在部署相關章節中，你會看到如何使用 Traefik 與 Let's Encrypt 免費設定 HTTPS。
///

## OpenID Connect { #openid-connect }

OpenID Connect 是基於 **OAuth2** 的另一套規範。

它只是擴充了 OAuth2，釐清了 OAuth2 中相對模糊的部份，以提升互通性。

例如，Google 登入使用的是 OpenID Connect（其底層使用 OAuth2）。

但 Facebook 登入不支援 OpenID Connect，它有自己風格的 OAuth2。

### OpenID（不是「OpenID Connect」） { #openid-not-openid-connect }

過去也有一個「OpenID」規範。它試圖解決與 **OpenID Connect** 相同的問題，但不是建立在 OAuth2 之上。

因此，它是一套完全額外、獨立的系統。

from flask import Flask, request

boto3.set_stream_logger('boto3.resources', logging.DEBUG)

authorize_url = "http://localhost:8080/auth/realms/minio/protocol/openid-connect/auth"
token_url = "http://localhost:8080/auth/realms/minio/protocol/openid-connect/token"

# callback url specified when the application was defined
callback_uri = "http://localhost:8000/oauth2/callback"

# keycloak id and secret
client_id = 'account'

    public String ldapInitialContextFactory;

    /** OpenID Connect client ID. */
    @Size(max = 1000)
    public String oicClientId;

    /** OpenID Connect client secret. */
    @Size(max = 1000)
    public String oicClientSecret;

    /** OpenID Connect authorization server URL. */
    @Size(max = 1000)
    public String oicAuthServerUrl;

    /** OpenID Connect token server URL. */
    @Size(max = 1000)

 *       typically implemented by opening a reader using one of the methods in the first category,
 *       doing something and finally closing the reader that was opened.
 * </ul>
 *
 * <p>Several methods in this class, such as {@link #readLines()}, break the contents of the source
 * into lines. Like {@link BufferedReader}, these methods break lines on any of {@code \n}, {@code

    // x509_extensions=x509_extensions
    // [distinguished_name]
    // [req_extensions]
    // [x509_extensions]
    // subjectAltName=DNS:localhost.localdomain,DNS:localhost,IP:127.0.0.1
    //
    // $ openssl req -x509 -nodes -days 36500 -subj '/CN=localhost' -config ./cert.cnf \
    //     -newkey rsa:512 -out cert.pem
    val certificate =
      certificate(
        """
        -----BEGIN CERTIFICATE-----

		}

		if l.AddressSpace > 0 {
			m.Set(processVirtualMemoryMaxBytes, float64(l.AddressSpace))
		}
	}

	openFDs, err := p.FileDescriptorsLen()
	if err != nil {
		metricsLogIf(ctx, err)
	} else if openFDs > 0 {
		m.Set(processFileDescriptorOpenTotal, float64(openFDs))
	}
}

// loadProcessMetrics - `MetricsLoaderFn` for process metrics

export MINIO_IDENTITY_OPENID_CLIENT_ID="843351d4-1080-11ea-aa20-271ecba3924a"
minio server /mnt/data
```

#### Casdoor

```
export MINIO_ROOT_USER=minio
export MINIO_ROOT_PASSWORD=minio123
export MINIO_IDENTITY_OPENID_CONFIG_URL=http://CASDOOR_ENDPOINT/.well-known/openid-configuration

   `keytool -importkeystore -srckeystore test-node.jks -srcstorepass keypass -destkeystore test-node.p12 -deststoretype PKCS12 -deststorepass keypass`
8. Export the node's private key
   `openssl pkcs12 -in test-node.p12 -passin pass:keypass -nocerts -passout pass:test-node-key-password -out test-node.key`
9. Convert the client's keystore to PKCS#12 temporarily so that we can export the private key (as keytool doesn't allow this)

		chmod +x kes
fi

if ! openssl version &>/dev/null; then
	apt install openssl || sudo apt install opensssl
fi

# Start KES Server
(./kes server --dev 2>&1 >kes-server.log) &
kes_pid=$!
sleep 5s
API_KEY=$(grep "API Key" <kes-server.log | awk -F" " '{print $3}')
(openssl s_client -connect 127.0.0.1:7373 2>/dev/null 1>public.crt)

export CI=true

from fastapi.security.open_id_connect_url import OpenIdConnect
from fastapi.testclient import TestClient
from inline_snapshot import snapshot
from pydantic import BaseModel

app = FastAPI()

oid = OpenIdConnect(openIdConnectUrl="/openid", auto_error=False)


class User(BaseModel):
    username: str


def get_current_user(oauth_header: str | None = Security(oid)):
    if oauth_header is None:
        return None