• Welcome to LiuJason's Blog!

利用WHMCS内置OpenID Connect接口整合GitLab实现单点登录SSO

Linux笔记 Jason 5 years ago (2019-11-25) 1607 Views 0 Comments QR code of this page
文章目录[隐藏]

前言

就如标题所说,我们打算使用云筏科技的whmcs账单系统对用户做统一管理,让用户在旗下网站实现一账通。
在GitLab整合的时候发现WHMCS7.8版本的OpenID Connect接口中,/oauth/openid-configuration.php的参数是有问题的,由于WHMCS程序本身是加密的,因此不能直接改源代码,比较麻烦,这里记录一下解决过程。

WHMCS前端配置

登录后台后,进入/admin/configopenid.php,输入再次验证密码,看到下面这个场景:

然后点击生成新的密钥信息,输入对应的内容,其中GitLab的回调地址为:/users/auth/openid_connect/callback

记下Client ID和Client Secret,然后保存。

WHMCS后端配置

查看/oauth/openid-configuration.php,可以看到"response_types_supported": null,这个参数,这个在GitLab里会报错,我们也是因为这个问题卡住了花了一整天的时间来弄,也是本文最重要的部分。

{
    "issuer": "https:\/\/www.cloudraft.cn",
    "authorization_endpoint": "https:\/\/www.cloudraft.cn\/oauth\/authorize.php",
    "token_endpoint": "https:\/\/www.cloudraft.cn\/oauth\/token.php",
    "userinfo_endpoint": "https:\/\/www.cloudraft.cn\/oauth\/userinfo.php",
    "jwks_uri": "https:\/\/www.cloudraft.cn\/oauth\/certs.php",
    "response_types_supported": null,
    "subject_types_supported": [
        "public"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "scopes_supported": [
        "openid",
        "email",
        "profile"
    ],
    "claims_supported": [
        "iss",
        "aud",
        "exp",
        "sub"
    ]
}

实际上应该改成:

"response_types_supported": [
        "code",
        "access_token",
        "id_token"
    ],

因此我们重命名/oauth/openid-configuration.php文件为/oauth/openid-configuration1.php,然后新建/oauth/openid-configuration.php文件,在其中输入一下代码:

<?php
header('Content-Type: application/json');
$json_source = file_get_contents("https://www.cloudraft.cn/oauth/openid-configuration1.php");
$json_array = json_decode($json_source, true);
$json_array['response_types_supported'] = ["code", "access_token", "id_token"];
echo json_encode($json_array, JSON_PRETTY_PRINT);
?>

其实就是用json替换参数,把'response_types_supported'给补上。之后查看https://www.cloudraft.cn/oauth/openid-configuration.php,已经生效了:

{
    "issuer": "https:\/\/www.cloudraft.cn",
    "authorization_endpoint": "https:\/\/www.cloudraft.cn\/oauth\/authorize.php",
    "token_endpoint": "https:\/\/www.cloudraft.cn\/oauth\/token.php",
    "userinfo_endpoint": "https:\/\/www.cloudraft.cn\/oauth\/userinfo.php",
    "jwks_uri": "https:\/\/www.cloudraft.cn\/oauth\/certs.php",
    "response_types_supported": [
        "code",
        "access_token",
        "id_token"
    ],
    "subject_types_supported": [
        "public"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "scopes_supported": [
        "openid",
        "email",
        "profile"
    ],
    "claims_supported": [
        "iss",
        "aud",
        "exp",
        "sub"
    ]
}

但是操作完这一步后依然会报错:

OpenIDConnect::Discovery::DiscoveryFailed (Response types supported can't be blank and Issuer mismatch):

这是因为WHMCS没有按照OpenID的标准将discovery信息写到/.well-known/openid-configuration中,因此我们还需要新建文件/.well-known/openid-configuration/index.php然后把之前改好的/oauth/openid-configuration.php移动过来,或者做一个别名。
上述做完后,访问/.well-known/openid-configuration应该可以看到如下信息:

{
    "issuer": "https:\/\/www.cloudraft.cn",
    "authorization_endpoint": "https:\/\/www.cloudraft.cn\/oauth\/authorize.php",
    "token_endpoint": "https:\/\/www.cloudraft.cn\/oauth\/token.php",
    "userinfo_endpoint": "https:\/\/www.cloudraft.cn\/oauth\/userinfo.php",
    "jwks_uri": "https:\/\/www.cloudraft.cn\/oauth\/certs.php",
    "response_types_supported": [
        "code",
        "access_token",
        "id_token"
    ],
    "subject_types_supported": [
        "public"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "scopes_supported": [
        "openid",
        "email",
        "profile"
    ],
    "claims_supported": [
        "iss",
        "aud",
        "exp",
        "sub"
    ]
}

GitLab端配置

/etc/gitlab/gitlab.rb文件中找到如下区域:

### OmniAuth Settings
###! Docs: https://docs.gitlab.com/ce/integration/omniauth.html
.....
gitlab_rails['omniauth_providers'] = [
.....

这里就是配置gitlab单点登录的信息区域,将之前获取的密钥信息填写进去即可,实例:

gitlab_rails['omniauth_providers'] = [
  {
    "name" => "openid_connect",
    "label" => "https://www.cloudraft.cn",
    "args" => { 
        "name" => "openid_connect",
        "scope" => ['openid','profile', 'email'],
        "response_type" => 'code',
        'issuer' => 'https://www.cloudraft.cn/oauth/openid-configuration.php',
        'discovery' => true,
        'client_auth_method' => 'query',
        'uid_field' => 'preferred_username',
        'client_options' => {
        'identifier' => '密钥信息',
        'secret' => '密钥信息',
        'redirect_uri' => 'https://code.cloudraft.cn/users/auth/openid_connect/callback'
       }
    }
  }


This article is under CC BY-NC-SA 4.0 license.
Please quote the original link:https://www.liujason.com/article/397.html
Like (0)
发表我的评论
取消评论

表情 贴图 加粗 删除线 居中 斜体 签到

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址