1. Introduction

This article introduces the core concepts of OIDC and shows how to implement OIDC single sign-on by extending the authorization code mode of Spring Security.

OIDC is short for OpenID Connect. OIDC = (Identity, Authentication) + OAuth 2.0. It builds an identity layer on top of OAuth2 and is an identity authentication standard protocol based on the OAuth2 protocol. As we all know, OAuth2 is an authorization protocol and does not by itself provide a complete identity authentication function. OIDC uses the OAuth2 authorization server to authenticate the user on behalf of the third-party client, returns the corresponding identity authentication information to the client, and remains fully compatible with OAuth2.

PS: Understanding OIDC requires first understanding OAuth2 single sign-on. If the principle and process of OAuth2 are not yet clear to you, see my previous article “How to implement SSO with Spring Security based on OAuth2?”.

 

2. OIDC core concepts

OAuth2 provides the Access Token to solve the problem of authorizing a third-party client to access protected resources. On this basis, OIDC provides the ID Token to solve the problem of the third-party client identifying the authenticated user. The core of OIDC is that, during the OAuth2 authorization process, the ID Token carrying the user's identity authentication information is handed to the third-party client. The ID Token is packaged in JWT format.

 

Example of an OIDC authorization response:

{
    "resp_code": 200,
    "resp_msg": "ok",
    "datas": {
        "access_token": "d1186597-aeb4-4214-b176-08ec09b1f1ed",
        "token_type": "bearer",
        "refresh_token": "37fd65d8-f017-4b5a-9975-22b3067fb30b",
        "expires_in": 3599,
        "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vemx0MjAwMC5jbiIsImlhdCI6MTYyMTY5NjU4MjYxNSwiZXhwIjoxNjIxNjk2NjQyNjE1LCJzdWIiOiIxIiwibmFtZSI6IueuoeeQhuWRmCIsImxvZ2luX25hbWUiOiJhZG1pbiIsInBpY3R1cmUiOiJodHRwOi8vcGtxdG1uMHAxLmJrdC5jbG91ZGRuLmNvbS_lpLTlg48ucG5nIiwiYXVkIjoiYXBwIiwibm9uY2UiOiJ0NDlicGcifQ.UhsJpHYMWRmny45K0CygXeaASFawqtP2-zgWPDnn0XiBJ6yeiNo5QAwerjf9NFP1YBxuobRUzzhkzRikWGwzramNG9na0NPi4yUQjPNZitX1JzlIA8XSq4LNsuPKO7hS1ALqqiAEHS3oUqKAsjuE-ygt0fN9iVj2LyL3-GFpql0UAFIHhew_J7yIpR14snSh3iLVTmSWNknGu2boDvyO5LWonnUjkNB3XSGD0ukI3UEEFXBJWyOD9rPqfTDOy0sTG_-9wjDEV0WbtJf4FyfO3hPu--bwtM_U0kxRbfLnOujFXyVUStiCKG45wg7iI4Du2lamPJoJCplwjHKWdPc6Zw"
    }
}

You can see that, compared with a normal OAuth2 response, the returned information contains an id_token attribute in addition to the access_token.

 

3. What is an ID Token?

The ID Token is a security token: a JWT-formatted data structure issued by the authorization server that contains user information. Thanks to the self-contained, compact and tamper-evident nature of JWT, the ID Token can be passed securely to third-party clients and verified easily.

 

The id_token contains the following content:

{
  "iss": "http://zlt2000.cn",
  "iat": 1621696582615,
  "exp": 1621696642615,
  "sub": "1",
  "name": "Administrator",
  "login_name": "admin",
  "picture": "http://xxx/头像.png",
  "aud": "app",
  "nonce": "t49bpg"
}

  • iss: token issuer
  • iat: token issue timestamp
  • exp: token expiration timestamp
  • sub: user ID
  • name: user name
  • login_name: user login name
  • picture: user's picture
  • aud: token receiver, the OAuth application ID
  • nonce: a random string used to prevent replay attacks

 

3.1. Difference with JWT Access Token

Could a JWT Access Token with the user information added to its payload be used instead of an ID Token?

 

Although the user's information can be added to the Access Token in a tamper-evident way, every request the user makes must carry the Access Token, which not only increases bandwidth but also makes it easy to leak the user's information.

 

3.2. Differences with UserInfo endpoints

Generally, OIDC also requires a GET /userinfo endpoint, which is called with the Access Token to obtain detailed user information. So this method obtains user information just as the ID Token does; what is the difference?

 

Compared with the GET /userinfo interface, using the ID Token reduces the overhead of remote API calls. When only the basic information of the user is needed, the ID Token can be used directly, without calling GET /userinfo with the Access Token every time to fetch the detailed user information.

 

4. OIDC single sign-on process

Let's look at a common scenario for the OIDC protocol: single sign-on between systems that each have an independent user system. This means user data is not shared centrally; each system keeps its own user data, so a step that automatically registers the user is added at the end of the process.

Most of the process is the same as the authorization code mode of OAuth2, which is not repeated here. The following two steps need explanation:

  • The public key used to parse the ID Token can be provided to the third-party system in advance or obtained through an interface.
  • Automatic user registration happens on the first single sign-on: because the user does not yet exist in the system, the user data has to be generated there. For example, if you have never registered on CSDN, you can still log in to the website with WeChat.
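The two steps above, together with the claim checks that section 3's claim list implies, as an added example of what the third-party system does with the id_token it receives. This is not code from the article or its demo project; the class, the LocalUser store and the constructor arguments are hypothetical, Jackson is assumed for JSON parsing, and exp is compared in milliseconds because the article's sample tokens use millisecond timestamps.

```java
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.nio.charset.StandardCharsets;
import java.security.Signature;
import java.security.interfaces.RSAPublicKey;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Third-party side of the OIDC single sign-on: verify the id_token with the
 * provider's public key, check its claims, then look up or auto-register the
 * local user. Added example; class and field names are hypothetical.
 */
public class IdTokenLogin {

    /** Minimal stand-in for the local user table (hypothetical). */
    public static final class LocalUser {
        public final String issuer, subject, name, loginName;
        LocalUser(String issuer, String subject, String name, String loginName) {
            this.issuer = issuer; this.subject = subject; this.name = name; this.loginName = loginName;
        }
    }

    private final ObjectMapper mapper = new ObjectMapper();
    private final RSAPublicKey providerKey;   // handed over in advance or fetched from the provider's key interface
    private final String expectedIssuer;      // the provider's iss value, e.g. http://zlt2000.cn in the article
    private final String clientId;            // this application's client_id; the token's aud must match it
    private final Map<String, LocalUser> users = new ConcurrentHashMap<>();

    public IdTokenLogin(RSAPublicKey providerKey, String expectedIssuer, String clientId) {
        this.providerKey = providerKey;
        this.expectedIssuer = expectedIssuer;
        this.clientId = clientId;
    }

    /** Verifies signature and claims; returns the payload or throws SecurityException. */
    public Map<String, Object> verify(String idToken, String expectedNonce, long nowMillis) throws Exception {
        String[] parts = idToken.split("\\.");
        if (parts.length != 3) throw new SecurityException("malformed JWT");
        Base64.Decoder b64 = Base64.getUrlDecoder();
        TypeReference<Map<String, Object>> mapType = new TypeReference<Map<String, Object>>() {};

        // 1. Pin the algorithm: the header's "alg" is untrusted input until the signature is checked.
        Map<String, Object> header = mapper.readValue(b64.decode(parts[0]), mapType);
        if (!"RS256".equals(header.get("alg"))) throw new SecurityException("unexpected alg " + header.get("alg"));

        // 2. RS256 is SHA256withRSA over the ASCII bytes of "header.payload".
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(providerKey);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(b64.decode(parts[2]))) throw new SecurityException("bad signature");

        // 3. The claims from section 3: iss, aud, exp and nonce must all match this login attempt.
        Map<String, Object> claims = mapper.readValue(b64.decode(parts[1]), mapType);
        if (!expectedIssuer.equals(claims.get("iss"))) throw new SecurityException("wrong iss");
        if (!audienceMatches(claims.get("aud"))) throw new SecurityException("wrong aud");
        long exp = ((Number) claims.get("exp")).longValue();   // milliseconds, as in the article's tokens
        if (nowMillis >= exp) throw new SecurityException("id_token expired");
        if (!expectedNonce.equals(claims.get("nonce"))) throw new SecurityException("nonce mismatch");
        return claims;
    }

    /** aud is a string in the article's sample, but the OIDC spec also allows an array of audiences. */
    private boolean audienceMatches(Object aud) {
        if (aud instanceof List) return ((List<?>) aud).contains(clientId);
        return clientId.equals(aud);
    }

    /** First single sign-on: create the local user if (iss, sub) is unknown, otherwise reuse it. */
    public LocalUser findOrRegister(Map<String, Object> claims) {
        // Key on iss + sub, never on name or login_name: those are not unique across issuers.
        String key = claims.get("iss") + "|" + claims.get("sub");
        return users.computeIfAbsent(key, k -> new LocalUser(
                (String) claims.get("iss"), (String) claims.get("sub"),
                (String) claims.get("name"), (String) claims.get("login_name")));
    }
}
```

The nonce passed to verify is the value the third-party system generated and stored in the user's session when it built the /oauth/authorize redirect; checking it ties the returned id_token to that specific login attempt, which is what the nonce claim in section 3 is for.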

 

5. Spring Security implementation

First, the ultimate goal of the extension is to achieve the following effect:

  • Authorization code mode: /oauth/authorize?client_id={client_id}&redirect_uri={redirect_uri}&response_type=code
  • OIDC mode: /oauth/authorize?client_id={client_id}&redirect_uri={redirect_uri}&response_type=code id_token

The goal is to control whether OIDC mode is used by the value passed in response_type: when the value of response_type additionally contains id_token, OIDC mode is used.

Since the ID Token attribute has to be added to the content returned by OAuth2, the key to this extension is adding a custom field to the token through Spring Security's TokenEnhancer.

Define TokenEnhancer Bean to extend Token:

The response_type parameter of the authorization request is used to determine whether an id_token needs to be generated.

Generate JWT for ID Token:
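The three steps above (TokenEnhancer bean, response_type check, JWT generation) carried through as one added example. This is not the article's own code and not the demo project's code: the class name, the 60-second ID Token lifetime and the userClaims hook that maps the authenticated principal to the sub, name, login_name and picture claims are assumptions; it uses the legacy spring-security-oauth2 TokenEnhancer API that the article's /oauth/authorize and /oauth/token endpoints belong to, Jackson for JSON, and the JDK's own RSA signature for RS256.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

/**
 * TokenEnhancer that appends an id_token (RS256 JWT) to the token response
 * only when the authorization request carried response_type=code id_token.
 * Added example; the class name and the userClaims hook are hypothetical.
 */
public class IdTokenEnhancer implements TokenEnhancer {

    private static final long ID_TOKEN_TTL_MILLIS = 60_000L;  // 60 s, like exp - iat in the article's sample

    private final ObjectMapper mapper = new ObjectMapper();
    private final PrivateKey signingKey;   // RSA private key; its public half is handed to third-party systems
    private final String issuer;           // becomes the iss claim
    private final Function<Authentication, Map<String, Object>> userClaims; // principal -> sub, name, login_name, picture

    public IdTokenEnhancer(PrivateKey signingKey, String issuer,
                           Function<Authentication, Map<String, Object>> userClaims) {
        this.signingKey = signingKey;
        this.issuer = issuer;
        this.userClaims = userClaims;
    }

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        OAuth2Request request = authentication.getOAuth2Request();
        Authentication user = authentication.getUserAuthentication();
        // Plain authorization code mode, or a client-only grant with no user: return the token unchanged.
        if (!wantsIdToken(request) || user == null) {
            return accessToken;
        }

        long now = System.currentTimeMillis();
        Map<String, Object> claims = new LinkedHashMap<>();
        claims.put("iss", issuer);
        claims.put("iat", now);
        claims.put("exp", now + ID_TOKEN_TTL_MILLIS);
        claims.putAll(userClaims.apply(user));                              // sub, name, login_name, picture
        claims.put("aud", request.getClientId());                           // the receiving OAuth application
        claims.put("nonce", request.getRequestParameters().get("nonce"));   // echoed from the authorize request

        // Copy the token and add id_token as a custom field; Spring serialises additionalInformation into the response.
        DefaultOAuth2AccessToken result = new DefaultOAuth2AccessToken(accessToken);
        Map<String, Object> info = new LinkedHashMap<>(accessToken.getAdditionalInformation());
        info.put("id_token", signJwt(claims));
        result.setAdditionalInformation(info);
        return result;
    }

    /** Spring parses response_type into a set ("code id_token" -> {code, id_token}); also accept the raw parameter. */
    private static boolean wantsIdToken(OAuth2Request request) {
        Set<String> types = request.getResponseTypes();
        if (types != null && types.contains("id_token")) return true;
        String raw = request.getRequestParameters().get("response_type");
        return raw != null && raw.contains("id_token");
    }

    /** Minimal RS256 JWT: base64url(header).base64url(payload).base64url(signature). */
    private String signJwt(Map<String, Object> claims) {
        try {
            Map<String, Object> header = new LinkedHashMap<>();
            header.put("alg", "RS256");
            header.put("typ", "JWT");
            String signingInput = b64url(mapper.writeValueAsBytes(header)) + "." + b64url(mapper.writeValueAsBytes(claims));
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initSign(signingKey);
            sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
            return signingInput + "." + b64url(sig.sign());
        } catch (GeneralSecurityException | JsonProcessingException e) {
            throw new IllegalStateException("could not sign id_token", e);
        }
    }

    private static String b64url(byte[] bytes) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }
}
```

To wire it in, expose the class as a bean and pass it to AuthorizationServerEndpointsConfigurer.tokenEnhancer(...) in the authorization server configuration; if the project also uses a JwtAccessTokenConverter, put this enhancer in a TokenEnhancerChain ahead of the converter so the id_token field is present before the access token is encoded. The private key must stay on the authorization server; only its public half is given to third-party systems for the verification step described in section 4.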

 

PS: Only part of the key code is listed above; the complete code can be downloaded from the demo address below.

 

6. Complete demo download address

Gitee.com/zlt2000/mic…
