
keycloak~Practice on Scope in Authorization Code Authentication

2024-09-25 11:14:25

Preface

In Keycloak 14.0.0, when you request an authorization code from the protocol/openid-connect/auth endpoint, the scope parameter is optional, but it still serves a purpose. Here are the details of the scope parameter you need to know:

1. The role of the scope parameter

  • Defining permissions: scope declares the resources and permissions for which access is requested. Common values include openid, profile, email, and so on.
  • Affecting the returned data: if you specify certain scopes in the authorization request, Keycloak will return the corresponding information in the subsequent token request according to those scopes.
  • openid indicates that the requester wishes to authenticate using OpenID Connect.
  • Getting an ID Token: when you include openid in the authorization request, Keycloak returns an ID Token containing the user's identity information; conversely, without openid in the scope, no id_token field is generated.

2. Using scope at different stages

  • Authorization request phase (/protocol/openid-connect/auth):

    • The scope parameter can be passed here to specify the permissions being requested when the user agrees to the authorization.
  • Token request phase (/protocol/openid-connect/token):

    • scope can also be passed at this stage, but typically, if the authorization request already specified a scope, there is no need to specify it again here.
    • If a scope was specified in the authorization request, specifying it again here has no effect; the value specified in the authorization request is the one that applies.

3. Examples

The following is an example of a request to get an authorization code:

GET /auth/realms/{realm}/protocol/openid-connect/auth?
response_type=code&
client_id={client_id}&
redirect_uri={redirect_uri}&
scope=openid profile

4. Summary

  • Suggestion: although scope is optional in the authorization request, to ensure that the correct permissions and data are obtained, it is recommended to include the scope parameter.
  • Note: in actual development, it is very important to configure scope sensibly according to your application's needs.

Practice

OAuth2 authorization code flow

1. Configure the client and scope templates

  • Default templates: the permissions in a default template are enabled regardless of whether the application passes a scope or not.
  • Optional templates: chosen by the user, they are expressed through scope and are appended on top of the default template.

2. Obtaining an authorization code

  • Here the scope reflects obtaining the user's email, data that is disclosed by the user's own choice.
  • Address: /auth/realms/{realm}/protocol/openid-connect/auth?client_id=dahengshuju&scope=profile email&redirect_uri=&response_type=code

3. Form authentication

  • Prompts the user to enter their account and password to log in.
  • After a successful login, the user is redirected back to the originating page (the redirect_uri) with the code attached.
  • The code expires immediately after a single use.

4. Obtaining a token

  • Use the code obtained in step 3; the scope limits the authorization granted [i.e., the set of fields contained in the token and in the user information].
  • Since step 2 already specified the scope, specifying it again in this step has no effect; use one or the other.
  • Address: /auth/realms/{realm}/protocol/openid-connect/token
  • Request form type: x-www-form-urlencoded
  • Request parameters:
grant_type:authorization_code
code:3be438fe-8651-4a84-8141-976b76e671e1.75cab95f-a1ec-4b9b-9a6e-8f1ecb651cd6.61d819de-33e4-4006-ae66-dd7609ea2d3e
client_id:dahengshuju
client_secret:9e3de70f-d5cd-4d11-a8aa-85fd3af13265
scope:profile
  • This is the decoded token when the scope is profile email:
{
    "exp": 1727233162,
    "iat": 1727231362,
    "auth_time": 1727229121,
    "jti": "bb296d9d-d521-45b1-aab9-8cb6bea0ddc3",
    "iss": "/auth/realms/xx",
    "sub": "347c9e9e-076c-45e3-be74-c482fffcc6e5",
    "typ": "Bearer",
    "azp": "dahengshuju",
    "session_state": "75cab95f-a1ec-4b9b-9a6e-8f1ecb651cd6",
    "acr": "0",
    "scope": "email profile",
    "email_verified": false,
    "preferred_username": "test",
    "locale": "zh-CN",
    "email": "bfyxzls@"
}
  • This is the decoded token when the scope is only profile; it contains no email information:
{
    "exp": 1727233521,
    "iat": 1727231721,
    "auth_time": 1727229121,
    "jti": "f7de8ad9-7558-4f4a-8761-8724f685febb",
    "iss": "/auth/realms/xx",
    "sub": "347c9e9e-076c-45e3-be74-c482fffcc6e5",
    "typ": "Bearer",
    "azp": "dahengshuju",
    "session_state": "75cab95f-a1ec-4b9b-9a6e-8f1ecb651cd6",
    "acr": "0",
    "scope": "profile",
    "preferred_username": "test",
    "locale": "zh-CN"
}
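The following is an added example, not code from the original post, that walks through steps 2 and 4 above offline: it builds the authorization request URL and the token request body, then decodes the two sample tokens shown above and checks which scope-bound claims each one actually carries. The Keycloak base URL, realm and redirect_uri are assumptions; the client_id and the two token payloads are copied from this page; the JWT-shaped strings are constructed here and are unsigned, so decode_payload() deliberately does not verify a signature (a real client must verify the signature before trusting any claim).

```python
import base64
import json
from urllib.parse import urlencode

# Assumed values (not from the page); client_id mirrors the page's example.
KEYCLOAK_BASE = "https://keycloak.example.invalid/auth"
REALM = "xx"
CLIENT_ID = "dahengshuju"
REDIRECT_URI = "https://app.example.invalid/callback"

# Claims that Keycloak's built-in "email" and "profile" client scopes map into the token.
# Kept short on purpose: these are the claims visible in the page's sample tokens.
SCOPE_CLAIMS = {
    "email": {"email", "email_verified"},
    "profile": {"preferred_username", "locale"},
}


def build_auth_url(scopes, state):
    """Step 2: authorization request. scope is space-separated; urlencode encodes the space."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,  # standard OAuth2 CSRF binding of the callback (not shown on the page)
    }
    return f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/auth?{urlencode(params)}"


def build_token_form(code, client_secret):
    """Step 4: x-www-form-urlencoded body. No scope here: the one from step 2 governs."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "redirect_uri": REDIRECT_URI,
    })


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(jwt):
    """Parse the payload segment only. NO signature verification: verify before trusting claims."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_scope_claims(claims, requested_scopes):
    """Compare granted vs. requested scope and list which scope-bound claims are present.
    Returns (granted_scopes, missing_scopes, {scope: [claims present]})."""
    granted = set(claims.get("scope", "").split())
    missing = set(requested_scopes) - granted
    present = {s: sorted(SCOPE_CLAIMS.get(s, set()) & set(claims)) for s in requested_scopes}
    return granted, missing, present


def _constructed_jwt(payload):
    """Build an unsigned JWT-shaped string for offline demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.constructed-signature"


# Payloads copied from the page's two decoded tokens (wrapped here into constructed JWTs).
TOKEN_PROFILE_EMAIL = _constructed_jwt({
    "exp": 1727233162, "iat": 1727231362, "iss": "/auth/realms/xx",
    "sub": "347c9e9e-076c-45e3-be74-c482fffcc6e5", "typ": "Bearer", "azp": "dahengshuju",
    "scope": "email profile", "email_verified": False, "preferred_username": "test",
    "locale": "zh-CN", "email": "bfyxzls@",
})
TOKEN_PROFILE_ONLY = _constructed_jwt({
    "exp": 1727233521, "iat": 1727231721, "iss": "/auth/realms/xx",
    "sub": "347c9e9e-076c-45e3-be74-c482fffcc6e5", "typ": "Bearer", "azp": "dahengshuju",
    "scope": "profile", "preferred_username": "test", "locale": "zh-CN",
})

if __name__ == "__main__":
    print(build_auth_url(["openid", "profile", "email"], state="constructed-state"))
    print(build_token_form("constructed-code", "constructed-secret"))
    for name, tok in (("profile email", TOKEN_PROFILE_EMAIL), ("profile", TOKEN_PROFILE_ONLY)):
        print(name, check_scope_claims(decode_payload(tok), ["profile", "email"]))
```

The useful habit this shows is on the consuming side: read the token's own scope claim and compare it with what was requested, rather than assuming the email claim will be there because the app asked for it. With the profile-only token the email scope is reported missing and no email claims are present, matching the second sample above.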

5. Obtaining user information via access_token

  • The user information is essentially the content parsed from the token.
  • Address: /auth/realms/{realm}/protocol/openid-connect/userinfo
  • Request header: Authorization: Bearer <access_token>
{
    "sub": "347c9e9e-076c-45e3-be74-c482fffcc6e5",
    "email_verified": false,
    "preferred_username": "test",
    "locale": "zh-CN",
    "email": "xxx@"
}