OIDC 协议授权码模式与应用对接
时序图
上图为 OIDC 授权码模式认证时序图,描述了一个应用的授权认证及访问过程。
阶段一为单点认证阶段,主要有以下流程:
- 访问应用,应用检测未登录,请求获取授权码端口(接口1)。如果此时无有效的认证信息则会跳转登录页。
- 用户输入用户信息登录成功后会携带授权码
code重定向回应用系统。 - 使用授权码
code调用统一认证的获取访问令牌接口(接口2)获取访问令牌并保存在前端,方便后续接口的调用。 - 使用访问令牌
access_token调用统一认证的获取用户信息接口(接口3)获取用户信息。
阶段二为访问后端接口阶段,主要有以下流程:
- 操作应用调用后端接口前,应用会检查当前的访问令牌
access_token是否已过期,如果过期则调用刷新访问令牌接口(接口4),使用refresh_token刷新访问令牌。 - 调用后端接口时,应用会将访问令牌
access_token放在请求头中,应用后端调用访问令牌校验接口(接口5) 校验访问令牌的有效性。 如果有效则执行相应的业务逻辑并返回业务数据,浏览器进行渲染;如果无效则 http 码为401,并返回相应的错误信息。
准备工作
在数字底座注册应用,注册时需指定应用访问URL,注册后可获取应用的 client_id 和 client_secret 供后面使用
接口
以下是上述过程中会用到的接口:
1.获取授权码
请求地址:http://{IP}:{PORT}/sso/oidc/authorize
请求方法:GET
描述:授权用户启动身份验证流程,浏览器访问该端口
请求参数:
| 参数名 | 描述 |
|---|---|
| response_type | 返回类型为固定值 code。 |
| client_id | 申请的客户端 id。 |
| redirect_uri | 重定向 url,认证通过后会重定向回来并以授权码 code 作为请求参数。 |
| scope | scope 为固定值 openid y9 |
请求示例:
http
GET http://{IP}:{PORT}/sso/oidc/authorize?response_type=code&client_id=clientid_oidc&redirect_uri=http://localhost:7070/demo/org&scope=openid y9响应示例:
http
HTTP/1.1 302 Found
Location: http://localhost:7070/demo/org?code=OC-2-1jIw1DPBDTyAbgYE50Xvh0XakfnQO6zY2.获取访问令牌
接口地址:http://{IP}:{PORT}/sso/oidc/accessToken
请求方法:GET|POST
描述:通过授权码 code 获取访问令牌
请求参数:
| 参数名 | 描述 |
|---|---|
| grant_type | 授权类型为固定值 authorization_code。 |
| client_id | 申请的客户端 id。 |
| client_secret | 申请的客户端密钥。 |
| code | 请求授权返回的授权码 code,一个授权码使用一次后便会失效。 |
| redirect_uri | 重定向 url。 |
响应字段:
| 字段 | 描述 |
|---|---|
| access_token | 访问令牌。 |
| refresh_token | 刷新令牌。 |
| token_type | 令牌类型。 |
| expires_in | 过期时间(秒)。 |
| scope | 权限范围。 |
请求示例:
http
GET http://{IP}:{PORT}/sso/oidc/accessToken?grant_type=authorization_code&client_id=clientid_oidc&client_secret=secret_oidc&code=OC-2-1jIw1DPBDTyAbgYE50Xvh0XakfnQO6zY&redirect_uri=http://localhost:7070/demo/org响应示例:
json
{
"access_token": "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6ImNhcy11VFRIV01GViIsIm9yZy5hcGVyZW8uY2FzLnNlcnZpY2VzLlJlZ2lzdGVyZWRTZXJ2aWNlIjoiMTAwMyJ9.eyJzdWIiOiJzeXN0ZW1NYW5hZ2VyIiwibG9naW5UeXBlIjoibG9naW5OYW1lIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo3MDU1L3Nzby9vaWRjIiwiZG4iOiJjblx1MDAzZOezu-e7n-euoeeQhuWRmCxvXHUwMDNk6Jma5ouf57uE57uHIiwibWFuYWdlckxldmVsIjoxLCJwYXNzd29yZCI6IiQyYSQxMCR4bzZBL1g3YWVMY0V2WUpSeXUua1VPZDlFSjFvM2M4Wks2Qk5xbmhkYTMwZVJ3bkE3VlRxbSIsImdsb2JhbE1hbmFnZXIiOnRydWUsInRlbmFudE5hbWUiOiJkZWZhdWx0IiwiY2FpZCI6IiIsImxvZ2luTmFtZSI6InN5c3RlbU1hbmFnZXIiLCJwZXJzb25UeXBlIjoiZGVwdFBlcnNvbiIsImV4cCI6MTc0ODUyOTQzMiwiaWF0IjoxNzQ4NTAwNjMyLCJpZE51bSI6IiIsImp0aSI6IkFULTEtUm9NNGVnOWtzUkZnUWNjcVVQOTF1VWNabUNmNlB3MVoiLCJlbWFpbCI6IiIsIm9yaWdpbmFsIjp0cnVlLCJzZXgiOjEsImRlcHRJZCI6IiIsImd1aWRQYXRoIjoiMTY2Mzk4MDU1OTc0MzAwMDU3NiwxNjYzOTgwNTU5ODc3MjE4MzA0IiwibW9iaWxlIjoiIiwicG9zaXRpb25zIjoiIiwicGFyZW50SWQiOiIxNjYzOTgwNTU5NzQzMDAwNTc2IiwiYXVkIjoiY2xpZW50aWRfb2lkYyIsInBvc2l0aW9uSWQiOiIiLCJuYW1lIjoi57O757uf566h55CG5ZGYIiwidGVuYW50SWQiOiIxMTExMTExMS0xMTExLTExMTEtMTExMS0xMTExMTExMTExMTMiLCJhdmF0b3IiOiIiLCJwZXJzb25JZCI6IjE2NjM5ODA1NTk4NzcyMTgzMDQiLCJvcmlnaW5hbElkIjoiIiwidGVuYW50U2hvcnROYW1lIjoiZGVmYXVsdCJ9.MOWwMXZ0S_sVn6tjpy00RuR4_WfDqkXSPLgbQ54n-B367-nAYh7ZIDM2cnDimUke9lCum0jEQQ78lYdDoTl9TyKu9LGUeaLS0YBilSOoedH_8b6YlFJuTZrKRysy6gDCv4UhcZ7OCp8_1MLW_8JtNa9FnRv1yQGi8OxplgbQcTXPcMVJKjEGPFTSecAtY2g3NsJK_E2JakUFCctxIlrqaECWsx2fvR3BA9K3D72v98wV4D75kjeWTNEIsY011w6y655EJi84ApAAgRR0DCZLgIU8FqE6eX2jKIga4OCSZq14Q2uKhBQNx8M93IDREqxEY92oSG0JavxclMigH3qTEw",
"id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImNhcy11VFRIV01GViJ9.eyJqdGkiOiJUR1QtMS15cTYyeEtiQjZlUmFpTlJkUS1kYlI4Nm5sRU9yb3B6bk1rUWJhN0ZnNHVTeEVHLWwtSGkyRU5Wb2FoNDFxZjdUeGhrLVRvYmlucy1NYWMtU3R1ZGlvIiwic2lkIjoiYTJkZDFkN2JkNWEwMWQ4NDQ2OTNiY2NiNjFkNzA4YWE2MDk2Y2I0MSIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NzA1NS9zc28vb2lkYyIsImF1ZCI6ImNsaWVudGlkX29pZGMiLCJleHAiOjE3NDg1Mjk0MzIsImlhdCI6MTc0ODUwMDYzMiwibmJmIjoxNzQ4NTAwMzMyLCJzdWIiOiJzeXN0ZW1NYW5hZ2VyIiwiYW1yIjpbInk5QXV0aGVudGljYXRpb25IYW5kbGVyIl0sImNsaWVudF9pZCI6ImNsaWVudGlkX29pZGMiLCJhdXRoX3RpbWUiOjE3NDg1MDA1MDcsImF0X2hhc2giOiJDdkNsXzdPVnhfcmJnTXctOHBJb2x3IiwiYXZhdG9yIjoiIiwiY2FpZCI6IiIsImRlcHRJZCI6IiIsImRuIjoiY24957O757uf566h55CG5ZGYLG896Jma5ouf57uE57uHIiwiZW1haWwiOiIiLCJnbG9iYWxNYW5hZ2VyIjp0cnVlLCJndWlkUGF0aCI6IjE2NjM5ODA1NTk3NDMwMDA1NzYsMTY2Mzk4MDU1OTg3NzIxODMwNCIsImlkTnVtIjoiIiwibG9naW5OYW1lIjoic3lzdGVtTWFuYWdlciIsImxvZ2luVHlwZSI6ImxvZ2luTmFtZSIsIm1hbmFnZXJMZXZlbCI6MSwibW9iaWxlIjoiIiwibmFtZSI6Iuezu-e7n-euoeeQhuWRmCIsIm9yaWdpbmFsIjp0cnVlLCJvcmlnaW5hbElkIjoiIiwicGFyZW50SWQiOiIxNjYzOTgwNTU5NzQzMDAwNTc2IiwicGFzc3dvcmQiOiIkMmEkMTAkeG82QS9YN2FlTGNFdllKUnl1LmtVT2Q5RUoxbzNjOFpLNkJOcW5oZGEzMGVSd25BN1ZUcW0iLCJwZXJzb25JZCI6IjE2NjM5ODA1NTk4NzcyMTgzMDQiLCJwZXJzb25UeXBlIjoiZGVwdFBlcnNvbiIsInBvc2l0aW9uSWQiOiIiLCJwb3NpdGlvbnMiOiIiLCJzZXgiOjEsInRlbmFudElkIjoiMTExMTExMTEtMTExMS0xMTExLTExMTEtMTExMTExMTExMTEzIiwidGVuYW50TmFtZSI6ImRlZmF1bHQiLCJ0ZW5hbnRTaG9ydE5hbWUiOiJkZWZhdWx0IiwicHJlZmVycmVkX3VzZXJuYW1lIjoic3lzdGVtTWFuYWdlciJ9.lcd0xxj_UeSKR67uUXpJk-o_rD_-AsYzOp6DRQD8gX-70a_JuQHPm1bSBaaavcvPb1D0cFH6iQZrQHHH5a8jw0YQ0vnp91KwtPl3CQDDimlCh21tKzx94V1eYshjyCryagTL7ginsfUA-xbBa5rLUlNKIr6MsuEXhAluiKEXZVSGRuZfXGEkMVuGeRhU1IAokj1-DYAScAx_J5unURw8GHmswys35isGSpbFWWT9qPQttd-qenvDsazRuKsAcv5jDDPCikWBR41N_pRaAMpe3NUyVXbWaLEEROX6lpYYavJbAMsJFpU8SWdR-FSu5NdmVhgMwuw6ZfaQAbdA9JoXQg",
"refresh_token": "RT-1-7llQtxOCak7GQ-KrLwy1vjSDz4xPqy2M",
"token_type": "Bearer",
"expires_in": 28800,
"scope": "y9 openid"
}注意,此处返回的 access_token 是一个 JWT 格式的访问令牌,包含了用户信息和其他相关数据,可以使用 JWT 库进行解析。
3.获取用户信息
如果返回的 access_token 是 JWT 格式的访问令牌,可以使用 JWT 库直接解析获取用户信息;当然也调用下方的接口获取用户信息。
接口地址:http://{IP}:{PORT}/sso/oidc/profile
请求方法:GET|POST
描述:获取认证过的用户信息
请求参数:
| 参数名 | 描述 |
|---|---|
| access_token | 访问令牌 |
部分响应字段:
| 字段 | 描述 |
|---|---|
| dn | 由name组成的父子关系列表(倒序),之间用逗号分隔 |
| managerLevel | 管理员类型 |
| password | 密码 |
| globalManager | 是否为管理员 |
| tenantName | 租户名 |
| caid | caid |
| loginName | 登录名 |
| personType | 人员类型 |
| IDNum | 身份证号 |
| 邮箱 | |
| original | 是否为原始账号(针对多岗) |
| sex | 性别 |
| guidPath | 由ID组成的父子关系列表(正序),之间用逗号分隔 |
| mobile | 电话号码 |
| positions | 岗位列表,用逗号分隔 |
| parentId | 人员父节点 id |
| positionId | 当前岗位 id |
| name | 姓名 |
| tenantId | 租户 id |
| avator | 头像 url |
| personId | 人员 id |
| originalId | 原始账号 id |
| tenantShortName | 租户登录名 |
请求示例:
http
GET http://{IP}:{PORT}/sso/oidc/profile?access_token=eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6ImNhcy11VFRIV01GViIsIm9yZy5hcGVyZW8uY2FzLnNlcnZpY2VzLlJlZ2lzdGVyZWRTZXJ2aWNlIjoiMTAwMyJ9.eyJzdWIiOiJzeXN0ZW1NYW5hZ2VyIiwibG9naW5UeXBlIjoibG9naW5OYW1lIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo3MDU1L3Nzby9vaWRjIiwiZG4iOiJjblx1MDAzZOezu-e7n-euoeeQhuWRmCxvXHUwMDNk6Jma5ouf57uE57uHIiwibWFuYWdlckxldmVsIjoxLCJwYXNzd29yZCI6IiQyYSQxMCR4bzZBL1g3YWVMY0V2WUpSeXUua1VPZDlFSjFvM2M4Wks2Qk5xbmhkYTMwZVJ3bkE3VlRxbSIsImdsb2JhbE1hbmFnZXIiOnRydWUsInRlbmFudE5hbWUiOiJkZWZhdWx0IiwiY2FpZCI6IiIsImxvZ2luTmFtZSI6InN5c3RlbU1hbmFnZXIiLCJwZXJzb25UeXBlIjoiZGVwdFBlcnNvbiIsImV4cCI6MTc0ODUyOTQzMiwiaWF0IjoxNzQ4NTAwNjMyLCJpZE51bSI6IiIsImp0aSI6IkFULTEtUm9NNGVnOWtzUkZnUWNjcVVQOTF1VWNabUNmNlB3MVoiLCJlbWFpbCI6IiIsIm9yaWdpbmFsIjp0cnVlLCJzZXgiOjEsImRlcHRJZCI6IiIsImd1aWRQYXRoIjoiMTY2Mzk4MDU1OTc0MzAwMDU3NiwxNjYzOTgwNTU5ODc3MjE4MzA0IiwibW9iaWxlIjoiIiwicG9zaXRpb25zIjoiIiwicGFyZW50SWQiOiIxNjYzOTgwNTU5NzQzMDAwNTc2IiwiYXVkIjoiY2xpZW50aWRfb2lkYyIsInBvc2l0aW9uSWQiOiIiLCJuYW1lIjoi57O757uf566h55CG5ZGYIiwidGVuYW50SWQiOiIxMTExMTExMS0xMTExLTExMTEtMTExMS0xMTExMTExMTExMTMiLCJhdmF0b3IiOiIiLCJwZXJzb25JZCI6IjE2NjM5ODA1NTk4NzcyMTgzMDQiLCJvcmlnaW5hbElkIjoiIiwidGVuYW50U2hvcnROYW1lIjoiZGVmYXVsdCJ9.MOWwMXZ0S_sVn6tjpy00RuR4_WfDqkXSPLgbQ54n-B367-nAYh7ZIDM2cnDimUke9lCum0jEQQ78lYdDoTl9TyKu9LGUeaLS0YBilSOoedH_8b6YlFJuTZrKRysy6gDCv4UhcZ7OCp8_1MLW_8JtNa9FnRv1yQGi8OxplgbQcTXPcMVJKjEGPFTSecAtY2g3NsJK_E2JakUFCctxIlrqaECWsx2fvR3BA9K3D72v98wV4D75kjeWTNEIsY011w6y655EJi84ApAAgRR0DCZLgIU8FqE6eX2jKIga4OCSZq14Q2uKhBQNx8M93IDREqxEY92oSG0JavxclMigH3qTEw响应示例:
json
{
"loginType": "loginName",
"dn": "cn=系统管理员,o=虚拟组织",
"managerLevel": 1,
"password": "$2a$10$xo6A/X7aeLcEvYJRyu.kUOd9EJ1o3c8ZK6BNqnhda30eRwnA7VTqm",
"globalManager": true,
"tenantName": "default",
"caid": "",
"loginName": "systemManager",
"personType": "deptPerson",
"idNum": "",
"email": "",
"original": true,
"sex": 1,
"deptId": "",
"guidPath": "1663980559743000576,1663980559877218304",
"mobile": "",
"positions": "",
"parentId": "1663980559743000576",
"positionId": "",
"name": "系统管理员",
"tenantId": "11111111-1111-1111-1111-111111111113",
"avator": "",
"personId": "1663980559877218304",
"originalId": "",
"tenantShortName": "default",
"sub": "systemManager",
"service": "http://localhost:7070/demo/org",
"auth_time": 1748500507,
"id": "systemManager",
"client_id": "clientid_oidc"
}4.刷新访问令牌
接口地址:http://{IP}:{PORT}/sso/oidc/accessToken
请求方法:GET|POST
描述:当访问令牌过期了可通过 refresh_token 去获取新的访问令牌
请求参数:
| 参数名 | 描述 |
|---|---|
| grant_type | 授权类型为固定值 refresh_token。 |
| client_id | 申请的客户端 id。 |
| client_secret | 申请的客户端密钥。 |
| refresh_token | 刷新令牌。 |
请求示例:
http
GET http://{IP}:{PORT}/sso/oidc/accessToken?grant_type=refresh_token&client_id=clientid_oidc&client_secret=secret_oidc&refresh_token=RT-2-g-wAcxjz6HOHs7O8YeGn1qElkZYDtM4S响应示例:
json
{
"access_token": "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6ImNhcy11VFRIV01GViIsIm9yZy5hcGVyZW8uY2FzLnNlcnZpY2VzLlJlZ2lzdGVyZWRTZXJ2aWNlIjoiMTAwMyJ9.eyJzdWIiOiJzeXN0ZW1NYW5hZ2VyIiwibG9naW5UeXBlIjoibG9naW5OYW1lIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo3MDU1L3NzbyIsImRuIjoiY25cdTAwM2Tns7vnu5_nrqHnkIblkZgsb1x1MDAzZOiZmuaLn-e7hOe7hyIsIm1hbmFnZXJMZXZlbCI6MSwicGFzc3dvcmQiOiIkMmEkMTAkeG82QS9YN2FlTGNFdllKUnl1LmtVT2Q5RUoxbzNjOFpLNkJOcW5oZGEzMGVSd25BN1ZUcW0iLCJnbG9iYWxNYW5hZ2VyIjp0cnVlLCJ0ZW5hbnROYW1lIjoiZGVmYXVsdCIsImNhaWQiOiIiLCJsb2dpbk5hbWUiOiJzeXN0ZW1NYW5hZ2VyIiwicGVyc29uVHlwZSI6ImRlcHRQZXJzb24iLCJleHAiOjE3NDg1MzA5NzAsImlhdCI6MTc0ODUwMjE3MCwiaWROdW0iOiIiLCJqdGkiOiJBVC0yLXQ0ejRBdnFlQk9rRlo1SjlLcGNPYzM2ZGQ2TXlQWFpOIiwiZW1haWwiOiIiLCJvcmlnaW5hbCI6dHJ1ZSwic2V4IjoxLCJkZXB0SWQiOiIiLCJndWlkUGF0aCI6IjE2NjM5ODA1NTk3NDMwMDA1NzYsMTY2Mzk4MDU1OTg3NzIxODMwNCIsIm1vYmlsZSI6IiIsInBvc2l0aW9ucyI6IiIsInBhcmVudElkIjoiMTY2Mzk4MDU1OTc0MzAwMDU3NiIsImF1ZCI6ImNsaWVudGlkX29pZGMiLCJwb3NpdGlvbklkIjoiIiwibmFtZSI6Iuezu-e7n-euoeeQhuWRmCIsInRlbmFudElkIjoiMTExMTExMTEtMTExMS0xMTExLTExMTEtMTExMTExMTExMTEzIiwiYXZhdG9yIjoiIiwicGVyc29uSWQiOiIxNjYzOTgwNTU5ODc3MjE4MzA0Iiwib3JpZ2luYWxJZCI6IiIsInRlbmFudFNob3J0TmFtZSI6ImRlZmF1bHQifQ.cDV1oeyV9FjIwgdpim0dhBdBRT9ILzPevyIzs7qq5L48kH6k72VbUpffBpNkZSqppEBZipy8cCNW8LJ-llQw5ofSN_EQz_0oVH1f-pInIo5L5fBoXJfvyen-cmxGKk9FWI8B7Q8VvsMAwhGhuKCJsvrpfVl3CajGWpek3AvLrK2BMyN-YnN11kzmE6P1dvQC9-KRfA3usiIIX1XqQCPXeRr7UYh3xGhP0yjlf7WeHhGxWqoGekIQTdguQR8Tb0SR9WKvFbZnyIzyuJqi-lUoYBP9gZbBpX5TWvn1BBG7C_Ryf0498Sl63GR_cYJTbOQNvrE9chtBm_ZIJ3fu1JbkPw",
"refresh_token": "RT-2-R3T5rmPPPu1BSOWAqJLMjSHX-XXKyqHb",
"token_type": "Bearer",
"expires_in": 28800,
"scope": "y9 openid"
}5.访问令牌校验
接口地址:http://{IP}:{PORT}/sso/oidc/introspect
请求方法:GET|POST
描述:查询访问令牌 access_token 的状态,其中应用的凭证 client_id 和 client_secret 需以 Basic Auth 的形式提供
请求参数:
| 参数名 | 描述 |
|---|---|
| token | 访问令牌 access_token。 |
请求头:
| 参数名 | 描述 |
|---|---|
| Authorization | 应用的凭证,参数值为 Basic {Auth} 其中 {Auth} 为经过 base64 编码的 client_id + ":" + client_secret,即 base64_encode({client_id}:{client_secret})。 |
请求示例:
http
GET http://{IP}:{PORT}/sso/oidc/introspect
Authorization: Basic Y2xpZW50aWRfb2lkYzpzZWNyZXRfb2lkYw==
Content-Type: application/x-www-form-urlencoded
token=eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6ImNhcy11VFRIV01GViIsIm9yZy5hcGVyZW8uY2FzLnNlcnZpY2VzLlJlZ2lzdGVyZWRTZXJ2aWNlIjoiMTAwMyJ9.eyJzdWIiOiJzeXN0ZW1NYW5hZ2VyIiwibG9naW5UeXBlIjoibG9naW5OYW1lIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo3MDU1L3NzbyIsImRuIjoiY25cdTAwM2Tns7vnu5_nrqHnkIblkZgsb1x1MDAzZOiZmuaLn-e7hOe7hyIsIm1hbmFnZXJMZXZlbCI6MSwicGFzc3dvcmQiOiIkMmEkMTAkeG82QS9YN2FlTGNFdllKUnl1LmtVT2Q5RUoxbzNjOFpLNkJOcW5oZGEzMGVSd25BN1ZUcW0iLCJnbG9iYWxNYW5hZ2VyIjp0cnVlLCJ0ZW5hbnROYW1lIjoiZGVmYXVsdCIsImNhaWQiOiIiLCJsb2dpbk5hbWUiOiJzeXN0ZW1NYW5hZ2VyIiwicGVyc29uVHlwZSI6ImRlcHRQZXJzb24iLCJleHAiOjE3NDg1MzA5NzAsImlhdCI6MTc0ODUwMjE3MCwiaWROdW0iOiIiLCJqdGkiOiJBVC0yLXQ0ejRBdnFlQk9rRlo1SjlLcGNPYzM2ZGQ2TXlQWFpOIiwiZW1haWwiOiIiLCJvcmlnaW5hbCI6dHJ1ZSwic2V4IjoxLCJkZXB0SWQiOiIiLCJndWlkUGF0aCI6IjE2NjM5ODA1NTk3NDMwMDA1NzYsMTY2Mzk4MDU1OTg3NzIxODMwNCIsIm1vYmlsZSI6IiIsInBvc2l0aW9ucyI6IiIsInBhcmVudElkIjoiMTY2Mzk4MDU1OTc0MzAwMDU3NiIsImF1ZCI6ImNsaWVudGlkX29pZGMiLCJwb3NpdGlvbklkIjoiIiwibmFtZSI6Iuezu-e7n-euoeeQhuWRmCIsInRlbmFudElkIjoiMTExMTExMTEtMTExMS0xMTExLTExMTEtMTExMTExMTExMTEzIiwiYXZhdG9yIjoiIiwicGVyc29uSWQiOiIxNjYzOTgwNTU5ODc3MjE4MzA0Iiwib3JpZ2luYWxJZCI6IiIsInRlbmFudFNob3J0TmFtZSI6ImRlZmF1bHQifQ.cDV1oeyV9FjIwgdpim0dhBdBRT9ILzPevyIzs7qq5L48kH6k72VbUpffBpNkZSqppEBZipy8cCNW8LJ-llQw5ofSN_EQz_0oVH1f-pInIo5L5fBoXJfvyen-cmxGKk9FWI8B7Q8VvsMAwhGhuKCJsvrpfVl3CajGWpek3AvLrK2BMyN-YnN11kzmE6P1dvQC9-KRfA3usiIIX1XqQCPXeRr7UYh3xGhP0yjlf7WeHhGxWqoGekIQTdguQR8Tb0SR9WKvFbZnyIzyuJqi-lUoYBP9gZbBpX5TWvn1BBG7C_Ryf0498Sl63GR_cYJTbOQNvrE9chtBm_ZIJ3fu1JbkPw响应示例:
json
{
"token": "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6ImNhcy11VFRIV01GViIsIm9yZy5hcGVyZW8uY2FzLnNlcnZpY2VzLlJlZ2lzdGVyZWRTZXJ2aWNlIjoiMTAwMyJ9.eyJzdWIiOiJzeXN0ZW1NYW5hZ2VyIiwibG9naW5UeXBlIjoibG9naW5OYW1lIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo3MDU1L3NzbyIsImRuIjoiY25cdTAwM2Tns7vnu5_nrqHnkIblkZgsb1x1MDAzZOiZmuaLn-e7hOe7hyIsIm1hbmFnZXJMZXZlbCI6MSwicGFzc3dvcmQiOiIkMmEkMTAkeG82QS9YN2FlTGNFdllKUnl1LmtVT2Q5RUoxbzNjOFpLNkJOcW5oZGEzMGVSd25BN1ZUcW0iLCJnbG9iYWxNYW5hZ2VyIjp0cnVlLCJ0ZW5hbnROYW1lIjoiZGVmYXVsdCIsImNhaWQiOiIiLCJsb2dpbk5hbWUiOiJzeXN0ZW1NYW5hZ2VyIiwicGVyc29uVHlwZSI6ImRlcHRQZXJzb24iLCJleHAiOjE3NDg1MzA5NzAsImlhdCI6MTc0ODUwMjE3MCwiaWROdW0iOiIiLCJqdGkiOiJBVC0yLXQ0ejRBdnFlQk9rRlo1SjlLcGNPYzM2ZGQ2TXlQWFpOIiwiZW1haWwiOiIiLCJvcmlnaW5hbCI6dHJ1ZSwic2V4IjoxLCJkZXB0SWQiOiIiLCJndWlkUGF0aCI6IjE2NjM5ODA1NTk3NDMwMDA1NzYsMTY2Mzk4MDU1OTg3NzIxODMwNCIsIm1vYmlsZSI6IiIsInBvc2l0aW9ucyI6IiIsInBhcmVudElkIjoiMTY2Mzk4MDU1OTc0MzAwMDU3NiIsImF1ZCI6ImNsaWVudGlkX29pZGMiLCJwb3NpdGlvbklkIjoiIiwibmFtZSI6Iuezu-e7n-euoeeQhuWRmCIsInRlbmFudElkIjoiMTExMTExMTEtMTExMS0xMTExLTExMTEtMTExMTExMTExMTEzIiwiYXZhdG9yIjoiIiwicGVyc29uSWQiOiIxNjYzOTgwNTU5ODc3MjE4MzA0Iiwib3JpZ2luYWxJZCI6IiIsInRlbmFudFNob3J0TmFtZSI6ImRlZmF1bHQifQ.cDV1oeyV9FjIwgdpim0dhBdBRT9ILzPevyIzs7qq5L48kH6k72VbUpffBpNkZSqppEBZipy8cCNW8LJ-llQw5ofSN_EQz_0oVH1f-pInIo5L5fBoXJfvyen-cmxGKk9FWI8B7Q8VvsMAwhGhuKCJsvrpfVl3CajGWpek3AvLrK2BMyN-YnN11kzmE6P1dvQC9-KRfA3usiIIX1XqQCPXeRr7UYh3xGhP0yjlf7WeHhGxWqoGekIQTdguQR8Tb0SR9WKvFbZnyIzyuJqi-lUoYBP9gZbBpX5TWvn1BBG7C_Ryf0498Sl63GR_cYJTbOQNvrE9chtBm_ZIJ3fu1JbkPw",
"active": true,
"sub": "systemManager",
"scope": "y9 openid",
"iat": 1748502170,
"exp": 1748530970,
"realmName": "y9AuthenticationHandler",
"uniqueSecurityName": "systemManager",
"tokenType": "Bearer",
"aud": "clientid_oidc",
"iss": "http://localhost:7055/sso/oidc",
"attr": "{\"oauthClientId\":\"clientid_oidc\",\"loginType\":\"loginName\",\"dn\":\"cn=系统管理员,o=虚拟组织\",\"managerLevel\":1,\"password\":\"$2a$10$xo6A/X7aeLcEvYJRyu.kUOd9EJ1o3c8ZK6BNqnhda30eRwnA7VTqm\",\"globalManager\":true,\"tenantName\":\"default\",\"caid\":\"\",\"loginName\":\"systemManager\",\"personType\":\"deptPerson\",\"idNum\":\"\",\"email\":\"\",\"original\":true,\"sex\":1,\"deptId\":\"\",\"guidPath\":\"1663980559743000576,1663980559877218304\",\"mobile\":\"\",\"positions\":\"\",\"parentId\":\"1663980559743000576\",\"positionId\":\"\",\"name\":\"系统管理员\",\"tenantId\":\"11111111-1111-1111-1111-111111111113\",\"avator\":\"\",\"personId\":\"1663980559877218304\",\"originalId\":\"\",\"tenantShortName\":\"default\"}",
"client_id": "clientid_oidc",
"grant_type": "refresh_token"
}返回的 json 数据中,active 字段表示访问令牌是否有效。