前言
注意:我本地没有生成公钥和私钥,所以每次启动项目jwkSource都会重新生成,导致之前认证的token都会失效,具体如何生成私钥和公钥以及怎么配置到授权服务器中,网上有很多方法自行实现即可
之前有个项目用的0.0.3的,正好最近想研究研究,所以就去了官网看文档研究了一下,1.1.1基于的事security6.x的版本, security6与5.7之前的版本有很大的差别,废话不多说,直接上代码(代码中也有一些注释)
最基础的配置官网都有,这里不去体现,主要体现功能:
- 自定义认证和授权
- 自定义端点拦截器
- 持久化到数据库
版本
依赖项 | 版本 |
---|---|
springboot | 3.1.2 |
spring-authorization-server | 1.1.1 |
jdk | 17 |
dynamic-datasource-spring-boot3-starter | 4.1.2 |
mybatis-plus | 3.5.3 |
sql文件
代码实操
目录结构
pom文件
需要额外引入spring security cas包原因是启动时(logging等级:org.springframework.security: trace)会报错:java.lang.ClassNotFoundException:org.springframework.security.cas.jackson2.CasJackson2Module错误。
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><parent><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-parent</artifactId><version>3.1.2</version><relativePath/> <!-- lookup parent from repository --></parent><groupId>com.example</groupId><artifactId>demo</artifactId><version>0.0.1-SNAPSHOT</version><name>demo</name><description>demo</description><properties><java.version>17</java.version></properties><dependencyManagement>
<!-- <dependencies>-->
<!-- <!– SpringBoot的依赖配置–>-->
<!-- <dependency>-->
<!-- <groupId>org.springframework.boot</groupId>-->
<!-- <artifactId>spring-boot-dependencies</artifactId>-->
<!-- <version>2.5.14</version>-->
<!-- <type>pom</type>-->
<!-- <scope>import</scope>-->
<!-- </dependency>-->
<!-- </dependencies>--></dependencyManagement><dependencies><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter</artifactId></dependency><dependency><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId><optional>true</optional></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-test</artifactId><scope>test</scope></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-oauth2-authorization-server</artifactId></dependency><!-- 添加spring security cas支持这里需添加spring-security-cas依赖,否则启动时报java.lang.ClassNotFoundException: org.springframework.security.cas.jackson2.CasJackson2Module错误。--><dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-cas</artifactId></dependency><dependency><groupId>com.alibaba.fastjson2</groupId><artifactId>fastjson2</artifactId><version>2.0.34</version></dependency><dependency><groupId>com.baomidou</groupId><artifactId>mybatis-plus-boot-starter</artifactId><version>3.5.3</version></dependency><!-- 阿里数据库连接池 --><dependency><groupId>com.alibaba</groupId><artifactId>druid-spring-boot-starter</artifactId><version>1.2.16</version></dependency><!-- SpringBoot Web容器 --><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency><dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId><version>8.0.31</version></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-data-jdbc</artifactId></dependency><dependency><groupId>com.baomidou</groupId><artifactId>dynamic-datasource-spring-boot3-starter</artifactId><version>4.1.2</version></dependency><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-aop</artifactId></dependency></dependencies><build><plugins><plugin><groupId>org.springframework.boot</groupId><artifactId>spring-boot-maven-plugin</artifactId><configuration><excludes><exclude><groupId>org.projectlombok</groupId><artifactId>lombok</artifactId></exclude></excludes></configuration></plugin></plugins></build></project>
授权服务器配置(包名:authenticationServer )
CustomAuthorizationServerConfiguration
import com.example.demo.config.security.provider.WeChatMiniAppAuthenticationProvider;
import com.example.demo.config.security.provider.converter.WeChatMiniAppAuthenticationConverter;
import com.example.demo.utils.OAuth2ConfigurerUtils;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AuthorizationCodeAuthenticationConverter;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2ClientCredentialsAuthenticationConverter;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2RefreshTokenAuthenticationConverter;
import org.springframework.security.web.util.matcher.RequestMatcher;public class CustomAuthorizationServerConfiguration {public static void applyDefaultSecurity(HttpSecurity http, JWKSource<SecurityContext> jwkSource) throws Exception {OAuth2AuthorizationServerConfigurer authorizationServerConfigurer = new OAuth2AuthorizationServerConfigurer();OAuth2AuthorizationService authorizationService = OAuth2ConfigurerUtils.getBean(http,OAuth2AuthorizationService.class);// 认证过滤器链authorizationServerConfigurer.tokenEndpoint(oAuth2TokenEndpointConfigurer -> {oAuth2TokenEndpointConfigurer.accessTokenRequestConverters( customJwtAuthenticationToken -> {customJwtAuthenticationToken.add(new OAuth2AuthorizationCodeAuthenticationConverter());customJwtAuthenticationToken.add(new OAuth2RefreshTokenAuthenticationConverter());customJwtAuthenticationToken.add(new OAuth2ClientCredentialsAuthenticationConverter());customJwtAuthenticationToken.add(new WeChatMiniAppAuthenticationConverter());})// 返回accessToken的后置处理器 https://docs.spring.io/spring-authorization-server/docs/current/reference/html/protocol-endpoints.html#oauth2-token-endpoint
// .accessTokenResponseHandler()// 异常返回处理器
// .errorResponseHandler().authenticationProviders((customProviders) -> {// 自定义认证提供者customProviders.add(new WeChatMiniAppAuthenticationProvider(jwkSource,authorizationService));});});// 端点匹配器RequestMatcher endpointsMatcher = authorizationServerConfigurer.getEndpointsMatcher();http.securityMatcher(endpointsMatcher)// .authorizeHttpRequests(authorizeRequests -> authorizeRequests.anyRequest().authenticated())// csrf.csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher)).apply(authorizationServerConfigurer);}}
认证提供者(包名:provider)
预处理(包名: Converter)
WeChatMiniAppAuthenticationConverter
可以说是预处理类转换token信息
import com.example.demo.config.security.provider.token.WeChatMiniAppAuthenticationToken;
import com.example.demo.config.security.provider.type.AuthorizationGrantTypes;
import jakarta.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;import java.util.LinkedHashMap;
import java.util.Map;public final class WeChatMiniAppAuthenticationConverter implements AuthenticationConverter {private final Logger logger = LoggerFactory.getLogger(WeChatMiniAppAuthenticationConverter.class);/*** 参数对象** @param request {@link HttpServletRequest}* @return {@link Authentication}*/@Overridepublic Authentication convert(HttpServletRequest request) {String grantType = request.getParameter(OAuth2ParameterNames.GRANT_TYPE);if (!AuthorizationGrantTypes.WECHAT_MINIAPP.getValue().equals(grantType)) {return null;}// 获取参数MultiValueMap<String, String> parameters = getParameters(request);logger.info("微信小程序授权入参:{}", parameters);// 微信CODE// 其他参数Map<String, Object> additionalParameters = getOtherParameters(parameters);// clientPrincipalAuthentication clientPrincipal = SecurityContextHolder.getContext().getAuthentication();logger.info("小程序授权全部参数:{}", additionalParameters);return new WeChatMiniAppAuthenticationToken(clientPrincipal, additionalParameters, "code","appid", "encryptedData", "ivStr");}/*** 获取其他参数** @param parameters {@link MultiValueMap}* @return {@link Map}*/private Map<String, Object> getOtherParameters(MultiValueMap<String, String> parameters) {Map<String, Object> additionalParameters = new LinkedHashMap<>(16);parameters.forEach((key, value) -> {if (!key.equals(OAuth2ParameterNames.GRANT_TYPE)&& !key.equals(OAuth2ParameterNames.SCOPE)) {additionalParameters.put(key, value.get(0));}});return additionalParameters;}static MultiValueMap<String, String> getParameters(HttpServletRequest request) {Map<String, String[]> parameterMap = request.getParameterMap();MultiValueMap<String, String> parameters = new LinkedMultiValueMap<>(parameterMap.size());parameterMap.forEach((key, values) -> {for (String value : values) {parameters.add(key, value);}});return parameters;}}
自定义token (包名: token)
WeChatMiniAppAuthenticationToken
@Setter
@Getter
public class WeChatMiniAppAuthenticationToken extends OAuth2AuthorizationGrantAuthenticationToken {/*** appId 应用ID*/private final String appId;/*** code 小程序CODE*/private final String code;private final String encryptedData;private final String ivStr;/*** Sub-class constructor.* @param clientPrincipal the authenticated client principal* @param additionalParameters the additional parameters* @param code {@link String } 小程序code* @param appId {@link String } 平台appid* @param encryptedData {@link String } encryptedData* @param ivStr {@link String } ivStr*/public WeChatMiniAppAuthenticationToken(Authentication clientPrincipal,Map<String, Object> additionalParameters, String code,String appId, String encryptedData, String ivStr) {super(AuthorizationGrantTypes.WECHAT_MINIAPP, clientPrincipal, additionalParameters);this.code = code;this.appId = appId;this.encryptedData = encryptedData;this.ivStr = ivStr;}
}
定义认证type (包名:type)
AuthorizationGrantTypes
人获取access_token时,会用到grantType
public class AuthorizationGrantTypes {public static final AuthorizationGrantType WECHAT_MINIAPP = new AuthorizationGrantType("wechat_miniapp");}
资源服务器 (包名:resourceServer)
CustomAuthenticationTokenConverter
自定义jwt 预处理器
public class CustomAuthenticationToken implements Converter<Jwt, AbstractAuthenticationToken> {private final Converter<Jwt, Collection<GrantedAuthority>> jwtGrantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();private static final String PRINCIPAL_CLAIM_NAME = "data";private final Logger logger = LoggerFactory.getLogger(CustomAuthenticationToken.class);public CustomAuthenticationToken() {}public AbstractAuthenticationToken convert(@NonNull Jwt jwt) {this.logger.info("convert ->jwt:{}", JSONObject.toJSONString(jwt));Collection<GrantedAuthority> authorities = this.extractAuthorities(jwt);// 获取个性化的token信息String principalClaimValue = jwt.getClaimAsString(PRINCIPAL_CLAIM_NAME);if (principalClaimValue == null) {return new JwtAuthenticationToken(jwt, authorities);} else {UserDto user = this.extractUserInfo(jwt);user.setToken(jwt.getTokenValue());CustomJwtAuthenticationToken jwtAuthenticationToken = new CustomJwtAuthenticationToken(jwt, user, authorities);SecurityContextHolder.getContext().setAuthentication(jwtAuthenticationToken);return jwtAuthenticationToken;}}protected Collection<GrantedAuthority> extractAuthorities(Jwt jwt) {return this.jwtGrantedAuthoritiesConverter.convert(jwt);}protected UserDto extractUserInfo(Jwt jwt) {String principalClaimValue = jwt.getClaimAsString("data");return JSONObject.parseObject(principalClaimValue, UserDto.class);}
}
CustomJwtAuthenticationToken
自定义的jwt
@Transient
public class CustomJwtAuthenticationToken extends AbstractOAuth2TokenAuthenticationToken<Jwt> {private static final long serialVersionUID = 560L;private final String name;public CustomJwtAuthenticationToken(Jwt jwt, Object principal, Collection<? extends GrantedAuthority> authorities) {super(jwt, principal, "", authorities);this.setAuthenticated(true);this.name = jwt.getSubject();}public Map<String, Object> getTokenAttributes() {return ((Jwt)this.getToken()).getClaims();}public String getName() {return this.name;}
}
CustomOauth2AuthenticationEntryPoint
自定义协议端点
public class CustomOauth2AuthenticationEntryPoint implements AuthenticationEntryPoint {private static final Logger logger = LoggerFactory.getLogger(CustomOauth2AuthenticationEntryPoint.class);private String realmName;public CustomOauth2AuthenticationEntryPoint() {}public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException {logger.error(e.getLocalizedMessage(), e);HttpStatus status = HttpStatus.UNAUTHORIZED;Map<String, String> parameters = new LinkedHashMap<>();if (Objects.nonNull(this.realmName)) {parameters.put("realm", this.realmName);}if (e instanceof OAuth2AuthenticationException oAuth2AuthenticationException) {OAuth2Error error = oAuth2AuthenticationException.getError();parameters.put("error", error.getErrorCode());if (StringUtils.hasText(error.getDescription())) {String errorMessage = error.getDescription();parameters.put("error_description", errorMessage);}if (StringUtils.hasText(error.getUri())) {parameters.put("error_uri", error.getUri());}if (error instanceof BearerTokenError bearerTokenError) {if (StringUtils.hasText(bearerTokenError.getScope())) {parameters.put("scope", bearerTokenError.getScope());}status = ((BearerTokenError)error).getHttpStatus();}}ResponseEntity<String> unauthenticated = new ResponseEntity<String>("Unauthenticated", HttpStatusCode.valueOf(status.value()));String message = JSON.toJSONString(unauthenticated);String wwwAuthenticate = WwwAuthenticateHeaderBuilder.computeWwwAuthenticateHeaderValue(parameters);response.addHeader("WWW-Authenticate", wwwAuthenticate);response.setStatus(status.value());response.setContentType("application/json");response.getWriter().write(message);}
}
WwwAuthenticateHeaderBuilder
public final class WwwAuthenticateHeaderBuilder {public WwwAuthenticateHeaderBuilder() {}public static String computeWwwAuthenticateHeaderValue(Map<String, String> parameters) {StringJoiner wwwAuthenticate = new StringJoiner(", ", "Bearer ", "");if (!parameters.isEmpty()) {parameters.forEach((k, v) -> {wwwAuthenticate.add(k + "=\"" + v + "\"");});}return wwwAuthenticate.toString();}
}
Oauth2ResourceServerConfigurer
资源服务器配置
public final class Oauth2ResourceServerConfigurer {public Oauth2ResourceServerConfigurer() {}public static void applyDefaultSecurity(HttpSecurity http) throws Exception {http.oauth2ResourceServer((oauth2ResourceServerConfigurer) ->oauth2ResourceServerConfigurer// 无权限处理器
// .accessDeniedHandler()// 自定义协议端点.authenticationEntryPoint(new CustomOauth2AuthenticationEntryPoint()).jwt((jwtConfigurer) -> jwtConfigurer.jwtAuthenticationConverter(new CustomAuthenticationToken())));}
}
SecurityConfig
实现授权及资源服务器
package com.example.demo.config.security;import com.example.demo.config.security.authenticationServer.CustomAuthorizationServerConfiguration;
import com.example.demo.config.security.resourceServer.Oauth2ResourceServerConfigurer;
import com.example.demo.service.CustomUserDetailsService;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import lombok.extern.slf4j.Slf4j;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.jackson2.CoreJackson2Module;
import org.springframework.security.jackson2.SecurityJackson2Modules;
import org.springframework.security.oauth2.core.*;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.authorization.*;
import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.jackson2.OAuth2AuthorizationServerJackson2Module;
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;
import org.springframework.security.oauth2.server.authorization.token.*;
import org.springframework.security.web.SecurityFilterChain;import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.time.Duration;
import java.util.UUID;/***** @author qb* @since 2023/7/21 15:14* @version 1.0*/
@Slf4j
@Configuration
@EnableWebSecurity
public class SecurityConfig {// 协议端点过滤器链@Bean@Order(1)public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {CustomAuthorizationServerConfiguration.applyDefaultSecurity(http,jwkSource());
// // 开启oidc connect 1.0
// http.getConfigurer(OAuth2AuthorizationServerConfigurer.class).oidc(Customizer.withDefaults());
// // 重定向到未通过身份验证的登录页面 授权终结点
// http.exceptionHandling((exceptions) -> exceptions.defaultAuthenticationEntryPointFor(
// new LoginUrlAuthenticationEntryPoint("/login"),
// new MediaTypeRequestMatcher(MediaType.TEXT_HTML)
// ))
// // 授权服务 接受的用户信息和/或客户端注册的访问令牌
// .oauth2ResourceServer((resourceServer) -> resourceServer.jwt(Customizer.withDefaults()));return http.build();}// 协议认证筛选器@Bean@Order(2)public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {Oauth2ResourceServerConfigurer.applyDefaultSecurity(http);http.csrf(AbstractHttpConfigurer::disable).authorizeHttpRequests(auth ->auth.requestMatchers("/login","/callback","/oauth2/client/**").permitAll().anyRequest().authenticated());return http.build();}// 自定义认证service@Beanpublic UserDetailsService userDetailsService() {return new CustomUserDetailsService();}// 密码加密@Beanpublic PasswordEncoder passwordEncoder(){
// return PasswordEncoderFactories.createDelegatingPasswordEncoder();return new BCryptPasswordEncoder();}/*** 管理客户端* @return /*/@Beanpublic RegisteredClientRepository registeredClientRepository(JdbcTemplate jdbcTemplate) {
// RegisteredClient oidcClient = defaultClient();// 配置模式
// JdbcRegisteredClientRepository jdbcRegisteredClientRepository = new JdbcRegisteredClientRepository(jdbcTemplate);
// if (null == jdbcRegisteredClientRepository.findByClientId("client")) {
// jdbcRegisteredClientRepository.save(oidcClient);
// }return new JdbcRegisteredClientRepository(jdbcTemplate);}private static RegisteredClient defaultClient() {// 方便测试,先注册一个测试客户端RegisteredClient oidcClient = RegisteredClient.withId(UUID.randomUUID().toString()).clientId("client")// 123456.clientSecret("$2a$10$gJUJo9Ad3wDIhBGVH.8/i.Ox82tSCR4.UkbiDWEDUVQnIzcTMPjKK")// 可以基于 basic 的方式和授权服务器进行认证.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)// 授权码.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)// 刷新token.authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)// 客户端模式.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)// 密码模式.authorizationGrantType(AuthorizationGrantType.JWT_BEARER)// 重定向url.redirectUri("http://127.0.0.1:9000/callback").postLogoutRedirectUri("http://127.0.0.1:9000/")// 客户端申请的作用域,也可以理解这个客户端申请访问用户的哪些信息,比如:获取用户信息,获取用户照片等.scope(OidcScopes.OPENID).scope(OidcScopes.PROFILE).clientSettings(ClientSettings.builder()// 是否需要用户确认一下客户端需要获取用户的哪些权限// 比如:客户端需要获取用户的 用户信息、用户照片 但是此处用户可以控制只给客户端授权获取 用户信息。.requireAuthorizationConsent(true).build()).tokenSettings(TokenSettings.builder()// accessToken 的有效期.accessTokenTimeToLive(Duration.ofHours(1))// refreshToken 的有效期.refreshTokenTimeToLive(Duration.ofDays(3))// 是否可重用刷新令牌.reuseRefreshTokens(true).build()).build();return oidcClient;}/*** 自定义授权service* @return /*/@Beanpublic OAuth2AuthorizationService authorizationService(JdbcTemplate jdbcTemplate, RegisteredClientRepository registeredClientRepository) {
// JdbcOAuth2AuthorizationService authorizationService = new JdbcOAuth2AuthorizationService(jdbcTemplate, registeredClientRepository);
// JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper rowMapper = new JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper(registeredClientRepository);
// ClassLoader classLoader = JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper.class.getClassLoader();
// ObjectMapper objectMapper = new ObjectMapper();
// objectMapper.registerModules(new CoreJackson2Module());
// objectMapper.registerModules(SecurityJackson2Modules.getModules(classLoader));
// objectMapper.registerModule(new OAuth2AuthorizationServerJackson2Module());
// rowMapper.setObjectMapper(objectMapper);
// authorizationService.setAuthorizationRowMapper(rowMapper);
// return authorizationService;return new JdbcOAuth2AuthorizationService(jdbcTemplate, registeredClientRepository);}/*** 自定义确认授权 service 配置**/@Beanpublic OAuth2AuthorizationConsentService authorizationConsentService(JdbcTemplate jdbcTemplate,RegisteredClientRepository registeredClientRepository) {return new JdbcOAuth2AuthorizationConsentService(jdbcTemplate, registeredClientRepository);}/*** 签名实例* 此处注意,目前重启项目就会导致之前已存在的token失效,需要改为固定私钥和公钥,生成到项目目录下* @return /*/@Beanpublic JWKSource<SecurityContext> jwkSource(){var keyPair = generateRsaKeyPair();// 公钥RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();RSAKey rsaKey = new RSAKey.Builder(publicKey).privateKey(privateKey).keyID(UUID.randomUUID().toString()).build();var jwkSet = new JWKSet(rsaKey);return new ImmutableJWKSet<>(jwkSet);}// 解析JWKSource访问令牌,构建 JwtDecoder 实例@Beanpublic JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource){return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);}// 启动时生成的 with 密钥的实例,用于创建上述内容。java.security.KeyPairJWKSourceprivate static KeyPair generateRsaKeyPair(){KeyPair keyPair ;try {KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");keyPairGenerator.initialize(2048);keyPair = keyPairGenerator.generateKeyPair();}catch (Exception e) {throw new IllegalStateException(e);}return keyPair;}/*** 自定义jwt信息,全局(自定义jwt实现例外)* @return /*/@Beanpublic OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer() {return context -> {context.getJwsHeader().header("client-id", context.getRegisteredClient().getClientId());context.getClaims().claim("test","哈哈哈").build();log.info("jwtCustomizer -> getJwsHeader:{}",context.getJwsHeader());log.info("jwtCustomizer -> claim:{}", context.getClaims());// Customize claims};}/*** 自定义token属性 预留* @return /*/@Beanpublic OAuth2TokenCustomizer<OAuth2TokenClaimsContext> accessTokenCustomizer() {return context -> {OAuth2TokenClaimsSet.Builder claims = context.getClaims();claims.claim("test200","哈哈哈哈哈").build();log.info("accessTokenCustomizer -> claims:{}",claims);// Customize claims};}// Jwt编码上下文 拓展token
// @Bean
// public OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer() {
// return context -> {
// JwsHeader.Builder headers = context.getJwsHeader();
// JwtClaimsSet.Builder claims = context.getClaims();
// headers.header("client-id", context.getRegisteredClient().getClientId());
// log.info("jwtCustomizer headers:{}",headers);
// if (context.getTokenType().equals(OAuth2TokenType.ACCESS_TOKEN)) {
// // Customize headers/claims for access_token
//
// } else if (context.getTokenType().getValue().equals(OidcParameterNames.ID_TOKEN)) {
// // Customize headers/claims for id_token
// }
// };
// }// 自定义 授权服务器的实例,设置用于配置spring授权服务器@Beanpublic AuthorizationServerSettings authorizationServerSettings() {// 总之server服务,例如:个性化认证及授权相关的路径return AuthorizationServerSettings.builder().build();}// 会话管理
// @Bean
// public SessionRegistry sessionRegistry() {
// return new SessionRegistryImpl();
// }// @Bean
// public HttpSessionEventPublisher httpSessionEventPublisher() {
// return new HttpSessionEventPublisher();
// }}
MybatisPlusConfig
@Configuration
public class MybatisPlusConfig {/*** 新的分页插件,一缓和二缓遵循mybatis的规则,需要设置 MybatisConfiguration#useDeprecatedExecutor = false 避免缓存出现问题(该属性会在旧插件移除后一同移除)*/@Beanpublic MybatisPlusInterceptor mybatisPlusInterceptor() {MybatisPlusInterceptor interceptor = new MybatisPlusInterceptor();interceptor.addInnerInterceptor(new PaginationInnerInterceptor(DbType.MYSQL));return interceptor;}}
controller包
ClientController
注册客户端
@RequestMapping("/oauth2/client")
@RestController
@RequiredArgsConstructor
public class ClientController {private final RegisteredClientRepository registeredClientRepository;private final PasswordEncoder passwordEncoder;/*** 注册客户端*/@PostMappingpublic ResponseEntity<Boolean> registeredClientRepository(@RequestBody RegisteredOauth2Client registeredClient) {// @formatter:offRegisteredClient entity = RegisteredClient.withId(UUID.randomUUID().toString())// ID.clientId(registeredClient.getClientId())// 秘钥.clientSecret(passwordEncoder.encode(registeredClient.getClientSecret()))// POST 请求方法.clientAuthenticationMethods(clientAuthenticationMethods ->clientAuthenticationMethods.addAll(registeredClient.getClientAuthenticationMethods()))// CLIENT_CREDENTIALS.authorizationGrantTypes(authorizationGrantTypes ->authorizationGrantTypes.addAll(registeredClient.getAuthorizationGrantTypes()))// 范围.scopes(strings -> {// 超级strings.addAll(registeredClient.getScopes());}).tokenSettings(registeredClient.getTokenSettings())// 客户端配置.clientSettings(registeredClient.getClientSettings()).build();// Save registered client in dbregisteredClientRepository.save(entity);return ResponseEntity.ok(true);}}
InfoController
测试 当前认证上下文信息
@RestController
@RequestMapping("/info")
public class InfoController {@GetMapping("/token")public Object token(){return SecurityContextHolder.getContext().getAuthentication().getPrincipal();}}
domain
BaseResponseDto
@Data
@AllArgsConstructor
@NoArgsConstructor
@Builder
public class BaseResponseDto {private String code;private String message;}
LoginRequest
@Data
public class LoginRequest {private String username;private String password;}
UserDto
@Data
@Accessors(chain = true)
public class UserDto {private String id;private String hosId;private String token;}
RegisteredOauth2Client 重要
这个类可以着重看一下
@Data
@NoArgsConstructor
public class RegisteredOauth2Client implements Serializable {/*** 客户端ID*/private String clientId;/*** 客户端秘钥*/private String clientSecret;/*** 客户端名称*/private String clientName;/*** 权限范围*/private Set<String> scopes;private Instant clientIdIssuedAt;private Instant clientSecretExpiresAt;private Set<ClientAuthenticationMethod> clientAuthenticationMethods;private Set<AuthorizationGrantType> authorizationGrantTypes;private Set<String> redirectUris;private ClientSettings clientSettings = ClientSettings.builder()// 是否需要用户确认一下客户端需要获取用户的哪些权限// 比如:客户端需要获取用户的 用户信息、用户照片 但是此处用户可以控制只给客户端授权获取 用户信息。.requireAuthorizationConsent(true).build();private TokenSettings tokenSettings = TokenSettings.builder()// accessToken 的有效期.accessTokenTimeToLive(Duration.ofHours(1))// refreshToken 的有效期.refreshTokenTimeToLive(Duration.ofDays(3))// 是否可重用刷新令牌.reuseRefreshTokens(true).build();
}
UserEntity
@Data
@TableName("user")
public class UserEntity {@TableId("id_")private Long id;@TableField("username")private String username;@TableField("password")private String password;}
mapper
UserMapper
public interface UserMapper extends BaseMapper<UserEntity> {}
service
IUserService
public interface IUserService extends IService<UserEntity> {
}
UserServiceImpl
@Service
@RequiredArgsConstructor
public class UserServiceImpl extends ServiceImpl<UserMapper, UserEntity> implements IUserService {}
utils
HelperUtils
public class HelperUtils {public static final ObjectWriter JSON_WRITER = new ObjectMapper().writer().withDefaultPrettyPrinter();}
JwtUtils
public final class JwtUtils {private JwtUtils() {}public static JwsHeader.Builder headers() {return JwsHeader.with(SignatureAlgorithm.RS256);}public static JwtClaimsSet.Builder accessTokenClaims(RegisteredClient registeredClient,String issuer, String subject,Set<String> authorizedScopes) {Instant issuedAt = Instant.now();Instant expiresAt = issuedAt.plus(registeredClient.getTokenSettings().getAccessTokenTimeToLive());/*** iss (issuer):签发人/发行人* sub (subject):主题* aud (audience):用户* exp (expiration time):过期时间* nbf (Not Before):生效时间,在此之前是无效的* iat (Issued At):签发时间* jti (JWT ID):用于标识该 JWT*/// @formatter:offJwtClaimsSet.Builder claimsBuilder = JwtClaimsSet.builder();if (StringUtils.hasText(issuer)) {claimsBuilder.issuer(issuer);}claimsBuilder.subject(subject).audience(Collections.singletonList(registeredClient.getClientId())).issuedAt(issuedAt).expiresAt(expiresAt).notBefore(issuedAt);if (!CollectionUtils.isEmpty(authorizedScopes)) {claimsBuilder.claim(OAuth2ParameterNames.SCOPE, authorizedScopes);}// @formatter:onreturn claimsBuilder;}public static JwtClaimsSet.Builder idTokenClaims(RegisteredClient registeredClient,String issuer, String subject, String nonce) {Instant issuedAt = Instant.now();// TODO Allow configuration for ID Token time-to-liveInstant expiresAt = issuedAt.plus(30, ChronoUnit.MINUTES);// @formatter:offJwtClaimsSet.Builder claimsBuilder = JwtClaimsSet.builder();if (StringUtils.hasText(issuer)) {claimsBuilder.issuer(issuer);}claimsBuilder.subject(subject).audience(Collections.singletonList(registeredClient.getClientId())).issuedAt(issuedAt).expiresAt(expiresAt).claim(IdTokenClaimNames.AZP, registeredClient.getClientId());if (StringUtils.hasText(nonce)) {claimsBuilder.claim(IdTokenClaimNames.NONCE, nonce);}// TODO Add 'auth_time' claim// @formatter:onreturn claimsBuilder;}}
OAuth2ConfigurerUtils
/*** 复制security底层的工具类*/
public class OAuth2ConfigurerUtils {private OAuth2ConfigurerUtils() {}public static RegisteredClientRepository getRegisteredClientRepository(HttpSecurity httpSecurity) {RegisteredClientRepository registeredClientRepository = (RegisteredClientRepository)httpSecurity.getSharedObject(RegisteredClientRepository.class);if (registeredClientRepository == null) {registeredClientRepository = (RegisteredClientRepository)getBean(httpSecurity, RegisteredClientRepository.class);httpSecurity.setSharedObject(RegisteredClientRepository.class, registeredClientRepository);}return registeredClientRepository;}public static OAuth2AuthorizationService getAuthorizationService(HttpSecurity httpSecurity) {OAuth2AuthorizationService authorizationService = (OAuth2AuthorizationService)httpSecurity.getSharedObject(OAuth2AuthorizationService.class);if (authorizationService == null) {authorizationService = (OAuth2AuthorizationService)getOptionalBean(httpSecurity, OAuth2AuthorizationService.class);if (authorizationService == null) {authorizationService = new InMemoryOAuth2AuthorizationService();}httpSecurity.setSharedObject(OAuth2AuthorizationService.class, authorizationService);}return (OAuth2AuthorizationService)authorizationService;}public static OAuth2AuthorizationConsentService getAuthorizationConsentService(HttpSecurity httpSecurity) {OAuth2AuthorizationConsentService authorizationConsentService = (OAuth2AuthorizationConsentService)httpSecurity.getSharedObject(OAuth2AuthorizationConsentService.class);if (authorizationConsentService == null) {authorizationConsentService = (OAuth2AuthorizationConsentService)getOptionalBean(httpSecurity, OAuth2AuthorizationConsentService.class);if (authorizationConsentService == null) {authorizationConsentService = new InMemoryOAuth2AuthorizationConsentService();}httpSecurity.setSharedObject(OAuth2AuthorizationConsentService.class, authorizationConsentService);}return (OAuth2AuthorizationConsentService)authorizationConsentService;}public static OAuth2TokenGenerator<? extends OAuth2Token> getTokenGenerator(HttpSecurity httpSecurity) {OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator = (OAuth2TokenGenerator)httpSecurity.getSharedObject(OAuth2TokenGenerator.class);if (tokenGenerator == null) {tokenGenerator = (OAuth2TokenGenerator)getOptionalBean(httpSecurity, OAuth2TokenGenerator.class);if (tokenGenerator == null) {JwtGenerator jwtGenerator = getJwtGenerator(httpSecurity);OAuth2AccessTokenGenerator accessTokenGenerator = new OAuth2AccessTokenGenerator();OAuth2TokenCustomizer<OAuth2TokenClaimsContext> accessTokenCustomizer = getAccessTokenCustomizer(httpSecurity);if (accessTokenCustomizer != null) {accessTokenGenerator.setAccessTokenCustomizer(accessTokenCustomizer);}OAuth2RefreshTokenGenerator refreshTokenGenerator = new OAuth2RefreshTokenGenerator();if (jwtGenerator != null) {tokenGenerator = new DelegatingOAuth2TokenGenerator(new OAuth2TokenGenerator[]{jwtGenerator, accessTokenGenerator, refreshTokenGenerator});} else {tokenGenerator = new DelegatingOAuth2TokenGenerator(new OAuth2TokenGenerator[]{accessTokenGenerator, refreshTokenGenerator});}}httpSecurity.setSharedObject(OAuth2TokenGenerator.class, tokenGenerator);}return (OAuth2TokenGenerator)tokenGenerator;}private static JwtGenerator getJwtGenerator(HttpSecurity httpSecurity) {JwtGenerator jwtGenerator = (JwtGenerator)httpSecurity.getSharedObject(JwtGenerator.class);if (jwtGenerator == null) {JwtEncoder jwtEncoder = getJwtEncoder(httpSecurity);if (jwtEncoder != null) {jwtGenerator = new JwtGenerator(jwtEncoder);OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer = getJwtCustomizer(httpSecurity);if (jwtCustomizer != null) {jwtGenerator.setJwtCustomizer(jwtCustomizer);}httpSecurity.setSharedObject(JwtGenerator.class, jwtGenerator);}}return jwtGenerator;}private static JwtEncoder getJwtEncoder(HttpSecurity httpSecurity) {JwtEncoder jwtEncoder = (JwtEncoder)httpSecurity.getSharedObject(JwtEncoder.class);if (jwtEncoder == null) {jwtEncoder = (JwtEncoder)getOptionalBean(httpSecurity, JwtEncoder.class);if (jwtEncoder == null) {JWKSource<SecurityContext> jwkSource = getJwkSource(httpSecurity);if (jwkSource != null) {jwtEncoder = new NimbusJwtEncoder(jwkSource);}}if (jwtEncoder != null) {httpSecurity.setSharedObject(JwtEncoder.class, jwtEncoder);}}return (JwtEncoder)jwtEncoder;}public static JWKSource<SecurityContext> getJwkSource(HttpSecurity httpSecurity) {JWKSource<SecurityContext> jwkSource = (JWKSource)httpSecurity.getSharedObject(JWKSource.class);if (jwkSource == null) {ResolvableType type = ResolvableType.forClassWithGenerics(JWKSource.class, new Class[]{SecurityContext.class});jwkSource = (JWKSource)getOptionalBean(httpSecurity, type);if (jwkSource != null) {httpSecurity.setSharedObject(JWKSource.class, jwkSource);}}return jwkSource;}private static OAuth2TokenCustomizer<JwtEncodingContext> getJwtCustomizer(HttpSecurity httpSecurity) {ResolvableType type = ResolvableType.forClassWithGenerics(OAuth2TokenCustomizer.class, new Class[]{JwtEncodingContext.class});return (OAuth2TokenCustomizer)getOptionalBean(httpSecurity, type);}private static OAuth2TokenCustomizer<OAuth2TokenClaimsContext> getAccessTokenCustomizer(HttpSecurity httpSecurity) {ResolvableType type = ResolvableType.forClassWithGenerics(OAuth2TokenCustomizer.class, new Class[]{OAuth2TokenClaimsContext.class});return (OAuth2TokenCustomizer)getOptionalBean(httpSecurity, type);}public static AuthorizationServerSettings getAuthorizationServerSettings(HttpSecurity httpSecurity) {AuthorizationServerSettings authorizationServerSettings = (AuthorizationServerSettings)httpSecurity.getSharedObject(AuthorizationServerSettings.class);if (authorizationServerSettings == null) {authorizationServerSettings = (AuthorizationServerSettings)getBean(httpSecurity, AuthorizationServerSettings.class);httpSecurity.setSharedObject(AuthorizationServerSettings.class, authorizationServerSettings);}return authorizationServerSettings;}public static <T> T getBean(HttpSecurity httpSecurity, Class<T> type) {return ((ApplicationContext)httpSecurity.getSharedObject(ApplicationContext.class)).getBean(type);}public static <T> T getBean(HttpSecurity httpSecurity, ResolvableType type) {ApplicationContext context = (ApplicationContext)httpSecurity.getSharedObject(ApplicationContext.class);String[] names = context.getBeanNamesForType(type);if (names.length == 1) {return (T) context.getBean(names[0]);} else if (names.length > 1) {throw new NoUniqueBeanDefinitionException(type, names);} else {throw new NoSuchBeanDefinitionException(type);}}public static <T> T getOptionalBean(HttpSecurity httpSecurity, Class<T> type) {Map<String, T> beansMap = BeanFactoryUtils.beansOfTypeIncludingAncestors((ListableBeanFactory)httpSecurity.getSharedObject(ApplicationContext.class), type);if (beansMap.size() > 1) {int var10003 = beansMap.size();String var10004 = type.getName();throw new NoUniqueBeanDefinitionException(type, var10003, "Expected single matching bean of type '" + var10004 + "' but found " + beansMap.size() + ": " + StringUtils.collectionToCommaDelimitedString(beansMap.keySet()));} else {return !beansMap.isEmpty() ? beansMap.values().iterator().next() : null;}}public static <T> T getOptionalBean(HttpSecurity httpSecurity, ResolvableType type) {ApplicationContext context = (ApplicationContext)httpSecurity.getSharedObject(ApplicationContext.class);String[] names = context.getBeanNamesForType(type);if (names.length > 1) {throw new NoUniqueBeanDefinitionException(type, names);} else {return names.length == 1 ? (T) context.getBean(names[0]) : null;}}
}
效果截图
注册客户端
{"clientId":"123456",
"clientSecret":"8b30c1482ff973cfc92e51e1ec636966",
"clientName":"test",
"scopes":[
"super"
],
"clientAuthenticationMethods":["client_secret_post"],
"authorizationGrantTypes": ["refresh_token", "client_credentials", "sms_app,wechat_miniapp"]
}
客户端授权
grant_type:wechat_miniapp
scope:super
client_id:123456
client_secret:8b30c1482ff973cfc92e51e1ec636966
appId:123456789