
egg-oidc-server

Install dependencies

$ npm i

Run the migrations

The migration configuration is in config.json under the database directory.

npm run sequelize -- db:migrate

Run

Linux

DEBUG=oidc-provider:* npm run dev

Windows

set DEBUG=oidc-provider:* & npm run dev

Notes

app/extend contains an oidc_persistence.js file that persists the oidc data, for example saving clients and access tokens. Without it, data is kept in memory by default and is cleared when node restarts.

Routes

Discovery

GET /.well-known/openid-configuration

The oidc discovery endpoint; it returns the detailed configuration of the service.

Client registration

POST /reg

Client registration endpoint

Parameters

{
    "application_type": "web",
    "redirect_uris": ["https://127.0.0.1:3000"],
    "response_types": ["id_token token"],
    "grant_types": ["implicit"],
    "token_endpoint_auth_method": "client_secret_post"
}

Response

{
    "application_type": "web",
    "grant_types": [
        "implicit"
    ],
    "id_token_signed_response_alg": "RS256",
    "require_auth_time": false,
    "response_types": [
        "id_token token"
    ],
    "subject_type": "public",
    "token_endpoint_auth_method": "client_secret_post",
    "request_uris": [],
    "client_id_issued_at": 1533610994,
    "client_id": "0d3612b8-0c85-430e-815a-70a369b99797",
    "client_secret_expires_at": 0,
    "client_secret": "XLYyczWIUjvl2bDkP1eynj7rPprKlBvpU5EQn5+XdR8xe2TR/F3wlTT9JL11HboV",
    "redirect_uris": [
        "https://127.0.0.1:3000"
    ],
    "introspection_endpoint_auth_method": "client_secret_post",
    "revocation_endpoint_auth_method": "client_secret_post",
    "registration_client_uri": "http://localhost:7001/reg/0d3612b8-0c85-430e-815a-70a369b99797",
    "registration_access_token": "fFjKuyAgHNxjfXB4DHNzpHhAfqSrbm4f96eYEaf_75B"
}

Get a token

POST /token

This example only shows obtaining a token with the password grant. For the other ways of obtaining a token you need to study the OAuth2 protocol in detail. Also, oidc does not support the password grant, so I extended oidc in the framework's app.js.

Parameters

{
    "client_id": "ab812216-5c28-44d0-841e-59cd9bf7385d",
    "grant_type": "password",
    "username": "1",
    "password": "1",
    "client_secret": "9DLNXp1dXI4T4KLWTWyqlCKgVHMYdTKgqSXt3Mho02/VJPziD85rbdxF7/WKX27p"
}

Response

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IklxeEcyV185VTZGczB3dEVZNHFBNkhEV3dXcGFTeWtobEZUeld6MlVuYUUifQ.eyJqdGkiOiJscGlVNXR0aTRqU3JCZHdkcUpEXzgiLCJzdWIiOjEsImlzcyI6Imh0dHA6Ly8xMjcuMC4wLjE6MzAwMCIsImlhdCI6MTUzMzYxMTIyMiwiZXhwIjoxNTMzNjE0ODIyLCJhdWQiOiJhYjgxMjIxNi01YzI4LTQ0ZDAtODQxZS01OWNkOWJmNzM4NWQifQ.lEOB3MdNsvO-M88tVYaqAZi13F7K0ij25X5h3mW4krVV_xTWECRDWWHq_UTWhso-CIBIeogDzMzwv1jaVfWZWJgNqkZWWf20XOgUEyZkP_nbsH10YjpPYRVXXorJF-dENv-RA7aUSBg6JwN0C5Lh4XTUJ7zB1Pdz7PGAAIfbnhVhUpa4iPhG5XfY7iLCnY5Xv1BP903CgZLvY8P9Mvz4cc_hpQRK4DUML8N3592F5WgeDBS2BRLycG-FjpckVCO_H8zj51vzuJNS0hWqpbQeu4lXfDbHhX1L3Y1chhHaDIq888lCuweJDrjaD3CFsKmigSlRPRiOrN2sflz-kiCRoQ",
    "expires_in": 3600,
    "token_type": "Bearer"
}

Authorization

POST /auth

Example request

http://localhost:7001/auth?scope=openid&response_type=id_token+token&client_id=b4735627-252c-480d-93aa-c635816a1e2c&nonce=odekghsaoghoashg

This example uses the implicit grant. The request opens an authentication page, and after successful authentication the access_token and id_token are returned via a redirect. This id_token is the extension OIDC adds on top of OAuth2.

// http://localhost:7001/auth?scope=openid&response_type=code&client_id=5533b6d4-cddc-42f2-9d4e-d8d9b0b266ab&nonce=odekghsaoghoashg

About OAuth2 and OIDC

In OAuth2, after authorization an access_token is returned to the client, and the client presents this access_token to the resource server to obtain protected resources. Usually this access_token is in jwt format. Because a jwt is self-contained, the resource server can check the signature in the jwt to validate the access_token. The purpose of the validation is to determine whether this access_token was issued by an authorization server the resource server trusts. Besides an access_token, OIDC also returns an id_token. This id_token is the product of authentication and the focus of OIDC: it contains information about the authenticated user, and it is also in jwt format. The difference between the id_token and the access_token is that producing an id_token always requires the user (resource owner) to participate, and the audience of the id_token is the client, which uses it to obtain the authenticated user's information. The access_token is the product of authorization; in some OAuth2 grants no user (resource owner) participates at all, for example the client credentials grant. And the audience of the access_token is the resource server.

Several articles on the protocols by a more experienced author are recommended:

http://www.cnblogs.com/linianhui/tag/OIDC/
