背景信息
OIDC SSO相关文档总共4篇,主要内容为对OIDC实现SSO登录流程时的各个细节和相关技术的阐述:
基于OIDC实现SSO,除了选择对应的OAuth 2.0 授权模式外,在RP-init SSO和OP-init SSO两个不同的流程中也存在不同的差别,本文将其进行了显示化描述。
RP-init SSO流程
The login flow initiated by the Relying Party.
在SAML协议中,为SP-init SSO。
OP-init SSO流程
The login flow initiated by an OpenID Provider.
在SAML协议中,为IdP-init SSO。
其它重要信息
id token with nonce
OIDC规范要求implicit flow和hybrid flow中的Authentication request必须指定nonce;
client接受到Authorization Server返回的id token后必须校验nonce;
refresh_token & offline_access
- 能否从Token Endpoint获取到Refresh Token,需要对应的client id具备refresh_token的授权;
- 授权服务器必须确保使用refresh_token的客户端是认证过的,当一个refresh_token被使用过以后,一个新的refresh_token被签发出来,授权服务器应该维护旧的refresh_token和客户端的关系,当恶意攻击者使用一个无效的refresh_token来刷新时,应该吊销颁发的refresh_token以及所有的access_token;
- offline_access是一个新的scope授权,具备此属性的授权情况下,客户端可以在终端用户未登录的情况下,请求刷新access token,即终端用户未登录状态下,客户端也可以获取access token访问资源;
A request to the Token Endpoint can also use a Refresh Token by using the grant_type value refresh_token, as described in Section 6 of OAuth 2.0 [RFC6749]
The authorization server MUST verify the binding between the refresh token and client identity whenever the client identity can be authenticated. When client authentication is not possible, the authorization server SHOULD deploy other means to detect refresh token abuse.
SLO机制
OIDC中目前存在4中草案来做对应的End-User Session管理:
- OpenID Connect Session Management 1.0
- OpenID Connect Back-Channel Logout 1.0
- OpenID Connect Front-Channel Logout 1.0
- OpenID Connect RP-Initiated Logout 1.0
当下来讲,我们暂不实现,如果支持OIDC的SLO,我们基于Logout方式来做,Session Management方式暂不支持;
参考文档
- OIDC Core:https://openid.net/specs/openid-connect-core-1_0.html
- OpenID Connect Session Management 1.0:https://openid.net/specs/openid-connect-session-1_0.html
- OpenID Connect RP-Initiated Logout 1.0 :https://openid.net/specs/openid-connect-rpinitiated-1_0.html
- OpenID Connect Back-Channel Logout 1.0 :https://openid.net/specs/openid-connect-backchannel-1_0.html
- OpenID Connect Front-Channel Logout 1.0 :https://openid.net/specs/openid-connect-frontchannel-1_0.html