dongqian5639 2018-06-09 00:17
43 views

OpenConnect with Apigility answered with a JWT

How do I implement OpenConnect with Apigility so that it answers with a JWT-type response?

The problem is that it is pretty simple to add just OAuth2 by following Apigility's documentation (or this one, which is really great), but when it comes to getting a JWT like the example below, documentation is not that easy to find.

{
  "id": "394a71988caa6cc30601e43f5b6569d52cd7f6df",
  "jti": "394a71988caa6cc30601e43f5b6569d52cd7f6df",
  "iss": "issuer_id",
  "aud": "client_id",
  "sub": "user_id",
  "exp": 1483711650,
  "iat": 1483708050,
  "token_type": "bearer",
  "scope": "onescope twoscope"
}

So, this is more of a Q&A, since I haven't found it anywhere and it took me almost 2 weeks to gather all the info myself; I thought it would be useful to someone else.

Note that a JWT comes in 3 parts:

HEADER.PAYLOAD.SIGNATURE

The first 2 come in Base64, which you can just use; the last one is a key generated for validation (see this for more details).

The solution is below.


1 answer

  • duanbiaojin8860 2018-06-09 00:17

    If you want to add OpenConnect to the OAuth2 support built into Apigility so that you get a JWT as the answer, this is what you should do:

    First, add these lines to /config/autoload/global.php

        'zf-oauth2' => [
            'allow_implicit'  => true,
            'access_lifetime' => 28800,
            'enforce_state'   => true,
            'options' => [
                // issue JWT access tokens instead of opaque token strings
                'use_jwt_access_tokens'             => true,
                // keep the full JWT string in oauth_access_tokens (the column must be wide enough, see below)
                'store_encrypted_token_string'      => true,
                // enable OpenID Connect on top of OAuth2
                'use_openid_connect'                => true,
                // value of the "iss" claim in the issued tokens
                'issuer'                            => 'issueroftoken.com',
                'id_lifetime'                       => 28800,
                'www_realm'                         => 'Service',
                'token_param_name'                  => 'access_token',
                'token_bearer_header_name'          => 'Bearer',
                'require_exact_redirect_uri'        => true,
                'allow_credentials_in_request_body' => true,
                'allow_public_clients'              => true,
                'always_issue_new_refresh_token'    => true,
                'unset_refresh_token_after_use'     => true,
            ],
        ],
    

    The lines that matter there are use_jwt_access_tokens and use_openid_connect, which must be set to true, and issuer, which must be filled in (I added my website's address). The rest can be removed if you don't want to change their defaults.

    Then you need to create this table (found this info here):

    CREATE TABLE oauth_public_keys (
      client_id            VARCHAR(80),
      public_key           VARCHAR(2000),
      private_key          VARCHAR(2000),
      encryption_algorithm VARCHAR(100) DEFAULT 'RS256'
    )
    

    This table will be used to store one key pair for each client, which you should generate by running these commands (found this one here):

    # private key
    $ openssl genrsa -out privkey.pem 2048
    
    # public key
    $ openssl rsa -in privkey.pem -pubout -out pubkey.pem
    

    Then take the contents of those files and fill in public_key and private_key along with the client_id.

    My access tokens were being generated in oauth_access_tokens because I am using the implicit grant type (no client_secret in oauth_clients and the allow_implicit flag in global.php), so I needed to enlarge the access_token field; you may need to check how many chars the field(s) you're using have:

    ALTER TABLE `oauth_access_tokens` CHANGE `access_token` `access_token` VARCHAR(2000) NOT NULL;
    

    That should be it! You should now be getting a JWT as the answer from Apigility!

    Hope this helps.
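
Added example, not from the question, the answer, or the Apigility/oauth2-server-php code: a POSIX shell script that takes the key pair produced by the answer's two openssl commands, mints an RS256 JWT carrying the question's sample claims, and verifies it. It makes concrete what the HEADER.PAYLOAD.SIGNATURE parts described in the question contain and what a resource server must check before trusting the payload. The function names and the temporary work directory are mine; the claim values are copied from the question's sample token and the key file names from the answer.

```shell
#!/bin/sh
# Added example, not part of the original question or answer. It uses the
# key pair produced by the answer's two openssl commands to mint and verify
# an RS256 JWT by hand, so the three dot-separated parts and the checks a
# consumer must perform are visible. Assumptions: openssl, tr, sed and
# mktemp are on PATH; all claim values are demo data copied from the question.
set -e

b64url() {
  # base64url (RFC 7515): standard base64 with '+' -> '-', '/' -> '_', no '=' padding
  openssl base64 -A | tr '/+' '_-' | tr -d '='
}

b64url_decode() {
  # reverse of b64url: restore the standard alphabet and the padding, then decode
  s=$(tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | openssl base64 -d -A
}

gen_keys() {
  # $1 = directory; the same two commands the answer runs
  openssl genrsa -out "$1/privkey.pem" 2048 2>/dev/null
  openssl rsa -in "$1/privkey.pem" -pubout -out "$1/pubkey.pem" 2>/dev/null
}

jwt_sign() {
  # $1 = private key file, $2 = payload JSON; prints header.payload.signature
  header='{"typ":"JWT","alg":"RS256"}'
  signing_input="$(printf '%s' "$header" | b64url).$(printf '%s' "$2" | b64url)"
  # RS256 = RSASSA-PKCS1-v1_5 over SHA-256 of the ASCII signing input
  sig=$(printf '%s' "$signing_input" | openssl dgst -sha256 -sign "$1" | b64url)
  printf '%s.%s' "$signing_input" "$sig"
}

jwt_verify() {
  # $1 = public key file, $2 = compact JWT; exit 0 only if the signature is valid
  signing_input=${2%.*}
  sigfile=$(mktemp)
  printf '%s' "${2##*.}" | b64url_decode > "$sigfile"
  if printf '%s' "$signing_input" |
     openssl dgst -sha256 -verify "$1" -signature "$sigfile" >/dev/null 2>&1; then
    rm -f "$sigfile"; return 0
  fi
  rm -f "$sigfile"; return 1
}

jwt_payload() {
  # $1 = compact JWT; prints the decoded (but NOT verified) payload JSON
  p=${1#*.}; p=${p%%.*}
  printf '%s' "$p" | b64url_decode
}

jwt_claim() {
  # $1 = compact JWT, $2 = claim name; naive extraction for flat JSON payloads
  jwt_payload "$1" | sed -n 's/.*"'"$2"'":"\{0,1\}\([^",}]*\)"\{0,1\}.*/\1/p'
}

jwt_is_expired() {
  # $1 = compact JWT, $2 = "now" as a Unix timestamp; exit 0 if exp <= now
  exp=$(jwt_claim "$1" exp)
  [ -n "$exp" ] && [ "$2" -ge "$exp" ]
}

# Demo: mint, inspect, verify, then show that a modified payload fails verification.
WORK=$(mktemp -d)
gen_keys "$WORK"
TOKEN=$(jwt_sign "$WORK/privkey.pem" \
  '{"iss":"issueroftoken.com","aud":"client_id","sub":"user_id","exp":1483711650,"iat":1483708050,"scope":"onescope twoscope"}')
echo "token:   $TOKEN"
echo "payload: $(jwt_payload "$TOKEN")"
if jwt_verify "$WORK/pubkey.pem" "$TOKEN"; then echo "signature: OK"; fi
# same header and signature, different payload: must be rejected
FORGED="${TOKEN%%.*}.$(printf '%s' '{"sub":"admin"}' | b64url).${TOKEN##*.}"
if jwt_verify "$WORK/pubkey.pem" "$FORGED"; then echo "forged: ACCEPTED (bug)"; else echo "forged: rejected"; fi
rm -rf "$WORK"
```

Two things the script makes concrete: the header and payload are only base64url-encoded, so anyone holding the token can read them, and the signature is the only thing binding the claims to the issuer. A consumer that decodes the payload without doing the equivalent of jwt_verify against the public_key stored for that client_id, and without checking exp, aud and iss, will accept the forged token the demo builds. Since the private half of the key pair also lives in oauth_public_keys, read access to that table is enough to mint tokens for that client, so guard it like you would client secrets.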

