How to deploy the OIDC module for SimpleSAMLphp?


1 Basics

1.1 Introduction to simplesamlphp-module-oidc

– simplesamlphp-module-oidc is the module that adds OpenID Connect protocol support to SimpleSAMLphp
– simplesamlphp-module-oidc is installed through Composer
– simplesamlphp-module-oidc is built on the PHP League OAuth2 server implementation

1.2 simplesamlphp-module-oidc features

1.2.1 Authorization Code flow

– The Authorization Code flow is the English name of this flow (Chinese: 授权码流程)
– The Authorization Code flow is the most commonly used OAuth 2.0 flow
– The Authorization Code flow is suited to applications that can store a client secret securely (for example server-side web applications)
– In the Authorization Code flow the user is redirected to the authorization server's authorization page; if the user consents, the user is redirected back to the application with an authorization code, which the application exchanges for an access token
In addition, the Authorization Code flow of simplesamlphp-module-oidc supports PKCE:
– PKCE is the abbreviation of “Proof Key for Code Exchange”
– PKCE is an extension of the OAuth 2.0 Authorization Code flow that improves client security
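As an added example (not code from the original post or from simplesamlphp-module-oidc), the PKCE exchange that protects the Authorization Code flow described above, in Python: the client derives the code_challenge for the authorization request, and the authorization server recomputes it from the code_verifier when the code is redeemed at the token endpoint. Both challenge methods the module advertises (plain and S256) are covered.

```python
# Added example (not code from simplesamlphp-module-oidc): the PKCE exchange used by
# the Authorization Code flow above (RFC 7636), client side and the check the
# authorization server performs at the token endpoint.
import base64
import hashlib
import hmac
import re
import secrets

VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")  # unreserved chars, RFC 7636 4.1


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Client: fresh high-entropy code_verifier, kept secret until the token request."""
    return b64url(secrets.token_bytes(48))  # 48 random bytes -> 64 characters


def make_challenge(verifier: str, method: str = "S256") -> str:
    """Client: derive the code_challenge sent with the authorization request."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier  # sent in the clear; gives no protection if the request leaks
    raise ValueError(f"unsupported code_challenge_method: {method}")


def server_verify(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server: when the code is redeemed, recompute the challenge from the presented
    code_verifier and compare it with the one stored alongside the authorization code."""
    if not VERIFIER_RE.match(presented_verifier):
        return False
    try:
        expected = make_challenge(presented_verifier, stored_method)
    except ValueError:
        return False
    return hmac.compare_digest(expected, stored_challenge)  # constant-time comparison


def round_trip(method: str = "S256") -> bool:
    """One full exchange: authorize with the challenge, then redeem with the verifier."""
    verifier = make_verifier()
    challenge = make_challenge(verifier, method)       # stored by the server with the code
    return server_verify(challenge, method, verifier)  # presented at the token endpoint
```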

1.2.2 Implicit flow

– The Implicit flow is the English name of this flow (Chinese: 隐式流程)
– The Implicit flow involves no authorization code; the access token is returned directly in the redirect URI
– The Implicit flow is meant for clients that cannot store a client secret securely, for example single-page applications (SPA)
– The Implicit flow carries a higher security risk because the access token is exposed to the front end

1.2.3 Plain OAuth2 Implicit flow

– The Plain OAuth2 Implicit Flow is the English name of this flow (Chinese: 纯OAuth2隐式流程)
– The plain OAuth2 implicit flow is a variant of the Implicit flow with no additional security measures
– The plain OAuth2 implicit flow is generally not recommended because it is vulnerable to cross-site scripting (XSS)

1.2.4 Refresh Token flow

– The Refresh Token flow is the English name of this flow (Chinese: 刷新令牌流程)
– In the Refresh Token flow, when an access token expires the refresh token is used to obtain a new access token without asking the user to authorize again
– In the Refresh Token flow, refresh tokens usually have a longer lifetime and must be stored securely

1.3 Installation requirements for simplesamlphp-module-oidc

OIDC module   Tested SimpleSAMLphp   PHP     Note
v5.*          v2.1.*                 >=8.1   Recommended
v4.*          v2.0.*                 >=8.0
v3.*          v2.0.*                 >=7.4   Abandoned from August 2023.
v2.*          v1.19.*                >=7.4

2 Best practices

2.1 Preparation before installation

2.1.1 Prepare the SimpleSAMLphp environment

See the earlier article: How to deploy simpleSAMLphp 2.1.3 on Oracle Linux 9.x?

2.1.2 Download the package

cd ~
wget -O simplesamlphp-module-oidc-5.1.0.tar.gz https://github.com/simplesamlphp/simplesamlphp-module-oidc/archive/refs/tags/v5.1.0.tar.gz

The above is only a command-line demonstration; if you need another version or the download fails, use a browser to download from the following link:
https://github.com/simplesamlphp/simplesamlphp-module-oidc/releases

2.1.3 Extract the package

cd ~
tar -xf simplesamlphp-module-oidc-5.1.0.tar.gz

2.2 Install and configure the package

2.2.1 Deploy the package

cd ~
mv simplesamlphp-module-oidc-5.1.0 /var/www/simplesamlphp/modules/oidc
chown apache:apache -R /var/www/simplesamlphp/modules/oidc
chmod 775 -R /var/www/simplesamlphp/modules/oidc

2.2.2 Install the module's dependencies with Composer

cd /var/www/simplesamlphp
sudo -u apache /usr/local/bin/composer require simplesamlphp/simplesamlphp-module-oidc

2.2.3 Deploy the configuration file

cp -a /var/www/simplesamlphp/modules/oidc/config-templates/module_oidc.php /var/www/simplesamlphp/config/

2.2.4 Configure the database

mysql -uroot -p

Create the database:

CREATE DATABASE `simplesamlphp`;

Create the user and grant privileges:

CREATE USER 'simplesamlphp'@'localhost' IDENTIFIED BY 'simplesamlphppwd';
GRANT ALL PRIVILEGES ON `simplesamlphp`.* TO 'simplesamlphp'@'localhost';
CREATE USER 'simplesamlphp'@'127.0.0.1' IDENTIFIED BY 'simplesamlphppwd';
GRANT ALL PRIVILEGES ON `simplesamlphp`.* TO 'simplesamlphp'@'127.0.0.1';

Test that the application account can log in:

mysql -usimplesamlphp -psimplesamlphppwd

After the database is created, connect SimpleSAMLphp to it by editing the following configuration file:

vim /var/www/simplesamlphp/config/config.php

Add the following settings:

'database.dsn' => 'mysql:host=127.0.0.1;dbname=simplesamlphp;charset=utf8',
'database.username' => 'simplesamlphp',
'database.password' => 'simplesamlphppwd',

2.2.5 Create the RSA key pair

cd /var/www/simplesamlphp/
openssl genrsa -out cert/oidc_module.key 3072

The above creates the private key. If you want to protect the private key with a passphrase, use the following command instead (optional):

openssl genrsa -passout pass:myPassPhrase -out cert/oidc_module.key 3072

Extract the public key from the private key:

openssl rsa -in cert/oidc_module.key -pubout -out cert/oidc_module.crt

If the private key is passphrase-protected, extracting the public key requires the passphrase; use the following command (optional):

openssl rsa -in cert/oidc_module.key -passin pass:myPassPhrase -pubout -out cert/oidc_module.crt

Then set the ownership and permissions of the key files with the following commands:

chown apache:apache /var/www/simplesamlphp/cert/oidc_module.*
chmod 660 /var/www/simplesamlphp/cert/oidc_module.*

2.2.6 Enable the module

vim /var/www/simplesamlphp/config/config.php

Add the following setting:

    'module.enable' => [
        #...
        'oidc' => true
    ],

2.2.7 Run the script to create the database tables

cd /var/www/simplesamlphp
sudo -u apache /usr/bin/php modules/oidc/bin/install.php

If you see the following errors:

Deprecated: Using ${var} in strings is deprecated, use {$var} instead in /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php on line 221
Deprecated: Using ${var} in strings is deprecated, use {$var} instead in /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php on line 231
Deprecated: Using ${var} in strings is deprecated, use {$var} instead in /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php on line 241
Deprecated: Using ${var} in strings is deprecated, use {$var} instead in /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php on line 251
Deprecated: Using ${var} in strings is deprecated, use {$var} instead in /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php on line 264
Deprecated: Using ${var} in strings is deprecated, use {$var} instead in /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php on line 271
Deprecated: Using ${var} in strings is deprecated, use {$var} instead in /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php on line 284
Deprecated: Using ${var} in strings is deprecated, use {$var} instead in /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php on line 319
Deprecated: Using ${var} in strings is deprecated, use {$var} instead in /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php on line 332

They can be resolved with the following commands (a backup of the file is kept first):

cp /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php.save
sed -i 's~${~{$~g' /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php

If you encounter the following error:

SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Backtrace:
2 src/SimpleSAML/Error/ExceptionHandler.php:35 (SimpleSAML\Error\ExceptionHandler::customExceptionHandler)
1 vendor/symfony/error-handler/ErrorHandler.php:541 (Symfony\Component\ErrorHandler\ErrorHandler::handleException)
0 [builtin] (N/A)
Caused by: Symfony\Component\ErrorHandler\Error\ClassNotFoundError: Attempted to load class "AttributeRouteControllerLoader" from namespace "Symfony\Bundle\FrameworkBundle\Routing".
Did you forget a "use" statement for another namespace?
Backtrace:
10 /var/cache/simplesamlphp/oidc/ContainerXFxMGQo/SimpleSAML_KernelProdContainer.php:176 (ContainerXFxMGQo\SimpleSAML_KernelProdContainer::getRouting_LoaderService)
9 /var/cache/simplesamlphp/oidc/ContainerXFxMGQo/SimpleSAML_KernelProdContainer.php:159 (ContainerXFxMGQo\SimpleSAML_KernelProdContainer::getRouterService)
8 /var/cache/simplesamlphp/oidc/ContainerXFxMGQo/SimpleSAML_KernelProdContainer.php:251 (ContainerXFxMGQo\SimpleSAML_KernelProdContainer::getRouterListenerService)
7 /var/cache/simplesamlphp/oidc/ContainerXFxMGQo/getHttpKernelService.php:22 (ContainerXFxMGQo\getHttpKernelService::do)
6 /var/cache/simplesamlphp/oidc/ContainerXFxMGQo/SimpleSAML_KernelProdContainer.php:101 (ContainerXFxMGQo\SimpleSAML_KernelProdContainer::load)
5 vendor/symfony/dependency-injection/Container.php:215 (Symfony\Component\DependencyInjection\Container::make)
4 vendor/symfony/dependency-injection/Container.php:197 (Symfony\Component\DependencyInjection\Container::get)
3 vendor/symfony/http-kernel/Kernel.php:213 (Symfony\Component\HttpKernel\Kernel::getHttpKernel)
2 vendor/symfony/http-kernel/Kernel.php:202 (Symfony\Component\HttpKernel\Kernel::handle)
1 src/SimpleSAML/Module.php:234 (SimpleSAML\Module::process)
0 public/module.php:17 (N/A)

Resolve it by clearing the module's container cache with the following command:

rm -rf /var/cache/simplesamlphp/oidc/*

If you encounter the following errors:

Deprecated: Method ReflectionParameter::getClass() is deprecated in /var/www/simplesamlphp/modules/oidc/src/Services/RoutingService.php on line 147
Deprecated: Method ReflectionParameter::getClass() is deprecated in /var/www/simplesamlphp/modules/oidc/src/Services/RoutingService.php on line 147
Deprecated: Method ReflectionParameter::getClass() is deprecated in /var/www/simplesamlphp/modules/oidc/src/Services/RoutingService.php on line 147

They can be resolved by editing the following file:

vim /var/www/simplesamlphp/modules/oidc/src/Services/RoutingService.php

Change the code as follows:

        if (null !== $constructor) {
            foreach ($constructor->getParameters() as $parameter) {
                //$reflectionClass = $parameter->getClass();
                $reflectionClass = $parameter->getType();
                #...
            }
        }

If you see the following error:

SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Backtrace:
1 src/SimpleSAML/Error/ExceptionHandler.php:32 (SimpleSAML\Error\ExceptionHandler::customExceptionHandler)
0 [builtin] (N/A)
Caused by: RuntimeException: Unable to create the "cache" directory (/var/cache/simplesamlphp/oidc).
Backtrace:
5 vendor/symfony/http-kernel/Kernel.php:594 (Symfony\Component\HttpKernel\Kernel::buildContainer)
4 vendor/symfony/http-kernel/Kernel.php:505 (Symfony\Component\HttpKernel\Kernel::initializeContainer)
3 vendor/symfony/http-kernel/Kernel.php:759 (Symfony\Component\HttpKernel\Kernel::preBoot)
2 vendor/symfony/http-kernel/Kernel.php:185 (Symfony\Component\HttpKernel\Kernel::handle)
1 src/SimpleSAML/Module.php:234 (SimpleSAML\Module::process)
0 public/module.php:17 (N/A)

Resolve it by creating the cache directory with the following commands:

mkdir -p /var/cache/simplesamlphp/oidc
chown apache:apache /var/cache/simplesamlphp/oidc
chmod 775 /var/cache/simplesamlphp/oidc

2.3 Configure OIDC discovery

2.3.1 Retrieve the endpoint information

curl https://auth.cmdschool.org/simplesaml/module.php/oidc/openid-configuration.php | jq

The output is the provider's discovery document:

{
  "issuer": "https://auth.cmdschool.org",
  "authorization_endpoint": "https://auth.cmdschool.org/simplesaml/module.php/oidc/authorize.php",
  "token_endpoint": "https://auth.cmdschool.org/simplesaml/module.php/oidc/token.php",
  "userinfo_endpoint": "https://auth.cmdschool.org/simplesaml/module.php/oidc/userinfo.php",
  "end_session_endpoint": "https://auth.cmdschool.org/simplesaml/module.php/oidc/logout.php",
  "jwks_uri": "https://auth.cmdschool.org/simplesaml/module.php/oidc/jwks.php",
  "scopes_supported": [
    "openid",
    "offline_access",
    "profile",
    "email",
    "address",
    "phone"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "id_token token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "request_parameter_supported": false,
  "grant_types_supported": [
    "authorization_code",
    "refresh_token"
  ],
  "claims_parameter_supported": true,
  "backchannel_logout_supported": true,
  "backchannel_logout_session_supported": true
}

– The “Issuer” attribute declares the identifier of the identity provider; in the example it is “https://auth.cmdschool.org”
– The “Authorization Endpoint” attribute declares the endpoint used for OIDC authorization; in the example it is “https://auth.cmdschool.org/simplesaml/module.php/oidc/authorize.php”
– The “Token Endpoint” attribute declares the endpoint for obtaining access tokens; in the example it is “https://auth.cmdschool.org/simplesaml/module.php/oidc/token.php”
– The “UserInfo Endpoint” attribute declares the endpoint for obtaining user information; in the example it is “https://auth.cmdschool.org/simplesaml/module.php/oidc/userinfo.php”
– The “JWKS URI” attribute declares the endpoint for obtaining the JSON Web Key Set (JWKS); the JWKS contains the public keys used to verify ID token signatures; in the example it is “https://auth.cmdschool.org/simplesaml/module.php/oidc/jwks.php”
– The “Supported Scopes” attribute declares that the provider supports the scopes “openid”, “offline_access”, “profile”, “email”, “address” and “phone”
– The “Supported Response Types” attribute declares that the provider supports the response types “code”, “token”, “id_token” and “id_token token”
– The “Supported Subject Types” attribute declares that the provider supports the public subject type
– The “Supported ID Token Signing Algorithms” attribute declares that the provider supports the RS256 signing algorithm
– The “Supported Code Challenge Methods” attribute declares that the provider supports the “plain” and “S256” code challenge methods
– The “Supported Token Endpoint Auth Methods” attribute declares that the provider supports the “client_secret_post” and “client_secret_basic” client authentication methods
– The “Supported Grant Types” attribute declares that the provider supports the “authorization_code” and “refresh_token” grant types
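As an added example (not from the original post or from simplesamlphp-module-oidc), the checks a relying party should run on a discovery document like the one above before trusting the provider: required fields present, issuer matching the expected value, every endpoint served over https on the issuer's host, no unsigned ID tokens, and a note when implicit response types are advertised alongside “code”. The JSON is constructed from the sample output above; in practice it would be fetched from the issuer.

```python
# Added example (not from the original post or simplesamlphp-module-oidc): checks a
# relying party should run on a provider's openid-configuration document. The sample
# JSON is constructed from the discovery output shown above.
import json
from urllib.parse import urlsplit

SAMPLE_DISCOVERY = """{
 "issuer": "https://auth.cmdschool.org",
 "authorization_endpoint": "https://auth.cmdschool.org/simplesaml/module.php/oidc/authorize.php",
 "token_endpoint": "https://auth.cmdschool.org/simplesaml/module.php/oidc/token.php",
 "userinfo_endpoint": "https://auth.cmdschool.org/simplesaml/module.php/oidc/userinfo.php",
 "jwks_uri": "https://auth.cmdschool.org/simplesaml/module.php/oidc/jwks.php",
 "response_types_supported": ["code", "token", "id_token", "id_token token"],
 "subject_types_supported": ["public"],
 "id_token_signing_alg_values_supported": ["RS256"]
}"""

# REQUIRED fields per OpenID Connect Discovery 1.0, and the URLs to sanity-check.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


def load_sample() -> dict:
    return json.loads(SAMPLE_DISCOVERY)


def check_discovery(doc: dict, expected_issuer: str) -> list:
    """Return a list of findings; an empty list means no concerns."""
    findings = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    issuer = doc.get("issuer", "")
    if issuer != expected_issuer:  # the same value is later matched against the iss claim
        findings.append(f"issuer mismatch: expected {expected_issuer}, got {issuer!r}")
    host = urlsplit(issuer).netloc
    for key in ENDPOINTS:
        url = doc.get(key)
        if url is None:
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{key} not https: {url}")
        if parts.netloc != host:  # a tampered document could point key/token lookups elsewhere
            findings.append(f"{key} host {parts.netloc} differs from issuer host {host}")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("provider offers unsigned ID tokens (alg none)")
    implicit = [t for t in doc.get("response_types_supported", []) if t != "code"]
    if implicit:  # section 1.2.2: implicit flows expose tokens to the front end
        findings.append(f"implicit response types advertised: {implicit}")
    return findings
```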

2.3.2 Configure OIDC automatic discovery

vim /etc/nginx/conf.d/auth.cmdschool.org_443.conf

Add the following configuration, which serves the standard /.well-known/openid-configuration path from the module's discovery script:

server {
    listen 0.0.0.0:443 ssl;
    server_name auth.cmdschool.org;
    #...
    location = /.well-known/openid-configuration {
        rewrite ^(.*)$ /simplesaml/module.php/oidc/openid-configuration.php break;
        proxy_pass https://auth.cmdschool.org;
    }
}

After modifying the configuration, test it and reload the service for the change to take effect:

nginx -t
systemctl reload nginx

References
================

Official GitHub
----------------
https://github.com/simplesamlphp/simplesamlphp-module-oidc

Downloads
----------------
https://github.com/simplesamlphp/simplesamlphp-module-oidc/releases

Error handling
----------------
https://github.com/simplesamlphp/simplesamlphp-module-oidc/commit/91c431cde2233008f8ccdc96ff0845c3749e199b
