Retrieve the OpenID Connect configuration of a given realm (can be accessed directly)
/realms/{realm-name}/.well-known/openid-configuration
Example: http://localhost:8080/auth/realms/springboot/.well-known/openid-configuration
{
  "issuer": "http://localhost:8080/auth/realms/springboot",
  "authorization_endpoint": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/auth",
  "token_endpoint": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/token",
  "token_introspection_endpoint": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/userinfo",
  "end_session_endpoint": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/logout",
  "jwks_uri": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/certs",
  "check_session_iframe": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/login-status-iframe.html",
  "grant_types_supported": [ "authorization_code", "implicit", "refresh_token", "password", "client_credentials" ],
  "response_types_supported": [ "code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token" ],
  "subject_types_supported": [ "public", "pairwise" ],
  "id_token_signing_alg_values_supported": [ "RS256" ],
  "userinfo_signing_alg_values_supported": [ "RS256" ],
  "request_object_signing_alg_values_supported": [ "none", "RS256" ],
  "response_modes_supported": [ "query", "fragment", "form_post" ],
  "registration_endpoint": "http://localhost:8080/auth/realms/springboot/clients-registrations/openid-connect",
  "token_endpoint_auth_methods_supported": [ "private_key_jwt", "client_secret_basic", "client_secret_post" ],
  "token_endpoint_auth_signing_alg_values_supported": [ "RS256" ],
  "claims_supported": [ "sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email" ],
  "claim_types_supported": [ "normal" ],
  "claims_parameter_supported": false,
  "scopes_supported": [ "openid", "offline_access" ],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true
}
Authorization Endpoint
/realms/{realm-name}/protocol/openid-connect/auth
The authorization endpoint performs authentication of the end-user. This is done by redirecting the user agent to this endpoint.
Userinfo Endpoint
/realms/{realm-name}/protocol/openid-connect/userinfo
The userinfo endpoint returns standard claims about the authenticated user, and is protected by a bearer token.
Example:
{
  "sub": "66ef6608-7433-4607-b140-05a296b3f53b",
  "preferred_username": "hqq"
}
Logout Endpoint
/realms/{realm-name}/protocol/openid-connect/logout
The logout endpoint logs out the authenticated user.
The user agent can be redirected to the endpoint, in which case the active user session is logged out. Afterward the user agent is redirected back to the application.
The endpoint can also be invoked directly by the application. To invoke this endpoint directly the refresh token needs to be included as well as the credentials required to authenticate the client.
Example: http://localhost:8080/auth/realms/springboot/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fjs-console%2F
Certificate Endpoint
/realms/{realm-name}/protocol/openid-connect/certs
The certificate endpoint returns the public keys enabled by the realm, encoded as a JSON Web Key (JWK). Depending on the realm settings there can be one or more keys enabled for verifying tokens. For more information see the Server Administration Guide and the JSON Web Key specification.
Example:
{
  "keys": [
    {
      "kid": "8WWb6dS1fl_5AeY8mLqYDrq-yctg2YLC9gUj0zVJKk4",
      "kty": "RSA",
      "alg": "RS256",
      "use": "sig",
      "n": "qmbsCc_LdW4NFtV6tJkY9sCALTSNY6_6wpFPe4lrVSa0HICzK12LhTYAetdBTwGdMLuIBiOhwQn8PiIcKDZJrhNOAG8ZsKNpOXrWAcopJB_J0kNBXi8zDHCFSWlGP4zdesjciEPye4kR1DqhScM_iOsJIVBaSURUvRvIM4PHMKQ0Xzuhdru4cPEstBItprS4UAfV5s3LsF268dZIJgnaRXlz_K4DGnzgypd3rpkWBtq0BWwvPSX78b0Kl01cLVptwt-D5a8nkjD3Vx9YtEJCeDFD9BQVJhtCPJgSec-_cy504RQEW5WMFtJiiNQsIaX27Nq5NBKnJ2IgLikO2X_XBQ",
      "e": "AQAB"
    }
  ]
}
Introspection Endpoint
/realms/{realm-name}/protocol/openid-connect/token/introspect
The introspection endpoint is used to retrieve the active state of a token. It can only be invoked by confidential clients.
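The following is an added example (not Keycloak's code and not part of the original page) that ties the discovery document, the certificate endpoint, the logout endpoint and the introspection endpoint together from a client's point of view. It embeds constructed copies of the discovery fields and the JWK shown above for the "springboot" realm, so it runs offline with only the Python standard library. It decodes the RSA public numbers from the JWK, picks the realm key a token's header names while pinning the algorithm to what the realm advertises (so a token claiming "alg": "none" is rejected), checks the iss claim against the discovery issuer, builds the front-channel logout URL, and builds a client_secret_basic introspection request. The sample token, the client id "js-console" and the client secret are constructed placeholders. Signature verification itself is deliberately left to an RSA library; this block stops at selecting the correct key.

```python
"""Discovery-driven OpenID Connect client helpers for a Keycloak realm (added example, stdlib only)."""
import base64
import json
from urllib.parse import urlencode

# Constructed copy of the discovery fields this example uses (values from the page's example realm).
DISCOVERY = {
    "issuer": "http://localhost:8080/auth/realms/springboot",
    "token_introspection_endpoint": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/token/introspect",
    "end_session_endpoint": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/logout",
    "jwks_uri": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Constructed copy of the certificate endpoint response shown on the page.
JWKS = {"keys": [{
    "kid": "8WWb6dS1fl_5AeY8mLqYDrq-yctg2YLC9gUj0zVJKk4", "kty": "RSA", "alg": "RS256", "use": "sig",
    "n": "qmbsCc_LdW4NFtV6tJkY9sCALTSNY6_6wpFPe4lrVSa0HICzK12LhTYAetdBTwGdMLuIBiOhwQn8PiIcKDZJrhNOAG8ZsKNpOXrWAcopJB_J0kNBXi8zDHCFSWlGP4zdesjciEPye4kR1DqhScM_iOsJIVBaSURUvRvIM4PHMKQ0Xzuhdru4cPEstBItprS4UAfV5s3LsF268dZIJgnaRXlz_K4DGnzgypd3rpkWBtq0BWwvPSX78b0Kl01cLVptwt-D5a8nkjD3Vx9YtEJCeDFD9BQVJhtCPJgSec-_cy504RQEW5WMFtJiiNQsIaX27Nq5NBKnJ2IgLikO2X_XBQ",
    "e": "AQAB",
}]}


def b64url_decode(segment):
    """Decode unpadded base64url, the encoding used by JWS segments and JWK parameters."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    """Inverse of b64url_decode; used only to construct the sample token below."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_rsa_public_numbers(jwk):
    """Return (n, e) as integers from an RSA JWK; refuse keys that are not signing keys."""
    if jwk.get("kty") != "RSA" or jwk.get("use", "sig") != "sig":
        raise ValueError("not an RSA signing key")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    return n, e


def decode_jwt_segments(token):
    """Split a compact JWS into (header, payload, raw signature). Nothing is verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, b64url_decode(parts[2])


def select_verification_key(header, jwks, discovery):
    """Pick the realm key named by the token header's kid, but only for an algorithm the realm
    advertises in id_token_signing_alg_values_supported. The token's own alg is never trusted
    alone, so "none" or an HMAC algorithm is rejected before any key lookup happens."""
    alg = header.get("alg")
    if alg not in discovery["id_token_signing_alg_values_supported"]:
        raise ValueError("algorithm %r is not allowed by the realm" % alg)
    for jwk in jwks["keys"]:
        if jwk.get("kid") == header.get("kid") and jwk.get("alg", alg) == alg:
            return jwk
    raise KeyError("no enabled realm key matches the token's kid")


def issuer_matches(payload, discovery):
    """The iss claim must equal the issuer from the discovery document exactly."""
    return payload.get("iss") == discovery["issuer"]


def build_logout_url(discovery, redirect_uri):
    """Front-channel logout: the user agent is sent here and then redirected back to redirect_uri."""
    return discovery["end_session_endpoint"] + "?" + urlencode({"redirect_uri": redirect_uri})


def build_introspection_request(discovery, token, client_id, client_secret):
    """Back-channel introspection for a confidential client using client_secret_basic."""
    creds = base64.b64encode(("%s:%s" % (client_id, client_secret)).encode()).decode()
    headers = {"Authorization": "Basic " + creds,
               "Content-Type": "application/x-www-form-urlencoded"}
    return discovery["token_introspection_endpoint"], headers, urlencode({"token": token})


# Constructed sample token: header and payload match the page's example realm and userinfo
# response; the signature segment is placeholder bytes, not a real RS256 signature.
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": JWKS["keys"][0]["kid"]}).encode()),
    b64url_encode(json.dumps({"iss": DISCOVERY["issuer"], "sub": "66ef6608-7433-4607-b140-05a296b3f53b",
                              "preferred_username": "hqq"}).encode()),
    b64url_encode(b"\x00" * 256),
])

if __name__ == "__main__":
    hdr, claims, sig = decode_jwt_segments(SAMPLE_TOKEN)
    key = select_verification_key(hdr, JWKS, DISCOVERY)
    n, e = jwk_rsa_public_numbers(key)
    print("key", key["kid"], "is RSA-%d, e=%d" % (n.bit_length(), e))
    print("issuer ok:", issuer_matches(claims, DISCOVERY))
    print("logout:", build_logout_url(DISCOVERY, "http://localhost:8080/js-console/"))
    print("introspect:", build_introspection_request(DISCOVERY, SAMPLE_TOKEN, "js-console", "<client-secret>")[0])
```

In a real client the DISCOVERY and JWKS dictionaries come from GET requests to the .well-known URL and to jwks_uri, and the JWK returned by select_verification_key is handed to an RSA implementation to check the signature over the first two segments; fetching keys by kid from the certificate endpoint rather than trusting an embedded key is what lets a realm rotate keys without breaking clients.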
Dynamic Client Registration Endpoint
/realms/{realm-name}/clients-registrations/openid-connect
The dynamic client registration endpoint is used to dynamically register clients.