Scope
| Scope | Description |
|---|---|
| openid | Required; tells the authorization server that the client is making an OpenID Connect request (without it the request is plain OAuth 2.0 and no ID token is issued) |
| profile | Requests access to the default profile claims (name, family_name, given_name, preferred_username, and so on) |
| email | Requests access to the email and email_verified claims |
| address | Requests access to the address claim |
| phone | Requests access to the phone_number and phone_number_verified claims |
Besides the standard scopes above, custom scopes can also be defined (in Keycloak these are client scopes with their own protocol mappers).
Request URL (authorization endpoint)
localhost:8080/realms/oauth2/protocol/openid-connect/auth?
response_type=code
&client_id=oauth2-client-app
&scope=openid profile email
&redirect_uri=http://localhost:8081
This minimal request omits two parameters a real client should always send: `state` (ties the redirect back to the browser session, preventing CSRF on the callback) and `nonce` (echoed back as the `nonce` claim of the ID token, binding the token to this particular login). With PKCE, `code_challenge` and `code_challenge_method` are added as well.
Response (from the token endpoint, /realms/oauth2/protocol/openid-connect/token, after the returned authorization code is exchanged)
{
"access_token": "...",
"expires_in": 300,
"refresh_expires_in": 1800,
"refresh_token": "...",
"token_type": "Bearer",
"id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJqOXYyeTNJN0RzTy02aFhqanFGUi1YSURWd2RvWUwyemRfVjN3c05EREFZIn0.<payload omitted>.nfs5J4zu7ntb6Hc0nZCswiCuj7h17jwem9OUWwDSsjQoRMKDsgfY52TIfSH4p-_4t2O0gGZno0IeafohJscBbxMiU09mfCZvIyOKWvhCzYs4P0svZeE10B-DPC1X96-U6R9B0TJ_oHdaDkxb2L4pfRiiSje8Xdo6kyvYufKXb595nCxbuIIuVJc8VtWowPzlX5HahIXfdDiZWMrE6PftgvwXB09nwTHgZ5MRJbGv1uRiPdk36XskxNd_00fxUfc_UqW1T6J4NrIXifW1E37STvkZC7kpvglDq1h0NEVbeneKw7JDmoP3In-anDwvDYTqAznDrUZy_2DNBOkVh1MHHw",
"not-before-policy": 0,
"session_state": "d2005686-5e2b-4a1c-be0f-6a984d1ec8af",
"scope": "openid email profile"
}
Decoding the id_token (base64url-decoding its payload segment) gives the claims below. Decoding is not verification: before trusting any of these values the client must verify the RS256 signature against the realm's JWKS (kid in the header selects the key) and then check iss, aud/azp, exp, and, if one was sent, nonce. at_hash is the left half of the SHA-256 hash of the access token issued alongside it and lets the client confirm the two tokens belong together.
{
"exp": 1737040633,
"iat": 1737040333,
"auth_time": 1737040321,
"jti": "868bcb2d-4a2e-4db4-9bd3-5b2c56d3c9c4",
"iss": "http://localhost:8080/realms/oauth2",
"aud": "oauth2-client-app",
"sub": "b7bf7998-5c98-486b-97bb-b8303740ddb7",
"typ": "ID",
"azp": "oauth2-client-app",
"session_state": "d2005686-5e2b-4a1c-be0f-6a984d1ec8af",
"at_hash": "V3uSTOIeDzJ4edoaiVMNZQ",
"acr": "1",
"sid": "d2005686-5e2b-4a1c-be0f-6a984d1ec8af",
"email_verified": false,
"name": "hong gil dong",
"preferred_username": "user",
"given_name": "hong",
"family_name": "gil dong",
"email": "user@naver.com"
}
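The checks described above, as an added example in Python (this is not code from the original post or from the lecture it follows). It decodes a token structurally, recomputes at_hash, and runs the claim checks from OIDC Core 1.0 section 3.1.3.7. The tokens, nonce, and kid are constructed for the example; the issuer and client_id are the ones used on this page. Signature verification against the realm JWKS is assumed to have been done first and is not implemented here.

```python
import base64
import hashlib
import json
import time

# Added example: structural decode of an ID token plus the client-side claim checks.
# All tokens and values below are constructed; signature verification against the
# realm's JWKS is assumed to happen before these checks and is not implemented here.

ISSUER = "http://localhost:8080/realms/oauth2"
CLIENT_ID = "oauth2-client-app"


def b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the '=' padding that JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> tuple:
    """Split header.payload.signature and parse the two JSON segments.
    This only reads the token; it proves nothing about who issued it."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """at_hash: hash the access token with the digest behind the ID token's alg
    (SHA-256 for RS256), keep the left-most half, base64url-encode without padding."""
    digest_name = {"RS256": "sha256", "ES256": "sha256", "HS256": "sha256",
                   "RS384": "sha384", "RS512": "sha512"}[alg]
    digest = hashlib.new(digest_name, access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def validate_id_token_claims(claims, *, issuer, client_id, now=None, nonce=None,
                             access_token=None, alg="RS256", leeway=60):
    """Return a list of failures; an empty list means the claims are acceptable."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        problems.append("aud does not contain client_id")
    if len(auds) > 1 and "azp" not in claims:
        problems.append("multiple audiences but azp missing")
    if "azp" in claims and claims["azp"] != client_id:
        problems.append("azp is not client_id")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + leeway:
        problems.append("token expired or exp missing")
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + leeway:
        problems.append("iat missing or in the future")
    if nonce is not None and claims.get("nonce") != nonce:
        problems.append("nonce mismatch")
    if access_token is not None:
        if "at_hash" not in claims:
            problems.append("at_hash missing")
        elif claims["at_hash"] != compute_at_hash(access_token, alg):
            problems.append("at_hash does not match access token")
    return problems


# Constructed sample values: not real Keycloak tokens.
SAMPLE_ACCESS_TOKEN = "constructed.access.token"
SAMPLE_NONCE = "n-0S6_WzA2Mj"  # would be generated by the client for the auth request
SAMPLE_CLAIMS = {
    "exp": 1737040633, "iat": 1737040333, "auth_time": 1737040321,
    "iss": ISSUER, "aud": CLIENT_ID, "azp": CLIENT_ID, "typ": "ID",
    "sub": "b7bf7998-5c98-486b-97bb-b8303740ddb7",
    "at_hash": compute_at_hash(SAMPLE_ACCESS_TOKEN), "nonce": SAMPLE_NONCE,
    "email": "user@naver.com", "email_verified": False,
    "name": "hong gil dong", "preferred_username": "user",
}
SAMPLE_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
SAMPLE_ID_TOKEN = ".".join([
    b64url_encode(json.dumps(SAMPLE_HEADER, separators=(",", ":")).encode()),
    b64url_encode(json.dumps(SAMPLE_CLAIMS, separators=(",", ":")).encode()),
    b64url_encode(b"constructed-signature-not-verified"),
])


def check_sample(now=1737040400):
    """Decode the constructed token and validate it as the client would."""
    header, claims = decode_jwt_unverified(SAMPLE_ID_TOKEN)
    return validate_id_token_claims(claims, issuer=ISSUER, client_id=CLIENT_ID, now=now,
                                    nonce=SAMPLE_NONCE, access_token=SAMPLE_ACCESS_TOKEN,
                                    alg=header["alg"])


if __name__ == "__main__":
    print("problems:", check_sample())
```

In a Spring Security client these checks are performed by `OidcIdTokenDecoderFactory` and the configured `OAuth2TokenValidator`s; the value of writing them out is seeing which claim each failure maps to, and that at_hash needs the access token from the same token response.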
Claim types
Standard Claims (the set returned for the profile scope)
- name
- family_name
- given_name
- middle_name
- nickname
- preferred_username
- profile
- picture
- website
- gender
- birthdate
- zoneinfo
- locale
- updated_at
Address Claims (members of the address claim object, returned for the address scope)
- formatted
- street_address
- locality
- region
- postal_code
- country
These are the standard claims served by the UserInfo endpoint; which of them a client actually receives is determined by the scopes granted to it (and, in Keycloak, by the protocol mappers attached to those scopes). sub is always returned, and a client must never receive claims outside the scopes it was granted.
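The scope-to-claims mapping from the table at the top of this page and the claim lists above, as an added example in Python (not code from the original post or the lecture it follows). It filters a user record down to the UserInfo response permitted by the granted scope string, using the claim sets from OIDC Core 1.0 section 5.4, and shows how a custom scope can be added to the table. The user record and the custom "roles" scope are constructed for the example.

```python
# Added example: build a UserInfo response from a user record and a granted scope string.
# Claim sets follow OIDC Core 1.0 section 5.4; the user record and the "roles" scope are
# constructed for this example.

SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

# Only these members of the address object are standard; anything else is dropped.
ADDRESS_MEMBERS = ("formatted", "street_address", "locality", "region", "postal_code", "country")


def parse_scope(scope: str) -> list:
    """Split a space-delimited scope string, dropping duplicates but keeping order."""
    seen, out = set(), []
    for token in scope.split():
        if token not in seen:
            seen.add(token)
            out.append(token)
    return out


def userinfo_for_scopes(user: dict, granted_scope: str, custom_scopes: dict = None) -> dict:
    """Return only the claims the granted scopes allow. sub is always included.
    Unknown scopes contribute nothing rather than failing the request."""
    scopes = parse_scope(granted_scope)
    if "openid" not in scopes:
        raise ValueError("UserInfo requires the openid scope")
    table = {**SCOPE_CLAIMS, **(custom_scopes or {})}
    allowed = set()
    for scope in scopes:
        allowed |= table.get(scope, set())
    response = {"sub": user["sub"]}
    for claim in sorted(allowed):
        if claim == "address":
            address = user.get("address")
            if address:
                response["address"] = {k: v for k, v in address.items() if k in ADDRESS_MEMBERS}
        elif claim in user:  # membership test, so a False email_verified is still returned
            response[claim] = user[claim]
    return response


# Constructed user record; the identity fields mirror the decoded ID token on this page.
SAMPLE_USER = {
    "sub": "b7bf7998-5c98-486b-97bb-b8303740ddb7",
    "name": "hong gil dong", "given_name": "hong", "family_name": "gil dong",
    "preferred_username": "user",
    "email": "user@naver.com", "email_verified": False,
    "phone_number": "+82-10-0000-0000", "phone_number_verified": True,
    "address": {"formatted": "1 Example-ro, Seoul", "street_address": "1 Example-ro",
                "locality": "Seoul", "country": "KR", "internal_row_id": 42},
    "roles": ["user"],
    "password_hash": "constructed-never-a-claim",
}


if __name__ == "__main__":
    print(userinfo_for_scopes(SAMPLE_USER, "openid profile email"))
```

The granted scope is the one recorded with the access token at issuance (the "scope" member of the token response above), not whatever the caller of UserInfo asks for; re-reading it from the request would let a client escalate to claims it was never granted.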
References and image source
정수원 (Jeong Su-won), Spring Security OAuth2 (lecture)