使用標準 OIDC 客戶端連接 Casdoor

image

https://casdoor.org/docs/how-to-connect/oidc-client

OIDC 探索 (OIDC Discovery)

Casdoor 完整實作了 OIDC(OpenID Connect)協議。如果您的應用程式已經使用標準 OIDC 客戶端庫來連接其他 OAuth 2.0 身份提供者(Identity Provider),並希望遷移到 Casdoor,那麼使用 OIDC 探索機制(OIDC Discovery) 將使切換變得非常簡單。

Casdoor 的 OIDC 探索 URL 格式如下: 

1
<你的 Casdoor 伺服器域名>/.well-known/openid-configuration

例如,Casdoor 官方示範站點的 OIDC 探索 URL 為:
https://door.casdoor.com/.well-known/openid-configuration

此 URL 會返回一個 JSON 配置文件,其中包含 OIDC 相關的端點與支持的功能。例如: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
{
  "issuer": "https://door.casdoor.com",
  "authorization_endpoint": "https://door.casdoor.com/login/oauth/authorize",
  "token_endpoint": "https://door.casdoor.com/api/login/oauth/access_token",
  "userinfo_endpoint": "https://door.casdoor.com/api/userinfo",
  "jwks_uri": "https://door.casdoor.com/.well-known/jwks",
  "introspection_endpoint": "https://door.casdoor.com/api/login/oauth/introspect",
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "code token",
    "code id_token",
    "token id_token",
    "code token id_token",
    "none"
  ],
  "response_modes_supported": [
    "login",
    "code",
    "link"
  ],
  "grant_types_supported": [
    "password",
    "authorization_code"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "profile",
    "address",
    "phone",
    "offline_access"
  ],
  "claims_supported": [
    "iss",
    "ver",
    "sub",
    "aud",
    "iat",
    "exp",
    "id",
    "type",
    "displayName",
    "avatar",
    "permanentAvatar",
    "email",
    "phone",
    "location",
    "affiliation",
    "title",
    "homepage",
    "bio",
    "tag",
    "region",
    "language",
    "score",
    "ranking",
    "isOnline",
    "isAdmin",
    "isGlobalAdmin",
    "isForbidden",
    "signupApplication",
    "ldap"
  ],
  "request_parameter_supported": true,
  "request_object_signing_alg_values_supported": [
    "HS256",
    "HS384",
    "HS512"
  ]
}

OIDC 客戶端函式庫

以下是一些常見的 OIDC 客戶端函式庫,可用於不同程式語言來實現 OIDC 驗證功能:

OIDC 客戶端函式庫 程式語言 連結
go-oidc Go GitHub
pac4j-oidc Java 官方文件

這份清單並不完整,您可以在以下連結找到更多 OIDC 客戶端函式庫的資訊:

OIDC UserInfo 欄位對應

當使用 /api/userinfo API 取得 OIDC 使用者資訊時,Casdoor 會將內部的使用者屬性對應到標準的 OIDC UserInfo 欄位,如下表所示:

Casdoor 使用者欄位 OIDC UserInfo 欄位
Id sub
originBackend iss
Aud aud
Name preferred_username
DisplayName name
Email email
Avatar picture
Location address
Phone phone

完整的 UserInfo 定義可參閱 Casdoor 官方文件。

這樣的 OIDC 探索與標準 OIDC 客戶端函式庫相結合,可以輕鬆地將 Casdoor 整合到您的應用程式中,無論是身份驗證還是權限管理,都能實現標準化與便捷的對接。