OAuth 是一個開放標準,允許使用者讓第三方應用訪問該使用者在某一網站上儲存的私密的資源(如照片,視訊,聯絡人列表),而不需要將使用者名稱和密碼提供給第三方應用。OAuth允許使用者提供一個令牌,而不是使用者名稱和密碼來訪問他們存放在特定服務提供者的資料。每一個令牌授權一個特定的網站在特定的時段內訪問特定的資源。這樣,OAuth讓使用者可以授權第三方網站訪問他們儲存在另外服務提供者的某些特定資訊。更多
OAuth2請參考理解OAuth 2.0
專案準備
-
新增依賴
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <dependency> <groupId>org.springframework.security.oauth</groupId> <artifactId>spring-security-oauth2</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-test</artifactId> </dependency> 複製程式碼 -
配置認證伺服器
@Configuration @EnableAuthorizationServer//是的,沒做,就這麼一個註解 public class MerryyouAuthorizationServerConfig { } 複製程式碼 -
配置資源伺服器
@Configuration @EnableResourceServer//咦,沒錯還是一個註解 public class MerryyouResourceServerConfig { } 複製程式碼 -
配置
application.yml客戶端資訊(不配置的話,控制檯會預設列印clientid和clietSecret)security: oauth2: client: client-id: merryyou client-secret: merryyou 複製程式碼 -
定義
MyUserDetailsService@Component public class MyUserDetailsService implements UserDetailsService { @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { return new User(username, "123456", AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER")); } } 複製程式碼 -
新增測試類
SecurityOauth2Test(使用者名稱密碼模式)@RunWith(SpringRunner.class) @SpringBootTest @Slf4j public class SecurityOauth2Test { //埠 final static long PORT = 9090; //clientId final static String CLIENT_ID = "merryyou"; //clientSecret final static String CLIENT_SECRET = "merryyou"; //使用者名稱 final static String USERNAME = "admin"; //密碼 final static String PASSWORD = "123456"; //獲取accessToken得URI final static String TOKEN_REQUEST_URI = "http://localhost:"+PORT+"/oauth/token?grant_type=password&username=" + USERNAME + "&password=" + PASSWORD+"&scope=all"; //獲取使用者資訊得URL final static String USER_INFO_URI = "http://localhost:"+PORT+"/user"; @Test public void getUserInfo() throws Exception{ RestTemplate rest = new RestTemplate(); HttpHeaders headers = new HttpHeaders(); headers.add( "authorization", "Bearer " + getAccessToken() ); HttpEntity<String> entity = new HttpEntity<String>(null, headers); // pay attention, if using get with headers, should use exchange instead of getForEntity / getForObject ResponseEntity<String> result = rest.exchange( USER_INFO_URI, HttpMethod.GET, entity, String.class, new Object[]{ null } ); log.info("使用者資訊返回的結果={}",JsonUtil.toJson(result)); } /** * 獲取accessToken * @return */ private String getAccessToken(){ RestTemplate rest = new RestTemplate(); HttpHeaders headers = new HttpHeaders(); headers.setContentType( MediaType.TEXT_PLAIN ); headers.add("authorization", getBasicAuthHeader()); HttpEntity<String> entity = new HttpEntity<String>(null, headers); ResponseEntity<OAuth2AccessToken> resp = rest.postForEntity( TOKEN_REQUEST_URI, entity, OAuth2AccessToken.class); if( !resp.getStatusCode().equals( HttpStatus.OK )){ throw new RuntimeException( resp.toString() ); } OAuth2AccessToken t = resp.getBody(); log.info("accessToken={}",JsonUtil.toJson(t)); log.info("the response, access_token: " + t.getValue() +"; token_type: " + t.getTokenType() +"; " + "refresh_token: " + t.getRefreshToken() +"; expiration: " + t.getExpiresIn() +", expired when:" + t.getExpiration() ); return t.getValue(); } /** * 構建header * @return */ private String getBasicAuthHeader(){ String auth = CLIENT_ID + ":" + CLIENT_SECRET; byte[] encodedAuth = Base64.encodeBase64(auth.getBytes()); String authHeader = "Basic " + new String(encodedAuth); return authHeader; } } 複製程式碼
授權碼模式效果如下:
測試類列印accessToken資訊
2018-01-20 18:16:49.900 INFO 16136 --- [ main] cn.merryyou.security.SecurityOauth2Test : accessToken={
"value": "8e5ea72c-d153-48f5-8ee7-9b5616fc43dc",
"expiration": "Jan 21, 2018 6:10:25 AM",
"tokenType": "bearer",
"refreshToken": {
"value": "7adfefec-c80c-4ff4-913c-4f161c47fbf1"
},
"scope": [
"all"
],
"additionalInformation": {}
}
複製程式碼spring security oauth2 登入核心原始碼
TokenEndpoint
//#1.處理/oauth/token請求
@RequestMapping(value = "/oauth/token", method=RequestMethod.POST)
public ResponseEntity<OAuth2AccessToken> postAccessToken(Principal principal, @RequestParam
Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
if (!(principal instanceof Authentication)) {
throw new InsufficientAuthenticationException(
"There is no client authentication. Try adding an appropriate authentication filter.");
}
//獲取clientId
String clientId = getClientId(principal);
//獲取第三方應用的詳細配置資訊
ClientDetails authenticatedClient = getClientDetailsService().loadClientByClientId(clientId);
//使用第三方應用資訊建立TokenRequest
TokenRequest tokenRequest = getOAuth2RequestFactory().createTokenRequest(parameters, authenticatedClient);
//有沒有傳clientId
if (clientId != null && !clientId.equals("")) {
// Only validate the client details if a client authenticated during this
// request.
//與配置裡面的是否匹配
if (!clientId.equals(tokenRequest.getClientId())) {
// double check to make sure that the client ID in the token request is the same as that in the
// authenticated client
throw new InvalidClientException("Given client ID does not match authenticated client");
}
}
if (authenticatedClient != null) {
//檢查scope
oAuth2RequestValidator.validateScope(tokenRequest, authenticatedClient);
}
//grant_type是否存在值,對應四種授權模式和重新整理token
if (!StringUtils.hasText(tokenRequest.getGrantType())) {
throw new InvalidRequestException("Missing grant type");
}
//是否簡化模式
if (tokenRequest.getGrantType().equals("implicit")) {
throw new InvalidGrantException("Implicit grant type not supported from token endpoint");
}
//是否是授權碼模式
if (isAuthCodeRequest(parameters)) {
// The scope was requested or determined during the authorization step
if (!tokenRequest.getScope().isEmpty()) {
logger.debug("Clearing scope of incoming token request");
//如果是授權碼模式scope設定為空,根據獲取code時的scope設定
tokenRequest.setScope(Collections.<String> emptySet());
}
}
//是否重新整理令牌
if (isRefreshTokenRequest(parameters)) {
// A refresh token has its own default scopes, so we should ignore any added by the factory here.
//設定scope
tokenRequest.setScope(OAuth2Utils.parseParameterList(parameters.get(OAuth2Utils.SCOPE)));
}
//獲取OAuth2AccessToken
OAuth2AccessToken token = getTokenGranter().grant(tokenRequest.getGrantType(), tokenRequest);
if (token == null) {
throw new UnsupportedGrantTypeException("Unsupported grant type: " + tokenRequest.getGrantType());
}
return getResponse(token);
}
複製程式碼ClientDetails
TokenRequest
CompositeTokenGranter#grant
//四種授權模式+重新整理令牌的模式根據grant_type判斷
public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
for (TokenGranter granter : tokenGranters) {
OAuth2AccessToken grant = granter.grant(grantType, tokenRequest);
if (grant!=null) {
return grant;
}
}
return null;
}
複製程式碼tokenGranters
AbstractTokenGranter#grant
public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
//判斷當前的授權型別和傳入的是否匹配
if (!this.grantType.equals(grantType)) {
return null;
}
//獲取clientId
String clientId = tokenRequest.getClientId();
ClientDetails client = clientDetailsService.loadClientByClientId(clientId);
//校驗
validateGrantType(grantType, client);
logger.debug("Getting access token for: " + clientId);
//產生令牌
return getAccessToken(client, tokenRequest);
}
複製程式碼AbstractTokenGranter#getAccessToken
protected OAuth2AccessToken getAccessToken(ClientDetails client, TokenRequest tokenRequest) {
return tokenServices.createAccessToken(getOAuth2Authentication(client, tokenRequest));
}
複製程式碼DefaultTokenServices#createAccessToken
public OAuth2AccessToken createAccessToken(OAuth2Authentication authentication) throws AuthenticationException {
//從tokenStore獲取OAuth2AccessToken (如果令牌存在,不同的授權模式下將返回同一個令牌)
OAuth2AccessToken existingAccessToken = tokenStore.getAccessToken(authentication);
OAuth2RefreshToken refreshToken = null;
//判斷是否過期
if (existingAccessToken != null) {
if (existingAccessToken.isExpired()) {
if (existingAccessToken.getRefreshToken() != null) {
//刪除過期的令牌
refreshToken = existingAccessToken.getRefreshToken();
// The token store could remove the refresh token when the
// access token is removed, but we want to
// be sure...
tokenStore.removeRefreshToken(refreshToken);
}
tokenStore.removeAccessToken(existingAccessToken);
}
else {
//如果令牌存在則從新儲存一下
// Re-store the access token in case the authentication has changed
tokenStore.storeAccessToken(existingAccessToken, authentication);
//儲存完直接返回
return existingAccessToken;
}
}
// Only create a new refresh token if there wasn't an existing one
// associated with an expired access token.
// Clients might be holding existing refresh tokens, so we re-use it in
// the case that the old access token
// expired.
//判斷重新整理令牌不存在
if (refreshToken == null) {
//建立重新整理令牌
refreshToken = createRefreshToken(authentication);
}
// But the refresh token itself might need to be re-issued if it has
// expired.
else if (refreshToken instanceof ExpiringOAuth2RefreshToken) {
//過期
ExpiringOAuth2RefreshToken expiring = (ExpiringOAuth2RefreshToken) refreshToken;
if (System.currentTimeMillis() > expiring.getExpiration().getTime()) {
refreshToken = createRefreshToken(authentication);
}
}
//根據重新整理令牌建立OAuth2AccessToken
OAuth2AccessToken accessToken = createAccessToken(authentication, refreshToken);
tokenStore.storeAccessToken(accessToken, authentication);
// In case it was modified
refreshToken = accessToken.getRefreshToken();
if (refreshToken != null) {
tokenStore.storeRefreshToken(refreshToken, authentication);
}
//返回OAuth2AccessToken
return accessToken;
}
複製程式碼程式碼下載
從我的 github 中下載,github.com/longfeizhen…