Changes in keycloak's Server Metadata
Introduction
I am Takashi Norimatsu of Hitachi, Ltd. Continuing from 2019, I describe the changes in keycloak's Server Metadata.
Notes: The content of this post is my own interpretation based on public information.
Server Metadata
The claims listed as Server Metadata are of two kinds: those defined in standard specifications such as RFCs, and those specific to the product.
Those defined in standard specifications can be broadly divided into two groups.
- Server Metadata for an OAuth 2.0 authorization server
- Server Metadata for an OpenID Connect OpenID Provider
keycloak's Server Metadata is obtained from the .well-known URL (.well-known/openid-configuration).
Server Metadata lists, among other things, the features the product supports, but be aware that it is not an exhaustive description of what the product can do.
9.0.0
Released on 2020/2/17.
```json
{
"issuer":"http://localhost:8080/auth/realms/master",
"authorization_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/auth",
"token_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token",
"token_introspection_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token/introspect",
"userinfo_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/userinfo",
"end_session_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/logout",
"jwks_uri":"http://localhost:8080/auth/realms/master/protocol/openid-connect/certs",
"check_session_iframe":"http://localhost:8080/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
"grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],
"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],
"subject_types_supported":["public","pairwise"],
"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],
"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA1_5"],
"id_token_encryption_enc_values_supported":["A128GCM","A128CBC-HS256"],
"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],
"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],
"response_modes_supported":["query","fragment","form_post"],
"registration_endpoint":"http://localhost:8080/auth/realms/master/clients-registrations/openid-connect",
"token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],
"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],
"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],
"claim_types_supported":["normal"],
"claims_parameter_supported":false,
"scopes_supported":["openid","address","email","microprofile-jwt","offline_access","phone","profile","roles","web-origins"],
"request_parameter_supported":true,
"request_uri_parameter_supported":true,
"code_challenge_methods_supported":["plain","S256"],
"tls_client_certificate_bound_access_tokens":true,
"introspection_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token/introspect"
}
```
Unchanged from 8.0.0, there are 29 claims.
Values were added in the following two claims.
# | Claim name | Source | Description |
---|---|---|---|
1 | "request_object_signing_alg_values_supported" | Reference [3] | The list of JWS signing algorithms for request objects that keycloak supports. The HMAC-based algorithms "HS256", "HS384" and "HS512" are newly supported. |
2 | "token_endpoint_auth_signing_alg_values_supported" | Reference [2] | Among the client authentication methods supported by the keycloak token endpoint, "private_key_jwt" and "client_secret_jwt" use a JWS signature on a JWT; this is the list of signing algorithms the authorization server supports for them. For the "client_secret_jwt" method, the HMAC-based algorithms "HS256", "HS384" and "HS512" are newly supported. |
In brief, the changes from 8.0.0 are as follows.
- [OIDC] "HS256", "HS384" and "HS512" are newly supported as signing algorithms for the signature applied to request objects.
- [OAuth 2.0] Among the client authentication methods supported by the keycloak token endpoint, "HS256", "HS384" and "HS512" are newly supported for "client_secret_jwt", the method that uses a JWS signature on a JWT.
10.0.0
Released on 2020/4/29.
```json
{
"issuer":"http://localhost:8080/auth/realms/master",
"authorization_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/auth",
"token_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token",
"token_introspection_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token/introspect",
"userinfo_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/userinfo",
"end_session_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/logout",
"jwks_uri":"http://localhost:8080/auth/realms/master/protocol/openid-connect/certs",
"check_session_iframe":"http://localhost:8080/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
"grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],
"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],
"subject_types_supported":["public","pairwise"],
"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],
"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA1_5"],
"id_token_encryption_enc_values_supported":["A128GCM","A128CBC-HS256"],
"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],
"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],
"response_modes_supported":["query","fragment","form_post"],
"registration_endpoint":"http://localhost:8080/auth/realms/master/clients-registrations/openid-connect",
"token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],
"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],
"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],
"claim_types_supported":["normal"],
"claims_parameter_supported":false,
"scopes_supported":["openid","address","email","microprofile-jwt","offline_access","phone","profile","roles","web-origins"],
"request_parameter_supported":true,
"request_uri_parameter_supported":true,
"code_challenge_methods_supported":["plain","S256"],
"tls_client_certificate_bound_access_tokens":true,
"introspection_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token/introspect"
}
```
No changes from 9.0.0.
11.0.0
Released on 2020/7/22.
```json
{
"issuer":"http://localhost:8080/auth/realms/master",
"authorization_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/auth",
"token_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token",
"introspection_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/token/introspect",
"userinfo_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/userinfo",
"end_session_endpoint":"http://localhost:8080/auth/realms/master/protocol/openid-connect/logout",
"jwks_uri":"http://localhost:8080/auth/realms/master/protocol/openid-connect/certs",
"check_session_iframe":"http://localhost:8080/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
"grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],
"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],
"subject_types_supported":["public","pairwise"],
"id_token_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],
"id_token_encryption_alg_values_supported":["RSA-OAEP","RSA1_5"],
"id_token_encryption_enc_values_supported":["A256GCM","A192GCM","A128GCM","A128CBC-HS256","A192CBC-HS384","A256CBC-HS512"],
"userinfo_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],
"request_object_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512","none"],
"response_modes_supported":["query","fragment","form_post"],
"registration_endpoint":"http://localhost:8080/auth/realms/master/clients-registrations/openid-connect",
"token_endpoint_auth_methods_supported":["private_key_jwt","client_secret_basic","client_secret_post","tls_client_auth","client_secret_jwt"],
"token_endpoint_auth_signing_alg_values_supported":["PS384","ES384","RS384","HS256","HS512","ES256","RS256","HS384","ES512","PS256","PS512","RS512"],
"claims_supported":["aud","sub","iss","auth_time","name","given_name","family_name","preferred_username","email","acr"],
"claim_types_supported":["normal"],
"claims_parameter_supported":false,
"scopes_supported":["openid","address","email","microprofile-jwt","offline_access","phone","profile","roles","web-origins"],
"request_parameter_supported":true,
"request_uri_parameter_supported":true,
"code_challenge_methods_supported":["plain","S256"],
"tls_client_certificate_bound_access_tokens":true
}
```
One claim fewer than 10.0.0, for a total of 28 claims.
The removed claim is token_introspection_endpoint. It had been present since early on to represent the token introspection endpoint, but it did not follow the standard specification. In the standard, the correct claim name is "introspection_endpoint" (reference [2]). That claim was already supported as well, so the non-standard former claim appears to have been removed because having both was confusing.
Values were added in the following one claim.
# | Claim name | Source | Description |
---|---|---|---|
1 | "id_token_encryption_enc_values_supported" | Reference [3] | The list of JWE content-encryption algorithms for ID tokens that keycloak supports. In addition to the previous "A128GCM" and "A128CBC-HS256", "A192GCM", "A256GCM", "A192CBC-HS384" and "A256CBC-HS512" are newly supported. |
In brief, the changes from 10.0.0 are as follows.
- [OIDC] "A192GCM", "A256GCM", "A192CBC-HS384" and "A256CBC-HS512" are newly supported as JWE encryption algorithms for ID tokens.
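The comparison done by hand in the 9.0.0 and 11.0.0 sections above can be automated, and the same tooling catches the kind of non-standard claim name (token_introspection_endpoint) that 11.0.0 removed. The following Python script is an added example for this post, not keycloak's own code: it builds the .well-known URL, checks that the "issuer" claim matches the issuer used for discovery (both RFC 8414 and OpenID Connect Discovery require this, and a mismatch means the document should be rejected), lists claim names that none of the referenced specs register, and diffs two metadata documents claim by claim. The two documents embedded in it are constructed excerpts of the 10.0.0 and 11.0.0 metadata shown on this page; the STANDARD_CLAIMS set was assembled for this example from RFC 8414, OpenID Connect Discovery 1.0 section 3, OIDC Session Management 1.0, OIDC RP-Initiated Logout 1.0 and RFC 8705, which define the remaining names that appear in keycloak's document.

```python
"""Compare keycloak server-metadata documents and flag claim names the specs do not register.

Added example for this post, not keycloak's own code. The two documents below are
excerpts constructed from the 10.0.0 and 11.0.0 metadata shown on the page.
"""
import json

# Registered metadata names, assembled by hand for this example from RFC 8414,
# OpenID Connect Discovery 1.0 section 3, OIDC Session Management 1.0,
# OIDC RP-Initiated Logout 1.0 and RFC 8705.
STANDARD_CLAIMS = frozenset({
    # RFC 8414
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "registration_endpoint", "scopes_supported", "response_types_supported",
    "response_modes_supported", "grant_types_supported",
    "token_endpoint_auth_methods_supported",
    "token_endpoint_auth_signing_alg_values_supported", "service_documentation",
    "ui_locales_supported", "op_policy_uri", "op_tos_uri", "revocation_endpoint",
    "revocation_endpoint_auth_methods_supported",
    "revocation_endpoint_auth_signing_alg_values_supported", "introspection_endpoint",
    "introspection_endpoint_auth_methods_supported",
    "introspection_endpoint_auth_signing_alg_values_supported",
    "code_challenge_methods_supported",
    # OpenID Connect Discovery 1.0
    "userinfo_endpoint", "acr_values_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported", "id_token_encryption_alg_values_supported",
    "id_token_encryption_enc_values_supported", "userinfo_signing_alg_values_supported",
    "userinfo_encryption_alg_values_supported", "userinfo_encryption_enc_values_supported",
    "request_object_signing_alg_values_supported",
    "request_object_encryption_alg_values_supported",
    "request_object_encryption_enc_values_supported", "display_values_supported",
    "claim_types_supported", "claims_supported", "claims_locales_supported",
    "claims_parameter_supported", "request_parameter_supported",
    "request_uri_parameter_supported", "require_request_uri_registration",
    # Session Management, RP-Initiated Logout, RFC 8705
    "check_session_iframe", "end_session_endpoint",
    "tls_client_certificate_bound_access_tokens",
})


def discovery_url(issuer):
    """The .well-known URL from which the post says the metadata is obtained."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_issuer(metadata, issuer):
    """True only if the document's 'issuer' equals the issuer used for discovery."""
    return metadata.get("issuer") == issuer


def nonstandard_claims(metadata):
    """Claim names present in the document but registered by none of the specs above."""
    return sorted(set(metadata) - STANDARD_CLAIMS)


def diff_metadata(old, new):
    """Claims removed, claims added, and per-claim value changes (set-wise for lists)."""
    changed = {}
    for name in set(old) & set(new):
        if old[name] == new[name]:
            continue
        if isinstance(old[name], list) and isinstance(new[name], list):
            changed[name] = {"added": sorted(set(new[name]) - set(old[name])),
                             "removed": sorted(set(old[name]) - set(new[name]))}
        else:
            changed[name] = {"old": old[name], "new": new[name]}
    return {"removed_claims": sorted(set(old) - set(new)),
            "added_claims": sorted(set(new) - set(old)),
            "changed": changed}


ISSUER = "http://localhost:8080/auth/realms/master"
INTROSPECT = ISSUER + "/protocol/openid-connect/token/introspect"

# Constructed excerpts of the 10.0.0 and 11.0.0 documents shown on the page.
METADATA_10_0_0 = {
    "issuer": ISSUER,
    "token_introspection_endpoint": INTROSPECT,
    "introspection_endpoint": INTROSPECT,
    "id_token_encryption_alg_values_supported": ["RSA-OAEP", "RSA1_5"],
    "id_token_encryption_enc_values_supported": ["A128GCM", "A128CBC-HS256"],
    "code_challenge_methods_supported": ["plain", "S256"],
}
METADATA_11_0_0 = {
    "issuer": ISSUER,
    "introspection_endpoint": INTROSPECT,
    "id_token_encryption_alg_values_supported": ["RSA-OAEP", "RSA1_5"],
    "id_token_encryption_enc_values_supported": ["A256GCM", "A192GCM", "A128GCM",
                                                 "A128CBC-HS256", "A192CBC-HS384",
                                                 "A256CBC-HS512"],
    "code_challenge_methods_supported": ["plain", "S256"],
}

if __name__ == "__main__":
    print("discovery URL:", discovery_url(ISSUER))
    print("issuer check:", check_issuer(METADATA_11_0_0, ISSUER))
    print("non-standard claims in 10.0.0:", nonstandard_claims(METADATA_10_0_0))
    print(json.dumps(diff_metadata(METADATA_10_0_0, METADATA_11_0_0), indent=1))
```

Run against the full documents fetched from two realms, the diff reports exactly what this post tabulates by hand: the one removed claim between 10.0.0 and 11.0.0 and the four values added to "id_token_encryption_enc_values_supported". List-valued claims are compared as sets, so keycloak's unordered algorithm lists do not produce spurious differences.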
References
[1] OAuth Parameters
A list of the OAuth 2.0 parameters registered in the IANA registry.
[2] OAuth 2.0 Authorization Server Metadata
The definition of the metadata of an OAuth 2.0 authorization server.
[3] OpenID Connect Discovery 1.0 - 3. OpenID Provider Metadata
The definition of the metadata of an OpenID Provider.