- OpenID Connect是什么?OpenID Connect(目前版本是1.0)是OAuth 2.0协议(可参考本人此篇:OAuth 2.0 / RCF6749 协议解读)之上的简单身份层,用 API 进行身份交互的框架,允许客户端根据授权服务器的认证结果最终确认用户的身份,以及获取基本的用户信息;它支持包括Web、移动、JavaScript在内的所有客户端类型;它是可扩展的协议,允许你使用某些可选功能,如身份数据加密、OpenID提供商发现、会话管理
- OpenID Connect vs OpenID 2.0:OpenID Connect完成很多与OpenID 2.0相同的任务,是API-friendly,定义了可选的签名和加密的机制;OAuth 1.0a和OpenID 2.0的集成需要扩展,而OpenID Connect协议本身就建立在OAuth 2.0之上
- 部分名词解释:
1. Relying Party(RP):依赖方,通常是第三方应用程序(客户端) 2. OpenID Provider(OP):OpenID 提供方,通常是一个 OpenID 认证服务器,它能为依赖方提供断言以证实用户拥有某个标识 3. End-User(EU):终端用户,指持有账号的人
- OpenID Connect协议构成:
- Core – 定义 OpenID Connect 核心功能: 认证建立在OAuth 2.0之上,使用声明与终端用户进行信息交互
- Discovery – (Optional) Defines how Clients dynamically discover information about OpenID Providers
- Dynamic Registration – (Optional) Defines how clients dynamically register with OpenID Providers
- OAuth 2.0 Multiple Response Types – 定义了几种新的OAuth 2.0响应类型
- OAuth 2.0 Form Post Response Mode – (Optional) Defines how to return OAuth 2.0 Authorization Response parameters (including OpenID Connect Authentication Response parameters) using HTML form values that are auto-submitted by the User Agent using HTTP POST
- Session Management – (Optional) Defines how to manage OpenID Connect sessions, including postMessage-based logout functionality
- Front-Channel Logout – (Optional) Defines a front-channel logout mechanism that does not use an OP iframe on RP pages
- Back-Channel Logout – (Optional) Defines a logout mechanism that uses direct back-channel communication between the OP and RPs being logged out
下边两条是 Web RPs 实现者的独立参考指南:
- Basic Client Implementer’s Guide – Simple subset of the Core functionality for a web-based Re
OpenID Connect:OAuth 2.0协议之上的简单身份层
最新推荐文章于 2024-07-06 14:25:18 发布
![](https://img-home.csdnimg.cn/images/20240711042549.png)