Standard OIDC Client
OIDC Discovery
Casdoor has fully implemented the OIDC protocol. If your application already uses a standard OIDC client library to connect to another OAuth 2.0 identity provider and you want to migrate to Casdoor, OIDC discovery makes the switch very easy.
Global OIDC Endpoint
Casdoor's global OIDC discovery URL is:
<your-casdoor-backend-host>/.well-known/openid-configuration
For example, the OIDC discovery URL for the demo site is: https://door.casdoor.com/.well-known/openid-configuration, and it contains the following information:
{
"issuer": "https://door.casdoor.com",
"authorization_endpoint": "https://door.casdoor.com/login/oauth/authorize",
"token_endpoint": "https://door.casdoor.com/api/login/oauth/access_token",
"userinfo_endpoint": "https://door.casdoor.com/api/userinfo",
"jwks_uri": "https://door.casdoor.com/.well-known/jwks",
"introspection_endpoint": "https://door.casdoor.com/api/login/oauth/introspect",
"response_types_supported": [
"code",
"token",
"id_token",
"code token",
"code id_token",
"token id_token",
"code token id_token",
"none"
],
"response_modes_supported": [
"login",
"code",
"link"
],
"grant_types_supported": [
"password",
"authorization_code"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"scopes_supported": [
"openid",
"email",
"profile",
"address",
"phone",
"offline_access"
],
"claims_supported": [
"iss",
"ver",
"sub",
"aud",
"iat",
"exp",
"id",
"type",
"displayName",
"avatar",
"permanentAvatar",
"email",
"phone",
"location",
"affiliation",
"title",
"homepage",
"bio",
"tag",
"region",
"language",
"score",
"ranking",
"isOnline",
"isAdmin",
"isGlobalAdmin",
"isForbidden",
"signupApplication",
"ldap"
],
"request_parameter_supported": true,
"request_object_signing_alg_values_supported": [
"HS256",
"HS384",
"HS512"
]
}
Application-Specific OIDC Endpoints
Besides the global discovery endpoint, you can use application-specific OIDC discovery endpoints. Each application gets its own isolated OIDC configuration with a unique issuer. This comes in handy when running multi-tenant deployments where applications need their own certificates or when you want to gradually migrate applications without affecting others.
The application-specific discovery URL follows this pattern:
<your-casdoor-backend-host>/.well-known/<application-name>/openid-configuration
For example, if you have an application named app-example:
https://door.casdoor.com/.well-known/app-example/openid-configuration
The main difference is that the issuer and jwks_uri fields in the discovery response contain the application path. The issuer becomes https://door.casdoor.com/.well-known/app-example instead of just https://door.casdoor.com, and the jwks_uri points to /.well-known/app-example/jwks. Everything else, including the authorization and token endpoints, stays the same.
You can also access the JWKS and WebFinger endpoints for each application:
<your-casdoor-backend-host>/.well-known/<application-name>/jwks
<your-casdoor-backend-host>/.well-known/<application-name>/webfinger
The JWKS endpoint returns the public keys for verifying tokens. When an application has its own certificate configured, that certificate is used. Otherwise, it falls back to the global certificates.
Here's what the responses look like. The global endpoint returns:
{
"issuer": "https://door.casdoor.com",
"jwks_uri": "https://door.casdoor.com/.well-known/jwks",
"authorization_endpoint": "https://door.casdoor.com/login/oauth/authorize",
...
}
While the application-specific endpoint for app-example returns:
{
"issuer": "https://door.casdoor.com/.well-known/app-example",
"jwks_uri": "https://door.casdoor.com/.well-known/app-example/jwks",
"authorization_endpoint": "https://door.casdoor.com/login/oauth/authorize",
...
}
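A relying party that switches between the global and the application-specific endpoint should confirm that the `issuer` and `jwks_uri` it receives are the ones the discovery URL implies, so that tokens are not verified against the wrong key set. The following is an added example, not Casdoor's own code: the function names are hypothetical, the sample documents are constructed from the responses shown above, and the same-origin rule for the other endpoints is an assumption for a single-host deployment.

```python
import json
from urllib.parse import urlsplit

PREFIX, SUFFIX = "/.well-known", "/openid-configuration"

def expected_values(discovery_url):
    """Return (origin, issuer, jwks_uri) implied by the discovery URL patterns above."""
    parts = urlsplit(discovery_url)
    if parts.scheme != "https" or not parts.path.endswith(SUFFIX):
        raise ValueError("not an https OIDC discovery URL")
    origin = f"https://{parts.netloc}"
    base = parts.path[: -len(SUFFIX)]   # "/.well-known" or "/.well-known/<app>"
    if base == PREFIX:                  # global endpoint: issuer is the bare origin
        return origin, origin, origin + PREFIX + "/jwks"
    app = base[len(PREFIX) + 1:] if base.startswith(PREFIX + "/") else ""
    if not app or "/" in app:           # empty or nested application name
        raise ValueError("unrecognised discovery path")
    return origin, origin + base, origin + base + "/jwks"

def check_discovery(discovery_url, doc):
    """Return a list of problems; an empty list means the document is consistent."""
    origin, issuer, jwks = expected_values(discovery_url)
    problems = []
    for key, want in (("issuer", issuer), ("jwks_uri", jwks)):
        if doc.get(key) != want:
            problems.append(f"{key}: got {doc.get(key)!r}, expected {want!r}")
    # Assumption: the shared endpoints live on the same HTTPS origin the
    # discovery document was fetched from (single-host deployment).
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint"):
        if key in doc and not doc[key].startswith(origin + "/"):
            problems.append(f"{key}: {doc[key]!r} is not on {origin}")
    return problems

# Constructed sample documents, abbreviated from the responses shown above.
GLOBAL_URL = "https://door.casdoor.com/.well-known/openid-configuration"
APP_URL = "https://door.casdoor.com/.well-known/app-example/openid-configuration"
GLOBAL_DOC = json.loads("""{
  "issuer": "https://door.casdoor.com",
  "jwks_uri": "https://door.casdoor.com/.well-known/jwks",
  "authorization_endpoint": "https://door.casdoor.com/login/oauth/authorize",
  "token_endpoint": "https://door.casdoor.com/api/login/oauth/access_token"
}""")
APP_DOC = dict(GLOBAL_DOC,
               issuer="https://door.casdoor.com/.well-known/app-example",
               jwks_uri="https://door.casdoor.com/.well-known/app-example/jwks")

if __name__ == "__main__":
    print(check_discovery(GLOBAL_URL, GLOBAL_DOC))  # consistent
    print(check_discovery(APP_URL, GLOBAL_DOC))     # global document served for an app URL
```

Run the check once when the provider configuration is loaded and refuse to start on a non-empty result; the ID token's `iss` claim should then be compared against the same expected issuer.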
List of OIDC Client Libraries
Here is a list of some OIDC client libraries for languages such as Go and Java:
| OIDC client library | Language | Link |
|---|---|---|
| go-oidc | Go | https://github.com/coreos/go-oidc |
| pac4j-oidc | Java | https://www.pac4j.org/docs/clients/openid-connect.html |
Please note that the table above is not exhaustive. For a complete list of OIDC client libraries, you can find more details at:
OIDC UserInfo Fields
The following table illustrates how the OIDC UserInfo fields (via the /api/userinfo API) are mapped from the properties of Casdoor's User table:
| Casdoor User Field | OIDC UserInfo Field |
|---|---|
| Id | sub |
| originBackend | iss |
| Aud | aud |
| Name | preferred_username |
| DisplayName | name |
| Avatar | picture |
| Location | address |
| Phone | phone |
You can see the definition of UserInfo here.