Do Keycloak and its different adapters implement the OpenID Connect Back-Channel Logout spec?
Keycloak does support back-channel logout, but does it conform to the OpenID Connect Back-Channel Logout draft specification? https://openid.net/specs/openid-connect-backchannel-1_0.html
Here is Keycloak's Jira issue on this topic. Go vote for it!
After checking the spec and Keycloak's implementation, I have to say it does not conform to the spec. For example, here is the difference in the required Logout Token format that should be sent from the OP to the RP:
2.4. Logout Token
OPs send a JWT similar to an ID Token to RPs called a Logout Token to
request that they log out. ID Tokens are defined in Section 2 of
[OpenID.Core].
The following Claims are used within the Logout Token:
iss
REQUIRED. Issuer Identifier, as specified in Section 2 of [OpenID.Core].
sub
OPTIONAL. Subject Identifier, as specified in Section 2 of [OpenID.Core].
aud
REQUIRED. Audience(s), as specified in Section 2 of [OpenID.Core].
iat
REQUIRED. Issued at time, as specified in Section 2 of [OpenID.Core].
jti
REQUIRED. Unique identifier for the token, as specified in Section 9 of [OpenID.Core].
events
REQUIRED. Claim whose value is a JSON object containing the member name http://schemas.openid.net/event/backchannel-logout. This declares that the JWT is a Logout Token. The corresponding member value MUST be a JSON object and SHOULD be the empty JSON object {}.
sid
OPTIONAL. Session ID - String identifier for a Session. This represents a Session of a User Agent or device for a logged-in End-User at an RP. Different sid values are used to identify distinct sessions at an OP. The sid value need only be unique in the context of a particular issuer. Its contents are opaque to the RP. Its syntax is the same as an OAuth 2.0 Client Identifier.
A Logout Token MUST contain either a sub or a sid Claim, and MAY
contain both. If a sid Claim is not present, the intent is that all
sessions at the RP for the End-User identified by the iss and sub
Claims be logged out.
This is what Keycloak sends in its current version (8.0.1):
{
  "id": "3536c4c4-fa51-4691-bc09-d229df83f774-1579360301277",
  "expiration": 1579360331,
  "resource": "resource-server-1",
  "action": "LOGOUT",
  "adapterSessionIds": [
    "6569208C4937FD9C6E138C9DD9CF7C6F"
  ],
  "notBefore": 0,
  "keycloakSessionIds": [
    "ca8060fd-48e9-4d26-b2d6-d6edb095f4b7"
  ]
}
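To make the difference concrete, the following is an added example (not code from the answers above, from Keycloak, or from the spec) of an RP-side check that applies the claim rules quoted from section 2.4, plus the rule from the spec's validation section (2.6) that a Logout Token must not carry a nonce. It runs over already-decoded claims; the JWT signature is assumed to have been verified against the OP's keys by a JWT library beforehand. It is applied both to a constructed spec-shaped payload (issuer, client id and session store are invented) and to the Keycloak 8.0.1 payload quoted above, which fails every required-claim rule.

```python
"""Validate the claims of an OpenID Connect Back-Channel Logout Token.

Added example, not Keycloak's or the spec's code. Works on decoded claims;
signature verification (RS256 against the OP's JWKS) is assumed done already.
"""
import time

BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def validate_logout_token_claims(claims, expected_issuer, client_id,
                                 now=None, max_age=300, seen_jtis=None):
    """Return a list of violations; an empty list means the claims conform.

    seen_jtis is an optional set used to reject replayed tokens; a valid jti
    is added to it so the same Logout Token is not honoured twice.
    """
    errors = []
    now = time.time() if now is None else now

    # iss REQUIRED and must be the OP we trust.
    if claims.get("iss") != expected_issuer:
        errors.append("iss missing or does not match the expected OP")

    # aud REQUIRED; may be a string or a list, and must include this RP.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else ([aud] if aud is not None else [])
    if client_id not in aud_list:
        errors.append("aud missing or does not contain this RP's client_id")

    # iat REQUIRED; reject tokens from the future or older than max_age seconds.
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)):
        errors.append("iat missing or not numeric")
    elif iat > now + 60 or now - iat > max_age:
        errors.append("iat outside acceptable window")

    # jti REQUIRED; also used for replay detection.
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti:
        errors.append("jti missing")
    elif seen_jtis is not None:
        if jti in seen_jtis:
            errors.append("jti already seen (replayed Logout Token)")
        else:
            seen_jtis.add(jti)

    # events REQUIRED, must contain the backchannel-logout member as an object.
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_LOGOUT_EVENT not in events:
        errors.append("events claim missing the backchannel-logout member")
    elif not isinstance(events[BACKCHANNEL_LOGOUT_EVENT], dict):
        errors.append("backchannel-logout event member must be a JSON object")

    # Either sub or sid MUST be present (both allowed).
    if "sub" not in claims and "sid" not in claims:
        errors.append("token must contain sub or sid")

    # Spec section 2.6: a nonce MUST NOT be present, so a Logout Token can
    # never be mistaken for an ID Token.
    if "nonce" in claims:
        errors.append("nonce must not be present in a Logout Token")

    return errors


def sessions_to_terminate(claims, session_store):
    """Pick the RP sessions to end. session_store maps sid -> sub.

    With a sid, only that session ends; with sub alone, every session of
    that End-User ends, as section 2.4 requires.
    """
    if "sid" in claims:
        return [claims["sid"]] if claims["sid"] in session_store else []
    return [sid for sid, sub in session_store.items() if sub == claims["sub"]]


# Constructed sample: a spec-shaped Logout Token payload (values invented).
SPEC_LOGOUT_TOKEN = {
    "iss": "https://op.example/realms/demo",
    "aud": "resource-server-1",
    "iat": 1579360301,
    "jti": "constructed-jti-0001",
    "sid": "6569208C4937FD9C6E138C9DD9CF7C6F",
    "events": {BACKCHANNEL_LOGOUT_EVENT: {}},
}

# The proprietary Keycloak 8.0.1 payload quoted in the answer above.
KEYCLOAK_8_PAYLOAD = {
    "id": "3536c4c4-fa51-4691-bc09-d229df83f774-1579360301277",
    "expiration": 1579360331,
    "resource": "resource-server-1",
    "action": "LOGOUT",
    "adapterSessionIds": ["6569208C4937FD9C6E138C9DD9CF7C6F"],
    "notBefore": 0,
    "keycloakSessionIds": ["ca8060fd-48e9-4d26-b2d6-d6edb095f4b7"],
}

if __name__ == "__main__":
    issuer, client = "https://op.example/realms/demo", "resource-server-1"
    print("spec token:", validate_logout_token_claims(SPEC_LOGOUT_TOKEN, issuer, client, now=1579360310))
    print("keycloak 8:", validate_logout_token_claims(KEYCLOAK_8_PAYLOAD, issuer, client, now=1579360310))
```

The Keycloak 8 payload carries the same information in its own fields (resource for the audience, adapterSessionIds for the session), but an RP written against the spec cannot consume it, which is the interoperability point the answer makes.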
OpenID Connect Back-Channel Logout has been implemented in Keycloak 12.0, shipped in December 2020.
Earlier versions only implemented an alternative, proprietary mechanism.