Know-How
OpenID Connect: authentication on top of OAuth 2.0
OAuth 2.0 handles authorization; OIDC adds authentication in the form of an ID Token carrying claims about the user.
ID Token
{
"iss": "https://auth.example.com",
"sub": "user-123",
"aud": "myapp",
"exp": 1706000000,
"email": "[email protected]",
"name": "Jan Novák"
}
Discovery
# GET https://auth.example.com/.well-known/openid-configuration
{
"issuer": "https://auth.example.com",
"authorization_endpoint": "https://auth.example.com/authorize",
"token_endpoint": "https://auth.example.com/token",
"jwks_uri": "https://auth.example.com/.well-known/jwks.json"
}
FastAPI implementation
from authlib.integrations.starlette_client import OAuth

oauth = OAuth()
# The discovery document supplies the endpoints and jwks_uri;
# the 'openid' scope is what turns a plain OAuth flow into OIDC.
oauth.register(name='google',
    server_metadata_url='https://accounts.google.com/.well-known/openid-configuration',
    client_id='your-id', client_secret='your-secret',
    client_kwargs={'scope': 'openid email profile'})
Key takeaway
OIDC = OAuth 2.0 + identity. Always validate the ID Token: signature, iss, aud, exp and nonce.