Standard OIDC Client
OIDC Discovery
Casdoor fully implements the OIDC protocol. If your application already connects to another OAuth 2.0 identity provider through a standard OIDC client library and you want to migrate to Casdoor, OIDC discovery makes the switch straightforward.
Global OIDC Endpoint
Casdoor's global OIDC discovery URL is:
```
<your-casdoor-backend-host>/.well-known/openid-configuration
```
For example, the demo site's OIDC discovery URL is https://door.casdoor.com/.well-known/openid-configuration, and it returns the following document:
```json
{
  "issuer": "https://door.casdoor.com",
  "authorization_endpoint": "https://door.casdoor.com/login/oauth/authorize",
  "token_endpoint": "https://door.casdoor.com/api/login/oauth/access_token",
  "userinfo_endpoint": "https://door.casdoor.com/api/userinfo",
  "jwks_uri": "https://door.casdoor.com/.well-known/jwks",
  "introspection_endpoint": "https://door.casdoor.com/api/login/oauth/introspect",
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "code token",
    "code id_token",
    "token id_token",
    "code token id_token",
    "none"
  ],
  "response_modes_supported": [
    "login",
    "code",
    "link"
  ],
  "grant_types_supported": [
    "password",
    "authorization_code"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "profile",
    "address",
    "phone",
    "offline_access"
  ],
  "claims_supported": [
    "iss",
    "ver",
    "sub",
    "aud",
    "iat",
    "exp",
    "id",
    "type",
    "displayName",
    "avatar",
    "permanentAvatar",
    "email",
    "phone",
    "location",
    "affiliation",
    "title",
    "homepage",
    "bio",
    "tag",
    "region",
    "language",
    "score",
    "ranking",
    "isOnline",
    "isAdmin",
    "isGlobalAdmin",
    "isForbidden",
    "signupApplication",
    "ldap"
  ],
  "request_parameter_supported": true,
  "request_object_signing_alg_values_supported": [
    "HS256",
    "HS384",
    "HS512"
  ]
}
```
Application-Specific OIDC Endpoints
Besides the global discovery endpoint, you can use application-specific OIDC discovery endpoints. Each application gets its own isolated OIDC configuration with a unique issuer. This comes in handy when running multi-tenant deployments where applications need their own certificates or when you want to gradually migrate applications without affecting others.
The application-specific discovery URL follows this pattern:
```
<your-casdoor-backend-host>/.well-known/<application-name>/openid-configuration
```
For example, if you have an application named app-example:
```
https://door.casdoor.com/.well-known/app-example/openid-configuration
```
The main difference is that the `issuer` and `jwks_uri` fields in the discovery response contain the application path. The issuer becomes `https://door.casdoor.com/.well-known/app-example` instead of just `https://door.casdoor.com`, and the `jwks_uri` points to `/.well-known/app-example/jwks`. Everything else, including the authorization and token endpoints, stays the same.
You can also access the JWKS and WebFinger endpoints for each application:
```
<your-casdoor-backend-host>/.well-known/<application-name>/jwks
<your-casdoor-backend-host>/.well-known/<application-name>/webfinger
```
The JWKS endpoint returns the public keys for verifying tokens. When an application has its own certificate configured, that certificate is used. Otherwise, it falls back to the global certificates.
Here's what the responses look like. The global endpoint returns:
```json
{
  "issuer": "https://door.casdoor.com",
  "jwks_uri": "https://door.casdoor.com/.well-known/jwks",
  "authorization_endpoint": "https://door.casdoor.com/login/oauth/authorize",
  ...
}
```
While the application-specific endpoint for app-example returns:
```json
{
  "issuer": "https://door.casdoor.com/.well-known/app-example",
  "jwks_uri": "https://door.casdoor.com/.well-known/app-example/jwks",
  "authorization_endpoint": "https://door.casdoor.com/login/oauth/authorize",
  ...
}
```
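The checks a relying party should derive from the two discovery variants above, as an added example that is not Casdoor's or any client library's code: the document's `issuer` must equal the issuer the client was configured with (global or application-specific), the `jwks_uri` must sit on that issuer's origin, an ID token's header `alg` must be one the provider advertises in `id_token_signing_alg_values_supported` (so `none` and the HS* values listed only for request objects are refused), and the `kid` must resolve to a JWKS key before the claims are checked. The discovery documents, JWKS and token are constructed inline; the RSA signature verification itself is assumed to be done by a JOSE library with the selected key.

```python
import base64
import json
from urllib.parse import urlsplit

# Constructed discovery documents trimmed to the fields used here (global and app-example).
GLOBAL_DOC = {"issuer": "https://door.casdoor.com",
              "jwks_uri": "https://door.casdoor.com/.well-known/jwks",
              "id_token_signing_alg_values_supported": ["RS256"]}
APP_DOC = {"issuer": "https://door.casdoor.com/.well-known/app-example",
           "jwks_uri": "https://door.casdoor.com/.well-known/app-example/jwks",
           "id_token_signing_alg_values_supported": ["RS256"]}
# Constructed JWKS: key material is a placeholder, only kid/kty/alg matter here.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "cert-built-in", "alg": "RS256",
                         "use": "sig", "n": "<placeholder-modulus>", "e": "AQAB"}]}

def b64url(obj):  # JSON object -> unpadded base64url JWT segment
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def b64url_decode(part):  # JWT segment -> JSON object
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def load_discovery(expected_issuer, doc):
    # Issuer must equal the configured one; JWKS must be served from the issuer's origin.
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r}")
    if urlsplit(doc.get("jwks_uri", ""))[:2] != urlsplit(expected_issuer)[:2]:
        raise ValueError("jwks_uri is not on the issuer's origin")
    return doc

def select_signing_key(token, doc, jwks):
    # Accept the header alg only if advertised for ID tokens, then resolve kid in the JWKS.
    header = b64url_decode(token.split(".")[0])
    if header.get("alg") not in doc["id_token_signing_alg_values_supported"]:
        raise ValueError(f"alg {header.get('alg')!r} not allowed for ID tokens")
    for key in jwks["keys"]:
        if key.get("kid") == header.get("kid") and key.get("kty") == "RSA":
            return key
    raise ValueError("no JWKS key matches the token's kid")

def check_id_token_claims(token, doc, client_id, now):
    # Claim checks after the signature was verified with the selected key (JOSE library).
    claims = b64url_decode(token.split(".")[1])
    aud = claims.get("aud")
    if claims.get("iss") != doc["issuer"]:
        raise ValueError("iss does not match the discovery issuer")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token has expired")
    return claims
```

Note that a token minted under the global issuer fails the `iss` check against the app-example document and vice versa, which is what keeps per-application trust isolated.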
List of OIDC Client Libraries
The following is a list of OIDC client libraries for languages such as Go and Java:
| OIDC client library | Language | Link |
|---|---|---|
| go-oidc | Go | https://github.com/coreos/go-oidc |
| pac4j-oidc | Java | https://www.pac4j.org/docs/clients/openid-connect.html |
Note that the table above is not exhaustive. For a complete list of OIDC client libraries, you can find more details at the following location:
OIDC UserInfo Fields
The following table shows how the OIDC UserInfo fields (returned by the /api/userinfo API) are mapped from the attributes of Casdoor's user table:
| Casdoor user field | OIDC UserInfo field |
|---|---|
| Id | sub |
| originBackend | iss |
| Aud | aud |
| Name | preferred_username |
| DisplayName | name |
| Avatar | picture |
| Location | address |
| Phone | phone |
You can view the definition of UserInfo here.