在authorization_code工作流中使用节点-oidc-provider发出JWT访问令牌
在authorization_code工作流中使用节点-oidc-provider发出JWT访问令牌
提问于 2022-07-15 16:19:59
下面是我对oidc提供程序的配置。我在这些特性下添加了资源指标。但这根本行不通。如何在authorization_code工作流中使用节点-oidc-provider发布JWT访问令牌?
提供程序版本为7.11.4。
clients: [
{
client_id: '0oa5pa23mzKPWYtvV5d7',
redirect_uris: ['https://jwt.io', 'http://localhost:3000/login/callback'], // using jwt.io as redirect_uri to show the ID Token contents
response_types: ['code'],
application_type: 'web',
token_endpoint_auth_method: 'none',
scope: 'openid offline_access profile email',
grant_types: ['authorization_code', 'refresh_token'],
},
],
routes: {
authorization: '/oauth2/v1/authorize',
token: '/oauth2/v1/token',
revocation: '/oauth2/v1/revoke',
userinfo: '/oauth2/v1/userinfo',
},
clientBasedCORS(ctx, origin, client) {
if (client.clientId === '0oa5pa23mzKPWYtvV5d7' && origin === 'http://localhost:3000') {
return true;
}
return false;
},
pkce: {
required: () => true,
},
interactions: {
url(ctx, interaction) { // eslint-disable-line no-unused-vars
return `/interaction/${interaction.uid}`;
},
},
cookies: {
keys: ['some secret key', 'and also the old rotated away some time ago', 'and one more'],
},
claims: {
address: ['address'],
email: ['email', 'email_verified'],
phone: ['phone_number', 'phone_number_verified'],
profile: ['birthdate', 'family_name', 'gender', 'given_name', 'locale', 'middle_name', 'name',
'nickname', 'picture', 'preferred_username', 'profile', 'updated_at', 'website', 'zoneinfo'],
},
features: {
resourceIndicators: {
getResourceServerInfo: () => ({
audience: 'solid',
accessTokenTTL: 2 * 60 * 60, // 2 hours
accessTokenFormat: 'jwt',
jwt: {
sign: { alg: 'ES256' },
},
}),
},
},回答 3
Stack Overflow用户
发布于 2022-08-02 07:56:53
defaultResource也需要更新。对于jwt,此函数必须返回适当的值。默认情况下,它返回未定义的。
resourceIndicators: {
defaultResource: (ctx, client, oneOf) => {
if (oneOf) return oneOf;
return client['access_token_type'] === 'opaque' ? undefined : `https://${clientId}.com`;
},
getResourceServerInfo: (ctx, resourceIndicator, client) => {
return ({
scope: client.scope,
accessTokenTTL: 2 * 60 * 60,
accessTokenFormat: 'jwt',
});
}
},Stack Overflow用户
发布于 2022-10-12 14:00:35
还将useGrantedResource添加到resourceIndicators
useGrantedResource: (ctx, model) => {
// @param ctx - koa request context
// @param model - depending on the request's grant_type this can be either an AuthorizationCode, BackchannelAuthenticationRequest, RefreshToken, or DeviceCode model instance.
return true;
}Stack Overflow用户
发布于 2022-11-14 09:58:36
要在受保护的资源上使用accessToken,可以:
- Ensure你有你的api: api1.example.com,api2.example.com,api3.example.com
- Ensure你定义了extraClientMetadata
/** @See https://github.com/panva/node-oidc-provider/tree/main/docs#extraClientMetadata */
/** Allows for custom client metadata to be defined, validated, manipulated as well as for existing property validations to be extended. Existing properties are snakeCased on a Client instance (e.g. client.redirectUris), new properties (defined by this configuration) will be avaialable with their names verbatim (e.g. client['urn:example:client:my-property']) */
module.exports = {
/**
* isInternalClient: true | false, wether the client is for first party or for third party
*
* resourcesScopes: ressource scope clients is allowed to requested for
*
* allowedResources: ressource server client is allowed to request token for
*/
properties: ['allowedResources', 'resourcesScopes', "isInternalClient"],
validator: function extraClientMetadataValidator(ctx, key, value, metadata) {},
};- You可以在idP
上注册apis
// src/oidc/config/resources-servers.js
// Define list of resources server
let resourcesList = {
};
// Register api 1 on the IdProvider
// Assume process.env.API1_BASE_URL = https://api1.example.com
resourcesList[process.env.API1_BASE_URL] = {
// These scope is accept the by the resource server to make authorization decisions
scope: 'offline_access api:query api:get api:post api:patch api:delete',
// Audience
audience: process.env.API1_BASE_URL,
// accessTokenFormat?: 'opaque' | 'jwt' | 'paseto'
// Please see https://github.com/panva/node-oidc-provider/tree/main/docs#getresourceserverinfo sections Resource Server (API) for more customization
accessTokenFormat: 'opaque',
};
// Register api 2 on the IdProvider
// Assume process.env.API2_BASE_URL = https://api2.example.com
resourcesList[process.env.API2_BASE_URL] = {
scope: 'offline_access api:query api:get api:post api:patch api:delete',
audience: process.env.API2_BASE_URL,
accessTokenFormat: 'opaque',
};
// Register api 3 on the IdProvider
// Assume process.env.API3_BASE_URL = https://api3.example.com
resourcesList[process.env.API3_BASE_URL] = {
scope: 'offline_access api:query api:get api:post api:patch api:delete',
audience: process.env.API3_BASE_URL,
accessTokenFormat: 'opaque',
};- Now使用它允许的资源服务器配置每个客户端,它可以请求accessToken和相关的资源scope:
。
// src/oidc/config/clients.js
{
client_id: "client1",
// ...
// Other client meta data
// ...
// These below are clientExtraMetadata. Mandatory for api access_token usage
allowedResources: [process.env.API1_BASE_URL, process.env.API2_BASE_URL],
resourcesScopes: "offline_access api:query api:get api:post api:patch api:delete",
isInternalClient: true
},
{
client_id: "client2",
// ...
// Other clie
// ...
// These below are clientExtraMetadata. Mandatory for api access_token usage
allowedResources: [process.env.API1_BASE_URL, process.env.API3_BASE_URL],
resourcesScopes: "offline_access api:query api:get api:post api:patch api:delete",
isInternalClient: true
}正确地
- Define您的config.features.resourceIndicator,就像以前的stuffs
/** @See https://github.com/panva/node-oidc-provider/tree/main/docs#featuresresourceindicators */
resourceIndicators: {
enabled: true,
defaultResource(ctx, client, oneOf) {
return Array.isArray(ctx.oidc.params?.resource)
? ctx.oidc.params?.resource[0]
: ctx.oidc.params?.resource;
},
useGrantedResource: async function useGrantedResource(ctx, model) {
return true;
},
getResourceServerInfo(ctx, resourceIndicator, client) {
// Ensure resourceIndicator is provided and this resource exist
if (!resourceIndicator || !resourcesList[resourceIndicator]) {
throw new errors.InvalidRequest("invalid_request", "Invalid resource server");
}
// Get this resource infos
var targetResourceServer = resourcesList[resourceIndicator];
// Client request access_token for api must defined these 2 metadata: allowResources, ressourcesScopes
if (!Array.isArray(client.allowedResources) || !(client.allowedResources.includes(resourceIndicator))) {
throw new errors.InvalidClientMetadata("invalid_client_metadata", "allowedResources & allowedResources are mandatory or you cannot request access token for this server");
}
// Now ensure client get access_token for scope it not defined
let clientAllowedScope = "";
if (client.resourcesScopes) {
var scopesList = client.resourcesScopes.split(' ');
clientAllowedScope = scopesList.filter((scopeItem) => {
return targetResourceServer.scope.includes(scopeItem);
});
} else {
throw new errors.InvalidClientMetadata("invalid_client_metadata", "Please specify at least one scope");
}
console.log(">>----Client ressource allowed:", client.allowedResources)
console.log(">>----Client ressource scopes:", client.resourcesScopes)
console.log(">>----Target ressource server is:", targetResourceServer)
console.log(">>----resourceIndicator is :", resourceIndicator)
console.log(">>----Client Scope allowed:", clientAllowedScope.join(' '))
// Update the acces_token ressource to issued
targetResourceServer.scope = clientAllowedScope.join(' ');
return targetResourceServer;
},
}- Now您可以针对您的api发布accessToken,即使是jwt、passeto或opaque
。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/72996953
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号