Using the built-in OpenID Connect interface of WHMCS to integrate GitLab for single sign-on (SSO)


Introduction

As the title says, we plan to use CloudRaft's (云筏科技) WHMCS billing system to manage users centrally, so that one account works across all of our sites.
While integrating GitLab we found that in WHMCS 7.8 the OpenID Connect interface returns a wrong parameter from /oauth/openid-configuration.php. Because the WHMCS code itself is encrypted, the source cannot be edited directly, which makes this awkward; this post records how we solved it.

WHMCS front-end configuration

After logging into the admin area, open /admin/configopenid.php, enter your password again to re-authenticate, and you will see the following screen:

Then click to generate new credentials and fill in the fields. GitLab's callback address is: /users/auth/openid_connect/callback

Note down the Client ID and Client Secret, then save.

WHMCS back-end configuration

Look at /oauth/openid-configuration.php and you will see the parameter "response_types_supported": null. This value makes GitLab throw an error; it is what kept us stuck for a whole day, and it is the most important part of this post.



{
    "issuer": "https:\/\/www.cloudraft.cn",
    "authorization_endpoint": "https:\/\/www.cloudraft.cn\/oauth\/authorize.php",
    "token_endpoint": "https:\/\/www.cloudraft.cn\/oauth\/token.php",
    "userinfo_endpoint": "https:\/\/www.cloudraft.cn\/oauth\/userinfo.php",
    "jwks_uri": "https:\/\/www.cloudraft.cn\/oauth\/certs.php",
    "response_types_supported": null,
    "subject_types_supported": [
        "public"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "scopes_supported": [
        "openid",
        "email",
        "profile"
    ],
    "claims_supported": [
        "iss",
        "aud",
        "exp",
        "sub"
    ]
}

It should actually be:



    "response_types_supported": [
        "code",
        "access_token",
        "id_token"
    ],

So we rename /oauth/openid-configuration.php to /oauth/openid-configuration1.php, then create a new /oauth/openid-configuration.php containing the following code:



<?php
// Fetch the original (renamed) WHMCS discovery document and fill in the
// response_types_supported value that WHMCS 7.8 leaves as null.
header('Content-Type: application/json');
$json_source = file_get_contents("https://www.cloudraft.cn/oauth/openid-configuration1.php");
$json_array = ($json_source === false) ? null : json_decode($json_source, true);
if (!is_array($json_array)) {
    // Upstream unreachable or not JSON: fail loudly instead of serving a partial document.
    http_response_code(502);
    exit;
}
$json_array['response_types_supported'] = ["code", "access_token", "id_token"];
echo json_encode($json_array, JSON_PRETTY_PRINT);

All this does is decode the JSON, fill in the 'response_types_supported' parameter, and encode it again. Checking https://www.cloudraft.cn/oauth/openid-configuration.php afterwards shows that the change has taken effect:



{
    "issuer": "https:\/\/www.cloudraft.cn",
    "authorization_endpoint": "https:\/\/www.cloudraft.cn\/oauth\/authorize.php",
    "token_endpoint": "https:\/\/www.cloudraft.cn\/oauth\/token.php",
    "userinfo_endpoint": "https:\/\/www.cloudraft.cn\/oauth\/userinfo.php",
    "jwks_uri": "https:\/\/www.cloudraft.cn\/oauth\/certs.php",
    "response_types_supported": [
        "code",
        "access_token",
        "id_token"
    ],
    "subject_types_supported": [
        "public"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "scopes_supported": [
        "openid",
        "email",
        "profile"
    ],
    "claims_supported": [
        "iss",
        "aud",
        "exp",
        "sub"
    ]
}

But after this step GitLab still reports an error:



OpenIDConnect::Discovery::DiscoveryFailed (Response types supported can't be blank and Issuer mismatch):

This is because WHMCS does not publish its discovery information at /.well-known/openid-configuration as the OpenID Connect standard requires. So we also need to create /.well-known/openid-configuration/index.php and move the modified /oauth/openid-configuration.php there, or set up an alias that serves it from that path.
Once that is done, visiting /.well-known/openid-configuration should show the following:



{
    "issuer": "https:\/\/www.cloudraft.cn",
    "authorization_endpoint": "https:\/\/www.cloudraft.cn\/oauth\/authorize.php",
    "token_endpoint": "https:\/\/www.cloudraft.cn\/oauth\/token.php",
    "userinfo_endpoint": "https:\/\/www.cloudraft.cn\/oauth\/userinfo.php",
    "jwks_uri": "https:\/\/www.cloudraft.cn\/oauth\/certs.php",
    "response_types_supported": [
        "code",
        "access_token",
        "id_token"
    ],
    "subject_types_supported": [
        "public"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "scopes_supported": [
        "openid",
        "email",
        "profile"
    ],
    "claims_supported": [
        "iss",
        "aud",
        "exp",
        "sub"
    ]
}
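Before pointing GitLab at the provider, it is worth checking the discovery document the way a strict OpenID Connect client does, since both halves of the DiscoveryFailed error above come from such checks. The following Python script is an added example, not code from the original post, from WHMCS or from GitLab. It embeds a trimmed copy of the discovery document above as constructed sample data, checks the two conditions behind the error (response_types_supported must not be blank, and the document's issuer must equal the issuer string the client was configured with), and shows where a discovery-enabled client looks for the document (issuer + /.well-known/openid-configuration, which is why the /oauth/ path alone was not enough). The function and constant names are my own.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the discovery document as WHMCS 7.8 serves it (null value).
BROKEN_DOC = json.loads(r'''{
    "issuer": "https:\/\/www.cloudraft.cn",
    "authorization_endpoint": "https:\/\/www.cloudraft.cn\/oauth\/authorize.php",
    "token_endpoint": "https:\/\/www.cloudraft.cn\/oauth\/token.php",
    "userinfo_endpoint": "https:\/\/www.cloudraft.cn\/oauth\/userinfo.php",
    "jwks_uri": "https:\/\/www.cloudraft.cn\/oauth\/certs.php",
    "response_types_supported": null,
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"]
}''')

# Constructed sample: the same document after the proxy script fills in the value.
FIXED_DOC = dict(BROKEN_DOC, response_types_supported=["code", "access_token", "id_token"])

# Keys a discovery-enabled client needs before it can start an authorization flow.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """Where a discovery-enabled client looks for provider metadata:
    the issuer URL with /.well-known/openid-configuration appended."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(doc: dict, configured_issuer: str) -> list:
    """Return the problems a strict client would report for this document.
    An empty list means the document passes."""
    problems = []
    for key in REQUIRED_KEYS:
        if not doc.get(key):
            problems.append(f"{key} missing")
    # GitLab's wording for a null or empty list: "Response types supported can't be blank".
    if not doc.get("response_types_supported"):
        problems.append("Response types supported can't be blank")
    # GitLab's wording when the discovered issuer differs from the configured one:
    # "Issuer mismatch". The comparison is on the exact string, not the host.
    if doc.get("issuer") and doc["issuer"].rstrip("/") != configured_issuer.rstrip("/"):
        problems.append("Issuer mismatch")
    # Every endpoint must be reachable over https; tokens and secrets travel through them.
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri"):
        endpoint = doc.get(key)
        if endpoint and urlsplit(endpoint).scheme != "https":
            problems.append(f"{key} is not https")
    return problems


if __name__ == "__main__":
    print(discovery_url("https://www.cloudraft.cn"))
    print(validate_discovery(BROKEN_DOC, "https://www.cloudraft.cn"))
    print(validate_discovery(FIXED_DOC, "https://www.cloudraft.cn"))
```

To run the same checks against a live provider, load the document with `json.load(urllib.request.urlopen(discovery_url(issuer)))` and pass it to `validate_discovery` together with the issuer string you intend to put in gitlab.rb. One caveat that these checks deliberately do not raise: the response_type values defined by OpenID Connect Core are code, id_token, token and their space-separated combinations; access_token is not one of them, so a client that validates the list against the specification may object even though GitLab's check only requires the list to be present.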

GitLab-side configuration

In /etc/gitlab/gitlab.rb, find the following section:



### OmniAuth Settings
###! Docs: https://docs.gitlab.com/ce/integration/omniauth.html
.....
gitlab_rails['omniauth_providers'] = [
.....

This is where GitLab's single sign-on providers are configured; fill in the credentials obtained earlier. Example:



gitlab_rails['omniauth_providers'] = [
  {
    "name" => "openid_connect",
    "label" => "https://www.cloudraft.cn",
    "args" => {
      "name" => "openid_connect",
      "scope" => ['openid', 'profile', 'email'],
      "response_type" => 'code',
      'issuer' => 'https://www.cloudraft.cn/oauth/openid-configuration.php',
      'discovery' => true,
      'client_auth_method' => 'query',
      'uid_field' => 'preferred_username',
      'client_options' => {
        'identifier' => '<Client ID from WHMCS>',       # credentials generated in /admin/configopenid.php
        'secret' => '<Client Secret from WHMCS>',
        'redirect_uri' => 'https://code.cloudraft.cn/users/auth/openid_connect/callback'
      }
    }
  }
]


This article is under CC BY-NC-SA 4.0 license.
Please cite the original link: https://www.liujason.com/article/397.html