OpenID Connect, redirect without login form if not already logged in?

Views: 71

Question

In OpenID Connect, I would like my users to be automatically connected to my client if they are connected to the identity provider (given that they already authorized my client app).

Here is the workflow I want:

  • USER arrives at the CLIENT home page
  • USER is redirected to the IdP (authorization request)
    • If he is logged in at the IdP, he is redirected to the CLIENT, the OIDC workflow proceeds, and he is then logged in at the CLIENT
    • If he is not logged in at the IdP, or has not authorized the CLIENT to access his identity, the IdP login form is not shown to the USER and he is redirected to the CLIENT home page, not logged in

It would be like "Gateway" mode in CAS. I use Authorization Code Flow and I don't want to use Javascript with Implicit Flow to log in through JS dynamically.

Do you know if it is possible? I cannot find it in the spec.

Thanks :)

Recommended answer

You are considering SSO behaviour on top of the IDP. This is usually outside the OpenID Connect specification and usually bound to the specific identity provider you are using (ex: Azure, PING or WSO2). But there are some parameters to tweak this behaviour, such as prompt and login_hint, which are optional.

From the OpenID Connect authentication request section:

prompt

Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent.

Valid values are login, none, consent and select_account. You can use them to force a login or to allow account selection.

login_hint

Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary)

One good example is enabling SSO behaviour by passing login_hint to the identity provider. If the identity provider can verify identity against (for example) a corporate LDAP and detect the logged-in state, you can give a credential-free login experience. At the same time, you may use prompt=login to enforce a login, even when the identity provider holds a logged-in session.
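The following is an added example (not code from the question, the answer, or any provider's SDK) showing how a relying party can build the Authorization Code Flow request with the prompt and login_hint parameters the answer describes, and how it can interpret the callback. It assumes a hypothetical provider authorization endpoint, client id and redirect URI (placeholders). The error codes it recognises for a silent request are the ones OpenID Connect Core defines for prompt=none (login_required, interaction_required, consent_required, account_selection_required); they are not values quoted in the answer. The callback handler checks the state parameter before trusting anything else, which is what stops an attacker-supplied code or error from being accepted on the client side.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical provider endpoint and client registration (constructed placeholders).
AUTHORIZE_ENDPOINT = "https://idp.example.com/authorize"
CLIENT_ID = "client-id-placeholder"
REDIRECT_URI = "https://client.example.com/callback"

# Error codes OpenID Connect Core defines for prompt=none when the provider
# would have to show a UI (login form, consent screen, account chooser).
SILENT_AUTH_ERRORS = {
    "login_required",
    "interaction_required",
    "consent_required",
    "account_selection_required",
}


def new_state():
    """Fresh unguessable state value; store it server-side per browser session."""
    return secrets.token_urlsafe(32)


def build_auth_request(state, nonce, prompt="none", login_hint=None):
    """Build the authorization request URL for the Authorization Code Flow.

    prompt="none" asks the provider never to show a login/consent form: it either
    redirects back with a code (user already logged in and consented) or with an
    error, which is the "gateway" behaviour the question asks about.
    prompt="login" instead forces re-authentication even if a session exists.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    if prompt:
        params["prompt"] = prompt
    if login_hint:
        params["login_hint"] = login_hint
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(callback_url, expected_state):
    """Classify the provider's redirect back to the client.

    Returns a dict with 'outcome' in {'code', 'anonymous', 'error'}.
    'anonymous' means a silent request could not complete without user
    interaction, so the client should just render its home page logged out.
    """
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    # Constant-time comparison against the stored state; reject anything else
    # before looking at code or error so a forged callback gains nothing.
    if state is None or not secrets.compare_digest(
        state.encode(), expected_state.encode()
    ):
        raise ValueError("state mismatch: discard this callback")

    if "error" in query:
        err = query["error"][0]
        if err in SILENT_AUTH_ERRORS:
            return {"outcome": "anonymous", "error": err}
        return {"outcome": "error", "error": err}

    if "code" in query:
        # Next step (not shown): exchange the code at the token endpoint and
        # verify the ID token, including that its nonce matches the one sent.
        return {"outcome": "code", "code": query["code"][0]}

    raise ValueError("callback carried neither code nor error")


if __name__ == "__main__":
    state = new_state()
    nonce = secrets.token_urlsafe(16)
    print(build_auth_request(state, nonce, login_hint="alice@example.com"))
```

In the gateway scenario the client sends the prompt=none request from its home page and, on an 'anonymous' outcome, simply shows the page without a session; on a 'code' outcome it completes the normal code exchange. Whether a provider honours prompt=none without ever showing a form is still provider behaviour, as the answer notes, so the handler treats any other error as a hard failure rather than silently continuing.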
