1 Basics
1.1 Introduction to simplesamlphp-module-oidc
– simplesamlphp-module-oidc is a module that adds OpenID Connect protocol support to SimpleSAMLphp
– simplesamlphp-module-oidc must be installed via Composer
– simplesamlphp-module-oidc is based on the PHP League OAuth2 implementation
1.2 simplesamlphp-module-oidc features
1.2.1 Authorization code flow
– The authorization code flow corresponds to the English term “Authorization Code flow”
– The authorization code flow is the most commonly used OAuth 2.0 flow
– The authorization code flow is suited to applications that can securely store a client secret (for example, server-side web applications)
– In the authorization code flow the user is redirected to the authorization server's authorization page; if the user consents, the user is redirected back to the application with an authorization code, which the application exchanges for an access token
In addition, the authorization code flow of simplesamlphp-module-oidc supports PKCE:
– PKCE is the abbreviation of “Proof Key for Code Exchange”
– PKCE is an extension of the OAuth 2.0 authorization code flow that improves client security
1.2.2 Implicit flow
– The implicit flow corresponds to the English term “Implicit flow”
– The implicit flow does not involve an authorization code; instead the access token is returned directly in the redirect URI
– The implicit flow is suited to clients that cannot securely store a client secret, such as single-page applications (SPA)
– Because the access token is exposed to the front end, the implicit flow carries a higher security risk
1.2.3 Plain OAuth2 implicit flow
– The plain OAuth2 implicit flow corresponds to the English term “Plain OAuth2 Implicit Flow”
– The plain OAuth2 implicit flow is a variant of the implicit flow without additional security measures
– The plain OAuth2 implicit flow is generally not recommended because it is susceptible to cross-site scripting (XSS)
1.2.4 Refresh token flow
– The refresh token flow corresponds to the English term “Refresh Token Flow”
– In the refresh token flow, when the access token expires, the refresh token can be used to obtain a new access token without the user authorizing again
– In the refresh token flow, refresh tokens usually have a longer lifetime and should be stored securely
1.3 simplesamlphp-module-oidc installation requirements
OIDC module | Tested SimpleSAMLphp | PHP   | Note
----------- | -------------------- | ----- | ---------------------------
v5.*        | v2.1.*               | >=8.1 | Recommended
v4.*        | v2.0.*               | >=8.0 |
v3.*        | v2.0.*               | >=7.4 | Abandoned from August 2023.
v2.*        | v1.19.*              | >=7.4 |
2 Best practices
2.1 Pre-installation preparation
2.1.1 Prepare the SimpleSAMLphp environment
2.1.2 Download the package
cd ~
wget -O simplesamlphp-module-oidc-5.1.0.tar.gz https://github.com/simplesamlphp/simplesamlphp-module-oidc/archive/refs/tags/v5.1.0.tar.gz
The above is only a command-line demonstration; if you need another version or cannot download it this way, use a browser to download it from the following link:
https://github.com/simplesamlphp/simplesamlphp-module-oidc/releases
2.1.3 Extract the package
cd ~
tar -xf simplesamlphp-module-oidc-5.1.0.tar.gz
2.2 Install and configure the package
2.2.1 Deploy the package
cd ~
mv simplesamlphp-module-oidc-5.1.0 /var/www/simplesamlphp/modules/oidc
chown apache:apache -R /var/www/simplesamlphp/modules/oidc
chmod 775 -R /var/www/simplesamlphp/modules/oidc
2.2.2 Install the module with Composer
cd /var/www/simplesamlphp
sudo -u apache /usr/local/bin/composer require simplesamlphp/simplesamlphp-module-oidc
2.2.3 Deploy the configuration file
cp -a /var/www/simplesamlphp/modules/oidc/config-templates/module_oidc.php /var/www/simplesamlphp/config/
2.2.4 Configure the database
mysql -uroot -p
Create the database:
CREATE DATABASE `simplesamlphp`;
Create the user and grant privileges:
CREATE USER 'simplesamlphp'@'localhost' IDENTIFIED BY 'simplesamlphppwd';
GRANT ALL PRIVILEGES ON `simplesamlphp`.* TO 'simplesamlphp'@'localhost';
CREATE USER 'simplesamlphp'@'127.0.0.1' IDENTIFIED BY 'simplesamlphppwd';
GRANT ALL PRIVILEGES ON `simplesamlphp`.* TO 'simplesamlphp'@'127.0.0.1';
Test the application's login privileges:
mysql -usimplesamlphp -psimplesamlphppwd
After the database is created, we connect to it by modifying the following configuration file:
vim /var/www/simplesamlphp/config/config.php
Add the following configuration:
'database.dsn' => 'mysql:host=127.0.0.1;dbname=simplesamlphp;charset=utf8',
'database.username' => 'simplesamlphp',
'database.password' => 'simplesamlphppwd',
2.2.5 Create the RSA key pair
cd /var/www/simplesamlphp/
openssl genrsa -out cert/oidc_module.key 3072
The above creates the private key; if the private key should be protected with a passphrase, use the following command instead (optional):
openssl genrsa -passout pass:myPassPhrase -out cert/oidc_module.key 3072
Extract the public key from the private key (the output is a PEM public key, despite the .crt extension):
openssl rsa -in cert/oidc_module.key -pubout -out cert/oidc_module.crt
If the private key passphrase is required to extract the public key, use the following command instead (optional):
openssl rsa -in cert/oidc_module.key -passin pass:myPassPhrase -pubout -out cert/oidc_module.crt
Then run the following commands to set the permissions on the key files:
chown apache:apache /var/www/simplesamlphp/cert/oidc_module.*
chmod 660 /var/www/simplesamlphp/cert/oidc_module.*
2.2.6 Enable the module
vim /var/www/simplesamlphp/config/config.php
Add the following configuration:
'module.enable' => [
    #...
    'oidc' => true,
],
2.2.7 Run the script to initialize the database
cd /var/www/simplesamlphp
sudo -u apache /usr/bin/php modules/oidc/bin/install.php
If you see the following errors:
Deprecated: Using ${var} in strings is deprecated, use {$var} instead in /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php on line 221
Deprecated: Using ${var} in strings is deprecated, use {$var} instead in /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php on line 231
Deprecated: Using ${var} in strings is deprecated, use {$var} instead in /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php on line 241
Deprecated: Using ${var} in strings is deprecated, use {$var} instead in /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php on line 251
Deprecated: Using ${var} in strings is deprecated, use {$var} instead in /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php on line 264
Deprecated: Using ${var} in strings is deprecated, use {$var} instead in /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php on line 271
Deprecated: Using ${var} in strings is deprecated, use {$var} instead in /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php on line 284
Deprecated: Using ${var} in strings is deprecated, use {$var} instead in /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php on line 319
Deprecated: Using ${var} in strings is deprecated, use {$var} instead in /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php on line 332
They can be resolved with the following commands (the first keeps a backup of the original file):
cp /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php.save
sed -i 's~${~{$~g' /var/www/simplesamlphp/modules/oidc/src/Services/DatabaseMigration.php
If you encounter the following error:
SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Backtrace:
2 src/SimpleSAML/Error/ExceptionHandler.php:35 (SimpleSAML\Error\ExceptionHandler::customExceptionHandler)
1 vendor/symfony/error-handler/ErrorHandler.php:541 (Symfony\Component\ErrorHandler\ErrorHandler::handleException)
0 [builtin] (N/A)
Caused by: Symfony\Component\ErrorHandler\Error\ClassNotFoundError: Attempted to load class "AttributeRouteControllerLoader" from namespace "Symfony\Bundle\FrameworkBundle\Routing". Did you forget a "use" statement for another namespace?
Backtrace:
10 /var/cache/simplesamlphp/oidc/ContainerXFxMGQo/SimpleSAML_KernelProdContainer.php:176 (ContainerXFxMGQo\SimpleSAML_KernelProdContainer::getRouting_LoaderService)
9 /var/cache/simplesamlphp/oidc/ContainerXFxMGQo/SimpleSAML_KernelProdContainer.php:159 (ContainerXFxMGQo\SimpleSAML_KernelProdContainer::getRouterService)
8 /var/cache/simplesamlphp/oidc/ContainerXFxMGQo/SimpleSAML_KernelProdContainer.php:251 (ContainerXFxMGQo\SimpleSAML_KernelProdContainer::getRouterListenerService)
7 /var/cache/simplesamlphp/oidc/ContainerXFxMGQo/getHttpKernelService.php:22 (ContainerXFxMGQo\getHttpKernelService::do)
6 /var/cache/simplesamlphp/oidc/ContainerXFxMGQo/SimpleSAML_KernelProdContainer.php:101 (ContainerXFxMGQo\SimpleSAML_KernelProdContainer::load)
5 vendor/symfony/dependency-injection/Container.php:215 (Symfony\Component\DependencyInjection\Container::make)
4 vendor/symfony/dependency-injection/Container.php:197 (Symfony\Component\DependencyInjection\Container::get)
3 vendor/symfony/http-kernel/Kernel.php:213 (Symfony\Component\HttpKernel\Kernel::getHttpKernel)
2 vendor/symfony/http-kernel/Kernel.php:202 (Symfony\Component\HttpKernel\Kernel::handle)
1 src/SimpleSAML/Module.php:234 (SimpleSAML\Module::process)
0 public/module.php:17 (N/A)
Resolve it by clearing the stale container cache with the following command:
rm -rf /var/cache/simplesamlphp/oidc/*
If you encounter the following errors:
Deprecated: Method ReflectionParameter::getClass() is deprecated in /var/www/simplesamlphp/modules/oidc/src/Services/RoutingService.php on line 147
Deprecated: Method ReflectionParameter::getClass() is deprecated in /var/www/simplesamlphp/modules/oidc/src/Services/RoutingService.php on line 147
Deprecated: Method ReflectionParameter::getClass() is deprecated in /var/www/simplesamlphp/modules/oidc/src/Services/RoutingService.php on line 147
They can be resolved by editing the following file:
vim /var/www/simplesamlphp/modules/oidc/src/Services/RoutingService.php
Change the code as follows (the deprecated getClass() call is replaced by getType()):
if (null !== $constructor) {
    foreach ($constructor->getParameters() as $parameter) {
        //$reflectionClass = $parameter->getClass();
        $reflectionClass = $parameter->getType();
        #...
    }
}
If you see the following error:
SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Backtrace:
1 src/SimpleSAML/Error/ExceptionHandler.php:32 (SimpleSAML\Error\ExceptionHandler::customExceptionHandler)
0 [builtin] (N/A)
Caused by: RuntimeException: Unable to create the "cache" directory (/var/cache/simplesamlphp/oidc).
Backtrace:
5 vendor/symfony/http-kernel/Kernel.php:594 (Symfony\Component\HttpKernel\Kernel::buildContainer)
4 vendor/symfony/http-kernel/Kernel.php:505 (Symfony\Component\HttpKernel\Kernel::initializeContainer)
3 vendor/symfony/http-kernel/Kernel.php:759 (Symfony\Component\HttpKernel\Kernel::preBoot)
2 vendor/symfony/http-kernel/Kernel.php:185 (Symfony\Component\HttpKernel\Kernel::handle)
1 src/SimpleSAML/Module.php:234 (SimpleSAML\Module::process)
0 public/module.php:17 (N/A)
It can be resolved with the following commands, which create the cache directory and make it writable by the web server user:
mkdir -p /var/cache/simplesamlphp/oidc
chown apache:apache /var/cache/simplesamlphp/oidc
chmod 775 /var/cache/simplesamlphp/oidc
2.3 Configure OIDC discovery
2.3.1 Get the endpoint information
curl https://auth.cmdschool.org/simplesaml/module.php/oidc/openid-configuration.php | jq
The output is similar to the following:
{
  "issuer": "https://auth.cmdschool.org",
  "authorization_endpoint": "https://auth.cmdschool.org/simplesaml/module.php/oidc/authorize.php",
  "token_endpoint": "https://auth.cmdschool.org/simplesaml/module.php/oidc/token.php",
  "userinfo_endpoint": "https://auth.cmdschool.org/simplesaml/module.php/oidc/userinfo.php",
  "end_session_endpoint": "https://auth.cmdschool.org/simplesaml/module.php/oidc/logout.php",
  "jwks_uri": "https://auth.cmdschool.org/simplesaml/module.php/oidc/jwks.php",
  "scopes_supported": ["openid", "offline_access", "profile", "email", "address", "phone"],
  "response_types_supported": ["code", "token", "id_token", "id_token token"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "code_challenge_methods_supported": ["plain", "S256"],
  "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
  "request_parameter_supported": false,
  "grant_types_supported": ["authorization_code", "refresh_token"],
  "claims_parameter_supported": true,
  "backchannel_logout_supported": true,
  "backchannel_logout_session_supported": true
}
– The “Issuer” attribute declares the identifier of the identity provider; in the example it is “https://auth.cmdschool.org”
– The “Authorization Endpoint” attribute declares the endpoint used for OIDC authorization; in the example it is “https://auth.cmdschool.org/simplesaml/module.php/oidc/authorize.php”
– The “Token Endpoint” attribute declares the endpoint for obtaining access tokens; in the example it is “https://auth.cmdschool.org/simplesaml/module.php/oidc/token.php”
– The “UserInfo Endpoint” attribute declares the endpoint for obtaining user information; in the example it is “https://auth.cmdschool.org/simplesaml/module.php/oidc/userinfo.php”
– The “JWKS URI” attribute declares the endpoint for obtaining the JSON Web Key Set (JWKS), which contains the public keys used to verify ID token signatures; in the example it is “https://auth.cmdschool.org/simplesaml/module.php/oidc/jwks.php”
– The “Supported Scopes” attribute declares that the scopes supported by this provider are “openid”, “offline_access”, “profile”, “email”, “address” and “phone”
– The “Supported Response Types” attribute declares that this provider supports the response types “code”, “token”, “id_token” and “id_token token”
– The “Supported Subject Types” attribute declares that this provider supports the public subject type
– The “Supported ID Token Signing Algorithms” attribute declares that this provider supports the RS256 signing algorithm
– The “Supported Code Challenge Methods” attribute declares that this provider supports the “plain” and “S256” code challenge methods
– The “Supported Token Endpoint Auth Methods” attribute declares that this provider supports the “client_secret_post” and “client_secret_basic” client authentication methods
– The “Supported Grant Types” attribute declares that this provider supports the “authorization_code” and “refresh_token” grant types
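The authorization code flow with PKCE from 1.2.1, driven by the discovery document from 2.3.1, as an added example in Python (not part of the original post or of the module's code): the relying-party side derives the S256 code_verifier/code_challenge pair and builds the authorization request, and verify_pkce shows the check the token endpoint performs when the code is redeemed. The discovery JSON is a constructed subset of the document above; the client_id and redirect_uri values used with it are placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode

# Constructed sample: the 2.3.1 discovery fields a relying party needs for PKCE.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://auth.cmdschool.org",
    "authorization_endpoint": "https://auth.cmdschool.org/simplesaml/module.php/oidc/authorize.php",
    "code_challenge_methods_supported": ["plain", "S256"],
})

def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_pkce_pair(verifier: str = "") -> tuple:
    """Client side: (code_verifier, code_challenge) for S256; 32 random bytes -> 43 chars."""
    verifier = verifier or b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def verify_pkce(code_verifier: str, code_challenge: str, method: str) -> bool:
    """Token endpoint side: recompute the challenge stored with the code, compare in constant time."""
    if method == "S256":
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    elif method == "plain":
        expected = code_verifier
    else:
        return False
    return hmac.compare_digest(expected, code_challenge)

def build_authorize_url(discovery: str, client_id: str, redirect_uri: str, issuer: str):
    """Build the authorization request from the discovery document: reject an unexpected
    issuer or an endpoint outside it, insist on S256, return the secrets the callback checks."""
    doc = json.loads(discovery)
    if doc["issuer"] != issuer:
        raise ValueError("issuer mismatch: %s" % doc["issuer"])
    if not doc["authorization_endpoint"].startswith(issuer + "/"):
        raise ValueError("authorization_endpoint is not under the issuer")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        raise ValueError("S256 not advertised; refusing to fall back to plain")
    verifier, challenge = make_pkce_pair()
    session = {"state": b64url(secrets.token_bytes(16)),
               "nonce": b64url(secrets.token_bytes(16)), "code_verifier": verifier}
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid profile email", "state": session["state"], "nonce": session["nonce"],
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return doc["authorization_endpoint"] + "?" + urlencode(params), session
```

The returned session dict is what the client stores server-side until the redirect comes back: state is compared with the callback's state parameter, nonce with the ID token's nonce claim, and code_verifier is sent to the token endpoint with the code.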
2.3.2 Configure OIDC auto-discovery
vim /etc/nginx/conf.d/auth.cmdschool.org_443.conf
Add the following configuration, which serves the standard discovery path by rewriting it to the module's endpoint:
server {
    listen 0.0.0.0:443 ssl;
    server_name auth.cmdschool.org;
    #...
    location = /.well-known/openid-configuration {
        rewrite ^(.*)$ /simplesaml/module.php/oidc/openid-configuration.php break;
        proxy_pass https://auth.cmdschool.org;
    }
}
After modifying the configuration, test it and reload the service for the change to take effect:
nginx -t
systemctl reload nginx
References
================
Official GitHub
——————–
https://github.com/simplesamlphp/simplesamlphp-module-oidc
Software download
——————–
https://github.com/simplesamlphp/simplesamlphp-module-oidc/releases
Error handling
————–
https://github.com/simplesamlphp/simplesamlphp-module-oidc/commit/91c431cde2233008f8ccdc96ff0845c3749e199b