OpenID 认证

Keycloak 对接

1. 创建设置 KeyCloak Client

2. 获取 Secret key

3. 查看配置

{
    "issuer":"https://id.jumpserver.org/auth/realms/jumpserver",
    "authorization_endpoint":"https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/auth",
    "token_endpoint":"https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/token",
    "token_introspection_endpoint":"https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/token/introspect",
    "userinfo_endpoint":"https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/userinfo",
    "end_session_endpoint":"https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/logout",
    "jwks_uri":"https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/certs",
    "check_session_iframe":"https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/login-status-iframe.html",
    "grant_types_supported":[
        "authorization_code",
        "implicit",
        "refresh_token",
        "password",
        "client_credentials"
    ],
    "response_types_supported":[
        "code",
        "none",
        "id_token",
        "token",
        "id_token token",
        "code id_token",
        "code token",
        "code id_token token"
    ],
    "subject_types_supported":[
        "public",
        "pairwise"
    ],
    "id_token_signing_alg_values_supported":[
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "RS512"
    ],
    "userinfo_signing_alg_values_supported":[
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "RS512",
        "none"
    ],
    "request_object_signing_alg_values_supported":[
        "ES384",
        "RS384",
        "ES256",
        "RS256",
        "ES512",
        "RS512",
        "none"
    ],
    "response_modes_supported":[
        "query",
        "fragment",
        "form_post"
    ],
    "registration_endpoint":"https://id.jumpserver.org/auth/realms/jumpserver/clients-registrations/openid-connect",
    "token_endpoint_auth_methods_supported":[
        "private_key_jwt",
        "client_secret_basic",
        "client_secret_post",
        "client_secret_jwt"
    ],
    "token_endpoint_auth_signing_alg_values_supported":[
        "RS256"
    ],
    "claims_supported":[
        "sub",
        "iss",
        "auth_time",
        "name",
        "given_name",
        "family_name",
        "preferred_username",
        "email"
    ],
    "claim_types_supported":[
        "normal"
    ],
    "claims_parameter_supported":false,
    "scopes_supported":[
        "openid",
        "address",
        "email",
        "offline_access",
        "phone",
        "profile",
        "roles",
        "web-origins"
    ],
    "request_parameter_supported":true,
    "request_uri_parameter_supported":true,
    "code_challenge_methods_supported":[
        "plain",
        "S256"
    ],
    "tls_client_certificate_bound_access_tokens":true,
    "introspection_endpoint":"https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/token/introspect"
}

5. 配置 JumpServer

配置有两种方式，一种是 Keycloak 的配置，一种是 OIDC 的配置

Keycloak 方式使用配置

vi /opt/jumpserver/config/config.txt

# OPENID配置
# version <= 1.5.8
AUTH_OPENID=true
BASE_SITE_URL=http://demo.jumpserver.org/
AUTH_OPENID_SERVER_URL=https://id.jumpserver.org/auth
AUTH_OPENID_REALM_NAME=jumpserver
AUTH_OPENID_CLIENT_ID=jumpserver
AUTH_OPENID_CLIENT_SECRET=****************
AUTH_OPENID_SHARE_SESSION=true
AUTH_OPENID_IGNORE_SSL_VERIFICATION=true

设置参数说明

BASE_SITE_URL: JumpServer服务的地址（注意末尾加 “/“）

AUTH_OPENID: 是否启用 OpenID 认证

AUTH_OPENID_SERVER_URL: OpenID Server 服务的地址（注意末尾要加 “/“）

AUTH_OPENID_REALM_NAME: realm 名称（client 所在的的 realm

AUTH_OPENID_CLIENT_ID: Client ID

AUTH_OPENID_CLIENT_SECRET: Client Secret

AUTH_OPENID_IGNORE_SSL_VERIFICATION: 是否忽略 SSL 验证（在向 OpenID Server 发送请求获取数据时）

AUTH_OPENID_SHARE_SESSION: 是否共享 session（控制用户是否可以单点退出）

标准 OIDC 配置方式

vi /opt/jumpserver/config/config.txt

# OPENID配置
AUTH_OPENID=true
BASE_SITE_URL=https://demo.jumpserver.org/
AUTH_OPENID_CLIENT_ID=jumpserver
AUTH_OPENID_CLIENT_SECRET=****************
AUTH_OPENID_PROVIDER_ENDPOINT=https://id.jumpserver.org/auth
AUTH_OPENID_PROVIDER_AUTHORIZATION_ENDPOINT=https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/auth
AUTH_OPENID_PROVIDER_TOKEN_ENDPOINT=https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/token
AUTH_OPENID_PROVIDER_JWKS_ENDPOINT=https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/certs
AUTH_OPENID_PROVIDER_USERINFO_ENDPOINT=https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/userinfo
AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT=https://id.jumpserver.org/auth/realms/jumpserver/protocol/openid-connect/logout
AUTH_OPENID_PROVIDER_SIGNATURE_ALG=HS256
AUTH_OPENID_PROVIDER_SIGNATURE_KEY=null
AUTH_OPENID_SCOPES=openid profile email
AUTH_OPENID_ID_TOKEN_MAX_AGE=60
AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS=true
AUTH_OPENID_USE_STATE=true
AUTH_OPENID_USE_NONCE=true
AUTH_OPENID_SHARE_SESSION=true
AUTH_OPENID_IGNORE_SSL_VERIFICATION=true

设置参数说明

BASE_SITE_URL: JumpServer service URL

AUTH_OPENID: Whether to enable OpenID authentication

AUTH_OPENID_CLIENT_ID: This setting defines the Client ID that should be provided by the considered OIDC provider.

AUTH_OPENID_CLIENT_SECRET: This setting defines the Client Secret that should be provided by the considered OIDC provider.

AUTH_OPENID_PROVIDER_ENDPOINT: This setting defines the top-level endpoint under which all OIDC-specific endpoints are available (such as the authotization, token and userinfo endpoints).

AUTH_OPENID_PROVIDER_AUTHORIZATION_ENDPOINT: This setting defines the authorization endpoint URL of the OIDC provider.

AUTH_OPENID_PROVIDER_TOKEN_ENDPOINT: This setting defines the token endpoint URL of the OIDC provider.

AUTH_OPENID_PROVIDER_JWKS_ENDPOINT: This setting defines the JWKs endpoint URL of the OIDC provider.

AUTH_OPENID_PROVIDER_USERINFO_ENDPOINT: This setting defines the userinfo endpoint URL of the OIDC provider.

AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT: This setting defines the end session endpoint URL of the OIDC provider.

AUTH_OPENID_PROVIDER_SIGNATURE_ALG: This setting defines the signature algorithm used by the OpenID Connect Provider to sign ID tokens. The value of this setting should be HS256 or RS256.

AUTH_OPENID_PROVIDER_SIGNATURE_KEY: This setting defines the value of the key used by the OP to the sign ID tokens. It should be used only when the AUTH_OPENID_PROVIDER_SIGNATURE_ALG setting is set to RS256.

AUTH_OPENID_SCOPES: This setting defines the OpenID Connect scopes to request during authentication.

AUTH_OPENID_ID_TOKEN_MAX_AGE: This setting defines the amount of time (in seconds) an id_token should be considered valid.

AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIM: This settings defines whether the id_token content can be used to retrieve userinfo claims and scopes in order to create and update the user being authenticated.

AUTH_OPENID_USE_STATE: This setting defines whether or not states should be used when forging authorization requests. States are used to maintain state between the authentication request and the callback.

AUTH_OPENID_USE_NONCE: This setting defines whether or not nonces should be used when forging authorization requests. Nonces are used to mitigate replay attacks.

AUTH_OPENID_SHARE_SESSION: Whether or not to share session (controls whether or not the user can exit with a single point)

AUTH_OPENID_IGNORE_SSL_VERIFICATION: Whether to ignore SSL validation (when sending a request to OpenID Server for data)

AUTH_OPENID_ALWAYS_UPDATE_USER: Whether the user information is always updated (when the user logs in and authenticates successfully every time)