256 lines
16 KiB
Text
256 lines
16 KiB
Text
=== Other OpenID Connect Libraries
|
|
|
|
{project_name} can be secured by supplied adapters that are usually easier to use and provide better integration with {project_name}. However, if an adapter is not available for your programming language, framework, or platform you might opt to use a generic OpenID Connect Relying Party (RP) library instead. This chapter describes details specific to {project_name} and does not contain specific protocol details. For more information see the https://openid.net/connect/[OpenID Connect specifications] and https://datatracker.ietf.org/doc/html/rfc6749[OAuth2 specification].
|
|
|
|
==== Endpoints
|
|
|
|
The most important endpoint to understand is the `well-known` configuration endpoint. It lists endpoints and other configuration options relevant to the OpenID Connect implementation in {project_name}. The endpoint is:
|
|
|
|
....
|
|
/realms/{realm-name}/.well-known/openid-configuration
|
|
....
|
|
|
|
To obtain the full URL, add the base URL for {project_name} and replace `{realm-name}` with the name of your realm. For example:
|
|
|
|
$$http://localhost:8080/auth/realms/master/.well-known/openid-configuration$$
|
|
|
|
Some RP libraries retrieve all required endpoints from this endpoint, but for others you might need to list the endpoints individually.
|
|
|
|
===== Authorization Endpoint
|
|
....
|
|
/realms/{realm-name}/protocol/openid-connect/auth
|
|
....
|
|
|
|
The authorization endpoint performs authentication of the end-user. This is done by redirecting the user agent to this endpoint.
|
|
|
|
For more details see the https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint[Authorization Endpoint] section in the OpenID Connect specification.
|
|
|
|
===== Token Endpoint
|
|
....
|
|
/realms/{realm-name}/protocol/openid-connect/token
|
|
....
|
|
|
|
The token endpoint is used to obtain tokens. Tokens can either be obtained by exchanging an authorization code or by supplying credentials directly depending on what flow is used.
|
|
The token endpoint is also used to obtain new access tokens when they expire.
|
|
|
|
For more details see the https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint[Token Endpoint] section in the OpenID Connect specification.
|
|
|
|
===== Userinfo Endpoint
|
|
....
|
|
/realms/{realm-name}/protocol/openid-connect/userinfo
|
|
....
|
|
|
|
The userinfo endpoint returns standard claims about the authenticated user, and is protected by a bearer token.
|
|
|
|
For more details see the https://openid.net/specs/openid-connect-core-1_0.html#UserInfo[Userinfo Endpoint] section in the OpenID Connect specification.
|
|
|
|
===== Logout Endpoint
|
|
....
|
|
/realms/{realm-name}/protocol/openid-connect/logout
|
|
....
|
|
|
|
The logout endpoint logs out the authenticated user.
|
|
|
|
The user agent can be redirected to the endpoint, in which case the active user session is logged out. Afterward the user agent is redirected back to the application.
|
|
|
|
The endpoint can also be invoked directly by the application. To invoke this endpoint directly the refresh token needs to be included as well as the credentials required to authenticate the client.
|
|
|
|
[[_certificate_endpoint]]
|
|
===== Certificate Endpoint
|
|
....
|
|
/realms/{realm-name}/protocol/openid-connect/certs
|
|
....
|
|
|
|
The certificate endpoint returns the public keys enabled by the realm, encoded as a JSON Web Key (JWK). Depending on the realm settings there can be one or more keys enabled for verifying tokens. For more information see the link:{adminguide_link}[{adminguide_name}] and the https://datatracker.ietf.org/doc/html/rfc7517[JSON Web Key specification].
|
|
|
|
[[_token_introspection_endpoint]]
|
|
===== Introspection Endpoint
|
|
....
|
|
/realms/{realm-name}/protocol/openid-connect/token/introspect
|
|
....
|
|
|
|
The introspection endpoint is used to retrieve the active state of a token. In other words, you can use it to validate an access or refresh token.
|
|
It can only be invoked by confidential clients.
|
|
|
|
For more details on how to invoke on this endpoint, see https://datatracker.ietf.org/doc/html/rfc7662[OAuth 2.0 Token Introspection specification].
|
|
|
|
===== Dynamic Client Registration Endpoint
|
|
....
|
|
/realms/{realm-name}/clients-registrations/openid-connect
|
|
....
|
|
|
|
The dynamic client registration endpoint is used to dynamically register clients.
|
|
|
|
For more details see the <<_client_registration,Client Registration chapter>> and the
|
|
https://openid.net/specs/openid-connect-registration-1_0.html[OpenID Connect Dynamic Client Registration specification].
|
|
|
|
[[_token_revocation_endpoint]]
|
|
===== Token Revocation Endpoint
|
|
....
|
|
/realms/{realm-name}/protocol/openid-connect/revoke
|
|
....
|
|
|
|
The token revocation endpoint is used to revoke tokens. Both refresh tokens and access tokens are supported by this endpoint.
|
|
|
|
For more details on how to invoke on this endpoint, see https://datatracker.ietf.org/doc/html/rfc7009[OAuth 2.0 Token Revocation specification].
|
|
|
|
===== Device Authorization Endpoint
|
|
....
|
|
/realms/{realm-name}/protocol/openid-connect/auth/device
|
|
....
|
|
|
|
The device authorization endpoint is used to obtain a device code and a user code. It can only be invoked by confidential clients.
|
|
|
|
For more details on how to invoke on this endpoint, see https://datatracker.ietf.org/doc/html/rfc8628[OAuth 2.0 Device Authorization Grant specification].
|
|
|
|
[[_backchannel_authentication_endpoint]]
|
|
===== Backchannel Authentication Endpoint
|
|
....
|
|
/realms/{realm-name}/protocol/openid-connect/ext/ciba/auth
|
|
....
|
|
|
|
The backchannel authentication endpoint is used to obtain an auth_req_id that identifies the authentication request made by the client. It can only be invoked by confidential clients.
|
|
|
|
For more details on how to invoke on this endpoint, see https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html[OpenID Connect Client Initiated Backchannel Authentication Flow specification].
|
|
|
|
Also please refer to other places of {project_name} documentation like <<_client_initiated_backchannel_authentication_grant,Client Initiated Backchannel Authentication Grant section of this guide>> and link:{adminguide_link}#_client_initiated_backchannel_authentication_grant[Client Initiated Backchannel Authentication Grant section] of {adminguide_name}.
|
|
|
|
==== Validating Access Tokens
|
|
|
|
If you need to manually validate access tokens issued by {project_name} you can invoke the <<_token_introspection_endpoint,Introspection Endpoint>>.
|
|
The downside to this approach is that you have to make a network invocation to the {project_name} server. This can be slow and possibly overload the
|
|
server if you have too many validation requests going on at the same time. {project_name} issued access tokens are https://datatracker.ietf.org/doc/html/rfc7519[JSON Web Tokens (JWT)] digitally signed and encoded using https://datatracker.ietf.org/doc/html/rfc7515[JSON Web Signature (JWS)].
|
|
Because they are encoded in this way, this allows you to locally validate access tokens using the public key of the issuing realm. You can either hard code the
|
|
realm's public key in your validation code, or lookup and cache the public key using the <<_certificate_endpoint, certificate endpoint>> with the Key ID (KID) embedded within the
|
|
JWS. Depending what language you code in, there are a multitude of third party libraries out there that can help you with JWS validation.
|
|
|
|
|
|
==== Flows
|
|
|
|
===== Authorization Code
|
|
|
|
The Authorization Code flow redirects the user agent to {project_name}. Once the user has successfully authenticated with {project_name} an
|
|
Authorization Code is created and the user agent is redirected back to the application. The application then uses the authorization code along with its
|
|
credentials to obtain an Access Token, Refresh Token and ID Token from {project_name}.
|
|
|
|
The flow is targeted towards web applications, but is also recommended for native applications, including mobile applications, where it is possible to embed
|
|
a user agent.
|
|
|
|
For more details refer to the https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth[Authorization Code Flow] in the OpenID Connect specification.
|
|
|
|
===== Implicit
|
|
|
|
The Implicit flow redirects works similarly to the Authorization Code flow, but instead of returning an Authorization Code the Access Token and ID Token is
|
|
returned. This reduces the need for the extra invocation to exchange the Authorization Code for an Access Token. However, it does not include a Refresh
|
|
Token. This results in the need to either permit Access Tokens with a long expiration, which is problematic as it's very hard to invalidate these. Or
|
|
requires a new redirect to obtain new Access Token once the initial Access Token has expired. The Implicit flow is useful if the application only wants to
|
|
authenticate the user and deals with logout itself.
|
|
|
|
There's also a Hybrid flow where both the Access Token and an Authorization Code is returned.
|
|
|
|
One thing to note is that both the Implicit flow and Hybrid flow has potential security risks as the Access Token may be leaked through web server logs and
|
|
browser history. This is somewhat mitigated by using short expiration for Access Tokens.
|
|
|
|
For more details refer to the https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth[Implicit Flow] in the OpenID Connect specification.
|
|
|
|
[[_resource_owner_password_credentials_flow]]
|
|
===== Resource Owner Password Credentials
|
|
|
|
Resource Owner Password Credentials, referred to as Direct Grant in {project_name}, allows exchanging user credentials for tokens. It's not recommended
|
|
to use this flow unless you absolutely need to. Examples where this could be useful are legacy applications and command-line interfaces.
|
|
|
|
There are a number of limitations of using this flow, including:
|
|
|
|
* User credentials are exposed to the application
|
|
* Applications need login pages
|
|
* Application needs to be aware of the authentication scheme
|
|
* Changes to authentication flow requires changes to application
|
|
* No support for identity brokering or social login
|
|
* Flows are not supported (user self-registration, required actions, etc.)
|
|
|
|
For a client to be permitted to use the Resource Owner Password Credentials grant the client has to have the `Direct Access Grants Enabled` option enabled.
|
|
|
|
This flow is not included in OpenID Connect, but is a part of the OAuth 2.0 specification.
|
|
|
|
For more details refer to the https://datatracker.ietf.org/doc/html/rfc6749#section-4.3[Resource Owner Password Credentials Grant] chapter in the OAuth 2.0 specification.
|
|
|
|
====== Example using CURL
|
|
|
|
The following example shows how to obtain an access token for a user in the realm `master` with username `user` and password `password`. The example is using
|
|
the confidential client `myclient`:
|
|
|
|
[source,bash]
|
|
----
|
|
curl \
|
|
-d "client_id=myclient" \
|
|
-d "client_secret=40cc097b-2a57-4c17-b36a-8fdf3fc2d578" \
|
|
-d "username=user" \
|
|
-d "password=password" \
|
|
-d "grant_type=password" \
|
|
"http://localhost:8080/auth/realms/master/protocol/openid-connect/token"
|
|
----
|
|
|
|
===== Client Credentials
|
|
|
|
Client Credentials is used when clients (applications and services) wants to obtain access on behalf of themselves rather than on behalf of a user. This can
|
|
for example be useful for background services that applies changes to the system in general rather than for a specific user.
|
|
|
|
{project_name} provides support for clients to authenticate either with a secret or with public/private keys.
|
|
|
|
This flow is not included in OpenID Connect, but is a part of the OAuth 2.0 specification.
|
|
|
|
For more details refer to the https://datatracker.ietf.org/doc/html/rfc6749#section-4.4[Client Credentials Grant] chapter in the OAuth 2.0 specification.
|
|
|
|
===== Device Authorization Grant
|
|
|
|
Device Authorization Grant is used by clients running on internet-connected devices that have limited input capabilities or lack a suitable browser.
|
|
The application requests {project_name} a device code and a user code. {project_name} creates a device code and a user code.
|
|
{project_name} returns a response including the device code and the user code to the application.
|
|
Then the application provides the user with the user code and the verification URI. The user accesses a verification URI to be authenticated by using another browser.
|
|
The application repeatedly polls {project_name} until {project_name} completes the user authorization.
|
|
If user authentication is complete, the application obtains the device code. Then the application uses the device code along with its credentials to obtain an Access Token, Refresh Token and ID Token from {project_name}.
|
|
|
|
For more details refer to the https://datatracker.ietf.org/doc/html/rfc8628[OAuth 2.0 Device Authorization Grant specification].
|
|
|
|
[[_client_initiated_backchannel_authentication_grant]]
|
|
===== Client Initiated Backchannel Authentication Grant
|
|
|
|
Client Initiated Backchannel Authentication Grant is used by clients who want to initiate the authentication flow by communicating with the OpenID Provider directly without redirect through the user's browser like OAuth 2.0's authorization code grant.
|
|
|
|
The client requests {project_name} an auth_req_id that identifies the authentication request made by the client. {project_name} creates the auth_req_id.
|
|
|
|
After receiving this auth_req_id, this client repeatedly needs to poll {project_name} to obtain an Access Token, Refresh Token and ID Token from {project_name} in return for the auth_req_id until the user is authenticated.
|
|
|
|
In case that client uses `ping` mode, it does not need to repeatedly poll the token endpoint, but it can wait for the notification sent by {project_name} to the specified Client Notification Endpoint.
|
|
The Client Notification Endpoint can be configured in the {project_name} Admin Console. The details of the contract for Client Notification Endpoint are described in the CIBA specification.
|
|
|
|
For more details refer to https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html[OpenID Connect Client Initiated Backchannel Authentication Flow specification].
|
|
|
|
Also please refer to other places of {project_name} documentation like <<_backchannel_authentication_endpoint,Backchannel Authentication Endpoint of this guide>> and link:{adminguide_link}#_client_initiated_backchannel_authentication_grant[Client Initiated Backchannel Authentication Grant section] of {adminguide_name}.
|
|
For the details about FAPI CIBA compliance, please refer to the <<_fapi-support,FAPI section of this guide>>.
|
|
|
|
==== Redirect URIs
|
|
|
|
When using the redirect based flows it's important to use valid redirect uris for your clients. The redirect uris should be as specific as possible. This
|
|
especially applies to client-side (public clients) applications. Failing to do so could result in:
|
|
|
|
* Open redirects - this can allow attackers to create spoof links that looks like they are coming from your domain
|
|
* Unauthorized entry - when users are already authenticated with {project_name} an attacker can use a public client where redirect uris have not be configured correctly to gain access by redirecting the user without the users knowledge
|
|
|
|
In production for web applications always use `https` for all redirect URIs. Do not allow redirects to http.
|
|
|
|
There's also a few special redirect URIs:
|
|
|
|
[[_installed_applications_url]]
|
|
`$$http://localhost$$`::
|
|
|
|
This redirect URI is useful for native applications and allows the native application to create a web server on a random port that can be used to obtain the
|
|
authorization code. This redirect uri allows any port.
|
|
|
|
[[_installed_applications_urn]]
|
|
`urn:ietf:wg:oauth:2.0:oob`::
|
|
|
|
If its not possible to start a web server in the client (or a browser is not available) it is possible to use the special `urn:ietf:wg:oauth:2.0:oob` redirect uri.
|
|
When this redirect uri is used {project_name} displays a page with the code in the title and in a box on the page.
|
|
The application can either detect that the browser title has changed, or the user can copy/paste the code manually to the application.
|
|
With this redirect uri it is also possible for a user to use a different device to obtain a code to paste back to the application.
|