本文简单的介绍Spring Boot与OAuth2的集成、OAuth client、OAuth authorization server、OAuth resource server的示例。

👉单点登录Github(客户端)

👐创建项目

略。

示例项目地址

👏项目结构

image.png

👏添加首页

  1. <!doctype html>
  2. <html lang="en">
  3. <head>
  4.     <meta charset="utf-8"/>
  5.     <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
  6.     <title>Demo</title>
  7.     <meta name="description" content=""/>
  8.     <meta name="viewport" content="width=device-width"/>
  9.     <base href="/"/>
  10.     <link rel="stylesheet" type="text/css" href="/webjars/bootstrap/css/bootstrap.min.css"/>
  11.     <script type="text/javascript" src="/webjars/jquery/jquery.min.js"></script>
  12.     <script type="text/javascript" src="/webjars/bootstrap/js/bootstrap.min.js"></script>
  13.     <script src="/webjars/js-cookie/js.cookie.js" type="text/javascript"></script>
  14. </head>
  15. <body>
  16. <h1>Demo</h1>
  17. <div class="container"></div>
  18. </body>
  19. </html>

👏POM

  1. <?xml version="1.0" encoding="UTF-8"?>
  2. <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  3.          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  4.     <modelVersion>4.0.0</modelVersion>
  5.     <parent>
  6.         <artifactId>springboot-demo</artifactId>
  7.         <groupId>com.example</groupId>
  8.         <version>0.0.1-SNAPSHOT</version>
  9.     </parent>
  10.     <artifactId>springboot-oauth-client</artifactId>
  11.     <version>0.0.1-SNAPSHOT</version>
  12.     <name>springboot-oauth-client</name>
  13.     <description>Demo project for Spring Boot and OAuth Client</description>
  15.     <properties>
  16.         <java.version>1.8</java.version>
  17.     </properties>
  19.     <dependencies>
  20.           <!--CSS\JS等资源-->
  21.         <dependency>
  22.             <groupId>org.webjars</groupId>
  23.             <artifactId>jquery</artifactId>
  24.             <version>3.4.1</version>
  25.         </dependency>
  26.         <dependency>
  27.             <groupId>org.webjars</groupId>
  28.             <artifactId>bootstrap</artifactId>
  29.             <version>4.3.1</version>
  30.         </dependency>
  31.         <dependency>
  32.             <groupId>org.webjars</groupId>
  33.             <artifactId>js-cookie</artifactId>
  34.             <version>2.1.0</version>
  35.         </dependency>
  36.         <dependency>
  37.             <groupId>org.webjars</groupId>
  38.             <artifactId>webjars-locator-core</artifactId>
  39.         </dependency>
  40.           <!--客户端-->
  41.         <dependency>
  42.             <groupId>org.springframework.boot</groupId>
  43.             <artifactId>spring-boot-starter-oauth2-client</artifactId>
  44.         </dependency>
  45.         <dependency>
  46.             <groupId>org.springframework.boot</groupId>
  47.             <artifactId>spring-boot-starter-security</artifactId>
  48.         </dependency>
  49.         <dependency>
  50.             <groupId>org.springframework.boot</groupId>
  51.             <artifactId>spring-boot-starter-web</artifactId>
  52.         </dependency>
  54.         <dependency>
  55.             <groupId>org.springframework.boot</groupId>
  56.             <artifactId>spring-boot-starter-test</artifactId>
  57.             <scope>test</scope>
  58.             <exclusions>
  59.                 <exclusion>
  60.                     <groupId>org.junit.vintage</groupId>
  61.                     <artifactId>junit-vintage-engine</artifactId>
  62.                 </exclusion>
  63.             </exclusions>
  64.         </dependency>
  65.         <dependency>
  66.             <groupId>org.springframework.security</groupId>
  67.             <artifactId>spring-security-test</artifactId>
  68.             <scope>test</scope>
  69.         </dependency>
  70.           <!--支持热部署-->
  71.         <dependency>
  72.             <groupId>org.springframework.boot</groupId>
  73.             <artifactId>spring-boot-devtools</artifactId>
  74.             <optional>true</optional>
  75.             <scope>true</scope>
  76.         </dependency>
  77.     </dependencies>
  79.     <build>
  80.         <plugins>
  81.             <plugin>
  82.                 <groupId>org.springframework.boot</groupId>
  83.                 <artifactId>spring-boot-maven-plugin</artifactId>
  84.                 <configuration>
  85.                       <!--Flag to indicate if the run processes should be forked. Disabling forking will
  86. disable some features such as an agent, custom JVM arguments, devtools or
  87. specifying the working directory to use.-->
  88.                       <!--原文,意思就是不加会导致一些特性被关闭,比如devtools-->
  89.                     <fork>true</fork>
  90.                 </configuration>
  91.             </plugin>
  92.         </plugins>
  93.     </build>
  95. </project>

👏配置

  1. server:
  2.   port: 8081
  4. spring:
  5.   security:
  6.     oauth2:
  7.       client:
  8.         registration:
  9.           github:
  10.                         #这是在oauth authorization server注册的id、secret
  11.             clientId: "********"
  12.             clientSecret: "**********"

👏启动类

  1. package com.example.springbootoauth;
  3. import com.fasterxml.jackson.databind.ObjectMapper;
  4. import org.springframework.boot.SpringApplication;
  5. import org.springframework.boot.autoconfigure.SpringBootApplication;
  6. import org.springframework.context.annotation.Bean;
  7. import org.springframework.http.HttpMethod;
  8. import org.springframework.http.HttpStatus;
  9. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  10. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
  11. import org.springframework.security.core.annotation.AuthenticationPrincipal;
  12. import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
  13. import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
  14. import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
  15. import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
  16. import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
  17. import org.springframework.security.oauth2.core.OAuth2Error;
  18. import org.springframework.security.oauth2.core.user.OAuth2User;
  19. import org.springframework.security.web.authentication.HttpStatusEntryPoint;
  20. import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
  21. import org.springframework.web.bind.annotation.GetMapping;
  22. import org.springframework.web.bind.annotation.RestController;
  24. import javax.servlet.http.HttpServletRequest;
  25. import java.io.BufferedReader;
  26. import java.io.IOException;
  27. import java.io.InputStream;
  28. import java.io.InputStreamReader;
  29. import java.net.HttpURLConnection;
  30. import java.net.URL;
  31. import java.util.Collections;
  32. import java.util.List;
  33. import java.util.Map;
  35. @SpringBootApplication
  36. public class SpringbootOauthClientApplication extends WebSecurityConfigurerAdapter {
  38.     @Override
  39.     protected void configure (HttpSecurity http) throws Exception {
  40.         // @formatter:off
  41.         // 配置除了"/favicon.ico", "/error", "/webjars/**"这些地址不需经过认证之外其他所有都需认证
  42.         // 配置所有认证失败返回401状态码(默认403状态码)
  43.         // 配置OAuth2.0认证
  44.         http.authorizeRequests(a -> 
  45.                 a.antMatchers("/favicon.ico", "/error", "/webjars/**").permitAll().anyRequest().authenticated()
  46.         ).exceptionHandling(e -> 
  47.                 e.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
  48.         ).oauth2Login();
  49.         // @formatter:on
  50.     }
  52.     public static void main (String[] args) {
  53.         SpringApplication.run(SpringbootOauthClientApplication.class, args);
  54.     }
  55. }

🤙Github OAuth app

我们必须先去Github申请一个新的oauth app用来接入Github,Add a new OAuth app

image.png
Application name 、 Application description按照个人需求填写,Homepage URL按照上面的配置的话应该是localhost:8081
Authorization callback URL按照上面的配置的话应该是localhost:8081/login/oauth2/code/github

callback URL在Spring Boot中的模板是:{baseUrl}/login/oauth2/code/{registrationId}

image.png
注册完毕之后,我们可以看到注册的app的Client ID、Client Secret,这两个要放到配置中去。

🤙启动项目

就这么简单

  1. 创建项目
  2. 加一个简单的首页
  3. POM加一点儿依赖
  4. 简单加两个配置
  5. 稍微配置下启动类

一个OAuth客户端就“能用了”

启动项目,并访问主页locahost:8081,会发现跳转到了Github认证

https://github.com/login/oauth/authorize?response_type=code&client_id=**&scope=read:user&state=pYyqimQWllgp9KbLb0-t_qOk-9ZhyftDvyRB8oDjCx8%3D&redirect_uri=http://localhost:8081/login/oauth2/code/github

github使用的认证模式是code模式,即授权码(authorization-code)模式。rfc6749

image.png
点击Authorize并认证成功之后便会跳转到你的homepage,也就是localhost:8081

只要你仍然在Github保持登录状态,本地app不需要重新认证,即使打开一个新的窗口(无痕、别的浏览器[没有登录github]除外)。

🤙请求链

从启动应用后的第一次访问开始分析

👌Ⅰ访问首页

General:

  1. Request URL: http://localhost:8081/
  2. Request Method: GET
  3. Status Code: 302 
  4. Remote Address: [::1]:8081
  5. Referrer Policy: strict-origin-when-cross-origin

Request:

  1. GET / HTTP/1.1
  2. Host: localhost:8081
  3. Connection: keep-alive
  4. Cache-Control: max-age=0
  5. Upgrade-Insecure-Requests: 1
  6. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
  7. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
  8. Sec-Fetch-Site: none
  9. Sec-Fetch-Mode: navigate
  10. Sec-Fetch-User: ?1
  11. Sec-Fetch-Dest: document
  12. Accept-Encoding: gzip, deflate, br
  13. Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,zh-CN;q=0.7,zh;q=0.6

Response:

  1. HTTP/1.1 302
  2. Set-Cookie: JSESSIONID=118A9185FDC6BA0D68C20B62583C5BBF; Path=/; HttpOnly
  3. X-Content-Type-Options: nosniff
  4. X-XSS-Protection: 1; mode=block
  5. Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  6. Pragma: no-cache
  7. Expires: 0
  8. X-Frame-Options: DENY
  9. Location: http://localhost:8081/oauth2/authorization/github
  10. Content-Length: 0
  11. Date: Wed, 20 May 2020 10:00:07 GMT
  12. Keep-Alive: timeout=60
  13. Connection: keep-alive

因为没有认证信息,所以服务器返回302,重定向至Location:http://localhost:8081/oauth2/authorization/github
上面地址的模板是:{baseUrl}/oauth2/authorization/{provider}
在这个地址的处理里根据provider的信息正式向provider进行认证

👌Ⅱ重定向

被重定向至:localhost:8081/**oauth2/authorization/github**
_
General:

  1. Request URL: http://localhost:8081/oauth2/authorization/github
  2. Request Method: GET
  3. Status Code: 302 
  4. Remote Address: [::1]:8081
  5. Referrer Policy: strict-origin-when-cross-origin

Request:

  1. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  2. Accept-Encoding: gzip, deflate, br
  3. Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,zh-CN;q=0.7,zh;q=0.6
  4. Cache-Control: max-age=0
  5. Connection: keep-alive
  6. Cookie: JSESSIONID=118A9185FDC6BA0D68C20B62583C5BBF
  7. Host: localhost:8081
  8. Sec-Fetch-Dest: document
  9. Sec-Fetch-Mode: navigate
  10. Sec-Fetch-Site: none
  11. Sec-Fetch-User: ?1
  12. Upgrade-Insecure-Requests: 1
  13. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36

Response:

  1. Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  2. Connection: keep-alive
  3. Content-Length: 0
  4. Date: Wed, 20 May 2020 10:00:07 GMT
  5. Expires: 0
  6. Keep-Alive: timeout=60
  7. Location: https://github.com/login/oauth/authorize?response_type=code&client_id=********&scope=read:user&state=iTdcnTtCIwpC36VQoWEt_3We2E8DUNdk488QlDdRHa8%3D&redirect_uri=http://localhost:8081/login/oauth2/code/github
  8. Pragma: no-cache
  9. X-Content-Type-Options: nosniff
  10. X-Frame-Options: DENY
  11. X-XSS-Protection: 1; mode=block

Github是知名的provider,所以我们只需要提供client id,client secret即可,其他信息,比如:

等信息已经内置在框架中。 当我们搭建服务器端时,我们作为Provider也需要提供这些信息。

将response_type(授权模式)、client_id(客户端id)、重定向地址等放到地址参数中被重定向至
https://github.com/login/oauth/authorize?response_type=code&client_id=*&scope=read:user&state=iTdcnTtCIwpC36VQoWEt_3We2E8DUNdk488QlDdRHa8%3D&redirect_uri=http://localhost:8081/login/oauth2/code/github获取授权码

👌Ⅲ重定向

被重定向至:https://github.com/login/oauth/authorize?response_type=code&client_id=*&scope=read:user&state=iTdcnTtCIwpC36VQoWEt_3We2E8DUNdk488QlDdRHa8%3D&redirect_uri=http://localhost:8081/login/oauth2/code/github**

General:

  1. Request URL: https://github.com/login/oauth/authorize?response_type=code&client_id=********&scope=read:user&state=iTdcnTtCIwpC36VQoWEt_3We2E8DUNdk488QlDdRHa8%3D&redirect_uri=http://localhost:8081/login/oauth2/code/github
  2. Request Method: GET
  3. Status Code: 302 Found
  4. Remote Address: 140.82.113.3:443
  5. Referrer Policy: strict-origin-when-cross-origin

Request:

  1. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  2. Accept-Encoding: gzip, deflate, br
  3. Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,zh-CN;q=0.7,zh;q=0.6
  4. Cache-Control: max-age=0
  5. Connection: keep-alive
  6. Cookie: _octo=GH1.1.647508601.1588919991; _ga=GA1.2.1354001975.1588920084; tz=Asia%2FShanghai; _device_id=1a9cd9d4b86d40b8bb966bc1bd48a5c8; has_recent_activity=1; user_session=nohRAJiFcnuRdw2m63bkJf4SEZUHKBQekx-cqAAJ0_6o6IJ2; __Host-user_session_same_site=nohRAJiFcnuRdw2m63bkJf4SEZUHKBQekx-cqAAJ0_6o6IJ2; logged_in=yes; dotcom_user=****; _gh_sess=nxyLIvIbckSbSXcX%2BOQUq3iriiB0KgldKr6XG%2FNuX3Iv1UyTsaDDYXWshvAEobcOZt759Yxwgqi4%2BNgpU8gK8EPk51abjHjAgTCqLpd80bRxIV%2Bic8Ywik25NmiOYbFmyoLP2CC90NPNhG14yVHdHZXUAi9e2IJncrLo9pwIjvLgkB3PH0%2Bns%2Fsg6FmYiMpx7ercCkdy2L04V5ByYLSXBu4MYHXJ1b%2FGYB1b%2F4esQmSK63mHNj4v9JbLtcgcCSKbaVPUmnAdjgpiRCLQXA88b7kqmMHepXhghy8CDbUKY%2BJSXlwjHUcoSTykaXx2E0VICsOSH0qcwH7C2kUSxLvcD8rQGXffUjLiojRtsx4%2BN4HlJBXueuXQ6Rv7yOOn5nccbNF3BLP5YcoVAyu0BBMBnKqNErTsrD82SpYEDcaQ2Rbk65uSuL00BUfZH4ZetwM2wNB4YgUExkQIk5giujaPLLtS2LOSj%2Bj0UYyZj3Jx2v9%2F7U9uYGW2Le3afXncrURtxXbNlJ5WV0Bi7z9lNRcO7vYpGeGA5qzH%2BJzwxVQsqaM2CdGiIK8R8DV%2B0VrfxmtBBzmxXYlOmJJ%2BHCSBMcnMFKNbyGZ3bmHDeKtTRr1yZRphBEoN5jJO1WYvAnPvgQB6jfa5FD712TATuCrAQLtsTmgMuWa8IJX6NVgjvPhyIuJrFGz8ib6gooToJdCqfjNq7SupCIATqKbgQ1uvXhV44%2Fnh2cQF9VlhHFmOuMjTZADPTJmsZI4LYoZqiQ0qUQgVmufWUZwqkZglhguypjtyR42yu%2FFKhA2ZPc5JUqHEqNHH098J52%2BqDHdD1eQYxWvLniaTHq3oC4UjG%2Bwxaei0K86hVpByP%2FVl4z2xABTpFO5Z9MfbOjdUDwu696e4%2FmBDWfHBbzmjUsiZrZuRGc0%2FucpShxJpFzo4xJhpB4e5OhAYhQbgiFhnVkCIitZZenVMFSn5g8odutB4Oe1R30QVD%2BI5%2FHpOhYF0C2sUxlqV7DClLwIgg4WrPPN7dKIvsP%2F%2ByMBqzuO7Zom%2BgLd7Fxei2XFIJgC706jOB0%2FR%2F%2FhF30XFXeyH8WJN4pXiJMzwmx7s0%2F%2F0ljGxaVGA8AvV14vq8rChu2vFlE2IU8xu0fYk7ujSfgcKvU9TwBkh3Rh%2FDYVeDCy7CAqRDfwi9Z7VzlUmtgUa5onahRc1nmFtPTZ3oaQFLlzZOWrQn9Of%2BIHCeyE55ZIF%2FqHmn8sN1g4VvGKmYdWmj%2B7jaZIwjx8yCePz4PQatrNNf332QphRdy9mQfx9teHSuDTsZMlnNr%2FA6cFuqdAUd%2FFlSIEwmq5WRWVKUazcxlwyUrTxRT%2FyRuGnjGnw4CWKDzGd7N%2FqijkspsLLu%2BfyOKu0y1GZIwd%2FTgogWKQJSRXigLd6g1XVmefYQiHqiJKGcFxUDxw79xoSDI5mNKpnOYitHNEzmi6QibhW1weD%2FhNdgPL9ygZ%2F5F%2FWUScWv7OaPzT5xlvihMP1a2hchqot3nYIUJrKWAjO93eerzWp9A6mXnVX1ms4eae%2BixjcF598yLvXsjYqYtGvkP%2B78GemsMs%3D--pQrErwMIAeqxff%2Fa--J9T4jq%2BJRlwpgRxjFXGUKg%3D%3D
  7. Host: github.com
  8. Sec-Fetch-Dest: document
  9. Sec-Fetch-Mode: navigate
  10. Sec-Fetch-Site: none
  11. Sec-Fetch-User: ?1
  12. Upgrade-Insecure-Requests: 1
  13. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36

Response:

  1. Cache-Control: no-cache
  2. Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events wss://live.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'self'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/socket-worker.js
  3. Content-Type: text/html; charset=utf-8
  4. Date: Wed, 20 May 2020 10:00:08 GMT
  5. Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
  6. Location: http://localhost:8081/login/oauth2/code/github?code=6ab6a582334378ef9fe9&state=iTdcnTtCIwpC36VQoWEt_3We2E8DUNdk488QlDdRHa8%3D
  7. Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
  8. Server: GitHub.com
  9. Set-Cookie: user_session=nohRAJiFcnuRdw2m63bkJf4SEZUHKBQekx-cqAAJ0_6o6IJ2; path=/; expires=Wed, 03 Jun 2020 10:00:08 GMT; secure; HttpOnly; SameSite=Lax
  10. Set-Cookie: __Host-user_session_same_site=nohRAJiFcnuRdw2m63bkJf4SEZUHKBQekx-cqAAJ0_6o6IJ2; path=/; expires=Wed, 03 Jun 2020 10:00:08 GMT; secure; HttpOnly; SameSite=Strict
  11. Set-Cookie: has_recent_activity=1; path=/; expires=Wed, 20 May 2020 11:00:08 GMT; secure; HttpOnly; SameSite=Lax
  12. Set-Cookie: _gh_sess=7l6Hza0JKOdzQMjOmOsHXfFHWPslmhVQ6t7ipQ%2BUk1ldTIMrO62DFMbohKaVxqGEQbeECENJBv5LOC0h4uyIu5%2FMg4hqvSHV95kB0IGBXB%2F4lRnXBeLitB%2BURP3kcxaCmQHgd6VuKk8ieZ8Ez3FaqMTo5ChyccBmtIT1bxpj16dkO33tLVglYHkD2BvaIXRxcOfwRqeGXddvEPt7aD9x9RSgholNbsMpNsxdMP%2FIP0S%2FFR1%2Fh4KXqSVdLAXfc6dpF1j7AkP3qxMFLqqvXJpU4JbeZIkJA00PMFuuVY0Dy5wBeV7lZx9OBO7%2FKZT7qxEowRtfS%2FlsX1mQ%2FnZWGJNbWihdASEykuWfzgGRcDGrcyVuOPIDbrUw9XmZcGKWaAFd%2BwQv08f6yIAIkVKPyCqh7bwcN3gFihHxPOoEnqycBQY2%2BKxr4uiegv9FNVzzmRRLgqNf1X%2BPpcj02nWcCebvMPto%2F%2BtOewHplfs4Zn%2Bum9gufgK8U%2BXg28274Mn5%2BcatL5qY8cfOsaeGt3qMhO%2BlY1CrXWqcIagTJY%2B%2BqobhmklA8LsKaHx7EmCgGCMM95GdVidfqOfZxIH1jPTFcyHmTuyvCCQqXpzaE0o%2FtheS19JcvSfDNuoxazwkSRKHubvwU%2FaIDMDGlKCwO3euW%2FDDutUZ4Se%2FnIdm0U2y8ZMeyuWs1T%2FK%2FGOsChvn%2B%2BsdV6DF0GtFeF02hjUgXCu3tepnBZdYhP5qqVXO4Z1gqgvznFiU8SMUVaUi4kfnKqPf%2FkHHYeXSJBACn0x4%2FYehxjPeQodRx%2Fz6HnSL6gmnvZm0lZD8WbwyoAxxkIUHGW3SAF9Sg3q8Pm23wtZdv3ET0lKgB04v8CMKyxGZaFV826fLSJeru4uf3hWVy2N09g6sc8uGxn2y7gb63%2BV3pzs9CCK6uigmoq2wk86lY4%2Bvte9DGriLGGeepU0hjhh9Gwzt%2B7AG1FHne1%2F9DSyFCmCx5FDTtLELfemc9%2BLvS18lvU9nh6Ex3Ei%2FkAfH6cztYg%2BXegSrqpeXO2T1ULp3t6ftkWevzkmcpWj%2FSH5I704u3j2hXZW%2BmoV6NrKKV75aGG1hIP%2FLrdotp0BxBAtZorIh8PEkuYTKBWNy3RywLjMD%2B7%2BMcHhpExSrZhXTCZNwQo3iPgbOfb2TEPkIEbEGTMwEyiIo94GiJhIaNA13NGcvQS%2BR2st9z8rePhslv4VnYk2cvPFhQvv5MdmdgWcnf6G8UYNseAM27DxslJF22f%2ForeHmv0kNnsVLPpDmnbwaeMLGloF5eu65Xvcjjzm3zXxm7MYTAwp9QYQQCweZI8tnFkY7mlxw5lwHs99FU4PN4WX1gx76JHsSqRqNry7xc8ybW5Dl%2FjN8gfMay%2F9WFCjMBCmLGjcWWWlINvSH1ug%2FqaqSOsf2xw8t0Fy%2BHCcGBiS9lH9K7J5azdVfCc%2BZ6MQycavU8%2Fj3fDGNvNWF7XbgHI0ZSrH9LMLQyp7ILlLn0ylbflKYvhnZ93CFkMs8TU6Bc6IAY6DithW1ZQEH1qzfJ8hCsUUBpaCr%2F8OHfaUkX381AkZXQMEV1wI%3D--u3tauRwfmBSRrVZq--uHRBGGLCS0GU1K84C%2BRM0g%3D%3D; path=/; secure; HttpOnly; SameSite=Lax
  13. Status: 302 Found
  14. Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
  15. Transfer-Encoding: chunked
  16. Vary: X-PJAX
  17. Vary: Accept-Encoding, Accept, X-Requested-With
  18. X-Content-Type-Options: nosniff
  19. X-Frame-Options: sameorigin
  20. X-GitHub-Request-Id: 8C0F:221B:136D9:29086:5EC4FFA7
  21. X-XSS-Protection: 1; mode=block

从github.com认证成功获取授权码之后被重定向至客户端

👌Ⅳ重定向


被重定向至:localhost:8081/login/oauth2/code/github

General:

  1. Request URL: http://localhost:8081/login/oauth2/code/github?code=6ab6a582334378ef9fe9&state=iTdcnTtCIwpC36VQoWEt_3We2E8DUNdk488QlDdRHa8%3D
  2. Request Method: GET
  3. Status Code: 302 
  4. Remote Address: [::1]:8081
  5. Referrer Policy: strict-origin-when-cross-origin

Request:

  1. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  2. Accept-Encoding: gzip, deflate, br
  3. Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,zh-CN;q=0.7,zh;q=0.6
  4. Cache-Control: max-age=0
  5. Connection: keep-alive
  6. Cookie: JSESSIONID=118A9185FDC6BA0D68C20B62583C5BBF
  7. Host: localhost:8081
  8. Sec-Fetch-Dest: document
  9. Sec-Fetch-Mode: navigate
  10. Sec-Fetch-Site: none
  11. Sec-Fetch-User: ?1
  12. Upgrade-Insecure-Requests: 1
  13. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36

Response:

  1. Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  2. Connection: keep-alive
  3. Content-Length: 0
  4. Date: Wed, 20 May 2020 10:00:15 GMT
  5. Expires: 0
  6. Keep-Alive: timeout=60
  7. Location: http://localhost:8081/
  8. Pragma: no-cache
  9. Set-Cookie: JSESSIONID=074B338C2B61B85D31F71F64FC4362FB; Path=/; HttpOnly
  10. X-Content-Type-Options: nosniff
  11. X-Frame-Options: DENY
  12. X-XSS-Protection: 1; mode=block

拿到授权码之后在客户端服务器内部完成向授权服务器Token的请求,成功后发送homepage的重定向响应。

👌Ⅴ重定向至首页

General:

  1. Request URL: http://localhost:8081/
  2. Request Method: GET
  3. Status Code: 200 
  4. Remote Address: [::1]:8081
  5. Referrer Policy: strict-origin-when-cross-origin

Request:

  1. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  2. Accept-Encoding: gzip, deflate, br
  3. Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,zh-CN;q=0.7,zh;q=0.6
  4. Cache-Control: max-age=0
  5. Connection: keep-alive
  6. Cookie: JSESSIONID=074B338C2B61B85D31F71F64FC4362FB
  7. Host: localhost:8081
  8. Sec-Fetch-Dest: document
  9. Sec-Fetch-Mode: navigate
  10. Sec-Fetch-Site: none
  11. Sec-Fetch-User: ?1
  12. Upgrade-Insecure-Requests: 1
  13. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36

Response:

  1. Accept-Ranges: bytes
  2. Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  3. Connection: keep-alive
  4. Content-Language: en-GB
  5. Content-Length: 609
  6. Content-Type: text/html;charset=UTF-8
  7. Date: Wed, 20 May 2020 10:00:15 GMT
  8. Expires: 0
  9. Keep-Alive: timeout=60
  10. Last-Modified: Wed, 20 May 2020 08:29:31 GMT
  11. Pragma: no-cache
  12. Vary: Origin
  13. Vary: Access-Control-Request-Method
  14. Vary: Access-Control-Request-Headers
  15. X-Content-Type-Options: nosniff
  16. X-Frame-Options: DENY
  17. X-XSS-Protection: 1; mode=block

至此整个认证的流程结束,用户认证信息保存在Spring Security context

👌Ⅵ认证过程请求链

image.png

🤙增加欢迎页、登出

接下来改造应用,使用户可以选择App认证,并且可以登出。

👌主页改造

body内容更改为下面的:

  1. <div class="container unauthenticated">
  2.     With GitHub: <a href="/oauth2/authorization/github">click here</a>
  3. </div>
  4. <!--添加一个google的登录选项-->
  5. <div>
  6.     With Google: <a href="/oauth2/authorization/google">click here</a>
  7. </div>
  8. <div class="container authenticated" style="display:none">
  9.     Logged in as: <span id="user"></span>
  10.       <div>
  11.         <button onClick="logout()" class="btn btn-primary">Logout</button>
  12.       </div>
  13. </div>

添加脚本:

  1. <script type="text/javascript">
  2.   $.ajaxSetup({
  3.         beforeSend: function (xhr, settings) {
  4.             if (settings.type == 'POST' || settings.type == 'PUT'
  5.                 || settings.type == 'DELETE') {
  6.                 if (!(/^http:.*/.test(settings.url) || /^https:.*/
  7.                     .test(settings.url))) {
  8.                     // Only send the token to relative URLs i.e. locally.
  9.                     xhr.setRequestHeader("X-XSRF-TOKEN",
  10.                         Cookies.get('XSRF-TOKEN'));
  11.                 }
  12.             }
  13.         }
  14.     });
  15.     $.get("/user", function (data) {
  16.         $("#user").html(data.name);
  17.         $(".unauthenticated").hide()
  18.         $(".authenticated").show()
  19.     });
  20.     var logout = function () {
  21.         $.post("/logout", function () {
  22.             $("#user").html('');
  23.             $(".unauthenticated").show();
  24.             $(".authenticated").hide();
  25.         })
  26.         return true;
  27.     }
  28. </script>

👌后端改造

增加 /user Endpoint、登出处理、csrf、白名单

  1. package com.example.springbootoauth;
  3. import org.springframework.boot.SpringApplication;
  4. import org.springframework.boot.autoconfigure.SpringBootApplication;
  5. import org.springframework.http.HttpStatus;
  6. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  7. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
  8. import org.springframework.security.core.annotation.AuthenticationPrincipal;
  9. import org.springframework.security.oauth2.core.user.OAuth2User;
  10. import org.springframework.security.web.authentication.HttpStatusEntryPoint;
  11. import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
  12. import org.springframework.web.bind.annotation.GetMapping;
  13. import org.springframework.web.bind.annotation.RestController;
  15. import java.util.Collections;
  16. import java.util.Map;
  18. @RestController
  19. @SpringBootApplication
  20. public class SpringbootOauthApplication extends WebSecurityConfigurerAdapter {
  22.     // 用于欢迎页显示用户信息
  23.     @GetMapping("/user")
  24.     public Map<String, Object> user (@AuthenticationPrincipal OAuth2User principal) {
  25.         return Collections.singletonMap("name", principal.getAttribute("name"));
  26.     }
  29.     @Override
  30.     protected void configure (HttpSecurity http) throws Exception {
  31.         // @formatter:off
  33.         // 配置除了"/"(新增的,因为首页需要让用户选择app), "/favicon.ico", "/error", "/webjars/**"这些地址不需经过认证之外其他所有都需认证
  34.         // 配置所有认证失败返回401状态码(默认403状态码)
  35.         // 配置OAuth2.0认证
  36.         http.authorizeRequests(a -> 
  37.                 a.antMatchers("/", "/favicon.ico", "/error", "/webjars/**").permitAll().anyRequest().authenticated()
  38.         ).exceptionHandling(e -> 
  39.                 e.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
  40.         ).oauth2Login();
  42.         // 新增
  43.         http.logout(l 
  44.                 -> l.logoutSuccessUrl("/").permitAll()
  45.         ).csrf(c -> 
  46.                 c.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
  47.         );
  48.         // 结束
  49.         // @formatter:on
  50.     }
  52.     public static void main (String[] args) {
  53.         SpringApplication.run(SpringbootOauthApplication.class, args);
  54.     }
  56. }

👌测试

🖥重启项目,首页成了以下模样
image.png
⌨️点击登录,变成了这样
image.png
⌨️点击登出,又变成了这样
image.png

🤙增加组织认证

Github认证成功之后,查询Github的组织信息,根据组织信息判断是否通过认证。

  1. @Bean
  2. public OAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService() {
  3.     DefaultOAuth2UserService delegate = new DefaultOAuth2UserService();
  4.     return request -> {
  5.         OAuth2User user = delegate.loadUser(request);
  6.         if (!"github".equals(request.getClientRegistration().getRegistrationId())) {
  7.             return user;
  8.         }
  10.         OAuth2AuthorizedClient client = new OAuth2AuthorizedClient
  11.             (request.getClientRegistration(), user.getName(), request.getAccessToken());
  12.         // 这个属性是userInfoUri接口返回的信息中有的
  13.         String url = user.getAttribute("organizations_url");
  14.         if (url != null) {
  15.             try {
  16.                 // 请求并读取组织信息并判断
  17.                 URL urlurl = new URL(url);
  18.                 HttpURLConnection httpURLConnection = (HttpURLConnection) urlurl.openConnection();
  19.                 httpURLConnection.setRequestMethod(HttpMethod.GET.name());
  20.                 httpURLConnection.connect();
  21.                 if (httpURLConnection.getResponseCode() == 200) {
  22.                     try (InputStream inputStream = httpURLConnection.getInputStream(); BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream))) {
  23.                         String result;
  24.                         StringBuilder sb = new StringBuilder();
  25.                         while ((result = bufferedReader.readLine()) != null) {
  26.                             sb.append(result);
  27.                         }
  28.                         ObjectMapper objectMapper = new ObjectMapper();
  29.                         List r = objectMapper.readValue(sb.toString(), List.class);
  30.                         if (r.size() != 0) {
  31.                             for (Object o : r) {
  32.                                 if (o.equals("my_team")) {
  33.                                     return user;
  34.                                 }
  35.                             }
  36.                         } 
  37.                     }
  38.                 }
  39.             } catch (IOException e) {
  40.                 return user;
  41.             }
  43.         }
  44.         throw new OAuth2AuthenticationException(new OAuth2Error("invalid_token", "Not in Team", ""));
  45.     };
  46. }

👋🏻未认证用户错误页面

⛔️增加认证失败处理器

  1. http.authorizeRequests(a -> a.antMatchers("/", "/favicon.ico", "/error", "/webjars/**").permitAll().anyRequest().authenticated()).exceptionHandling(e -> e.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))).oauth2Login(o -> o.failureHandler((request, response, exception) -> {
  2.     // 错误信息放session里并且返回重定向
  3.     request.getSession().setAttribute("error.message", exception.getMessage());
  4.     response.sendRedirect("/");
  5. }));

⛔️增加error endpoint

  1. @GetMapping("/error")
  2. public String error(HttpServletRequest request) {
  3.     String message = (String) request.getSession().getAttribute("error.message");
  4.     request.getSession().removeAttribute("error.message");
  5.     return message;
  6. }

⛔️首页增加消息展示区域

  1. <div class="container text-danger error"></div>
  1. $.get("/error", function(data) {
  2.   if (data) {
  3.   $(".error").html(data);
  4.   } else {
  5.   $(".error").html('');
  6.   }
  7. });

⛔️测试

因为前面增加了组织认证,而我的Github并没有组织,逻辑是没有组织就验证不通过,所以我们请求下认证然后验证下认证错误页面
image.png

🥰最终的启动类:

  1. package com.example.springbootoauth;
  3. import com.fasterxml.jackson.databind.ObjectMapper;
  4. import org.springframework.boot.SpringApplication;
  5. import org.springframework.boot.autoconfigure.SpringBootApplication;
  6. import org.springframework.context.annotation.Bean;
  7. import org.springframework.http.HttpMethod;
  8. import org.springframework.http.HttpStatus;
  9. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  10. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
  11. import org.springframework.security.core.annotation.AuthenticationPrincipal;
  12. import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
  13. import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
  14. import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
  15. import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
  16. import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
  17. import org.springframework.security.oauth2.core.OAuth2Error;
  18. import org.springframework.security.oauth2.core.user.OAuth2User;
  19. import org.springframework.security.web.authentication.HttpStatusEntryPoint;
  20. import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
  21. import org.springframework.web.bind.annotation.GetMapping;
  22. import org.springframework.web.bind.annotation.RestController;
  24. import javax.servlet.http.HttpServletRequest;
  25. import java.io.BufferedReader;
  26. import java.io.IOException;
  27. import java.io.InputStream;
  28. import java.io.InputStreamReader;
  29. import java.net.HttpURLConnection;
  30. import java.net.URL;
  31. import java.util.Collections;
  32. import java.util.List;
  33. import java.util.Map;
  35. @RestController
  36. @SpringBootApplication
  37. public class SpringbootOauthClientApplication extends WebSecurityConfigurerAdapter {
  39.     @GetMapping("/user")
  40.     public Map<String, Object> user (@AuthenticationPrincipal OAuth2User principal) {
  41.         return Collections.singletonMap("name", principal.getAttribute("name"));
  42.     }
  44.     @GetMapping("/error")
  45.     public String error (HttpServletRequest request) {
  46.         String message = (String) request.getSession().getAttribute("error.message");
  47.         request.getSession().removeAttribute("error.message");
  48.         return message;
  49.     }
  51.     @Override
  52.     protected void configure (HttpSecurity http) throws Exception {
  53.         // @formatter:off
  54.         http.authorizeRequests(a -> a.antMatchers("/", "/favicon.ico", "/error", "/webjars/**").permitAll().anyRequest().authenticated()).exceptionHandling(e -> e.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))).oauth2Login(o -> o.failureHandler((request, response, exception) -> {
  55.             request.getSession().setAttribute("error.message", exception.getMessage());
  56.             response.sendRedirect("/");
  57.         }));
  59.         http.logout(l
  60.                 -> l.logoutSuccessUrl("/").permitAll()
  61.         ).csrf(c ->
  62.                 c.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
  63.         );
  64.         // @formatter:on
  65.     }
  67.     public static void main (String[] args) {
  68.         SpringApplication.run(SpringbootOauthClientApplication.class, args);
  69.     }
  71.     @Bean
  72.     public OAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService () {
  73.         DefaultOAuth2UserService delegate = new DefaultOAuth2UserService();
  74.         return request -> {
  75.             OAuth2User user = delegate.loadUser(request);
  76.             if (!"github".equals(request.getClientRegistration().getRegistrationId())) {
  77.                 return user;
  78.             }
  80.             OAuth2AuthorizedClient client = new OAuth2AuthorizedClient(request.getClientRegistration(), user.getName(), request.getAccessToken());
  81.             String url = user.getAttribute("organizations_url");
  82.             if (url != null) {
  83.                 try {
  84.                     URL urlurl = new URL(url);
  85.                     HttpURLConnection httpURLConnection = (HttpURLConnection) urlurl.openConnection();
  86.                     httpURLConnection.setRequestMethod(HttpMethod.GET.name());
  87.                     httpURLConnection.connect();
  88.                     if (httpURLConnection.getResponseCode() == 200) {
  89.                         try (InputStream inputStream = httpURLConnection.getInputStream(); BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(inputStream))) {
  90.                             String result;
  91.                             StringBuilder sb = new StringBuilder();
  92.                             while ((result = bufferedReader.readLine()) != null) {
  93.                                 sb.append(result);
  94.                             }
  95.                             ObjectMapper objectMapper = new ObjectMapper();
  96.                             List r = objectMapper.readValue(sb.toString(), List.class);
  97.                             if (r.size() != 0) {
  98.                                 for (Object o : r) {
  99.                                     if (o.equals("my_team")) {
  100.                                         return user;
  101.                                     }
  102.                                 }
  103.                             }
  104.                         }
  105.                     }
  106.                 } catch (IOException e) {
  107.                     return user;
  108.                 }
  110.             }
  111.             throw new OAuth2AuthenticationException(new OAuth2Error("invalid_token", "Not in Team", ""));
  112.         };
  113.     }
  114. }

🥰最终的首页:

  1. <!doctype html>
  2. <html lang="en">
  3. <head>
  4.     <meta charset="utf-8"/>
  5.     <meta content="IE=edge" http-equiv="X-UA-Compatible"/>
  6.     <title>Demo</title>
  7.     <meta content="" name="description"/>
  8.     <meta content="width=device-width" name="viewport"/>
  9.     <base href="/"/>
  10.     <link href="/webjars/bootstrap/css/bootstrap.min.css" rel="stylesheet" type="text/css"/>
  11.     <script src="/webjars/jquery/jquery.min.js" type="text/javascript"></script>
  12.     <script src="/webjars/bootstrap/js/bootstrap.min.js" type="text/javascript"></script>
  13.     <script src="/webjars/js-cookie/js.cookie.js" type="text/javascript"></script>
  14. </head>
  15. <body>
  16. <h1>Demo</h1>
  17. <div class="container unauthenticated">
  18.     <div>
  19.         With GitHub: <a href="/oauth2/authorization/github">click here</a>
  20.     </div>
  21.     <div>
  22.         With Google: <a href="/oauth2/authorization/google">click here</a>
  23.     </div>
  24. </div>
  25. <div class="container authenticated" style="display:none">
  26.     Logged in as: <span id="user"></span>
  27.     <div>
  28.         <button onClick="logout()" class="btn btn-primary">Logout</button>
  29.     </div>
  30. </div>
  31. <div class="container text-danger error"></div>
  33. </body>
  34. <script type="text/javascript">
  35.     $.ajaxSetup({
  36.         beforeSend: function (xhr, settings) {
  37.             if (settings.type == 'POST' || settings.type == 'PUT'
  38.                 || settings.type == 'DELETE') {
  39.                 if (!(/^http:.*/.test(settings.url) || /^https:.*/
  40.                     .test(settings.url))) {
  41.                     // Only send the token to relative URLs i.e. locally.
  42.                     xhr.setRequestHeader("X-XSRF-TOKEN",
  43.                         Cookies.get('XSRF-TOKEN'));
  44.                 }
  45.             }
  46.         }
  47.     });
  48.     $.get("/user", function (data) {
  49.         $("#user").html(data.name);
  50.         $(".unauthenticated").hide()
  51.         $(".authenticated").show()
  52.     });
  53.     $.get("/error", function (data) {
  54.         if (data) {
  55.             $(".error").html(data);
  56.         } else {
  57.             $(".error").html('');
  58.         }
  59.     });
  60.     var logout = function () {
  61.         $.post("/logout", function () {
  62.             $("#user").html('');
  63.             $(".unauthenticated").show();
  64.             $(".authenticated").hide();
  65.         })
  66.         return true;
  67.     }
  68. </script>
  69. </html>

🥰最终的配置:

  1. server:
  2.   port: 8081
  4. spring:
  5.   security:
  6.     oauth2:
  7.       client:
  8.         registration:
  9.           github:
  10.             clientId: "github-client-id"
  11.             clientSecret: "github-client-secret"
  12.           google:
  13.             client-id: "google-client-id"
  14.             client-secret: "google-client-secret"

😭完

🤕服务端

Spring Security OAuth 2.x被官方弃用(作者认为授权服务应当是一个专业的项目,而不应该做在框架里) Spring Security 5.2.x提供OAuth2的Client、ResourceServer支持,但是不提供AuthorizationServer支持 官方提供了从Spring Security OAuth 2.x迁移至Spring Security 5.2.x的文档,链接 社区与开发人员仍在对线中…..Spring Security OAuth 会在2021年5月正式停止更新及维护 不过目前有AuthorizationServer的社区版项目,链接

上面客户端介绍中使用的是Spring Security 5.x 为了简单,服务端仍然使用Spring Security OAuth 2.x Actually,管他弃不弃用,我们仍然能很开心的使用

😆创建项目

略。

示例项目地址

🥺项目结构

image.png

📚视图

服务端有四个视图:

  • index.jsp 用于登录成功后的登出
  • login.jsp 用于登录
  • access_confirmation.jsp 用于确认授权
  • oauth_error.jsp 用于显示授权错误信息

📖POM

  1. <?xml version="1.0" encoding="UTF-8"?>
  2. <project xmlns="http://maven.apache.org/POM/4.0.0"
  3.          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  4.          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  5.     <parent>
  6.         <artifactId>springboot-demo</artifactId>
  7.         <groupId>com.example</groupId>
  8.         <version>0.0.1-SNAPSHOT</version>
  9.     </parent>
  10.     <modelVersion>4.0.0</modelVersion>
  12.     <artifactId>springboot-oauth-server</artifactId>
  14.     <dependencies>
  15.         <dependency>
  16.             <groupId>org.springframework.boot</groupId>
  17.             <artifactId>spring-boot-starter-tomcat</artifactId>
  18.         </dependency>
  19.         <dependency>
  20.             <groupId>org.apache.tomcat.embed</groupId>
  21.             <artifactId>tomcat-embed-jasper</artifactId>
  22.         </dependency>
  23.         <dependency>
  24.             <groupId>javax.servlet</groupId>
  25.             <artifactId>jstl</artifactId>
  26.         </dependency>
  27.         <dependency>
  28.             <groupId>javax.servlet</groupId>
  29.             <artifactId>javax.servlet-api</artifactId>
  30.         </dependency>
  31.         <dependency>
  32.             <groupId>javax.servlet.jsp</groupId>
  33.             <artifactId>javax.servlet.jsp-api</artifactId>
  34.             <version>2.3.1</version>
  35.         </dependency>
  38.         <dependency>
  39.             <groupId>org.webjars</groupId>
  40.             <artifactId>jquery</artifactId>
  41.             <version>3.4.1</version>
  42.         </dependency>
  43.         <dependency>
  44.             <groupId>org.webjars</groupId>
  45.             <artifactId>bootstrap</artifactId>
  46.             <version>4.3.1</version>
  47.         </dependency>
  48.         <dependency>
  49.             <groupId>org.webjars</groupId>
  50.             <artifactId>js-cookie</artifactId>
  51.             <version>2.1.0</version>
  52.         </dependency>
  53.         <dependency>
  54.             <groupId>org.webjars</groupId>
  55.             <artifactId>webjars-locator-core</artifactId>
  56.         </dependency>
  57.         <dependency>
  58.             <groupId>org.springframework.security</groupId>
  59.             <artifactId>spring-security-taglibs</artifactId>
  60.         </dependency>
  61.         <dependency>
  62.             <groupId>org.springframework.security.oauth</groupId>
  63.             <artifactId>spring-security-oauth2</artifactId>
  64.             <version>2.3.6.RELEASE</version>
  65. <!--            <version>[2.3.6.RELEASE,)</version>-->
  66.         </dependency>
  67.         <dependency>
  68.             <groupId>org.springframework.boot</groupId>
  69.             <artifactId>spring-boot-starter-web</artifactId>
  70.         </dependency>
  71.         <dependency>
  72.             <groupId>org.springframework.boot</groupId>
  73.             <artifactId>spring-boot-devtools</artifactId>
  74.             <optional>true</optional>
  75.             <scope>true</scope>
  76.         </dependency>
  77.     </dependencies>
  79.     <build>
  80.         <resources>
  81.             <resource>
  82.                 <directory>src/main/resources</directory>
  83.                 <includes>
  84.                     <include>**/*</include>
  85.                 </includes>
  86.             </resource>
  87.         </resources>
  88.         <plugins>
  89.             <plugin>
  90.                 <groupId>org.springframework.boot</groupId>
  91.                 <artifactId>spring-boot-maven-plugin</artifactId>
  92.                 <configuration>
  93.                     <fork>true</fork>
  94.                 </configuration>
  95.             </plugin>
  96.         </plugins>
  97.     </build>
  98. </project>

🔧配置

  1. server:
  2.   port: 8082
  3. spring:
  4.   mvc:
  5.     view:
  6.       suffix: ".jsp"

👏启动类

  1. package com.example.springbootoauth;
  3. import org.springframework.boot.SpringApplication;
  4. import org.springframework.boot.autoconfigure.SpringBootApplication;
  5. import org.springframework.context.annotation.Bean;
  6. import org.springframework.http.HttpEntity;
  7. import org.springframework.http.HttpStatus;
  8. import org.springframework.http.ResponseEntity;
  9. import org.springframework.security.authentication.AuthenticationManager;
  10. import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
  11. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  12. import org.springframework.security.config.annotation.web.builders.WebSecurity;
  13. import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
  14. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
  15. import org.springframework.security.core.annotation.AuthenticationPrincipal;
  16. import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
  17. import org.springframework.security.crypto.password.PasswordEncoder;
  18. import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
  19. import org.springframework.web.bind.annotation.GetMapping;
  20. import org.springframework.web.bind.annotation.RestController;
  22. import java.security.Principal;
  23. import java.util.Collections;
  24. import java.util.Map;
  26. @RestController
  27. @SpringBootApplication
  28. @EnableWebSecurity(debug = true)
  29. //@EnableWebMvc
  30. public class SpringbootOauthServerApplication extends WebSecurityConfigurerAdapter {
  32.     // 这是授权服务器的userInfoUri映射,用于成功获取token之后获取用户信息
  33.     // userInfoUri是Provider的一个必须提供的信息
  34.     @GetMapping("/user")
  35.     public HttpEntity<Map<String, String>> user (@AuthenticationPrincipal Principal principal) {
  36.         return new ResponseEntity<>(Collections.singletonMap("name", principal.getName()), HttpStatus.OK);
  37.     }
  39.     @Override
  40.     protected void configure (HttpSecurity http) throws Exception {
  41.         // @formatter:off
  42.         // 除了login.jsp外其他任何请求都需要有USER角色
  43.         // 请求拒绝跳转页面是/login.jsp?authorization_error=true
  44.         // 禁用/oauth/authorize的csrf
  45.         // 登出地址为/logout
  46.         // 登出成功过地址为/login.jsp
  47.         // 登录处理地址是/login
  48.         // 登录失败跳转地址是/login.jsp?authentication_error=true
  49.         // 登录页面为/login.jsp
  50.         // 关闭nosniff header
  51.         http.authorizeRequests()
  52.             .antMatchers("/login.jsp")
  53.             .permitAll()
  54.             .anyRequest()
  55.             .hasRole("USER")
  56.             .and()
  57.             .exceptionHandling()
  58.             .accessDeniedPage("/login.jsp?authorization_error=true")
  59.             .and()
  60.             .csrf()
  61.             .requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize"))
  62.             .disable()
  63.             .logout()
  64.             .logoutUrl("/logout")
  65.             .logoutSuccessUrl("/login.jsp")
  66.             .and()
  67.             .formLogin()
  68.             .loginProcessingUrl("/login")
  69.             //                .successForwardUrl("/index.jsp")
  70.             .failureUrl("/login.jsp?authentication_error=true").loginPage("/login.jsp").and()
  71.             // 关闭nosniff
  72.             .headers().contentTypeOptions().disable();
  73.         // @formatter:on
  74.     }
  76.     @Override
  77.     public void configure (WebSecurity web) {
  78.         // 忽略这些资源
  79.         web.ignoring().antMatchers("/webjars/**", "/favicon.ico", "/images/**");
  80.     }
  82.     @Override
  83.     protected void configure (AuthenticationManagerBuilder auth) throws Exception {
  84.         // 添加一些用户测试用,到时可以直接登录
  85.         auth.inMemoryAuthentication()
  86.             .withUser("balala")
  87.             // 密码balabala(BCrypt摘要)
  88.             .password("$2a$10$QOhLotan6kumoHRp8Z2ajOZfBhKgaMvgqeaxrSXxrKN2FgR3hlJ9.")
  89.             .roles("USER")
  90.             .and()
  91.             .withUser("moxianbao")
  92.             // 密码moxianbao
  93.             .password("$2a$10$RpHbnvFdFoUgpK89iVnSzugfqZAfDeKvVKp3LoVBxCj6fuwqtdBlO")
  94.             .roles("USER");
  95.     }
  97.     public static void main (String[] args) {
  98.         SpringApplication.run(SpringbootOauthServerApplication.class, args);
  99.     }
  101.     @Bean
  102.     @Override
  103.     public AuthenticationManager authenticationManagerBean () throws Exception {
  104.         return super.authenticationManagerBean();
  105.     }
  107.     @Bean
  108.     public PasswordEncoder passwordEncoder () {
  109.         return new BCryptPasswordEncoder();
  110.     }
  113. }

😘服务器端配置

  1. package com.example.springbootoauth;
  3. import org.springframework.beans.factory.annotation.Autowired;
  4. import org.springframework.context.annotation.*;
  5. import org.springframework.security.authentication.AuthenticationManager;
  6. import org.springframework.security.crypto.password.PasswordEncoder;
  7. import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
  8. import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
  9. import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
  10. import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
  11. import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
  12. import org.springframework.security.oauth2.provider.ClientDetailsService;
  13. import org.springframework.security.oauth2.provider.approval.ApprovalStore;
  14. import org.springframework.security.oauth2.provider.approval.TokenApprovalStore;
  15. import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;
  16. import org.springframework.security.oauth2.provider.token.TokenStore;
  17. import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;
  19. @Configuration
  20. @EnableAuthorizationServer
  21. public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
  23.     @Autowired
  24.     private AuthenticationManager authenticationManager;
  26.     @Autowired
  27.     private PasswordEncoder passwordEncoder;
  29.     @Autowired
  30.     private UserApprovalHandler userApprovalHandler;
  32.     @Autowired
  33.     private TokenStore tokenStore;
  35.     @Autowired
  36.     private ClientDetailsService clientDetailsService;
  38.     @Override
  39.     public void configure (AuthorizationServerSecurityConfigurer security) throws Exception {
  40.         super.configure(security);
  41.     }
  43.     @Override
  44.     public void configure (ClientDetailsServiceConfigurer clients) throws Exception {
  45.         super.configure(clients);
  46.         // 这里的客户端信息相当于前面客户端在授权服务端申请的OAuth app
  47.         // demo以及encode过的abc相当于 client_id和client_secret
  48.         // redirectUri就是服务器端发完code之后重定向的客户端地址
  49.         // authorizedGrantTypes是支持此客户端的认证类型
  50.         // scopes与资源服务器配置有关,确定了你这个客户端可以访问哪些资源
  51.         // resourceIds与资源服务器配置有关,必须一致
  52.         clients.inMemory()
  53.             .withClient("demo")
  54.             .secret(passwordEncoder
  55.                     .encode("abc"))
  56.             .authorizedGrantTypes("authorization_code", "password")
  57.             .resourceIds("rg_demo")
  58.             .scopes("read")
  59.             .redirectUris("http://localhost:8081/login/oauth2/code/moxianbao");
  60.     }
  62.     @Bean
  63.     TokenStore tokenStore () {
  64.         return new InMemoryTokenStore();
  65.     }
  67.     @Override
  68.     public void configure (AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
  69.         super.configure(endpoints);
  70.         //password grants are switched on by injecting an AuthenticationManager
  71.         endpoints.authenticationManager(authenticationManager).tokenStore(tokenStore()).userApprovalHandler(userApprovalHandler);
  72.         //refresh_token
  73.         //                 .userDetailsService(userDetailsService);
  74.     }
  76.     @Bean
  77.     public ApprovalStore approvalStore () {
  78.         TokenApprovalStore store = new TokenApprovalStore();
  79.         store.setTokenStore(tokenStore);
  80.         return store;
  81.     }
  83.     // 这个bean用来记住approval、以及automatic approval,根据认证的user和client去查找保存的token,从token中查询请求的scope是否授权
  84.     @Bean
  85.     @Lazy
  86.     @Scope(proxyMode = ScopedProxyMode.TARGET_CLASS)
  87.     public UserApprovalHandler userApprovalHandler () throws Exception {
  88.         UserApprovalHandler handler = new UserApprovalHandler();
  89.         handler.setApprovalStore(approvalStore());
  90.         handler.setRequestFactory(new DefaultOAuth2RequestFactory(clientDetailsService));
  91.         handler.setClientDetailsService(clientDetailsService);
  92.         handler.setUseApprovalStore(true);
  93.         return handler;
  94.     }
  95. }

UserApprovalHandler

  1. package com.example.springbootoauth;
  3. import org.springframework.security.core.Authentication;
  4. import org.springframework.security.oauth2.provider.AuthorizationRequest;
  5. import org.springframework.security.oauth2.provider.ClientDetails;
  6. import org.springframework.security.oauth2.provider.ClientDetailsService;
  7. import org.springframework.security.oauth2.provider.ClientRegistrationException;
  8. import org.springframework.security.oauth2.provider.approval.ApprovalStoreUserApprovalHandler;
  10. import java.util.Collection;
  12. public class UserApprovalHandler extends ApprovalStoreUserApprovalHandler {
  14.     private boolean useApprovalStore = true;
  16.     private ClientDetailsService clientDetailsService;
  18.     /**
  19.      * Service to load client details (optional) for auto approval checks.
  20.      *
  21.      * @param clientDetailsService a client details service
  22.      */
  23.     public void setClientDetailsService (ClientDetailsService clientDetailsService) {
  24.         this.clientDetailsService = clientDetailsService;
  25.         super.setClientDetailsService(clientDetailsService);
  26.     }
  28.     /**
  29.      * @param useApprovalStore the useTokenServices to set
  30.      */
  31.     public void setUseApprovalStore (boolean useApprovalStore) {
  32.         this.useApprovalStore = useApprovalStore;
  33.     }
  35.     /**
  36.      * Allows automatic approval for a white list of clients in the implicit grant case.
  37.      *
  38.      * @param authorizationRequest The authorization request.
  39.      * @param userAuthentication   the current user authentication
  40.      * @return An updated request if it has already been approved by the current user.
  41.      */
  42.     @Override
  43.     public AuthorizationRequest checkForPreApproval (AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
  45.         boolean approved = false;
  46.         // If we are allowed to check existing approvals this will short circuit the decision
  47.         if (useApprovalStore) {
  48.             authorizationRequest = super.checkForPreApproval(authorizationRequest, userAuthentication);
  49.             approved = authorizationRequest.isApproved();
  50.         } else {
  51.             if (clientDetailsService != null) {
  52.                 Collection<String> requestedScopes = authorizationRequest.getScope();
  53.                 try {
  54.                     ClientDetails client = clientDetailsService.loadClientByClientId(authorizationRequest.getClientId());
  55.                     for (String scope : requestedScopes) {
  56.                         if (client.isAutoApprove(scope)) {
  57.                             approved = true;
  58.                             break;
  59.                         }
  60.                     }
  61.                 } catch (ClientRegistrationException e) {
  62.                     System.out.println(e.getMessage());
  63.                 }
  64.             }
  65.         }
  66.         authorizationRequest.setApproved(approved);
  68.         return authorizationRequest;
  70.     }
  71. }

AccessConfirmationController

userApprovalPage和errorPage的endpoint:

  1. package com.example.springbootoauth;
  3. import org.springframework.beans.factory.annotation.Autowired;
  4. import org.springframework.security.oauth2.common.util.OAuth2Utils;
  5. import org.springframework.security.oauth2.provider.AuthorizationRequest;
  6. import org.springframework.security.oauth2.provider.ClientDetails;
  7. import org.springframework.security.oauth2.provider.ClientDetailsService;
  8. import org.springframework.security.oauth2.provider.approval.Approval;
  9. import org.springframework.security.oauth2.provider.approval.ApprovalStore;
  10. import org.springframework.stereotype.Controller;
  11. import org.springframework.web.bind.annotation.RequestMapping;
  12. import org.springframework.web.bind.annotation.SessionAttributes;
  13. import org.springframework.web.servlet.ModelAndView;
  15. import java.security.Principal;
  16. import java.util.LinkedHashMap;
  17. import java.util.Map;
  19. @Controller
  20. @SessionAttributes("authorizationRequest")
  21. public class AccessConfirmationController {
  23.     private ClientDetailsService clientDetailsService;
  25.     private ApprovalStore approvalStore;
  27.     @RequestMapping("/oauth/confirm_access")
  28.     public ModelAndView getAccessConfirmation (Map<String, Object> model, Principal principal) {
  29.         AuthorizationRequest clientAuth = (AuthorizationRequest) model.remove("authorizationRequest");
  30.         ClientDetails client = clientDetailsService.loadClientByClientId(clientAuth.getClientId());
  31.         model.put("auth_request", clientAuth);
  32.         model.put("client", client);
  33.         Map<String, String> scopes = new LinkedHashMap<>();
  34.         for (String scope : clientAuth.getScope()) {
  35.             scopes.put(OAuth2Utils.SCOPE_PREFIX + scope, "false");
  36.         }
  37.         for (Approval approval : approvalStore.getApprovals(principal.getName(), client.getClientId())) {
  38.             if (clientAuth.getScope().contains(approval.getScope())) {
  39.                 scopes.put(OAuth2Utils.SCOPE_PREFIX + approval.getScope(), approval.getStatus() == Approval.ApprovalStatus.APPROVED ? "true" : "false");
  40.             }
  41.         }
  42.         model.put("scopes", scopes);
  43.         return new ModelAndView("/access_confirmation", model);
  44.     }
  46.     @RequestMapping("/oauth/error")
  47.     public String handleError (Map<String, Object> model) {
  48.         // We can add more stuff to the model here for JSP rendering. If the client was a machine then
  49.         // the JSON will already have been rendered.
  50.         model.put("message", "There was a problem with the OAuth2 protocol");
  51.         return "/oauth_error";
  52.     }
  54.     @Autowired
  55.     public void setClientDetailsService (ClientDetailsService clientDetailsService) {
  56.         this.clientDetailsService = clientDetailsService;
  57.     }
  59.     @Autowired
  60.     public void setApprovalStore (ApprovalStore approvalStore) {
  61.         this.approvalStore = approvalStore;
  62.     }
  63. }

😙资源服务器配置

  1. package com.example.springbootoauth;
  3. import org.springframework.beans.factory.annotation.Autowired;
  4. import org.springframework.context.annotation.Configuration;
  5. import org.springframework.security.config.annotation.web.builders.HttpSecurity;
  6. import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
  7. import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
  8. import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
  9. import org.springframework.security.oauth2.provider.token.TokenStore;
  11. @Configuration
  12. @EnableResourceServer
  13. public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
  15.     @Autowired
  16.     TokenStore tokenStore;
  18.     @Override
  19.     public void configure (ResourceServerSecurityConfigurer resources) throws Exception {
  20.         super.configure(resources);
  21.         // 资源服务器的id
  22.         // 拥有此resourceId的客户端授权可以访问此资源服务器的资源
  23.         // stateless标识是否只有在token-based认证时才可以使用资源
  24.         resources.resourceId("rg_demo").stateless(false).tokenStore(tokenStore);
  25.         //        .authenticationEntryPoint();
  26.     }
  28.     @Override
  29.     public void configure (HttpSecurity http) throws Exception {
  30.         // security DSL
  31.         // 在启动类有一个/user的endpoint,配置此endpoint只有在has read scope或 has ROLE_USER role时才可以访问
  32.         http.requestMatchers().antMatchers("/user/**").and().authorizeRequests().antMatchers("/user").access("#oauth2.hasScope('read') or #hasRole('ROLE_USER')");
  33.     }
  34. }

你可以提供多个实现此接口的实例(如果实例间有相同的配置,最后一个配置生效,也就是说你可以用@Order),这样就能达到资源分组的目的,比如上面的resourceId是rg_demo,你可以再来一个叫rg_pro,resourceId是客户端必须的配置,可以有多个。

😙方法安全配置

  1. package com.example.springbootoauth;
  3. import org.springframework.context.annotation.Configuration;
  4. import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
  5. import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
  6. import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
  7. import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;
  9. @Configuration
  10. @EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
  11. public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
  13.     @Override
  14.     protected MethodSecurityExpressionHandler createExpressionHandler () {
  15.         return new OAuth2MethodSecurityExpressionHandler();
  16.     }
  17. }

我们需要覆盖默认的方法安全表达式处理器,不然没法用oauth2.hasScope SpEl。

😙客户端配置

上面的内容我们已经完成了服务器端以及资源服务器端的简单配置,接下来我们需要更改客户端,增加我们的授权服务器信息

😙增加Provider以及Registration

  1. server:
  2.   port: 8081
  4. spring:
  5.   security:
  6.     oauth2:
  7.       client:
  8.         provider:
  9.           moxianbao:
  10.             #            注意不要在同一host,否则session将被覆盖,无法正常认证
  11.             authorizationUri: "http://10.25.92.50:8082/oauth/authorize"
  12.             tokenUri: "http://10.25.92.50:8082/oauth/token"
  13.             userInfoUri: "http://10.25.92.50:8082/user"
  14.             clientName: "moxianbao"
  15.             userNameAttribute: "name"
  16.         registration:
  17.           github:
  18.             clientId: "github-client-id"
  19.             clientSecret: "github-client-secret"
  20.           google:
  21.             client-id: "google-client-id"
  22.             client-secret: "google-client-secret"
  23.           moxianbao:
  24.             clientId: "demo"
  25.             clientSecret: "abc"
  26.             authorizationGrantType: "authorization_code"
  27.             redirectUri: "{baseUrl}/{action}/oauth2/code/{registrationId}"

一定要注意的是授权服务器与客户端绝对不能在一个host下,否则JSESSIONID会覆盖,不可能认证成功。
这里的moxianbao client provider提供了授权服务器的基本信息,包括认证地址、token地址等。
这里的moxianbao client registration要与我们在授权服务器中内置的那个client信息保持一致。

😙首页增加魔仙堡登录选项

  1. <div>
  2.   With moxianbao: <a href="/oauth2/authorization/moxianbao">click here</a>
  3. </div>

🙃测试

🙃浏览器测试:

客户端首页:
image.png
点击使用moxianbao登录。

服务端登录页面:
image.png
点击Login。

服务端Approval页面:
image.png
选Approve,点Submit。

客户端首页:
image.png
返回客户端,并读取用户信息,授权成功。

🙃Postman测试

image.png

选择TYPE为OAuth2.0,点击Get New Access Token

image.png

填写信息,点击Request Token

因为我们浏览器测试时候已经Approve了,所以这里直接申请成功了(但是JSESSIONID是一样的奥:))

image.png

点击Use Token,然后我们去获取下用户信息

image.png

点击发送,可以看到用户信息的返回。

image.png

认证信息存在Header中,Authorization Bearer后面的就是Token:)

😭完

以上简单配置的基础上,再加改进,细粒度控制,持久化存储,就能成为一个”合格”的OAuth server了:)