OpenID Authentication

Keycloak Integration

1. Create and configure the Keycloak client

[Screenshot: Keycloak]

2. Obtain the client secret

[Screenshot: Keycloak]

3. View the provider configuration (the realm's OpenID Connect discovery document)

[Screenshot: Keycloak]

{
  "issuer": "https://id.jumpserver.org/auth/realms/jumpserver",
  "authorization_endpoint": "https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/auth",
  "token_endpoint": "https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/token",
  "token_introspection_endpoint": "https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/userinfo",
  "end_session_endpoint": "https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/logout",
  "jwks_uri": "https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/certs",
  "check_session_iframe": "https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/login-status-iframe.html",
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "refresh_token",
    "password",
    "client_credentials"
  ],
  "response_types_supported": [
    "code",
    "none",
    "id_token",
    "token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "subject_types_supported": [
    "public",
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "RS512"
  ],
  "userinfo_signing_alg_values_supported": [
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "RS512",
    "none"
  ],
  "request_object_signing_alg_values_supported": [
    "ES384",
    "RS384",
    "ES256",
    "RS256",
    "ES512",
    "RS512",
    "none"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "registration_endpoint": "https://id.jumpserver.org/auth/realms/jumpserver/clients-registrations/openid-connect",
  "token_endpoint_auth_methods_supported": [
    "private_key_jwt",
    "client_secret_basic",
    "client_secret_post",
    "client_secret_jwt"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "RS256"
  ],
  "claims_supported": [
    "sub",
    "iss",
    "auth_time",
    "name",
    "given_name",
    "family_name",
    "preferred_username",
    "email"
  ],
  "claim_types_supported": [
    "normal"
  ],
  "claims_parameter_supported": false,
  "scopes_supported": [
    "openid",
    "address",
    "email",
    "offline_access",
    "phone",
    "profile",
    "roles",
    "web-origins"
  ],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ],
  "tls_client_certificate_bound_access_tokens": true,
  "introspection_endpoint": "https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/token/introspect"
}
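The discovery document above is where every AUTH_OPENID_PROVIDER_* value in the standard OIDC configuration comes from. The following script is an added example, not JumpServer's or Keycloak's own code: it takes a discovery document (a constructed subset of the one above, embedded inline so it runs offline), checks that every endpoint is served over https from the issuer's host, that the signature algorithm you intend to configure is one the provider actually advertises for ID tokens, and then renders the matching config.txt lines. The setting names are those used in the configuration section of this page; the assumption that a Keycloak issuer has the form <base>/realms/<realm> is this example's own.

```python
"""Derive JumpServer's standard-OIDC settings from a Keycloak discovery document.

Added example, not JumpServer's or Keycloak's own code.
"""
import json
from urllib.parse import urlparse

# Constructed sample: a subset of the discovery document shown in step 3.
DISCOVERY_JSON = """{
  "issuer": "https://id.jumpserver.org/auth/realms/jumpserver",
  "authorization_endpoint": "https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/auth",
  "token_endpoint": "https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/token",
  "userinfo_endpoint": "https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/userinfo",
  "end_session_endpoint": "https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/logout",
  "jwks_uri": "https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/certs",
  "id_token_signing_alg_values_supported": ["ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "RS512"],
  "code_challenge_methods_supported": ["plain", "S256"]
}"""

# Discovery field -> JumpServer setting (names from the config section of this page).
ENDPOINT_SETTINGS = {
    "authorization_endpoint": "AUTH_OPENID_PROVIDER_AUTHORIZATION_ENDPOINT",
    "token_endpoint": "AUTH_OPENID_PROVIDER_TOKEN_ENDPOINT",
    "jwks_uri": "AUTH_OPENID_PROVIDER_JWKS_ENDPOINT",
    "userinfo_endpoint": "AUTH_OPENID_PROVIDER_USERINFO_ENDPOINT",
    "end_session_endpoint": "AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT",
}


def load_discovery(text=DISCOVERY_JSON):
    """Parse a discovery document (the constructed sample by default)."""
    return json.loads(text)


def check_discovery(doc, signature_alg):
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    issuer = urlparse(doc.get("issuer", ""))
    if issuer.scheme != "https":
        problems.append("issuer is not https")
    for field in ENDPOINT_SETTINGS:
        url = urlparse(doc.get(field, ""))
        if url.scheme != "https":
            problems.append(f"{field} is not https")
        # An endpoint on a different host than the issuer is a sign of a tampered
        # or mis-served discovery document: tokens would be sent to that host.
        if url.netloc != issuer.netloc:
            problems.append(f"{field} host {url.netloc!r} differs from issuer host")
    if signature_alg not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append(f"provider does not advertise {signature_alg} for ID tokens")
    return problems


def derive_provider_endpoint(issuer):
    """Assumption of this example: a Keycloak issuer is <base>/realms/<realm>.
    Returns (base, realm); base is the AUTH_OPENID_PROVIDER_ENDPOINT value."""
    base, sep, realm = issuer.rpartition("/realms/")
    if not sep:
        raise ValueError("issuer does not contain /realms/: " + issuer)
    return base, realm


def render_config(doc, client_id, signature_alg="RS256"):
    """Render the standard-OIDC block of config.txt; raises if checks fail."""
    problems = check_discovery(doc, signature_alg)
    if problems:
        raise ValueError("; ".join(problems))
    base, _realm = derive_provider_endpoint(doc["issuer"])
    lines = [
        "AUTH_OPENID=true",
        f"AUTH_OPENID_CLIENT_ID={client_id}",
        f"AUTH_OPENID_PROVIDER_ENDPOINT={base}",
    ]
    for field, setting in ENDPOINT_SETTINGS.items():
        lines.append(f"{setting}={doc[field]}")
    lines.append(f"AUTH_OPENID_PROVIDER_SIGNATURE_ALG={signature_alg}")
    # The provider is reachable over https, so certificate verification stays on.
    lines.append("AUTH_OPENID_IGNORE_SSL_VERIFICATION=false")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_config(load_discovery(), "jumpserver"))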

5. Configure JumpServer

There are two ways to configure this: a Keycloak-specific configuration and a standard OIDC configuration.

Keycloak-style configuration

vi /opt/jumpserver/config/config.txt

# OPENID settings
# version <= 1.5.8
AUTH_OPENID=true
BASE_SITE_URL=http://demo.jumpserver.org/
AUTH_OPENID_SERVER_URL=https://id.jumpserver.org/auth
AUTH_OPENID_REALM_NAME=jumpserver
AUTH_OPENID_CLIENT_ID=jumpserver
AUTH_OPENID_CLIENT_SECRET=****************
AUTH_OPENID_SHARE_SESSION=true
AUTH_OPENID_IGNORE_SSL_VERIFICATION=true

Parameter descriptions

BASE_SITE_URL: the URL of the JumpServer service (note the trailing "/")

AUTH_OPENID: whether to enable OpenID authentication

AUTH_OPENID_SERVER_URL: the URL of the OpenID server (note the trailing "/")

AUTH_OPENID_REALM_NAME: the realm name (the realm the client belongs to)

AUTH_OPENID_CLIENT_ID: the Client ID

AUTH_OPENID_CLIENT_SECRET: the Client Secret

AUTH_OPENID_IGNORE_SSL_VERIFICATION: whether to skip TLS certificate verification when requesting data from the OpenID server. Setting this to true lets an on-path attacker impersonate the provider; use it only for testing against a self-signed certificate, and keep it false in production.

AUTH_OPENID_SHARE_SESSION: whether to share the session (controls whether the user can use single sign-out)

Standard OIDC configuration

vi /opt/jumpserver/config/config.txt

# OPENID settings
AUTH_OPENID=true
BASE_SITE_URL=https://demo.jumpserver.org/
AUTH_OPENID_CLIENT_ID=jumpserver
AUTH_OPENID_CLIENT_SECRET=****************
AUTH_OPENID_PROVIDER_ENDPOINT=https://id.jumpserver.org/auth
AUTH_OPENID_PROVIDER_AUTHORIZATION_ENDPOINT=https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/auth
AUTH_OPENID_PROVIDER_TOKEN_ENDPOINT=https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/token
AUTH_OPENID_PROVIDER_JWKS_ENDPOINT=https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/certs
AUTH_OPENID_PROVIDER_USERINFO_ENDPOINT=https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/userinfo
AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT=https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/logout
AUTH_OPENID_PROVIDER_SIGNATURE_ALG=HS256
AUTH_OPENID_PROVIDER_SIGNATURE_KEY=null
AUTH_OPENID_SCOPES=openid profile email
AUTH_OPENID_ID_TOKEN_MAX_AGE=60
AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS=true
AUTH_OPENID_USE_STATE=true
AUTH_OPENID_USE_NONCE=true
AUTH_OPENID_SHARE_SESSION=true
AUTH_OPENID_IGNORE_SSL_VERIFICATION=true

Parameter descriptions

BASE_SITE_URL: JumpServer service URL

AUTH_OPENID: Whether to enable OpenID authentication

AUTH_OPENID_CLIENT_ID: This setting defines the Client ID that should be provided by the considered OIDC provider.

AUTH_OPENID_CLIENT_SECRET: This setting defines the Client Secret that should be provided by the considered OIDC provider.

AUTH_OPENID_PROVIDER_ENDPOINT: This setting defines the top-level endpoint under which all OIDC-specific endpoints are available (such as the authorization, token and userinfo endpoints).

AUTH_OPENID_PROVIDER_AUTHORIZATION_ENDPOINT: This setting defines the authorization endpoint URL of the OIDC provider.

AUTH_OPENID_PROVIDER_TOKEN_ENDPOINT: This setting defines the token endpoint URL of the OIDC provider.

AUTH_OPENID_PROVIDER_JWKS_ENDPOINT: This setting defines the JWKs endpoint URL of the OIDC provider.

AUTH_OPENID_PROVIDER_USERINFO_ENDPOINT: This setting defines the userinfo endpoint URL of the OIDC provider.

AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT: This setting defines the end session endpoint URL of the OIDC provider.

AUTH_OPENID_PROVIDER_SIGNATURE_ALG: This setting defines the signature algorithm used by the OpenID Connect Provider to sign ID tokens. The value of this setting should be HS256 or RS256. With HS256 the ID token is verified with the client secret, so a shared secret that leaks lets an attacker forge ID tokens; with RS256 the token is verified with the provider's public key. Whichever you choose, the provider must advertise it in id_token_signing_alg_values_supported (the discovery document above lists both).

AUTH_OPENID_PROVIDER_SIGNATURE_KEY: This setting defines the value of the key used by the OP to sign ID tokens. It should be used only when the AUTH_OPENID_PROVIDER_SIGNATURE_ALG setting is set to RS256.

AUTH_OPENID_SCOPES: This setting defines the OpenID Connect scopes to request during authentication.

AUTH_OPENID_ID_TOKEN_MAX_AGE: This setting defines the amount of time (in seconds) an id_token should be considered valid.

AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS: This setting defines whether the id_token content can be used to retrieve userinfo claims and scopes in order to create and update the user being authenticated.

AUTH_OPENID_USE_STATE: This setting defines whether or not states should be used when forging authorization requests. The state value is bound to the user's session and must be echoed back unchanged on the callback, which ties the callback to the request that started it and defeats CSRF against the login flow.

AUTH_OPENID_USE_NONCE: This setting defines whether or not nonces should be used when forging authorization requests. The nonce is sent in the authorization request and must appear in the returned ID token, which mitigates replay of a previously issued token.

AUTH_OPENID_SHARE_SESSION: Whether or not to share the session (controls whether the user can use single sign-out).

AUTH_OPENID_IGNORE_SSL_VERIFICATION: Whether to skip TLS certificate verification when sending requests to the OpenID server. Leaving this at true disables the one check that proves you are talking to the real provider; set it to false in production.

AUTH_OPENID_ALWAYS_UPDATE_USER: Whether the user information is always updated (when the user logs in and authenticates successfully every time)