I am evaluating Authlib for setting up an OpenID Connect and OAuth 2.0 authorization server. So far it has worked well for me. I tried to see whether the well-known URL can be published easily, so that I can get an application written in Spring Boot to work with the JWTs issued by the Authlib server.
https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2resourceserver
I could not find much documentation or examples on how to publish the well-known URL endpoint. Any guidance on this would be highly appreciated.
Posted on 2020-04-11 01:19:15
I couldn't find an answer to this question either, so here is a copy of Google's well-known response. Hope it helps.
```python
from flask import current_app


def openid_configuration():
    # Discovery document; the field set mirrors Google's well-known response.
    return dict(
        issuer=current_app.config['BACKEND_URL'],
        authorization_endpoint=f"{current_app.config['FRONTEND_URL']}/authorize",
        device_authorization_endpoint=None,
        token_endpoint=f"{current_app.config['BACKEND_URL']}/api/token",
        userinfo_endpoint=None,
        revocation_endpoint=None,
        jwks_uri=f"{current_app.config['BACKEND_URL']}/api/public-key",
        response_types_supported=["code"],
        subject_types_supported=[],
        id_token_signing_alg_values_supported=["RS256"],
        scopes_supported=["openid", "email", "actions", "meta"],
        token_endpoint_auth_methods_supported=["client_secret_post"],
        claims_supported=["email", "iat", "iss", "name", "sub"],
        code_challenge_methods_supported=[],
        grant_types_supported=["authorization_code"]
    )
```
Posted on 2021-08-10 16:03:16
I was able to extend the oidc flask example with this handler.
```python
from flask import Blueprint, jsonify, url_for

# `bp` is the blueprint of the example app that also holds the authorize, token,
# userinfo and jwks views referenced below by endpoint name; it is declared here
# so the snippet is self-contained. JWT_CONFIG is defined further down.
bp = Blueprint("oidc", __name__)


@bp.route("/.well-known/openid-configuration")
def well_known_openid_configuration():
    def external_url(function_name):
        # absolute URL of a view in this blueprint (hence the leading dot)
        return url_for(function_name, _external=True)
    return jsonify({
        "authorization_endpoint": external_url('.authorize_endpoint'),
        "token_endpoint": external_url('.token_endpoint'),
        "userinfo_endpoint": external_url('.userinfo_endpoint'),
        "jwks_uri": external_url('.jwks_endpoint'),
        # Do I even need this one?
        # IMO the OIDC server doesn't have a concept of a user being still logged in? --mh
        # "end_session_endpoint": "http://oidc:4000/openid/end-session",
        "id_token_signing_alg_values_supported": [
            "HS256",
            "RS256"
        ],
        "issuer": JWT_CONFIG['iss'],
        "response_types_supported": [
            "code",
            # TODO check what it takes to support these too
            # "id_token",
            # "id_token token",
            # "code token",
            # "code id_token",
            # "code id_token token"
        ],
        "subject_types_supported": [
            "public"
        ],
        "token_endpoint_auth_methods_supported": [
            # TODO is supporting both a good idea? --mh
            "client_secret_post",
            "client_secret_basic"
        ],
    })
```
It turns out that implementing the jwks_uri endpoint is not very hard; it works roughly like this:
```python
from pathlib import Path

from authlib.jose import JsonWebKey, KeySet
from flask import jsonify


def load_public_keys():
    # Import the PEM public key as a JWK and mark its intended use and algorithm
    public_key_path = Path("etc") / "public.pem"
    public_key = JsonWebKey.import_key(public_key_path.read_bytes())
    public_key["use"] = "sig"
    public_key["alg"] = "RS256"
    return KeySet([public_key])


@bp.route("/oauth/jwks")  # `bp` is the blueprint from the handler above
def jwks_endpoint():
    # JWKS document: {"keys": [...]}, each entry carrying its kid
    return jsonify(load_public_keys().as_dict())
```
To have authlib use the private key and set the key id (kid), this is required in JWT_CONFIG:
```python
from pathlib import Path

from authlib.jose import JsonWebKey, KeySet

JWT_CONFIG = {
    "key": "secret-key",  # placeholder, replaced with the JWK set below
    "alg": "RS256",
    "iss": "https://sntl-publishing.com",
    "exp": 3600,
}
private_key_path = Path('etc') / 'private.pem'
private_key = JsonWebKey.import_key(private_key_path.read_text())
JWT_CONFIG['key'] = KeySet([private_key]).as_dict()
```
This seems to be fixed in the repository's master branch, but with the currently released version you need to call as_dict() on the KeySet; otherwise the kid is not part of the generated ID token and the client cannot validate it with the information from the jwks_uri endpoint.
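The consumer side of the documents both answers publish, as an added example that is not code from the question, either answer, or Authlib: it builds the discovery document and JWKS for a freshly generated RSA key, issues an RS256 token, and then verifies it the way a resource server configured with nothing but an issuer URI does (discovery, jwks_uri, key selected by kid, signature, then iss/aud/exp). It uses the `cryptography` package directly rather than Authlib so that the JWK encoding and the kid lookup are explicit. The issuer `https://issuer.example`, the `/oauth/...` paths, the audience `spring-app` and the subject are made-up values, and the `fetch` callable stands in for an HTTP GET of each URL. It also reproduces the situation the second answer describes: a token signed with the right key but without a `kid` header is rejected here, because no key in the JWKS can be selected for it.

```python
"""Resource-server side of OIDC discovery: issuer -> openid-configuration ->
jwks_uri -> key chosen by kid -> RS256 check -> iss/aud/exp. Added example,
not Authlib code; issuer, paths, audience and subject are made-up values."""
import base64, hashlib, json, time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicNumbers

ISSUER = "https://issuer.example"  # assumed issuer, not from the page


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def int_to_b64url(value: int) -> str:
    return b64url(value.to_bytes((value.bit_length() + 7) // 8, "big"))


def public_jwk(private_key) -> dict:
    """RFC 7517 JWK of the public half; kid = RFC 7638 thumbprint (SHA-256 over e, kty, n)."""
    nums = private_key.public_key().public_numbers()
    jwk = {"kty": "RSA", "n": int_to_b64url(nums.n), "e": int_to_b64url(nums.e)}
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode()
    jwk["kid"] = b64url(hashlib.sha256(canonical).digest())
    jwk.update(use="sig", alg="RS256")
    return jwk


def issue_token(private_key, kid: str, claims: dict, include_kid: bool = True) -> str:
    """RS256 compact JWT; include_kid=False yields a token whose header names no key."""
    header = {"alg": "RS256", "typ": "JWT"}
    if include_kid:
        header["kid"] = kid
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    signature = private_key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(signature)


def build_authorization_server():
    """(private_key, kid, documents): documents maps the two URLs a resource
    server fetches to the JSON bodies the answers above publish."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    jwk = public_jwk(private_key)
    documents = {
        f"{ISSUER}/.well-known/openid-configuration": {
            "issuer": ISSUER,
            "authorization_endpoint": f"{ISSUER}/oauth/authorize",
            "token_endpoint": f"{ISSUER}/oauth/token",
            "jwks_uri": f"{ISSUER}/oauth/jwks",
            "response_types_supported": ["code"],
            "subject_types_supported": ["public"],
            "id_token_signing_alg_values_supported": ["RS256"],
        },
        f"{ISSUER}/oauth/jwks": {"keys": [jwk]},
    }
    return private_key, jwk["kid"], documents


def verify_token(token: str, issuer: str, audience: str, fetch) -> dict:
    """Discovery, then jwks_uri, then the key named by kid, then signature and claims."""
    config = fetch(issuer.rstrip("/") + "/.well-known/openid-configuration")
    if config["issuer"] != issuer:
        raise ValueError("discovery document issuer mismatch")
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "RS256":  # the token never gets to choose the algorithm
        raise ValueError("unsupported alg")
    matches = [k for k in fetch(config["jwks_uri"])["keys"] if k.get("kid") == header.get("kid")]
    if len(matches) != 1:
        raise ValueError(f"no unique key with kid {header.get('kid')!r} in JWKS")
    n = int.from_bytes(b64url_decode(matches[0]["n"]), "big")
    e = int.from_bytes(b64url_decode(matches[0]["e"]), "big")
    RSAPublicNumbers(e, n).public_key().verify(  # raises InvalidSignature on mismatch
        b64url_decode(sig_b64), f"{head_b64}.{body_b64}".encode(), padding.PKCS1v15(), hashes.SHA256())
    claims = json.loads(b64url_decode(body_b64))
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if claims.get("iss") != issuer or audience not in aud:
        raise ValueError("iss/aud mismatch")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims


def demo() -> dict:
    """Happy path plus the two tokens the resource server must reject."""
    private_key, kid, documents = build_authorization_server()
    fetch = documents.__getitem__  # stands in for an HTTP GET of each URL
    now = int(time.time())
    claims = {"iss": ISSUER, "sub": "alice", "aud": ["spring-app"], "iat": now, "exp": now + 3600}
    good = issue_token(private_key, kid, claims)
    results = {"sub": verify_token(good, ISSUER, "spring-app", fetch)["sub"]}
    no_kid = issue_token(private_key, kid, claims, include_kid=False)  # right key, no kid header
    head, _, sig = good.split(".")
    forged_body = b64url(json.dumps({**claims, "sub": "mallory"}).encode())  # payload changed after signing
    forged = f"{head}.{forged_body}.{sig}"
    for name, candidate in (("missing_kid", no_kid), ("tampered", forged)):
        try:
            verify_token(candidate, ISSUER, "spring-app", fetch)
            results[name] = "accepted"
        except (ValueError, InvalidSignature) as err:
            results[name] = type(err).__name__
    return results
```

Pinning `alg` to RS256 before touching the JWKS matters: the key set is public, so the verifier must never let the token header steer it toward an HMAC or `none` algorithm. Requiring exactly one `kid` match is also what makes key rotation workable: publish the new key in the JWKS first, then start signing with it, and keep the old key listed until the last token signed with it has expired.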
https://stackoverflow.com/questions/61022475