perf: 优化 OIDC 支持选择认证方式

2022-04-29 12:54:15 +08:00 · 2022-04-29 12:54:15 +08:00 · 00ed7bb025
parent b1aadf1ee9
commit 00ed7bb025
8 changed files with 191 additions and 169 deletions
--- a/apps/authentication/backends/oidc/backends.py
+++ b/apps/authentication/backends/oidc/backends.py
@ -103,9 +103,8 @@ class OIDCAuthCodeBackend(OIDCBaseBackend):
        # Prepares the token payload that will be used to request an authentication token to the
        # token endpoint of the OIDC provider.
        logger.debug(log_prompt.format('Prepares token payload'))
-
+        """ 
-        """ The reason for need not client_id and client_secret in token_payload.
+        The reason for need not client_id and client_secret in token_payload.
        OIDC protocol indicate client's token_endpoint_auth_method only accept one type in
            - client_secret_basic
            - client_secret_post
@ -113,25 +112,35 @@ class OIDCAuthCodeBackend(OIDCBaseBackend):
            - private_key_jwt
            - none
        If the client offer more than one auth method type to OIDC, OIDC will auth client failed.
-        OIDC default use client_secret_basic, this type only need in headers add Authorization=Basic xxx.
+        OIDC default use client_secret_basic, 
        this type only need in headers add Authorization=Basic xxx.
        More info see: https://github.com/jumpserver/jumpserver/issues/8165
-
+        More info see: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
        """
        token_payload = {
            # 'client_id': settings.AUTH_OPENID_CLIENT_ID,
            # 'client_secret': settings.AUTH_OPENID_CLIENT_SECRET,
            'grant_type': 'authorization_code',
            'code': code,
            'redirect_uri': build_absolute_uri(
                request, path=reverse(settings.AUTH_OPENID_AUTH_LOGIN_CALLBACK_URL_NAME)
            )
        }
-
+        if settings.AUTH_OPENID_CLIENT_AUTH_METHOD == 'client_secret_post':
-        # Prepares the token headers that will be used to request an authentication token to the
+            token_payload.update({
-        # token endpoint of the OIDC provider.
+                'client_id': settings.AUTH_OPENID_CLIENT_ID,
-        logger.debug(log_prompt.format('Prepares token headers'))
+                'client_secret': settings.AUTH_OPENID_CLIENT_SECRET,
-        basic_token = "{}:{}".format(settings.AUTH_OPENID_CLIENT_ID, settings.AUTH_OPENID_CLIENT_SECRET)
+            })
-        headers = {"Authorization": "Basic {}".format(base64.b64encode(basic_token.encode()).decode())}
+            headers = None
        else:
            # Prepares the token headers that will be used to request an authentication token to the
            # token endpoint of the OIDC provider.
            logger.debug(log_prompt.format('Prepares token headers'))
            basic_token = "{}:{}".format(
                settings.AUTH_OPENID_CLIENT_ID, settings.AUTH_OPENID_CLIENT_SECRET
            )
            headers = {
                "Authorization": "Basic {}".format(base64.b64encode(basic_token.encode()).decode())
            }
        # Calls the token endpoint.
        logger.debug(log_prompt.format('Call the token endpoint'))
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@ -187,6 +187,8 @@ class Config(dict):
        'BASE_SITE_URL': None,
        'AUTH_OPENID_CLIENT_ID': 'client-id',
        'AUTH_OPENID_CLIENT_SECRET': 'client-secret',
        # https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
        'AUTH_OPENID_CLIENT_AUTH_METHOD': 'client_secret_basic',
        'AUTH_OPENID_SHARE_SESSION': True,
        'AUTH_OPENID_IGNORE_SSL_VERIFICATION': True,
--- a/apps/jumpserver/settings/auth.py
+++ b/apps/jumpserver/settings/auth.py
@ -55,6 +55,7 @@ AUTH_OPENID = CONFIG.AUTH_OPENID
 BASE_SITE_URL = CONFIG.BASE_SITE_URL
 AUTH_OPENID_CLIENT_ID = CONFIG.AUTH_OPENID_CLIENT_ID
 AUTH_OPENID_CLIENT_SECRET = CONFIG.AUTH_OPENID_CLIENT_SECRET
 AUTH_OPENID_CLIENT_AUTH_METHOD = CONFIG.AUTH_OPENID_CLIENT_AUTH_METHOD
 AUTH_OPENID_PROVIDER_ENDPOINT = CONFIG.AUTH_OPENID_PROVIDER_ENDPOINT
 AUTH_OPENID_PROVIDER_AUTHORIZATION_ENDPOINT = CONFIG.AUTH_OPENID_PROVIDER_AUTHORIZATION_ENDPOINT
 AUTH_OPENID_PROVIDER_TOKEN_ENDPOINT = CONFIG.AUTH_OPENID_PROVIDER_TOKEN_ENDPOINT
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:8f5891533a7cdfa3938ef057364f22b1df73685d423f9fa55bc46cd17439e56e
+oid sha256:e70a491494af861945bde8a0b03c9b6e78dde7016446236ead362362b76b09a8
-size 125915
+size 125713
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-04-20 16:35+0800\n"
+"POT-Creation-Date: 2022-04-29 12:49+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@ -88,7 +88,7 @@ msgstr "ログイン確認"
 #: assets/models/cmd_filter.py:30 assets/models/label.py:15 audits/models.py:37
 #: audits/models.py:60 audits/models.py:85 audits/serializers.py:100
 #: authentication/models.py:51 orgs/models.py:214 perms/models/base.py:84
-#: rbac/builtin.py:110 rbac/models/rolebinding.py:40
+#: rbac/builtin.py:118 rbac/models/rolebinding.py:41
 #: terminal/backends/command/models.py:20
 #: terminal/backends/command/serializers.py:12 terminal/models/session.py:44
 #: terminal/notifications.py:91 terminal/notifications.py:139
@ -1360,7 +1360,7 @@ msgstr "監査"
 #: audits/models.py:27 audits/models.py:57
 #: authentication/templates/authentication/_access_key_modal.html:65
-#: rbac/tree.py:168
+#: rbac/tree.py:228
 msgid "Delete"
 msgstr "削除"
@ -1413,11 +1413,11 @@ msgstr "ファイル転送ログ"
 #: audits/models.py:55
 #: authentication/templates/authentication/_access_key_modal.html:22
-#: rbac/tree.py:165
+#: rbac/tree.py:225
 msgid "Create"
 msgstr "作成"
-#: audits/models.py:56 rbac/tree.py:167 templates/_csv_import_export.html:18
+#: audits/models.py:56 rbac/tree.py:227 templates/_csv_import_export.html:18
 #: templates/_csv_update_modal.html:6
 msgid "Update"
 msgstr "更新"
@ -2181,7 +2181,7 @@ msgstr "コードエラー"
 #: authentication/templates/authentication/_msg_reset_password.html:3
 #: authentication/templates/authentication/_msg_rest_password_success.html:2
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:2
-#: jumpserver/conf.py:299 ops/tasks.py:145 ops/tasks.py:148
+#: jumpserver/conf.py:301 ops/tasks.py:145 ops/tasks.py:148
 #: perms/templates/perms/_msg_item_permissions_expire.html:3
 #: perms/templates/perms/_msg_permed_items_expire.html:3
 #: users/templates/users/_msg_account_expire_reminder.html:4
@ -2642,11 +2642,11 @@ msgstr "特殊文字を含むべきではない"
 msgid "The mobile phone number format is incorrect"
 msgstr "携帯電話番号の形式が正しくありません"
-#: jumpserver/conf.py:298
+#: jumpserver/conf.py:300
 msgid "Create account successfully"
 msgstr "アカウントを正常に作成"
-#: jumpserver/conf.py:300
+#: jumpserver/conf.py:302
 msgid "Your account has been created successfully"
 msgstr "アカウントが正常に作成されました"
@ -2901,12 +2901,12 @@ msgstr ""
 msgid "The organization have resource ({}) cannot be deleted"
 msgstr "組織のリソース ({}) は削除できません"
-#: orgs/apps.py:7 rbac/tree.py:114
+#: orgs/apps.py:7 rbac/tree.py:115
 msgid "App organizations"
 msgstr "アプリ組織"
 #: orgs/mixins/models.py:46 orgs/mixins/serializers.py:25 orgs/models.py:80
-#: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:47
+#: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:48
 #: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:59
 #: tickets/serializers/ticket/ticket.py:77
 msgid "Organization"
@ -2920,7 +2920,7 @@ msgstr "グローバル組織"
 msgid "Can view root org"
 msgstr "グローバル組織を表示できます"
-#: orgs/models.py:216 rbac/models/role.py:46 rbac/models/rolebinding.py:43
+#: orgs/models.py:216 rbac/models/role.py:46 rbac/models/rolebinding.py:44
 #: users/models/user.py:671
 msgid "Role"
 msgstr "ロール"
@ -3133,27 +3133,27 @@ msgstr "{} 少なくとも1つのシステムロール"
 msgid "RBAC"
 msgstr "RBAC"
-#: rbac/builtin.py:101
+#: rbac/builtin.py:109
 msgid "SystemAdmin"
 msgstr "システム管理者"
-#: rbac/builtin.py:104
+#: rbac/builtin.py:112
 msgid "SystemAuditor"
 msgstr "システム監査人"
-#: rbac/builtin.py:107
+#: rbac/builtin.py:115
 msgid "SystemComponent"
 msgstr "システムコンポーネント"
-#: rbac/builtin.py:113
+#: rbac/builtin.py:121
 msgid "OrgAdmin"
 msgstr "組織管理者"
-#: rbac/builtin.py:116
+#: rbac/builtin.py:124
 msgid "OrgAuditor"
 msgstr "監査員を組織する"
-#: rbac/builtin.py:119
+#: rbac/builtin.py:127
 msgid "OrgUser"
 msgstr "組織ユーザー"
@ -3185,7 +3185,7 @@ msgstr "ファイルマネージャを表示できます"
 msgid "Permission"
 msgstr "権限"
-#: rbac/models/role.py:31 rbac/models/rolebinding.py:37
+#: rbac/models/role.py:31 rbac/models/rolebinding.py:38
 msgid "Scope"
 msgstr "スコープ"
@ -3205,22 +3205,22 @@ msgstr "システムの役割"
 msgid "Organization role"
 msgstr "組織の役割"
-#: rbac/models/rolebinding.py:52
+#: rbac/models/rolebinding.py:53
 msgid "Role binding"
 msgstr "ロールバインディング"
-#: rbac/models/rolebinding.py:151
+#: rbac/models/rolebinding.py:159
 msgid ""
 "User last role in org, can not be delete, you can remove user from org "
 "instead"
 msgstr ""
 "ユーザーの最後のロールは削除できません。ユーザーを組織から削除できます。"
-#: rbac/models/rolebinding.py:158
+#: rbac/models/rolebinding.py:166
 msgid "Organization role binding"
 msgstr "組織の役割バインディング"
-#: rbac/models/rolebinding.py:173
+#: rbac/models/rolebinding.py:181
 msgid "System role binding"
 msgstr "システムロールバインディング"
@ -3244,91 +3244,91 @@ msgstr "ロール表示"
 msgid "Has bound this role"
 msgstr "この役割をバインドしました"
-#: rbac/tree.py:19 rbac/tree.py:20
+#: rbac/tree.py:20 rbac/tree.py:21
 msgid "All permissions"
 msgstr "すべての権限"
-#: rbac/tree.py:26
+#: rbac/tree.py:27
 msgid "Console view"
 msgstr "コンソールビュー"
-#: rbac/tree.py:27
+#: rbac/tree.py:28
 msgid "Workbench view"
 msgstr "ワークスペースビュー"
-#: rbac/tree.py:28
+#: rbac/tree.py:29
 msgid "Audit view"
 msgstr "監査ビュー"
-#: rbac/tree.py:29 settings/models.py:140
+#: rbac/tree.py:30 settings/models.py:140
 msgid "System setting"
 msgstr "システム設定"
-#: rbac/tree.py:30
+#: rbac/tree.py:31
 msgid "Other"
 msgstr "その他"
-#: rbac/tree.py:38
+#: rbac/tree.py:39
 msgid "Accounts"
 msgstr "アカウント"
-#: rbac/tree.py:42
+#: rbac/tree.py:43
 msgid "Session audits"
 msgstr "セッション監査"
-#: rbac/tree.py:52
+#: rbac/tree.py:53
 msgid "Cloud import"
 msgstr "クラウドインポート"
-#: rbac/tree.py:53
+#: rbac/tree.py:54
 msgid "Backup account"
 msgstr "バックアップアカウント"
-#: rbac/tree.py:54
+#: rbac/tree.py:55
 msgid "Gather account"
 msgstr "アカウントを集める"
-#: rbac/tree.py:55
+#: rbac/tree.py:56
 msgid "App change auth"
 msgstr "応用改密"
-#: rbac/tree.py:56
+#: rbac/tree.py:57
 msgid "Asset change auth"
 msgstr "資産の改ざん"
-#: rbac/tree.py:57
+#: rbac/tree.py:58
 msgid "Terminal setting"
 msgstr "ターミナル設定"
-#: rbac/tree.py:58
+#: rbac/tree.py:59
 msgid "My assets"
 msgstr "私の資産"
-#: rbac/tree.py:59
+#: rbac/tree.py:60
 msgid "My apps"
 msgstr "マイアプリ"
-#: rbac/tree.py:115
+#: rbac/tree.py:116
 msgid "Ticket comment"
 msgstr "チケットコメント"
-#: rbac/tree.py:116 tickets/models/ticket.py:163
+#: rbac/tree.py:117 tickets/models/ticket.py:163
 msgid "Ticket"
 msgstr "チケット"
-#: rbac/tree.py:117
+#: rbac/tree.py:118
 msgid "Common setting"
 msgstr "共通設定"
-#: rbac/tree.py:118
+#: rbac/tree.py:119
 msgid "View permission tree"
 msgstr "権限ツリーの表示"
-#: rbac/tree.py:119
+#: rbac/tree.py:120
 msgid "Execute batch command"
 msgstr "バッチ実行コマンド"
-#: rbac/tree.py:166
+#: rbac/tree.py:226
 msgid "View"
 msgstr "表示"
@ -3454,7 +3454,7 @@ msgstr "ログインリダイレクトの有効化msg"
 msgid "Enable CAS Auth"
 msgstr "CAS 認証の有効化"
-#: settings/serializers/auth/cas.py:11 settings/serializers/auth/oidc.py:32
+#: settings/serializers/auth/cas.py:11 settings/serializers/auth/oidc.py:40
 msgid "Server url"
 msgstr "サービス側アドレス"
@ -3556,79 +3556,83 @@ msgstr "クライアントID"
 msgid "Client Secret"
 msgstr "クライアント秘密"
-#: settings/serializers/auth/oidc.py:20
+#: settings/serializers/auth/oidc.py:26
 msgid "Client authentication method"
 msgstr "クライアント認証方式"
 #: settings/serializers/auth/oidc.py:28
 msgid "Share session"
 msgstr "セッションの共有"
-#: settings/serializers/auth/oidc.py:22
+#: settings/serializers/auth/oidc.py:30
 msgid "Ignore ssl verification"
 msgstr "Ssl検証を無視する"
-#: settings/serializers/auth/oidc.py:29
+#: settings/serializers/auth/oidc.py:37
 msgid "Use Keycloak"
 msgstr "Keycloakを使用する"
-#: settings/serializers/auth/oidc.py:35
+#: settings/serializers/auth/oidc.py:43
 msgid "Realm name"
 msgstr "レルム名"
-#: settings/serializers/auth/oidc.py:41
+#: settings/serializers/auth/oidc.py:49
 msgid "Enable OPENID Auth"
 msgstr "OIDC認証の有効化"
-#: settings/serializers/auth/oidc.py:43
+#: settings/serializers/auth/oidc.py:51
 msgid "Provider endpoint"
 msgstr "プロバイダーエンドポイント"
-#: settings/serializers/auth/oidc.py:46
+#: settings/serializers/auth/oidc.py:54
 msgid "Provider auth endpoint"
 msgstr "認証エンドポイントアドレス"
-#: settings/serializers/auth/oidc.py:49
+#: settings/serializers/auth/oidc.py:57
 msgid "Provider token endpoint"
 msgstr "プロバイダートークンエンドポイント"
-#: settings/serializers/auth/oidc.py:52
+#: settings/serializers/auth/oidc.py:60
 msgid "Provider jwks endpoint"
 msgstr "プロバイダーjwksエンドポイント"
-#: settings/serializers/auth/oidc.py:55
+#: settings/serializers/auth/oidc.py:63
 msgid "Provider userinfo endpoint"
 msgstr "プロバイダーuserinfoエンドポイント"
-#: settings/serializers/auth/oidc.py:58
+#: settings/serializers/auth/oidc.py:66
 msgid "Provider end session endpoint"
 msgstr "プロバイダーのセッション終了エンドポイント"
-#: settings/serializers/auth/oidc.py:61
+#: settings/serializers/auth/oidc.py:69
 msgid "Provider sign alg"
 msgstr "プロビダーサインalg"
-#: settings/serializers/auth/oidc.py:64
+#: settings/serializers/auth/oidc.py:72
 msgid "Provider sign key"
 msgstr "プロバイダ署名キー"
-#: settings/serializers/auth/oidc.py:66
+#: settings/serializers/auth/oidc.py:74
 msgid "Scopes"
 msgstr "スコープ"
-#: settings/serializers/auth/oidc.py:68
+#: settings/serializers/auth/oidc.py:76
 msgid "Id token max age"
 msgstr "IDトークンの最大年齢"
-#: settings/serializers/auth/oidc.py:71
+#: settings/serializers/auth/oidc.py:79
 msgid "Id token include claims"
 msgstr "IDトークンにはクレームが含まれます"
-#: settings/serializers/auth/oidc.py:73
+#: settings/serializers/auth/oidc.py:81
 msgid "Use state"
 msgstr "使用状態"
-#: settings/serializers/auth/oidc.py:74
+#: settings/serializers/auth/oidc.py:82
 msgid "Use nonce"
 msgstr "Nonceを使用"
-#: settings/serializers/auth/oidc.py:76 settings/serializers/auth/saml2.py:33
+#: settings/serializers/auth/oidc.py:84 settings/serializers/auth/saml2.py:33
 msgid "Always update user"
 msgstr "常にユーザーを更新"
@ -4513,9 +4517,7 @@ msgstr "ホームページ"
 msgid "Cancel"
 msgstr "キャンセル"
-#: templates/resource_download.html:18 templates/resource_download.html:24
+#: templates/resource_download.html:18 templates/resource_download.html:30
 #: templates/resource_download.html:25 templates/resource_download.html:30
 #: templates/resource_download.html:40
 msgid "Client"
 msgstr "クライアント"
@ -4544,19 +4546,11 @@ msgstr ""
 "MacOSは、Windowsに付属のRDPアセットを接続するためにクライアントをダウンロード"
 "する必要があります"
-#: templates/resource_download.html:42
+#: templates/resource_download.html:41
 msgid ""
 "Windows needs to download the client to connect SSH assets, and the MacOS "
 "system uses its own terminal"
 msgstr ""
 "WindowsはクライアントをダウンロードしてSSH資産に接続する必要があり、macOSシス"
 "テムは独自のTerminalを採用している。"
 #: templates/resource_download.html:53
 msgid "Windows Remote application publisher tools"
 msgstr "Windowsリモートアプリケーション発行者ツール"
-#: templates/resource_download.html:54
+#: templates/resource_download.html:42
 msgid ""
 "Jmservisor is the program used to pull up remote applications in Windows "
 "Remote Application publisher"
@ -6732,3 +6726,10 @@ msgstr "究極のエディション"
 #: xpack/plugins/license/models.py:77
 msgid "Community edition"
 msgstr "コミュニティ版"
 #~ msgid ""
 #~ "Windows needs to download the client to connect SSH assets, and the MacOS "
 #~ "system uses its own terminal"
 #~ msgstr ""
 #~ "WindowsはクライアントをダウンロードしてSSH資産に接続する必要があり、macOS"
 #~ "システムは独自のTerminalを採用している。"
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:c6cf24f38fd82ad87d6062c4b36a771cb9fdeb76975b8b60f335a5a4fd9fd30c
+oid sha256:95e9f6addbdb6811647fd2bb5ae64bfc2572a80702c371eab0a1bb041a1e8476
-size 104169
+size 104032
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-04-20 16:35+0800\n"
+"POT-Creation-Date: 2022-04-29 12:49+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@ -87,7 +87,7 @@ msgstr "登录复核"
 #: assets/models/cmd_filter.py:30 assets/models/label.py:15 audits/models.py:37
 #: audits/models.py:60 audits/models.py:85 audits/serializers.py:100
 #: authentication/models.py:51 orgs/models.py:214 perms/models/base.py:84
-#: rbac/builtin.py:110 rbac/models/rolebinding.py:40
+#: rbac/builtin.py:118 rbac/models/rolebinding.py:41
 #: terminal/backends/command/models.py:20
 #: terminal/backends/command/serializers.py:12 terminal/models/session.py:44
 #: terminal/notifications.py:91 terminal/notifications.py:139
@ -1348,7 +1348,7 @@ msgstr "日志审计"
 #: audits/models.py:27 audits/models.py:57
 #: authentication/templates/authentication/_access_key_modal.html:65
-#: rbac/tree.py:168
+#: rbac/tree.py:228
 msgid "Delete"
 msgstr "删除"
@ -1401,11 +1401,11 @@ msgstr "文件管理"
 #: audits/models.py:55
 #: authentication/templates/authentication/_access_key_modal.html:22
-#: rbac/tree.py:165
+#: rbac/tree.py:225
 msgid "Create"
 msgstr "创建"
-#: audits/models.py:56 rbac/tree.py:167 templates/_csv_import_export.html:18
+#: audits/models.py:56 rbac/tree.py:227 templates/_csv_import_export.html:18
 #: templates/_csv_update_modal.html:6
 msgid "Update"
 msgstr "更新"
@ -2160,7 +2160,7 @@ msgstr "代码错误"
 #: authentication/templates/authentication/_msg_reset_password.html:3
 #: authentication/templates/authentication/_msg_rest_password_success.html:2
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:2
-#: jumpserver/conf.py:299 ops/tasks.py:145 ops/tasks.py:148
+#: jumpserver/conf.py:301 ops/tasks.py:145 ops/tasks.py:148
 #: perms/templates/perms/_msg_item_permissions_expire.html:3
 #: perms/templates/perms/_msg_permed_items_expire.html:3
 #: users/templates/users/_msg_account_expire_reminder.html:4
@ -2612,11 +2612,11 @@ msgstr "不能包含特殊字符"
 msgid "The mobile phone number format is incorrect"
 msgstr "手机号格式不正确"
-#: jumpserver/conf.py:298
+#: jumpserver/conf.py:300
 msgid "Create account successfully"
 msgstr "创建账号成功"
-#: jumpserver/conf.py:300
+#: jumpserver/conf.py:302
 msgid "Your account has been created successfully"
 msgstr "你的账号已创建成功"
@ -2865,12 +2865,12 @@ msgstr "LDAP 同步设置组织为当前组织，请切换其他组织后再进
 msgid "The organization have resource ({}) cannot be deleted"
 msgstr "组织存在资源 ({}) 不能被删除"
-#: orgs/apps.py:7 rbac/tree.py:114
+#: orgs/apps.py:7 rbac/tree.py:115
 msgid "App organizations"
 msgstr "组织管理"
 #: orgs/mixins/models.py:46 orgs/mixins/serializers.py:25 orgs/models.py:80
-#: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:47
+#: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:48
 #: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:59
 #: tickets/serializers/ticket/ticket.py:77
 msgid "Organization"
@ -2884,7 +2884,7 @@ msgstr "全局组织"
 msgid "Can view root org"
 msgstr "可以查看全局组织"
-#: orgs/models.py:216 rbac/models/role.py:46 rbac/models/rolebinding.py:43
+#: orgs/models.py:216 rbac/models/role.py:46 rbac/models/rolebinding.py:44
 #: users/models/user.py:671
 msgid "Role"
 msgstr "角色"
@ -3095,27 +3095,27 @@ msgstr "{} 至少有一个系统角色"
 msgid "RBAC"
 msgstr "RBAC"
-#: rbac/builtin.py:101
+#: rbac/builtin.py:109
 msgid "SystemAdmin"
 msgstr "系统管理员"
-#: rbac/builtin.py:104
+#: rbac/builtin.py:112
 msgid "SystemAuditor"
 msgstr "系统审计员"
-#: rbac/builtin.py:107
+#: rbac/builtin.py:115
 msgid "SystemComponent"
 msgstr "系统组件"
-#: rbac/builtin.py:113
+#: rbac/builtin.py:121
 msgid "OrgAdmin"
 msgstr "组织管理员"
-#: rbac/builtin.py:116
+#: rbac/builtin.py:124
 msgid "OrgAuditor"
 msgstr "组织审计员"
-#: rbac/builtin.py:119
+#: rbac/builtin.py:127
 msgid "OrgUser"
 msgstr "组织用户"
@ -3147,7 +3147,7 @@ msgstr "文件管理"
 msgid "Permission"
 msgstr "权限"
-#: rbac/models/role.py:31 rbac/models/rolebinding.py:37
+#: rbac/models/role.py:31 rbac/models/rolebinding.py:38
 msgid "Scope"
 msgstr "范围"
@ -3167,21 +3167,21 @@ msgstr "系统角色"
 msgid "Organization role"
 msgstr "组织角色"
-#: rbac/models/rolebinding.py:52
+#: rbac/models/rolebinding.py:53
 msgid "Role binding"
 msgstr "角色绑定"
-#: rbac/models/rolebinding.py:151
+#: rbac/models/rolebinding.py:159
 msgid ""
 "User last role in org, can not be delete, you can remove user from org "
 "instead"
 msgstr "用户最后一个角色，不能删除，你可以将用户从组织移除"
-#: rbac/models/rolebinding.py:158
+#: rbac/models/rolebinding.py:166
 msgid "Organization role binding"
 msgstr "组织角色绑定"
-#: rbac/models/rolebinding.py:173
+#: rbac/models/rolebinding.py:181
 msgid "System role binding"
 msgstr "系统角色绑定"
@ -3205,91 +3205,91 @@ msgstr "角色显示"
 msgid "Has bound this role"
 msgstr "已经绑定"
-#: rbac/tree.py:19 rbac/tree.py:20
+#: rbac/tree.py:20 rbac/tree.py:21
 msgid "All permissions"
 msgstr "所有权限"
-#: rbac/tree.py:26
+#: rbac/tree.py:27
 msgid "Console view"
 msgstr "控制台"
-#: rbac/tree.py:27
+#: rbac/tree.py:28
 msgid "Workbench view"
 msgstr "工作台"
-#: rbac/tree.py:28
+#: rbac/tree.py:29
 msgid "Audit view"
 msgstr "审计台"
-#: rbac/tree.py:29 settings/models.py:140
+#: rbac/tree.py:30 settings/models.py:140
 msgid "System setting"
 msgstr "系统设置"
-#: rbac/tree.py:30
+#: rbac/tree.py:31
 msgid "Other"
 msgstr "其它"
-#: rbac/tree.py:38
+#: rbac/tree.py:39
 msgid "Accounts"
 msgstr "账号管理"
-#: rbac/tree.py:42
+#: rbac/tree.py:43
 msgid "Session audits"
 msgstr "会话审计"
-#: rbac/tree.py:52
+#: rbac/tree.py:53
 msgid "Cloud import"
 msgstr "云同步"
-#: rbac/tree.py:53
+#: rbac/tree.py:54
 msgid "Backup account"
 msgstr "备份账号"
-#: rbac/tree.py:54
+#: rbac/tree.py:55
 msgid "Gather account"
 msgstr "收集账号"
-#: rbac/tree.py:55
+#: rbac/tree.py:56
 msgid "App change auth"
 msgstr "应用改密"
-#: rbac/tree.py:56
+#: rbac/tree.py:57
 msgid "Asset change auth"
 msgstr "资产改密"
-#: rbac/tree.py:57
+#: rbac/tree.py:58
 msgid "Terminal setting"
 msgstr "终端设置"
-#: rbac/tree.py:58
+#: rbac/tree.py:59
 msgid "My assets"
 msgstr "我的资产"
-#: rbac/tree.py:59
+#: rbac/tree.py:60
 msgid "My apps"
 msgstr "我的应用"
-#: rbac/tree.py:115
+#: rbac/tree.py:116
 msgid "Ticket comment"
 msgstr "工单评论"
-#: rbac/tree.py:116 tickets/models/ticket.py:163
+#: rbac/tree.py:117 tickets/models/ticket.py:163
 msgid "Ticket"
 msgstr "工单管理"
-#: rbac/tree.py:117
+#: rbac/tree.py:118
 msgid "Common setting"
 msgstr "一般设置"
-#: rbac/tree.py:118
+#: rbac/tree.py:119
 msgid "View permission tree"
 msgstr "查看授权树"
-#: rbac/tree.py:119
+#: rbac/tree.py:120
 msgid "Execute batch command"
 msgstr "执行批量命令"
-#: rbac/tree.py:166
+#: rbac/tree.py:226
 msgid "View"
 msgstr "查看"
@ -3415,7 +3415,7 @@ msgstr "启用登录跳转提示"
 msgid "Enable CAS Auth"
 msgstr "启用 CAS 认证"
-#: settings/serializers/auth/cas.py:11 settings/serializers/auth/oidc.py:32
+#: settings/serializers/auth/cas.py:11 settings/serializers/auth/oidc.py:40
 msgid "Server url"
 msgstr "服务端地址"
@ -3517,79 +3517,83 @@ msgstr "客户端 ID"
 msgid "Client Secret"
 msgstr "客户端密钥"
-#: settings/serializers/auth/oidc.py:20
+#: settings/serializers/auth/oidc.py:26
 msgid "Client authentication method"
 msgstr "客户端认证方式"
 #: settings/serializers/auth/oidc.py:28
 msgid "Share session"
 msgstr "共享会话"
-#: settings/serializers/auth/oidc.py:22
+#: settings/serializers/auth/oidc.py:30
 msgid "Ignore ssl verification"
 msgstr "忽略 SSL 证书验证"
-#: settings/serializers/auth/oidc.py:29
+#: settings/serializers/auth/oidc.py:37
 msgid "Use Keycloak"
 msgstr "使用 Keycloak"
-#: settings/serializers/auth/oidc.py:35
+#: settings/serializers/auth/oidc.py:43
 msgid "Realm name"
 msgstr "域"
-#: settings/serializers/auth/oidc.py:41
+#: settings/serializers/auth/oidc.py:49
 msgid "Enable OPENID Auth"
 msgstr "启用 OIDC 认证"
-#: settings/serializers/auth/oidc.py:43
+#: settings/serializers/auth/oidc.py:51
 msgid "Provider endpoint"
 msgstr "端点地址"
-#: settings/serializers/auth/oidc.py:46
+#: settings/serializers/auth/oidc.py:54
 msgid "Provider auth endpoint"
 msgstr "授权端点地址"
-#: settings/serializers/auth/oidc.py:49
+#: settings/serializers/auth/oidc.py:57
 msgid "Provider token endpoint"
 msgstr "token 端点地址"
-#: settings/serializers/auth/oidc.py:52
+#: settings/serializers/auth/oidc.py:60
 msgid "Provider jwks endpoint"
 msgstr "jwks 端点地址"
-#: settings/serializers/auth/oidc.py:55
+#: settings/serializers/auth/oidc.py:63
 msgid "Provider userinfo endpoint"
 msgstr "用户信息端点地址"
-#: settings/serializers/auth/oidc.py:58
+#: settings/serializers/auth/oidc.py:66
 msgid "Provider end session endpoint"
 msgstr "注销会话端点地址"
-#: settings/serializers/auth/oidc.py:61
+#: settings/serializers/auth/oidc.py:69
 msgid "Provider sign alg"
 msgstr "签名算法"
-#: settings/serializers/auth/oidc.py:64
+#: settings/serializers/auth/oidc.py:72
 msgid "Provider sign key"
 msgstr "签名 Key"
-#: settings/serializers/auth/oidc.py:66
+#: settings/serializers/auth/oidc.py:74
 msgid "Scopes"
 msgstr "连接范围"
-#: settings/serializers/auth/oidc.py:68
+#: settings/serializers/auth/oidc.py:76
 msgid "Id token max age"
 msgstr "令牌有效时间"
-#: settings/serializers/auth/oidc.py:71
+#: settings/serializers/auth/oidc.py:79
 msgid "Id token include claims"
 msgstr "声明"
-#: settings/serializers/auth/oidc.py:73
+#: settings/serializers/auth/oidc.py:81
 msgid "Use state"
 msgstr "使用状态"
-#: settings/serializers/auth/oidc.py:74
+#: settings/serializers/auth/oidc.py:82
 msgid "Use nonce"
 msgstr "临时使用"
-#: settings/serializers/auth/oidc.py:76 settings/serializers/auth/saml2.py:33
+#: settings/serializers/auth/oidc.py:84 settings/serializers/auth/saml2.py:33
 msgid "Always update user"
 msgstr "总是更新用户信息"
@ -4446,9 +4450,7 @@ msgstr "首页"
 msgid "Cancel"
 msgstr "取消"
-#: templates/resource_download.html:18 templates/resource_download.html:24
+#: templates/resource_download.html:18 templates/resource_download.html:30
 #: templates/resource_download.html:25 templates/resource_download.html:30
 #: templates/resource_download.html:40
 msgid "Client"
 msgstr "客户端"
@ -4474,17 +4476,11 @@ msgid ""
 "Windows"
 msgstr "macOS 需要下载客户端来连接 RDP 资产，Windows 系统默认安装了该程序"
-#: templates/resource_download.html:42
+#: templates/resource_download.html:41
 msgid ""
 "Windows needs to download the client to connect SSH assets, and the MacOS "
 "system uses its own terminal"
 msgstr "Windows 需要下载客户端来连接SSH资产，macOS系统采用自带的Terminal"
 #: templates/resource_download.html:53
 msgid "Windows Remote application publisher tools"
 msgstr "Windows 远程应用发布服务器工具"
-#: templates/resource_download.html:54
+#: templates/resource_download.html:42
 msgid ""
 "Jmservisor is the program used to pull up remote applications in Windows "
 "Remote Application publisher"
@ -6640,3 +6636,8 @@ msgstr "旗舰版"
 #: xpack/plugins/license/models.py:77
 msgid "Community edition"
 msgstr "社区版"
 #~ msgid ""
 #~ "Windows needs to download the client to connect SSH assets, and the MacOS "
 #~ "system uses its own terminal"
 #~ msgstr "Windows 需要下载客户端来连接SSH资产，macOS系统采用自带的Terminal"
--- a/apps/settings/serializers/auth/oidc.py
+++ b/apps/settings/serializers/auth/oidc.py
@ -17,6 +17,14 @@ class CommonSettingSerializer(serializers.Serializer):
    AUTH_OPENID_CLIENT_SECRET = serializers.CharField(
        required=False, max_length=1024,  write_only=True, label=_('Client Secret')
    )
    AUTH_OPENID_CLIENT_AUTH_METHOD = serializers.ChoiceField(
        default='client_secret_basic',
        choices=(
            ('client_secret_basic', 'Client Secret Basic'),
            ('client_secret_post', 'Client Secret Post')
        ),
        label=_('Client authentication method')
    )
    AUTH_OPENID_SHARE_SESSION = serializers.BooleanField(required=False, label=_('Share session'))
    AUTH_OPENID_IGNORE_SSL_VERIFICATION = serializers.BooleanField(
        required=False, label=_('Ignore ssl verification')