1 OpenID & OAuth2 & SAML
1.1 Relevant information
OpenID is an authentication standard. Many accounts on the Internet support OpenID, such as Google, Yahoo, PayPal and so on.
To use OpenID, a user must first obtain an OpenID account (such as a Google account) from an OpenID identity provider (IdP). The user can then use that account to log in to any service application (the relying party, RP) that accepts OpenID authentication. The OpenID protocol standard provides a framework for communication between the IdP and the RP.
In essence, a user's OpenID is a special URL owned by the user (such as alice2016.openid.com), so some websites even let users fill in their OpenID themselves.
To be exact, OAuth2 is an authorization protocol standard. Perhaps confusingly, OAuth2 is the foundation of OpenID Connect, yet OpenID Connect is an authentication protocol (in OpenID Connect, the ID token is itself treated as a resource).
Let's return to OAuth2. OAuth2 provides a delegated access mechanism: an application (called the client) can act on behalf of a user towards the resource server, obtaining resources that belong to the user or performing operations within the user's permissions, without the user having to share a username, password or other credentials with the client. OAuth2 implements this by having the IdP issue a token to the third-party application; the third-party application then uses that token to obtain the corresponding resources from the resource server.
Twitter's OAuth guide describes OAuth2 as an authentication protocol. In fact, what it offers is "pseudo-authentication" built on top of authorization.
SAML is the oldest of the three protocols. Its original version dates from 2001 and was revised in 2005. As the Security Assertion Markup Language, SAML can be used for both authentication and authorization.
A security assertion is a collection of statements about authentication, authorization and user attributes (such as the user's validity or address information). In SAML, these assertions are transmitted in XML format.
1.5 Comparison of the three
OIDC is short for OpenID Connect: OIDC = (identity, authentication) + OAuth 2.0. It builds an identity layer on top of OAuth2, making it a standard identity authentication protocol based on OAuth2. As we know, OAuth2 is an authorization protocol and cannot by itself provide a complete identity authentication function. OIDC uses the OAuth2 authorization server to authenticate the user on behalf of the third-party client and passes the corresponding authentication information to the client. It applies to all types of clients (server applications, mobile apps, JavaScript applications) and is fully compatible with OAuth2; in other words, once you have built an OIDC service you can also use it as an OAuth2 service.
2.1 Scene map
2.2 Core concepts of OIDC
OAuth2 provides the access token to solve the problem of authorizing a third-party client to access protected resources; on that basis, OIDC provides the ID token to solve the problem of authenticating the user to the third-party client. The core of OIDC is to hand the user's ID token to the third-party client during the OAuth2 authorization process. The ID token is packaged in JWT format; thanks to the self-contained, compact and tamper-evident nature of JWT (JSON Web Token), the ID token can be passed to the third-party client safely and verified easily. In addition, OIDC provides the userinfo interface, through which the client can obtain more complete information about the user.
2.3 Main terms of OIDC
- EU: End User, a human user.
- RP: Relying Party, the trusted client; the consumer of authentication and authorization information in OAuth2.
- OP: OpenID Provider, which provides the EU authentication service (such as the authorization service in OAuth2) and supplies EU authentication information to the RP.
- ID token: data in JWT format containing the EU's authentication information.
- Userinfo endpoint: the user information interface (protected by OAuth2). When the RP calls it with an access token, it returns the information of the authorized user. This interface must use HTTPS.
2.4 OIDC workflow
From an abstract point of view, the OIDC process consists of the following five steps:
- The RP sends an authentication request to the OP;
- The OP authenticates the EU and then obtains the EU's authorization;
- The OP returns an ID token and, if necessary, an access token to the RP;
- The RP uses the access token to send a request to the userinfo endpoint;
- The userinfo endpoint returns the EU's claims.
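The five steps above, together with the ID-token verification that section 2.2 relies on, as an added, self-contained simulation (not code from the original article or from any OP/RP product). A toy OP mints an ID token and the RP validates it before trusting the userinfo response. Assumptions: a shared HMAC secret (HS256) stands in for the OP's real asymmetric signing key, and the issuer URL, client id and redirect URI are constructed.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed, hypothetical identifiers for the simulation.
OP_ISSUER = "https://op.example.test"
CLIENT_ID = "demo-rp"
REDIRECT_URI = "https://rp.example.test/callback"
OP_KEY = b"constructed-shared-secret"  # stands in for the OP's signing key (real OPs use RSA/EC keys)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT: the OP does this for the ID token."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_id_token(token: str, key: bytes, issuer: str, audience: str, nonce: str, now: int) -> dict:
    """RP-side checks: pinned alg, signature, iss, aud, exp and nonce. Raises ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    if json.loads(b64url_decode(h64)).get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: possible replay")
    return claims


class FakeOP:
    """Toy OP with authorization, token and userinfo endpoints (in-memory, single process)."""

    def __init__(self):
        self.codes = {}          # code -> (sub, nonce, redirect_uri); one-time use
        self.access_tokens = {}  # access token -> sub
        self.users = {"alice": {"sub": "alice", "name": "Alice", "email": "alice@example.test"}}

    def authorize(self, q: dict, authenticated_user: str) -> str:
        # Step 2: the EU has been authenticated (simulated); issue a code bound to nonce and redirect_uri.
        if q["client_id"] != CLIENT_ID or q["response_type"] != "code" or "openid" not in q["scope"].split():
            raise ValueError("rejected authentication request")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (authenticated_user, q["nonce"], q["redirect_uri"])
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, code: str, redirect_uri: str, now: int) -> dict:
        # Step 3: redeem the code exactly once, return the ID token plus an access token.
        sub, nonce, bound_uri = self.codes.pop(code)  # KeyError if the code is unknown or reused
        if bound_uri != redirect_uri:
            raise ValueError("redirect_uri mismatch")
        access_token = secrets.token_urlsafe(16)
        self.access_tokens[access_token] = sub
        id_claims = {"iss": OP_ISSUER, "sub": sub, "aud": CLIENT_ID, "iat": now, "exp": now + 300, "nonce": nonce}
        return {"id_token": sign_jwt(id_claims, OP_KEY), "access_token": access_token, "token_type": "Bearer"}

    def userinfo(self, access_token: str) -> dict:
        # Step 5: return the EU's claims for a valid bearer token.
        return dict(self.users[self.access_tokens[access_token]])


def run_flow(op: FakeOP, now: int) -> dict:
    """RP side of the five steps; returns the userinfo claims for the logged-in EU."""
    state, nonce = secrets.token_urlsafe(8), secrets.token_urlsafe(8)
    # Step 1: authentication request (Authorization Code flow).
    request = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
               "scope": "openid profile email", "state": state, "nonce": nonce}
    callback = op.authorize(request, authenticated_user="alice")
    params = {k: v[0] for k, v in parse_qs(urlparse(callback).query).items()}
    if params.get("state") != state:  # CSRF binding: the response must belong to the request we sent
        raise ValueError("state mismatch")
    tokens = op.token(params["code"], REDIRECT_URI, now)
    id_claims = verify_id_token(tokens["id_token"], OP_KEY, OP_ISSUER, CLIENT_ID, nonce, now)
    # Step 4: call userinfo with the access token and cross-check sub against the ID token.
    info = op.userinfo(tokens["access_token"])
    if info["sub"] != id_claims["sub"]:
        raise ValueError("userinfo sub does not match ID token")
    return info


if __name__ == "__main__":
    print(run_flow(FakeOP(), now=int(time.time())))
```

The RP never trusts the userinfo response on its own: it first verifies the ID token (signature, issuer, audience, expiry and the nonce it generated) and then checks that the `sub` returned by userinfo matches the `sub` in that token, which is the check that turns an OAuth2 authorization into an OIDC authentication.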
3 Unified login
User login is controlled centrally by Keycloak. If you want to customise it, you need to develop your own CSS file, generate the corresponding theme (skin), and then specify it in the Helm configuration.
3.1 Custom skin
As long as multiple clients are integrated with Keycloak, they all jump to the unified Keycloak login page for authentication.
3.1.1 Realm skin
3.1.2 Skin of client
3.2 Login redirection
When configuring a client, you need to specify the client's redirect address; after login, Keycloak redirects back to it. This setting can be a wildcard or a specific address, as follows:
When you set a specific address, you cannot override it in the client. If your redirect address differs from the Keycloak configuration, the following error appears:
If you set it as a wildcard, you can override it in the client program: the address can be rewritten in the program's configuration, as long as it matches the wildcard rule.
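To make the exact-address versus wildcard rule concrete, here is an added example (not Keycloak's code and not from the original article) that models how a registered redirect address, exact or ending in `*`, is matched against the `redirect_uri` a client sends, and that lints a list of registrations for settings that would let a login response be redirected somewhere it should not go. The matching rules are an assumed, simplified approximation of Keycloak's "Valid Redirect URIs" behaviour; the host names are constructed.

```python
from urllib.parse import urlsplit


def redirect_uri_allowed(requested: str, registered: list[str]) -> bool:
    """Return True if `requested` matches one registered pattern.

    Assumed, simplified rules: an exact string match, or, when the pattern ends
    with '*', a prefix match that additionally requires the same scheme and host,
    so 'https://app.example.test*' cannot be satisfied by 'https://app.example.test.attacker.test/'.
    """
    req = urlsplit(requested)
    if req.fragment:  # a fragment in redirect_uri is never accepted
        return False
    for pattern in registered:
        if pattern == "*":  # matches everything: flagged by lint_redirect_patterns below
            return True
        if not pattern.endswith("*"):
            if requested == pattern:
                return True
            continue
        prefix = pattern[:-1]
        pat = urlsplit(prefix)
        if requested.startswith(prefix) and (req.scheme, req.netloc) == (pat.scheme, pat.netloc):
            return True
    return False


def lint_redirect_patterns(registered: list[str]) -> list[tuple[str, str]]:
    """Flag registrations that widen where the login response (code/state) may be sent."""
    findings = []
    for p in registered:
        if p == "*":
            findings.append((p, "matches any URI: the authorization code can be delivered to any site"))
        elif p.startswith("http://") and urlsplit(p).hostname not in ("localhost", "127.0.0.1"):
            findings.append((p, "plaintext http redirect outside localhost"))
        elif "*" in p[:-1]:
            findings.append((p, "wildcard not at the end; treated literally here (assumption)"))
        elif p.endswith("*") and not urlsplit(p[:-1]).path:
            findings.append((p, "wildcard directly after the host; prefer a path such as '/*'"))
    return findings


if __name__ == "__main__":
    registered = ["https://app.example.test/*"]
    for uri in ["https://app.example.test/callback", "https://app.example.test.attacker.test/callback"]:
        print(uri, "->", redirect_uri_allowed(uri, registered))
    for pattern, reason in lint_redirect_patterns(["*", "http://app.example.test/*", "https://app.example.test*"]):
        print("weak:", pattern, "-", reason)
```

With an exact registration the client can only ever use that one address, which is why the error in the screenshot appears when the client sends anything else; with a path wildcard such as `https://app.example.test/*` the client may choose any path on that host, but the scheme and host are still pinned, so the freedom the wildcard gives the client program does not extend to other sites.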