC client library | Language | Link |
|---|---|---|
| go-oidc | Go | https://github.com/coreos/go-oidc |
| pac4j-oidc | Java | https://www.pac4j.org/docs/clients/openid-connect.html |
Note that the table above is not a complete list. For the full list of OIDC client libraries, see:
OIDC UserInfo Fields
The following table shows how the OIDC UserInfo fields (returned by the /api/userinfo API) are mapped from the attributes of Casdoor's user table:
| Casdoor user field | OIDC UserInfo field |
|---|---|
| Id | sub |
| originBackend | iss |
| Aud | aud |
| Name | preferred_username |
| DisplayName | name |
| Avatar | picture |
| Location | address |
| Phone | phone |
The definition of UserInfo can be found here.