背景

前段时间有同学私信我,让我讲下Oauth2授权模式,并且还强调是零基础的那种,我也不太理解这个零基础到底是什么程度,但是我觉得任何阶段的同学看完我这个视频,对OAuth2的理解将会有很大的提升,并且也会熟练的使用SpringSecurity OAuth2,轻松搭建认证服务和资源服务。

大概了解下 SpringSecurity

Spring Security是一套安全框架,可以基于RBAC(基于角色的权限控制)对用户的访问权限进行控制,核心思想是通过一套filterChanin进行拦截和过滤

再来了解OAuth2

Oauth2是一个关于授权的官方标准,核心思路是通过各种认证手段(需要用户自己选择实现)进行认证用户身份,并颁发token,使得第三方应用可以使用该令牌在限定时间和限定范围内访问指定资源

再来了解SpringSecurity Oauth2

Spring Security OAuth2建立在Spring Security的基础之上,实现了OAuth2的规范 概念部分铺垫完成了,现在我们讲下OAuth2的四种授权模式

四种授权模式

为什么提供四种呢?四种授权模式代表OAuth授权第三方的不同互信程度

授权码模式(最安全,也最常用)

通过授权码获取token

场景

当用户使用B网站的账号(如微信)授权登录A网站

步骤

  • 跳转到B网站授权页面,输入B网站用户名和密码
  • B网站认证服务验证通过,回调网站A提供的回调地址,并带上认证code

  • A网站收到回调之后,提取code,再调用B网站获取token的接口,并带上A网站在B网站上面注册的client_id和client_secert

    别说话,看图

    SpringSecurity OAuth2 四种授权模式(理论 实战) - 图1SpringSecurity OAuth2 四种授权模式(理论 实战) - 图2

    简化模式(有中间人攻击的风险)

    简化模式在授权码模式的基础上减去了获取授权码的步骤,B网站认证通过之后,直接返回token 回调给A网站,所以又称为(授权码)“隐藏式”(implicit)

    步骤

  • 跳转到B网站授权页面,输入B网站用户名和密码

  • B网站认证服务验证通过,回调网站A提供的回调地址,并带上token信息

    看图

    SpringSecurity OAuth2 四种授权模式(理论 实战) - 图3

    密码模式(除非没得选才用,毕竟涉及到用户隐私)

    A网站要求用户直接输入用户名和密码,A网站自己拿着用户的密码和账号去B网站进行认证,直接获取token

    步骤

  • A网站要求用户输入账号和密码

  • A网站携带账号和密码去B网站认证
  • B网站认证通过,直接返回token给A网站

    看图

    SpringSecurity OAuth2 四种授权模式(理论 实战) - 图4

    客户端模式

    客户端模式其实和用户就没关系了,其实也可以说它不属于Oauth了,因为是用网站A自己的身份信息去B网站认证获取token,A网站上的所有用户去访问B网站的资源,都是用的A网站自己的客户端信息。

    场景

    这个一般用于微服务之间进行认证,如服务A想访问服务B,那么服务B需要校验服务A有没有权限访问自己,所以就需要校验服务B的token,这时就可以采用客户端模式,后面讲资源服务去认证中check_toekn的时候,用的就是这种方式。

    看图

    SpringSecurity OAuth2 四种授权模式(理论 实战) - 图5
    现在四种授权模式讲完了,大家是不是有个疑问:前面三种授权方式,拿到token之后,是怎么和用户进行绑定的呢?接下来看下实战过程中,是怎么用SpringSecurity Oauth2 实现四种授权方式。

    准备好电脑,开干

    创建认证服务

    创建ClientDetailsServiceImpl

    根据clientID获取客户端信息,security会去调用多次,所以一般加上缓存 ```java package com.lglbc.oauth2.config.details.client;

import com.lglbc.oauth2.entity.OauthClient; import com.lglbc.oauth2.enums.PasswordEncoderTypeEnum; import com.lglbc.oauth2.service.OauthClientService; import lombok.RequiredArgsConstructor; import org.springframework.security.oauth2.provider.ClientDetails; import org.springframework.security.oauth2.provider.ClientDetailsService; import org.springframework.security.oauth2.provider.NoSuchClientException; import org.springframework.security.oauth2.provider.client.BaseClientDetails; import org.springframework.stereotype.Service;

import java.util.Objects;

/**

  • @author: 乐哥聊编程(全平台同号) */ @Service @RequiredArgsConstructor public class ClientDetailsServiceImpl implements ClientDetailsService { private final OauthClientService oauthClientService;

    @Override public ClientDetails loadClientByClientId(String clientId) {

    1.  // 获取client信息
    2.  OauthClient oauthClient = oauthClientService.lambdaQuery().eq(OauthClient::getClientId, clientId).one();
    3.  if (Objects.nonNull(oauthClient)) {
    4.      BaseClientDetails clientDetails = new BaseClientDetails(
    5.              oauthClient.getClientId(),
    6.              oauthClient.getResourceIds(),
    7.              oauthClient.getScope(),
    8.              oauthClient.getAuthorizedGrantTypes(),
    9.              oauthClient.getAuthorities(),
    10.              oauthClient.getWebServerRedirectUri());
    11.      clientDetails.setClientSecret(PasswordEncoderTypeEnum.NOOP.getPrefix() + oauthClient.getClientSecret());
    12.      clientDetails.setAccessTokenValiditySeconds(oauthClient.getAccessTokenValidity());
    13.      clientDetails.setRefreshTokenValiditySeconds(oauthClient.getRefreshTokenValidity());
    14.      return clientDetails;
    15.  } else {
    16.      throw new NoSuchClientException("没找到客户端信息");
    17.  }

    } } ```

创建自定义的userDetails(自定义用户自己的信息)

  1. package com.lglbc.oauth2.config.details.user;
  3. import lombok.AllArgsConstructor;
  4. import lombok.Builder;
  5. import lombok.Data;
  6. import lombok.NoArgsConstructor;
  7. import org.springframework.security.core.GrantedAuthority;
  8. import org.springframework.security.core.authority.SimpleGrantedAuthority;
  9. import org.springframework.security.core.userdetails.UserDetails;
  11. import java.util.Collection;
  13. /**
  14.  * @author: 乐哥聊编程(全平台同号)
  15.  */
  16. @Data
  17. @Builder
  18. @AllArgsConstructor
  19. @NoArgsConstructor
  20. public class SysUserDetails implements UserDetails {
  22.     /**
  23.      * 扩展字段
  24.      */
  25.     private Long userId;
  27.     /**
  28.      * 默认字段
  29.      */
  30.     private String username;
  31.     private String password;
  32.     private Boolean enabled;
  33.     private Collection<SimpleGrantedAuthority> authorities;
  36.     @Override
  37.     public Collection<? extends GrantedAuthority> getAuthorities() {
  38.         return this.authorities;
  39.     }
  41.     @Override
  42.     public String getPassword() {
  43.         return this.password;
  44.     }
  46.     @Override
  47.     public String getUsername() {
  48.         return this.username;
  49.     }
  51.     @Override
  52.     public boolean isAccountNonExpired() {
  53.         return true;
  54.     }
  56.     @Override
  57.     public boolean isAccountNonLocked() {
  58.         return true;
  59.     }
  61.     @Override
  62.     public boolean isCredentialsNonExpired() {
  63.         return true;
  64.     }
  66.     @Override
  67.     public boolean isEnabled() {
  68.         return this.enabled;
  69.     }
  70. }

创建根据用户账号获取信息的detailService

  1. package com.lglbc.oauth2.config.details.user;
  3. import com.lglbc.oauth2.entity.Role;
  4. import com.lglbc.oauth2.entity.User;
  5. import com.lglbc.oauth2.enums.PasswordEncoderTypeEnum;
  6. import com.lglbc.oauth2.mapper.UserRoleMapper;
  7. import com.lglbc.oauth2.service.RoleService;
  8. import com.lglbc.oauth2.service.UserService;
  9. import com.xiaoleilu.hutool.collection.CollectionUtil;
  10. import org.springframework.beans.factory.annotation.Autowired;
  11. import org.springframework.security.core.GrantedAuthority;
  12. import org.springframework.security.core.authority.SimpleGrantedAuthority;
  13. import org.springframework.security.core.userdetails.UserDetails;
  14. import org.springframework.security.core.userdetails.UserDetailsService;
  15. import org.springframework.security.core.userdetails.UsernameNotFoundException;
  16. import org.springframework.security.oauth2.provider.endpoint.TokenEndpoint;
  17. import org.springframework.stereotype.Service;
  19. import java.util.*;
  20. import java.util.stream.Collectors;
  23. @Service
  24. public class SysUserDetailServiceImpl implements UserDetailsService {
  25.     @Autowired
  26.     private UserService userServiceImpl;
  27.     @Autowired
  28.     private RoleService roleServiceImpl;
  29.     @Autowired
  30.     private UserRoleMapper userRoleMapper;
  32.     @Override
  33.     public UserDetails loadUserByUsername(String name) throws UsernameNotFoundException {
  34.         Map<String, Object> map = new HashMap<>();
  35.         map.put("username", name);
  36.         User user = userServiceImpl.lambdaQuery().eq(User::getUsername, name).one();
  37.         if (user == null) {
  38.             throw new UsernameNotFoundException("此用户不存在");
  39.         }
  41.         Collection<SimpleGrantedAuthority> grantedAuthorities = new ArrayList<>();
  42.         List<String> roleIds = userRoleMapper.getRoleIdByUserId(user.getId());
  43.         if (CollectionUtil.isNotEmpty(roleIds)){
  44.             List<Role> roles = roleServiceImpl.lambdaQuery().in(Role::getId, roleIds).list();
  45.             List<String> roleCodes = roles.stream().map(Role::getCode).collect(Collectors.toList());
  46.             for (String roleCOde : roleCodes) {
  47.                 SimpleGrantedAuthority grantedAuthority = new SimpleGrantedAuthority("ROLE_"+roleCOde);
  48.                 grantedAuthorities.add(grantedAuthority);
  49.             }
  50.         }
  52.         return new SysUserDetails(user.getId(), user.getUsername(),PasswordEncoderTypeEnum.BCRYPT.getPrefix() + user.getPassword(),true, grantedAuthorities);
  53.     }
  56. }

创建认证服务配置

  1. package com.lglbc.oauth2.config;
  3. import com.lglbc.oauth2.config.details.client.ClientDetailsServiceImpl;
  4. import com.lglbc.oauth2.config.details.user.SysUserDetails;
  5. import com.xiaoleilu.hutool.collection.CollectionUtil;
  6. import lombok.RequiredArgsConstructor;
  7. import lombok.SneakyThrows;
  8. import org.springframework.context.annotation.Bean;
  9. import org.springframework.context.annotation.Configuration;
  10. import org.springframework.core.io.ClassPathResource;
  11. import org.springframework.data.redis.connection.RedisConnectionFactory;
  12. import org.springframework.security.authentication.AuthenticationManager;
  13. import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
  14. import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
  15. import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
  16. import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
  17. import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
  18. import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
  19. import org.springframework.security.oauth2.provider.CompositeTokenGranter;
  20. import org.springframework.security.oauth2.provider.TokenGranter;
  21. import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
  22. import org.springframework.security.oauth2.provider.token.TokenEnhancer;
  23. import org.springframework.security.oauth2.provider.token.TokenEnhancerChain;
  24. import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
  25. import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;
  26. import org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore;
  28. import java.security.KeyPair;
  29. import java.util.*;
  31. /**
  32.  * @author: 乐哥聊编程(全平台同号)
  33.  */
  34. @Configuration
  35. @EnableAuthorizationServer
  36. @RequiredArgsConstructor
  37. public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
  39.     private final AuthenticationManager authenticationManager;
  40.     private final ClientDetailsServiceImpl clientDetailsService;
  41.     // 该对象用来将令牌信息存储到Redis中
  42.     private final RedisConnectionFactory redisConnectionFactory;
  44.     /**
  45.      * OAuth2客户端
  46.      */
  47.     @Override
  48.     @SneakyThrows
  49.     public void configure(ClientDetailsServiceConfigurer clients) {
  50.         clients.withClientDetails(clientDetailsService);
  51.     }
  54.     /**
  55.      * 配置授权(authorization)以及令牌(token)的访问端点和令牌服务(token services)
  56.      */
  57.     @Override
  58.     public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
  59.         // Token增强
  60.         TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
  61.         List<TokenEnhancer> tokenEnhancers = new ArrayList<>();
  62.         tokenEnhancers.add(tokenEnhancer());
  63.         tokenEnhancers.add(jwtAccessTokenConverter());
  64.         tokenEnhancerChain.setTokenEnhancers(tokenEnhancers);
  66.         // 获取原有默认授权模式(授权码模式、密码模式、客户端模式、简化模式)的授权者
  67.         List<TokenGranter> granterList = new ArrayList<>(Arrays.asList(endpoints.getTokenGranter()));
  69.         CompositeTokenGranter compositeTokenGranter = new CompositeTokenGranter(granterList);
  70.         endpoints
  71.                 .authenticationManager(authenticationManager)
  72.                 .accessTokenConverter(jwtAccessTokenConverter())
  73.                 .tokenEnhancer(tokenEnhancerChain)
  74.                 .tokenGranter(compositeTokenGranter)
  75.                 .tokenServices(tokenServices(endpoints))
  76.         ;
  77.     }
  79.     @Override
  80.     public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
  81.         security.checkTokenAccess("permitAll()");
  82.     }
  84.     public DefaultTokenServices tokenServices(AuthorizationServerEndpointsConfigurer endpoints) {
  85.         TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
  86.         List<TokenEnhancer> tokenEnhancers = new ArrayList<>();
  87.         tokenEnhancers.add(tokenEnhancer());
  88.         tokenEnhancers.add(jwtAccessTokenConverter());
  89.         tokenEnhancerChain.setTokenEnhancers(tokenEnhancers);
  90.         DefaultTokenServices tokenServices = new DefaultTokenServices();
  91.         tokenServices.setTokenStore(endpoints.getTokenStore());
  92.         tokenServices.setSupportRefreshToken(true);
  93.         tokenServices.setReuseRefreshToken(true);
  94.         tokenServices.setClientDetailsService(clientDetailsService);
  95.         tokenServices.setTokenEnhancer(tokenEnhancerChain);
  96.         return tokenServices;
  97.     }
  99.     /**
  100.      * JWT内容增强
  101.      */
  102.     @Bean
  103.     public TokenEnhancer tokenEnhancer() {
  104.         return (accessToken, authentication) -> {
  105.             Map<String, Object> additionalInfo = CollectionUtil.newHashMap();
  106.             if (Objects.nonNull(authentication.getUserAuthentication())) {
  107.                 Object principal = authentication.getUserAuthentication().getPrincipal();
  108.                 if (principal instanceof SysUserDetails) {
  109.                     SysUserDetails sysUserDetails = (SysUserDetails) principal;
  110.                     additionalInfo.put("userId", sysUserDetails.getUserId());
  111.                     additionalInfo.put("username", sysUserDetails.getUsername());
  112.                     ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo);
  113.                 }
  114.             }
  115.             return accessToken;
  116.         };
  117.     }
  119.     /**
  120.      * 使用非对称加密算法对token签名
  121.      */
  122.     @Bean
  123.     public JwtAccessTokenConverter jwtAccessTokenConverter() {
  124.         JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
  125.         converter.setKeyPair(keyPair());
  126.         return converter;
  127.     }
  129.     /**
  130.      * 密钥库中获取密钥对(公钥+私钥)
  131.      */
  132.     @Bean
  133.     public KeyPair keyPair() {
  134.         KeyStoreKeyFactory factory = new KeyStoreKeyFactory(new ClassPathResource("jwt.jks"), "123456".toCharArray());
  135.         KeyPair keyPair = factory.getKeyPair("jwt", "123456".toCharArray());
  136.         return keyPair;
  137.     }
  139. }

创建安全配置

  1. package com.lglbc.oauth2.config;
  3. import com.lglbc.oauth2.common.result.R;
  4. import com.lglbc.oauth2.common.result.ResultCode;
  5. import com.xiaoleilu.hutool.json.JSONUtil;
  6. import lombok.RequiredArgsConstructor;
  7. import lombok.extern.slf4j.Slf4j;
  8. import org.springframework.context.annotation.Bean;
  9. import org.springframework.context.annotation.Configuration;
  10. import org.springframework.http.HttpHeaders;
  11. import org.springframework.http.HttpStatus;
  12. import org.springframework.http.MediaType;
  13. import org.springframework.security.authentication.AuthenticationManager;
  14. import org.springframework.security.authentication.InsufficientAuthenticationException;
  15. import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
  16. import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
  17. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  18. import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
  19. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
  20. import org.springframework.security.core.userdetails.UserDetailsService;
  21. import org.springframework.security.crypto.factory.PasswordEncoderFactories;
  22. import org.springframework.security.crypto.password.PasswordEncoder;
  23. import org.springframework.security.web.AuthenticationEntryPoint;
  25. /**
  26.  * @author: 乐哥聊编程(全平台同号)
  27.  */
  28. @Configuration
  29. @EnableWebSecurity
  30. @Slf4j
  31. @RequiredArgsConstructor
  32. public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  34.     private final UserDetailsService sysUserDetailsService;
  35.     private final String realName = ".";
  37.     @Override
  38.     protected void configure(HttpSecurity http) throws Exception {
  39.         http
  40.                 .authorizeRequests().antMatchers("/oauth/**", "/test/**", "/login").permitAll()
  41.                 .anyRequest().authenticated()
  42.                 .and()
  43.                 .httpBasic().and()
  44.                 .csrf().disable()
  45.                 .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint());
  46.     }
  48.     /**
  49.      * 认证管理对象
  50.      *
  51.      * @return
  52.      * @throws Exception
  53.      */
  54.     @Bean
  55.     public AuthenticationManager authenticationManagerBean() throws Exception {
  56.         return super.authenticationManagerBean();
  57.     }
  59.     /**
  60.      * 添加自定义认证器
  61.      *
  62.      * @param auth
  63.      */
  64.     @Override
  65.     public void configure(AuthenticationManagerBuilder auth) throws Exception {
  66.         auth.authenticationProvider(daoAuthenticationProvider());
  67.     }
  69.     /**
  70.      * 设置默认的用户名密码认证授权提供者
  71.      *
  72.      * @return
  73.      */
  74.     @Bean
  75.     public DaoAuthenticationProvider daoAuthenticationProvider() {
  76.         DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
  77.         provider.setUserDetailsService(sysUserDetailsService);
  78.         provider.setPasswordEncoder(passwordEncoder());
  79.         provider.setHideUserNotFoundExceptions(false); // 是否隐藏用户不存在异常,默认:true-隐藏;false-抛出异常;
  80.         return provider;
  81.     }
  83.     @Bean
  84.     public PasswordEncoder passwordEncoder() {
  85.         return PasswordEncoderFactories.createDelegatingPasswordEncoder();
  86.     }
  88.     /**
  89.      * 自定义认证异常响应数据
  90.      */
  91.     @Bean
  92.     public AuthenticationEntryPoint authenticationEntryPoint() {
  93.         return (request, response, e) -> {
  94.             if (e.getMessage().equals("User must be authenticated with Spring Security before authorization can be completed.")) {
  95.                 response.addHeader("WWW-Authenticate", "Basic realm= " + realName);
  96.                 response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
  97.             } else {
  98.                 response.setStatus(HttpStatus.OK.value());
  99.                 response.setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_UTF8_VALUE);
  100.                 response.setHeader("Access-Control-Allow-Origin", "*");
  101.                 response.setHeader("Cache-Control", "no-cache");
  102.                 R result = R.failed(ResultCode.CLIENT_AUTHENTICATION_FAILED);
  103.                 response.getWriter().print(JSONUtil.toJsonStr(result));
  104.                 response.getWriter().flush();
  105.             }
  106.         };
  107.     }
  108. }

重写token enpoint

  1. package com.lglbc.oauth2;
  3. import com.lglbc.oauth2.common.result.R;
  4. import com.nimbusds.jose.jwk.JWKSet;
  5. import com.nimbusds.jose.jwk.RSAKey;
  6. import lombok.AllArgsConstructor;
  7. import lombok.extern.slf4j.Slf4j;
  8. import org.springframework.security.oauth2.common.OAuth2AccessToken;
  9. import org.springframework.security.oauth2.provider.endpoint.TokenEndpoint;
  10. import org.springframework.web.HttpRequestMethodNotSupportedException;
  11. import org.springframework.web.bind.annotation.*;
  13. import java.security.KeyPair;
  14. import java.security.Principal;
  15. import java.security.interfaces.RSAPublicKey;
  16. import java.util.Map;
  18. /**
  19.  * @author: 乐哥聊编程(全平台同号)
  20.  */
  21. @RestController
  22. @RequestMapping("/oauth")
  23. @AllArgsConstructor
  24. @Slf4j
  25. public class AuthController {
  27.     private KeyPair keyPair;
  28.     private final TokenEndpoint tokenEndpoint;
  30.     @PostMapping("/token")
  31.     public Object postAccessToken(
  32.             Principal principal,
  33.             @RequestParam Map<String, String> parameters
  34.     ) throws HttpRequestMethodNotSupportedException {
  35.         OAuth2AccessToken accessToken = tokenEndpoint.postAccessToken(principal, parameters).getBody();
  36.         return R.ok(accessToken);
  37.     }
  39.     @GetMapping("/public-key")
  40.     public Map<String, Object> getPublicKey() {
  41.         RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
  42.         RSAKey key = new RSAKey.Builder(publicKey).build();
  43.         return new JWKSet(key).toJSONObject();
  44.     }
  45. }

演示四种授权模式

授权码模式

获取授权码

SpringSecurity OAuth2 四种授权模式(理论 实战) - 图6

  • 输入用户名和密码

SpringSecurity OAuth2 四种授权模式(理论 实战) - 图7
在这里插入图片描述

  • 点击授权,获取授权码

SpringSecurity OAuth2 四种授权模式(理论 实战) - 图8

获取token

  1. curl --location --request POST --X POST 'http://localhost:8080/oauth/token?code=k9jcxv&grant_type=authorization_code' \
  2. --header 'User-Agent: Apipost client Runtime/+https://www.apipost.cn/' \
  3. --header 'Authorization: Basic YWRtaW46YW1z'

SpringSecurity OAuth2 四种授权模式(理论 实战) - 图9

刷新token

  1. curl --location --request POST --X POST 'http://localhost:8080/oauth/token?refresh_token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJhbXMiLCJzY29wZSI6WyJ3cml0ZSJdLCJhdGkiOiI4NjZmYWY2MC05MTE1LTQ0NGMtOWNkNi05MjRmYTRlZjQ4YjUiLCJleHAiOjE2NTQ1MzExMzcsInVzZXJJZCI6NCwiYXV0aG9yaXRpZXMiOlsiUk9MRV9BRE1JTiIsIlJPTEVfVVNFUiJdLCJqdGkiOiIyNDg1M2NiNi02ZGM1LTRlMDQtYjAxOC0wMGE0MGMxNGMyNjAiLCJjbGllbnRfaWQiOiJhZG1pbiIsInVzZXJuYW1lIjoiYW1zIn0.BX87xbC1SEVgXsQ6qdI1_RLVOY1ffqoKDvd-Fnu5FfJor6CR-3NtUjMBIQig_jAnJwptG8ZIs1q715GAQTtgoRVUMsnXBv8RKmlDvxjclUYIWrRXy1d9Rj84WC4niDU8rOzazr4L1-chkwod3rAEDAZSiBcd4XZ1S2cfG7WBSH1TcivNtY0pk_ePS08ItN_2wYm57-7_JD8XCRecpn6nF6ax20ysimqPftAKIiVzvhhN4O_TsHd3-lB7ZYTsT-SlzjBu43gm5eGFWhsOBK7NgxObwoeXaoARrzW3GaUw8DsLTKsDofyIIFGnKee9sooAwejPrsxtVRJlfj8gIc5EdA&grant_type=refresh_token' \
  2. --header 'User-Agent: Apipost client Runtime/+https://www.apipost.cn/' \
  3. --header 'Authorization: Basic YWRtaW46YW1z'

简单模式

SpringSecurity OAuth2 四种授权模式(理论 实战) - 图10

  • 输入用户名和密码(用户信息,不是客户端)

SpringSecurity OAuth2 四种授权模式(理论 实战) - 图11

  • 点击授权,直接获取token

SpringSecurity OAuth2 四种授权模式(理论 实战) - 图12

用户名密码模式

  1. curl --location --request POST --X POST 'http://localhost:8080/oauth/token?grant_type=password&username=ams&password=ams' \
  2. --header 'User-Agent: Apipost client Runtime/+https://www.apipost.cn/' \
  3. --header 'Authorization: Basic YWRtaW46YW1z'

SpringSecurity OAuth2 四种授权模式(理论 实战) - 图13

客户端模式

  1. curl --location --request POST --X POST 'http://127.0.0.1:8080/oauth/token?grant_type=client_credentials' \
  2. --header 'User-Agent: Apipost client Runtime/+https://www.apipost.cn/' \
  3. --header 'Authorization: Basic YWRtaW46YW1z'

SpringSecurity OAuth2 四种授权模式(理论 实战) - 图14

创建资源服务

资源服务配置

  1. package com.lglbc.oauth2.config;
  3. import com.fasterxml.jackson.databind.ObjectMapper;
  4. import com.lglbc.oauth2.common.KeyPairUtil;
  5. import org.springframework.context.annotation.Bean;
  6. import org.springframework.context.annotation.Configuration;
  7. import org.springframework.core.io.ClassPathResource;
  8. import org.springframework.core.io.Resource;
  9. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  10. import org.springframework.security.config.http.SessionCreationPolicy;
  11. import org.springframework.security.config.web.server.ServerHttpSecurity;
  12. import org.springframework.security.crypto.codec.Base64;
  13. import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
  14. import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
  15. import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
  16. import org.springframework.security.oauth2.provider.token.TokenStore;
  17. import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
  18. import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
  19. import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;
  20. import org.springframework.security.web.server.SecurityWebFilterChain;
  21. import org.springframework.web.client.RestTemplate;
  23. import java.io.BufferedReader;
  24. import java.io.IOException;
  25. import java.io.InputStreamReader;
  26. import java.security.KeyPair;
  27. import java.security.interfaces.RSAPublicKey;
  28. import java.util.Map;
  29. import java.util.stream.Collectors;
  31. @Configuration
  32. public class Oauth2ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
  34.     private static final String CHECK_TOKEN_URL = "http://localhost:8080/oauth/check_token";
  35.     // 也可以使用认证服务去校验
  36. //    @Override
  37. //    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
  38. //        RemoteTokenServices tokenService = new RemoteTokenServices();
  39. //        tokenService.setCheckTokenEndpointUrl(CHECK_TOKEN_URL);
  40. //        tokenService.setClientId("resource");
  41. //        tokenService.setClientSecret("resource");
  42. //        resources.tokenServices(tokenService);
  43. //    }
  44.     @Bean
  45.     public TokenStore tokenStore() {
  46.         return new JwtTokenStore(jwtAccessTokenConverter());
  47.     }
  49.     @Bean
  50.     public JwtAccessTokenConverter jwtAccessTokenConverter() {
  51.         JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
  52.         //设置用于解码的非对称加密的公钥
  53.         converter.setVerifierKey(KeyPairUtil.getPubKey());
  54.         return converter;
  55.     }
  56.     @Override
  57.     public void configure(HttpSecurity http) throws Exception {
  58.         http.authorizeRequests()
  59.                 // 任何请求都必须具有all这个域的授权
  60.                 .antMatchers("/test/read").access("#oauth2.hasScope('read') || #oauth2.hasScope('write')")
  61.                 .antMatchers("/test/write").access("#oauth2.hasScope('write')")
  62.                 .and()
  63.                 .csrf().disable()
  64.                 .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
  65.     }
  66. }

创建安全配置,添加拦截

  1. package com.lglbc.oauth2.config;
  3. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  4. import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
  5. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
  7. @EnableWebSecurity
  8. public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
  10.     @Override
  11.     protected void configure(HttpSecurity http) throws Exception {
  12.         http.authorizeRequests().antMatchers("/test/**").authenticated();
  13.         // 禁用CSRF
  14.         http.csrf().disable();
  15.     }
  16. }

演示资源服务

定义两个接口

  • /read:需要有admin角色 并且有对目前服务的读权限
    1.   @RequestMapping("/read")
    2.   @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    3.   public String read(){
    4.       System.out.println("read");
    5.       return "read";
    6.   }
  • /write:需要有admin角色 并且有对目前服务的读写权限
    1.   @RequestMapping("/write")
    2. //    @Secured({"ROLE_ADMIN"})
    3.   @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    4.   public String write() throws ParseException {
    5.       return UserContextUtil.getUserId()+""+UserContextUtil.getUserName();
    6.   }

常见问题

角色权限注解问题

  • 不加ROLE_前缀,只能使用此注解

@PreAuthorize(“hasAuthority(‘ADMIN2’)”)

  • 加ROLE_前缀,可以使用如下注解:

@PreAuthorize(“hasRole(‘ADMIN’)”) //允许
@PreAuthorize(“hasRole(‘ROLE_ADMIN’)”) //允许
@PreAuthorize(“hasAuthority(‘ROLE_ADMIN’)”) //允许

客户端密钥问题

  • 如果密钥没有加密,在构建clientDetail的时候一定要加上{noop}前缀
  • 否则加上 {bcrypt}前缀

持续整理…

获取用户信息

源码部分SpringSecurity OAuth2 四种授权模式(理论 实战) - 图15
由于在资源服务中,我们没有重写userDetailService,所以我们是获取不到用户的信息(我们也没必要写),但是我们可以自己解析token,拿到用户信息

  1. package com.lglbc.oauth2.config;
  3. import com.lglbc.oauth2.common.UserContextUtil;
  4. import com.nimbusds.jose.JWSObject;
  5. import org.apache.commons.lang3.StringUtils;
  6. import org.springframework.web.servlet.HandlerInterceptor;
  8. import javax.servlet.http.HttpServletRequest;
  9. import javax.servlet.http.HttpServletResponse;
  10. import java.util.Map;
  12. public class UserInterceptor implements HandlerInterceptor {
  13.     @Override
  14.     public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
  15.         String authorization = request.getHeader("Authorization");
  16.         if (StringUtils.isBlank(authorization)) {
  17.             return true;
  18.         }
  19.         String token = StringUtils.substringAfter(authorization, "Bearer ");
  20.         if (StringUtils.isBlank(token)) {
  21.             return true;
  22.         }
  23.         try {
  24.             Map<String, Object> stringObjectMap = JWSObject.parse(token).getPayload().toJSONObject();
  25.             UserContextUtil.setUser(stringObjectMap);
  26.         } catch (Exception e) {
  28.         }
  29.         return true;
  30.     }
  32.     @Override
  33.     public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
  34.         UserContextUtil.removeUser();
  35.     }
  36. }