Keycloak OpenID Connect: commonly used endpoints


Retrieve the OpenID Connect configuration (the discovery document) of a given realm. This endpoint is public and can be fetched without any credentials.

/realms/{realm-name}/.well-known/openid-configuration

For example: http://localhost:8080/auth/realms/springboot/.well-known/openid-configuration

The /auth prefix in these URLs is the context path of the older WildFly-based Keycloak distribution that this post was written against; Keycloak 17 and later serve the same paths without it by default.

{
    "issuer": "http://localhost:8080/auth/realms/springboot",
    "authorization_endpoint": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/auth",
    "token_endpoint": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/token",
    "token_introspection_endpoint": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/token/introspect",
    "userinfo_endpoint": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/userinfo",
    "end_session_endpoint": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/logout",
    "jwks_uri": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/certs",
    "check_session_iframe": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/login-status-iframe.html",
    "grant_types_supported": [
        "authorization_code",
        "implicit",
        "refresh_token",
        "password",
        "client_credentials"
    ],
    "response_types_supported": [
        "code",
        "none",
        "id_token",
        "token",
        "id_token token",
        "code id_token",
        "code token",
        "code id_token token"
    ],
    "subject_types_supported": [
        "public",
        "pairwise"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "userinfo_signing_alg_values_supported": [
        "RS256"
    ],
    "request_object_signing_alg_values_supported": [
        "none",
        "RS256"
    ],
    "response_modes_supported": [
        "query",
        "fragment",
        "form_post"
    ],
    "registration_endpoint": "http://localhost:8080/auth/realms/springboot/clients-registrations/openid-connect",
    "token_endpoint_auth_methods_supported": [
        "private_key_jwt",
        "client_secret_basic",
        "client_secret_post"
    ],
    "token_endpoint_auth_signing_alg_values_supported": [
        "RS256"
    ],
    "claims_supported": [
        "sub",
        "iss",
        "auth_time",
        "name",
        "given_name",
        "family_name",
        "preferred_username",
        "email"
    ],
    "claim_types_supported": [
        "normal"
    ],
    "claims_parameter_supported": false,
    "scopes_supported": [
        "openid",
        "offline_access"
    ],
    "request_parameter_supported": true,
    "request_uri_parameter_supported": true
}
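Before a relying party wires its endpoints from this document it should check what it fetched. The following is an added example, not code from the original post or from Keycloak, that runs those checks over an abridged copy of the discovery document above (constructed test input): the issuer must equal the one the application was configured with, every endpoint must sit under that issuer and be served over TLS, the implicit and password grants should not be in use, and alg none must not be accepted anywhere. The https finding naturally fires for the localhost example. The helper introspection_url accepts Keycloak's older, non-standard key token_introspection_endpoint, which is what this document uses, next to the RFC 8414 name introspection_endpoint.

```python
import json
from urllib.parse import urlparse

# Endpoint keys whose URLs must live under the realm issuer. Older Keycloak releases
# publish the introspection URL as "token_introspection_endpoint"; RFC 8414 names it
# "introspection_endpoint", so the audit accepts either spelling.
ENDPOINT_KEYS = (
    "authorization_endpoint", "token_endpoint", "userinfo_endpoint",
    "end_session_endpoint", "jwks_uri", "registration_endpoint",
    "introspection_endpoint", "token_introspection_endpoint",
)

# Abridged copy of the discovery document shown above (constructed test input).
PAGE_DISCOVERY = json.loads("""{
  "issuer": "http://localhost:8080/auth/realms/springboot",
  "authorization_endpoint": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/auth",
  "token_endpoint": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/token",
  "token_introspection_endpoint": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/userinfo",
  "end_session_endpoint": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/logout",
  "jwks_uri": "http://localhost:8080/auth/realms/springboot/protocol/openid-connect/certs",
  "registration_endpoint": "http://localhost:8080/auth/realms/springboot/clients-registrations/openid-connect",
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "request_object_signing_alg_values_supported": ["none", "RS256"]
}""")


def audit_discovery(doc: dict, expected_issuer: str) -> list:
    """Return a list of findings; an empty list means the document passed every check."""
    findings = []
    issuer = doc.get("issuer", "")
    # 1. Exact issuer match. A relying party that trusts whatever "issuer" the document
    #    claims, instead of the value it was configured with, is open to IdP mix-up attacks.
    if issuer != expected_issuer:
        findings.append(f"issuer mismatch: got {issuer!r}, expected {expected_issuer!r}")
    # 2. Every endpoint must sit under the issuer URL and be served over TLS; otherwise
    #    codes, tokens and client secrets could go to a foreign host or travel in clear text.
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url is None:
            continue
        if not url.startswith(issuer.rstrip("/") + "/"):
            findings.append(f"{key} is not under the issuer: {url}")
        if urlparse(url).scheme != "https":
            findings.append(f"{key} is not served over https: {url}")
    # 3. Grant types the OAuth 2.0 Security Best Current Practice (RFC 9700) tells clients to avoid.
    for grant in ("implicit", "password"):
        if grant in doc.get("grant_types_supported", []):
            findings.append(f"legacy grant type enabled: {grant}")
    # 4. Unsigned ID tokens or request objects must never be acceptable.
    for key in ("id_token_signing_alg_values_supported",
                "request_object_signing_alg_values_supported"):
        if "none" in doc.get(key, []):
            findings.append(f"alg 'none' listed in {key}")
    return findings


def introspection_url(doc: dict) -> str:
    """Pick the introspection endpoint under either spelling, RFC 8414 name first."""
    url = doc.get("introspection_endpoint") or doc.get("token_introspection_endpoint")
    if url is None:
        raise KeyError("discovery document has no introspection endpoint")
    return url


if __name__ == "__main__":
    for line in audit_discovery(PAGE_DISCOVERY, "http://localhost:8080/auth/realms/springboot"):
        print(line)
```

The finding about request_object_signing_alg_values_supported listing none means the realm accepts unsigned request objects; whether that matters depends on whether any client uses request objects at all, so treat it as something to review rather than an automatic failure.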


Authorization Endpoint

/realms/{realm-name}/protocol/openid-connect/auth

The authorization endpoint performs authentication of the end-user. This is done by redirecting the user agent to this endpoint. The request carries at least client_id, redirect_uri, response_type and scope=openid; the client should also send a random state value (and, if it is a public client, a PKCE code_challenge) so that the response it later receives at redirect_uri can be tied to the request that started the flow.

Userinfo Endpoint

/realms/{realm-name}/protocol/openid-connect/userinfo

The userinfo endpoint returns standard claims about the authenticated user and is protected by a bearer token: the client sends the access token in an Authorization: Bearer header, and which claims come back depends on the scopes the token was granted and on the realm's protocol mappers.

For example:

{
    "sub": "66ef6608-7433-4607-b140-05a296b3f53b", 
    "preferred_username": "hqq"
}

Logout Endpoint

/realms/{realm-name}/protocol/openid-connect/logout

The logout endpoint logs out the authenticated user.

The user agent can be redirected to the endpoint, in which case the active user session is logged out. Afterward the user agent is redirected back to the application.

The endpoint can also be invoked directly by the application. To invoke this endpoint directly the refresh token needs to be included as well as the credentials required to authenticate the client.

For example: http://localhost:8080/auth/realms/springboot/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fjs-console%2F

Note that this form, with a bare redirect_uri parameter, is the legacy behaviour of the Keycloak release this example was written against. Keycloak 18 and later implement OpenID Connect RP-Initiated Logout: the return address is passed as post_logout_redirect_uri, it must be accompanied by id_token_hint (or client_id), and it must match one of the client's configured valid post logout redirect URIs; the legacy redirect_uri parameter is deprecated.

Certificate Endpoint

/realms/{realm-name}/protocol/openid-connect/certs

The certificate endpoint returns the public keys enabled by the realm, encoded as a JSON Web Key Set (JWKS) whose entries are JSON Web Keys (JWK). Depending on the realm settings there can be one or more keys enabled for verifying tokens. Each token's header names the key that signed it in its kid field, so a relying party selects the matching entry and should refresh its cached key set when it meets a kid it does not know; that is how key rotation in the realm is handled. For more information see the Server Administration Guide and the JSON Web Key specification.

For example:

{
    "keys": [
        {
            "kid": "8WWb6dS1fl_5AeY8mLqYDrq-yctg2YLC9gUj0zVJKk4",
            "kty": "RSA",
            "alg": "RS256",
            "use": "sig",
            "n": "qmbsCc_LdW4NFtV6tJkY9sCALTSNY6_6wpFPe4lrVSa0HICzK12LhTYAetdBTwGdMLuIBiOhwQn8PiIcKDZJrhNOAG8ZsKNpOXrWAcopJB_J0kNBXi8zDHCFSWlGP4zdesjciEPye4kR1DqhScM_iOsJIVBaSURUvRvIM4PHMKQ0Xzuhdru4cPEstBItprS4UAfV5s3LsF268dZIJgnaRXlz_K4DGnzgypd3rpkWBtq0BWwvPSX78b0Kl01cLVptwt-D5a8nkjD3Vx9YtEJCeDFD9BQVJhtCPJgSec-_cy504RQEW5WMFtJiiNQsIaX27Nq5NBKnJ2IgLikO2X_XBQ",
            "e": "AQAB"
        }
    ]
}
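What a relying party does with the key set above is verify token signatures with it. Here is an added example of that check in plain Python; it is not code from the original post or from Keycloak, and it deliberately does not trust the token header's alg. Because it has to run offline with no dependencies, it also generates a throwaway RSA key, publishes it in the same JWKS shape as the certs endpoint, and signs a token with it; the PKCS#1 v1.5 and key-generation routines are spelled out only for that purpose, and a real service should use a maintained JOSE library against the live jwks_uri. The issuer, sub and preferred_username values come from this page; the client id springboot-app, the kid value and the five-minute lifetime are assumptions.

```python
import base64
import hashlib
import json
import secrets

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# RS256 is RSASSA-PKCS1-v1_5 over SHA-256, written out on plain integers here only so
# that the example has no dependencies; use a maintained JOSE library in production.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(n: int, e: int, msg: bytes, sig: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(recovered, _emsa_pkcs1_v15(msg, k))

def rs256_sign(n: int, d: int, msg: bytes) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def verify_keycloak_jwt(token: str, jwks: dict, issuer: str, audience: str, now: float) -> dict:
    """Verify a realm-issued JWT against the certs endpoint output; ValueError on any failure."""
    h64, p64, s64 = token.split(".")  # ValueError unless there are exactly three segments
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm to what the realm advertises. Honouring the header's own "alg"
    # is what enables the 'none' and RSA-to-HMAC key-confusion bypasses.
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # Select the realm key by kid and insist that it is an RSA signing key.
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "RSA" or key.get("use", "sig") != "sig":
        raise ValueError("no usable RS256 realm key matches the token's kid")
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify(n, e, f"{h64}.{p64}".encode(), b64url_decode(s64)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(p64))
    # A good signature only proves the realm issued the token; it must also be for this
    # realm, for this client, and not yet expired.
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims

# Throwaway RSA key generation so the demo runs offline. Keycloak creates and stores
# the realm keys itself; this is not a recipe for production key material.
def _probable_prime(n: int, rounds: int = 16) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c):
            return c

def demo_rsa_key(bits: int = 1024):
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def demo_jwks_and_token(issuer: str, audience: str, now: float):
    """JWKS shaped like the certs output, plus a token signed by the matching private key."""
    n, e, d = demo_rsa_key()
    jwks = {"keys": [{"kid": "demo-kid", "kty": "RSA", "alg": "RS256", "use": "sig",  # kid made up
                      "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big")),
                      "e": b64url_encode(e.to_bytes(3, "big"))}]}
    header = {"alg": "RS256", "typ": "JWT", "kid": "demo-kid"}
    claims = {"iss": issuer, "aud": audience, "exp": int(now) + 300,
              "sub": "66ef6608-7433-4607-b140-05a296b3f53b", "preferred_username": "hqq"}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    return jwks, signing_input + "." + b64url_encode(rs256_sign(n, d, signing_input.encode()))
```

Note the order of the checks: algorithm pinning and key selection happen before any signature arithmetic, and the issuer, audience and expiry claims are examined only after the signature is known to be good, so nothing in an unverified payload ever influences a decision.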

Introspection Endpoint

/realms/{realm-name}/protocol/openid-connect/token/introspect

The introspection endpoint is used to retrieve the active state of a token. It can only be invoked by confidential clients: the request is a POST with the token in the form body (token=...), and the client authenticates with its client_id and client_secret using one of the token_endpoint_auth_methods_supported advertised above, typically HTTP Basic. The response is a JSON object whose active field reports whether the token is currently valid; for an active token the remaining fields are the token's claims, so a resource server can use this instead of validating the signature locally, at the cost of a round trip to Keycloak per check.

Dynamic Client Registration Endpoint

/realms/{realm-name}/clients-registrations/openid-connect

The dynamic client registration endpoint is used to dynamically register clients. In Keycloak a registration request normally carries an Initial Access Token, created by a realm administrator, as a bearer token; anonymous registration is governed by the realm's client registration policies and should stay restricted.

Reposted from huangqiqing123.iteye.com/blog/2413237