OIDC
1. Create configuration file
The default data directory is
/data/hap/script/volume/sso/sso.json, with the following contents:
Note: If 404 still appears after mounting, you can copy the content to json.cn to verify whether the json format is legal
{
"mode": "common-oidc",
"name": "oidc",
"oidc": {
"oidcUrl": "",
"clientId": "",
"clientSecret": "",
"redirectUrl": "",
"responseTypes": "code",
"scope": "openid email",
"params": {
"UserId": "sub",
"Name": "name",
"Email": "email",
"Mobile": "phone_number"
},
"autoRegister": true,
"projectId": ""
}
}
Some parameters and explanations
| Parameters | Type | Required | Meaning |
|---|---|---|---|
| oidc.oidcUrl | String | Yes | Configure the oidc service discovery address; the return format can be set as follows: Configuration parameter example |
| oidc.clientId | String | Yes | Client Id distributed to the application |
| oidc.clientSecret | String | Yes | The client secret distributed to the application |
| oidc.redirectUrl | String | Yes | Callback address; set to {server}/orgsso/oidc-redirect |
| oidc.responseTypes | String | Yes | Support authorization code mode; configured as code |
| oidc.scope | String | No | Get the user information scope; it can be filled in as any combination of openid, email, profile...; for example, set to openid email; The default is openid |
| oidc.params | Object | Yes | Returns user information field mapping rules, key is a fixed field and value is configured according to actual user information; Parameter configuration method |
| oidc.params.UserId | String | Yes | User unique identifier |
| oidc.params.Name | String | No | Name, if the user already exists, it will be overwritten |
| oidc.params.Email | String | No | Email; this field must be set to search or register by email; Either email or mobile phone number must be set; if a third-party relationship has been bound, Users can be found through relationships, and the email or mobile phone does not need to be set |
| oidc.params.Mobile | String | No | Mobile phone number; this field must be set to search or register by mobile phone number; |
| oidc.params.Positions | Array | No | Position; automatically updates the user's position, there is no automatic creation |
| oidc.params.Departments | Array | No | Department; automatically update the user's department, there is no automatic creation |
| autoRegister | Boolean | No | Whether to automatically create an account when the account does not exist; the default is true |
| projectId | String | Yes | HAP organization number; Organization Management (upper right corner) > Organization Information (page) > Organization Number ID; (Multi-organization single sign-on does not require configuring this parameter,See step 3); such as 1x-2x-3x-4x-5x |
Interaction diagram
The interface to obtain access token (access_token) needs to meet the following requirements:
-Support POST method calling (request parameters are passed through URL)
- Need to obtain server authorizePath authorization first
- The return value is in JSON format and must meet the following format:
{
"access_token": "SlAV32hkKG",
"token_type": "Bearer",
"refresh_token": "8xLOxBtZp8",
"expires_in": 3600,
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ..."
}
The interface for obtaining user information needs to meet the following requirements: -Supports GET method calling (refer to userInfoUrl parameter description)
- Need to obtain server authorizePath authorization first
- The return value is in JSON format and must meet the following format:
{
"sub": "248289761001",
"name": "Jane Doe",
"email": "janedoe@example.com",
"phone_number": "123"
}
As shown in the above return value, the configuration of params is:
"params": {
"UserId": "sub",
"Name": "name",
"Email": "email",
"Mobile": "phone_number"
}
{
"issuer": "https://oidc-demo.domain.com/oidc",
"authorization_endpoint": "https://oidc-demo.domain.com/oidc/auth",
"token_endpoint": "https://oidc-demo.domain.com/oidc/token",
"claims_parameter_supported": false,
"claims_supported": [
"sub",
"username"
],
"code_challenge_methods_supported": [
"plain",
"S256"
],
"end_session_endpoint": "https://oidc-demo.domain.com/oidc/session/end",
"grant_types_supported": [
"authorization_code",
"password",
"refresh_token"
],
"response_types_supported": [
"code"
],
"scopes_supported": [
"openid",
"offline_access",
"username",
"phone",
"email",
"address",
"profile"
],
"userinfo_endpoint": "https://oidc-demo.domain.com/oidc/me",
......
}
2. Mount configuration file
Modify the
docker-compose.yamlcorresponding to the microservice application, the default path is/data/hap/script/docker-compose.yaml, add file mounting involumesand restart the microservice application.
- ./volume/sso/sso.json:/usr/local/MDPrivateDeployment/sso/OptionFile/sso.json
Enable relationship search
If you need to bind a third-party association ID, you need to create the file
extend.json. The default path is/data/hap/script/volume/sso/extend.jsonand the content is as follows
{
"relation": true
}
Add mounting files
- ./volume/sso/extend.json:/usr/local/MDPrivateDeployment/sso/extend.json
After the mounting configuration is completed, the microservice application needs to be restarted.
After the restart is successful, you can access the {server}/orgsso/checkssoconfig interface through GET to check whether the configuration file is successfully mounted.
3. Single sign-on
Single Organization Browser access:
{server}/orgsso/sso?returnUrl={returnUrl}
Multiple Organizations Browser access:
{server}/orgsso/sso?returnUrl={returnUrl}&appKey={appKey}&sign={sign}×tamp={timestamp}&projectId={projectId}
For multi-organization projectId needs to be passed through parameters, and enterprise authorization authentication parameters are also required;
For enterprise authentication and authorization signature algorithm, please refer to: https://www.showdoc.com.cn/mingdao/15539798
{server} is the HAP system address, for example, it can be replaced with: http://192.168.10.20:8880
{returnUrl} is the jump address after successful login, does not need to be filled in; for example, if you need to jump to the application page, it can be replaced with: http://192.168.10.20:8880/app/cf595091-e3ac-4669 -a320-068e55533c33/64477b37df36209b5f36f1cf/64477b4f61655012a90ed994?from=insite
If an SSO Error prompt appears during the access process, you can log in to the HAP system through the administrator account, click the avatar in the upper right corner: System Configuration > Log; search for the service name as sso, and check the specific cause of the error.