oauth2 authorization code 大致流程
用户打开客户端后,客户端要求用户给予授权。
用户同意给予客户端授权。
客户端使用授权得到的code,向认证服务器申请token令牌。
认证服务器对客户端进行认证以后,确认无误,同意发放令牌。
客户端请求资源时携带token令牌,向资源服务器申请获取资源。
资源服务器确认令牌无误,同意向客户端开放资源。
security oauth2 整合的核心配置类
授权认证服务配置 AuthorizationServerConfiguration
security 配置 SecurityConfiguration
工程结构目录
image.png
pom.xml
security_oauth2_authorization
0.0.1-SNAPSHOT
jar
security_oauth2_authorization
oauth2 authorization_code 授权模式
org.springframework.boot
spring-boot-starter-parent
2.0.2.RELEASE
UTF-8
UTF-8
1.8
1.0.9.RELEASE
0.9.0
Finchley.RC2
org.springframework.boot
spring-boot-starter-thymeleaf
org.springframework.boot
spring-boot-starter-web
org.springframework.cloud
spring-cloud-starter-oauth2
org.springframework.cloud
spring-cloud-starter-security
org.springframework.security
spring-security-jwt
${security-jwt.version}
org.springframework.boot
spring-boot-starter-freemarker
org.projectlombok
lombok
true
org.springframework.boot
spring-boot-starter-test
test
org.springframework.cloud
spring-cloud-dependencies
${spring-cloud.version}
pom
import
org.springframework.boot
spring-boot-maven-plugin
授权认证服务配置类 AuthorizationServerConfiguration
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
@Autowired
private MyUserDetailsService userDetailsService;
@Override
public void configure(final AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
PasswordEncoder passwordEncoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
String secret = passwordEncoder.encode("secret");
clients.inMemory() // 使用in-memory存储
.withClient("client") // client_id
.secret(secret) // client_secret
//.autoApprove(true) //如果为true 则不会跳转到授权页面,而是直接同意授权返回code
.authorizedGrantTypes("authorization_code","refresh_token") // 该client允许的授权类型
.scopes("app"); // 允许的授权范围
}
@Override
public void configure(final AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManager).userDetailsService(userDetailsService)
.accessTokenConverter(accessTokenConverter())
.allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST); //支持GET POST 请求获取token;
}
@Bean
public JwtAccessTokenConverter accessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter() {
@Override
public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
String userName = authentication.getUserAuthentication().getName();
final Map additionalInformation = new HashMap();
additionalInformation.put("user_name", userName);
((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInformation);
OAuth2AccessToken token = super.enhance(accessToken, authentication);
return token;
}
};
//converter.setSigningKey("bcrypt");
KeyPair keyPair = new KeyStoreKeyFactory(new ClassPathResource("kevin_key.jks"), "123456".toCharArray())
.getKeyPair("kevin_key");
converter.setKeyPair(keyPair);
return converter;
}
}
web 安全配置 WebSecurityConfig
@Order(10)
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private MyUserDetailsService userDetailsFitService;
@Override
@Bean
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.antMatchers("/","/oauth/**","/login","/health", "/css/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsFitService).passwordEncoder(passwordEncoder());
auth.parentAuthenticationManager(authenticationManagerBean());
}
@Bean
public PasswordEncoder passwordEncoder(){
return PasswordEncoderFactories.createDelegatingPasswordEncoder();
}
}
url 注册配置 MvcConfig
@Configuration
public class MvcConfig implements WebMvcConfigurer {
@Override
public void addViewControllers(ViewControllerRegistry registry) {
registry.addViewController("/login").setViewName("login"); //自定义的登陆页面
registry.addViewController("/oauth/confirm_access").setViewName("oauth_approval"); //自定义的授权页面
}
}
# security 登陆认证 MyUserDetailsService
@Service
public class MyUserDetailsService implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String name) throws UsernameNotFoundException {
if ("admin".equalsIgnoreCase(name)) {
User user = mockUser();
return user;
}
return null;
}
private User mockUser() {
Collection authorities = new HashSet<>();
authorities.add(new SimpleGrantedAuthority("admin"));
PasswordEncoder passwordEncoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
String pwd = passwordEncoder.encode("123456");
User user = new User("admin",pwd,authorities);
return user;
}
}
自定义登陆页面 login.html
登陆username
Password
登陆
自定义授权页面 oauth_approval.html
授权你是否授权client_id=client访问你的受保护资源?
action="../oauth/authorize" method="post">
Approve
action="../oauth/authorize" method="post">
Deny
application.yml
server:
port: 18084
spring:
application:
name: oauth2-server # 应用名称
thymeleaf:
prefix: classpath:/templates/
logging:
level:
org.springframework.security: DEBUG
1. 访问oauth2 服务
client_id:第三方应用在授权服务器注册的 Id
response_type:固定值 code。
redirect_uri:授权服务器授权重定向哪儿的 URL。
scope:权限
state:随机字符串,可以省略
如果未登陆则出现登录页面,输入用户名:admin 密码:123456 登陆系统
image.png
2. 成功登陆后自动跳转到授权页面
image.png
3. 携带授权之后返回的code 获取token
image.png
这里的账号和密码 是我们注册的 client_id 和 client_secret
image.png
成功登陆后获取token
image.png
4.携带toekn 访问资源
demo地址:
