devbox
不正经
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

Oauth2--- 授权码模式(authorization_code)过程

作者:不正经 | 2024-02-15 11:19:31

authorization_code

一、获取授权码Code:

访问授权服务器 /oauth/authorize 端点:(只用于"implicit", "authorization_code")

GET: http://127.0.0.1:8080/oauth/authorize?client_id=client&response_type=code&redirect_uri=http://www.baidu.com

参数:

(1)response_type=code  必须指定。

  (2) client_id=client  客户端必须指定。

(3)redirect_uri=http:// 重定向地址 必须与数据表一致


结果:如果同意授权: 返回code=cown42 并跳转到redirect_uri=http://www.baidu.com

过程:比较client_id、及redirect_uri、scope、

涉及到核心类:

(1)DefaultRedirectResolver:redirect_uri地址校验。

(2)JdbcAuthorizationCodeServices/InMemoryAuthorizationCodeServices: 生成的code,并保存(code,OAuth2Authentication)在内存或数据库(oauth_code表)

(3)JdbcClientDetailsService: 从表oauth_client_details读取ClientDetails信息,用来校验。

(4)LoginUrlAuthenticationEntryPoint:末登录时,异常由ExceptionTranslationFilter doFilter()---》LoginUrlAuthenticationEntryPoint--》重定向到loginFromUrl页面。

 

  1. public class AuthorizationEndpoint extends AbstractEndpoint {
  2.  
  3. //一、相关操作:
  4. 	private AuthorizationCodeServices authorizationCodeServices = new InMemoryAuthorizationCodeServices();
  5. 	private RedirectResolver redirectResolver = new DefaultRedirectResolver();
  6. 	private UserApprovalHandler userApprovalHandler = new DefaultUserApprovalHandler();
  7. 	private SessionAttributeStore sessionAttributeStore = new DefaultSessionAttributeStore();
  8. 	private OAuth2RequestValidator oauth2RequestValidator = new DefaultOAuth2RequestValidator();
  9.    //授权确认页面
  10. 	private String userApprovalPage = "forward:/oauth/confirm_access";
  11. 	private String errorPage = "forward:/oauth/error";
  12.  
  13. //二、接口:
  14. @RequestMapping(value = "/oauth/authorize")
  15. 	public ModelAndView authorize(Map<String, Object> model, @RequestParam Map<String, String> parameters,SessionStatus sessionStatus, Principal principal) {
  16.  /*1. 通过DefaultOAuth2RequestFactory.createAuthorizationRequest()
  17.     AuthorizationRequest request = new AuthorizationRequest();
  18. 从client数据库表加载clietDetails信息
  19.    ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId);		
  20. 	request.setResourceIdsAndAuthoritiesFromClientDetails(clientDetails);
  21. */		
  22. AuthorizationRequest authorizationRequest = getOAuth2RequestFactory().createAuthorizationRequest(parameters);
  23.  
  24. 		Set<String> responseTypes = authorizationRequest.getResponseTypes();
  25.         //2.反应类型必须是code
  26. 		if (!responseTypes.contains("token") && !responseTypes.contains("code")) {
  27. 			throw new UnsupportedResponseTypeException("Unsupported response types: " + responseTypes);
  28. 		}
  29.         //3.必须指定clientId
  30. 		if (authorizationRequest.getClientId() == null) {
  31. 			throw new InvalidClientException("A client id must be provided");
  32. 		}
  33.  
  34. 		try {
  35.             //4.访问该端点必须认证isAuthenticated = ture,抛出异常,由ExceptionTranslationFilter doFilter()---》LoginUrlAuthenticationEntryPoint--》重定向到loginFromUrl页面。
  36. 			if (!(principal instanceof Authentication) || !((Authentication) principal).isAuthenticated()) {
  37. 				throw new InsufficientAuthenticationException(
  38. 						"User must be authenticated with Spring Security before authorization can be completed.");
  39. 			}
  40.             //5.从数据库加载clientDetails
  41. 			ClientDetails client = getClientDetailsService().loadClientByClientId(authorizationRequest.getClientId());
  42.  
  43. 			//6. 必须指定redirect_uri 而且与数据库里的设置一至。同时认证类型只能:"implicit", "authorization_code"
  44. 			String redirectUriParameter = authorizationRequest.getRequestParameters().get(OAuth2Utils.REDIRECT_URI);
  45. 			String resolvedRedirect = redirectResolver.resolveRedirect(redirectUriParameter, client);
  46. 			if (!StringUtils.hasText(resolvedRedirect)) {
  47. 				throw new RedirectMismatchException(
  48. 						"A redirectUri must be either supplied or preconfigured in the ClientDetails");
  49. 			}
  50. 			authorizationRequest.setRedirectUri(resolvedRedirect);
  51.  
  52. 			// 7。访问范畴Scope比对
  53. 			oauth2RequestValidator.validateScope(authorizationRequest, client);
  54.  
  55. 			// 8.是否受权
  56. 			authorizationRequest = userApprovalHandler.checkForPreApproval(authorizationRequest,
  57. 					(Authentication) principal);
  58. 			// TODO: is this call necessary?
  59. 			boolean approved = userApprovalHandler.isApproved(authorizationRequest, (Authentication) principal);
  60. 			authorizationRequest.setApproved(approved);
  61.  
  62. 			// 10.授权通过后,直接返回数据。
  63.             // (1) Code授权:生成code,同时保存在InMemoryAuthorizationCodeServices(默认)或JdbcAuthorizationCodeServices(表oauth_code)
  64. 			if (authorizationRequest.isApproved()) {
  65. 				if (responseTypes.contains("token")) {
  66. 					return getImplicitGrantResponse(authorizationRequest);
  67. 				}
  68. 				if (responseTypes.contains("code")) {
  69. 					return new ModelAndView(getAuthorizationCodeResponse(authorizationRequest,
  70. 							(Authentication) principal));
  71. 				}
  72. 			}
  73.  
  74. 			//11.弹窗口,让用户授权
  75. 			model.put("authorizationRequest", authorizationRequest);
  76.  
  77. 			return getUserApprovalPageResponse(model, authorizationRequest, (Authentication) principal);
  78.  
  79. 		}
  80. 		catch (RuntimeException e) {
  81. 			sessionStatus.setComplete();
  82. 			throw e;
  83. 		}
  84.  
  85. 	}

二、 获取访问令牌: 访问授权服务器 /oauth/token 端点

确保用户是已经登陆的情况,返回access_token格式.

  1. Post:
  2. http://localhost:8080/oauth/token?
  3. grant_type=authorization_code&code=o4YrCS&client_id=pair &client_secret=secret&redirect_uri=http://baidu.com

参数:

(1) clientId: 客户端id,参数指定同时Principal也必须一致。否则 InvalidClientException(必须)

(2)client_secret:客户端密匙

(2)grant_type:授权类型。(必须)

(3)code: 授权码(必须)

核心类:

(1)AuthorizationServerTokenServices/DefaultTokenServices:由这类产生、刷新、获取token.

  (2) TokenStore:由用户自己提供实现代码。

(3)类包装关系: AbstractEndpoint----》AuthorizationServerTokenServices(DefaultTokenServices)---》TokenStore

  1. @FrameworkEndpoint
  2. public class TokenEndpoint extends AbstractEndpoint {
  3.  
  4. 	private OAuth2RequestValidator oAuth2RequestValidator = new DefaultOAuth2RequestValidator();
  5.  
  6.     /**
  7.     * 获取access_token
  8.     **/
  9. 	@RequestMapping(value = "/oauth/token", method=RequestMethod.POST)
  10. 	public ResponseEntity<OAuth2AccessToken> postAccessToken(Principal principal, @RequestParam
  11. 	Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
  12.         //1.必须是认证通过的用户,否则会抛出异常,异常由ExceptionTranslationFilter doFilter()---》LoginUrlAuthenticationEntryPoint--》重定向到loginFromUrl页面。
  13. 		if (!(principal instanceof Authentication)) {
  14. 			throw new InsufficientAuthenticationException(
  15. 					"There is no client authentication. Try adding an appropriate authentication filter.");
  16. 		}
  17.         //2.读取数据表加载ClientDetails信息。
  18. 		String clientId = getClientId(principal);
  19. 		ClientDetails authenticatedClient = getClientDetailsService().loadClientByClientId(clientId);
  20.  
  21. 		TokenRequest tokenRequest = getOAuth2RequestFactory().createTokenRequest(parameters, authenticatedClient);
  22.         //2.检查clientId是否正确
  23. 		if (clientId != null && !clientId.equals("")) {		
  24. 			if (!clientId.equals(tokenRequest.getClientId())) {
  25. 				throw new InvalidClientException("Given client ID does not match authenticated client");
  26. 			}
  27. 		}
  28.         //3.检查Scope
  29. 		if (authenticatedClient != null) {
  30. 			oAuth2RequestValidator.validateScope(tokenRequest, authenticatedClient);
  31. 		}
  32.         //4.检查GrantType: 且不能为implicit
  33. 		if (!StringUtils.hasText(tokenRequest.getGrantType())) {
  34. 			throw new InvalidRequestException("Missing grant type");
  35. 		}
  36. 		if (tokenRequest.getGrantType().equals("implicit")) {
  37. 			throw new InvalidGrantException("Implicit grant type not supported from token endpoint");
  38. 		}
  39.         //5.如果是authorization_code类型,检查AuthCode:AuthCode != null && grant_type = authorization_code
  40. 		if (isAuthCodeRequest(parameters)) {
  41. 			// The scope was requested or determined during the authorization step
  42. 			if (!tokenRequest.getScope().isEmpty()) {
  43. 				logger.debug("Clearing scope of incoming token request");
  44. 				tokenRequest.setScope(Collections.<String> emptySet());
  45. 			}
  46. 		}
  47.         // 授权是刷新token: grant_type = refresh_token
  48. 		if (isRefreshTokenRequest(parameters)) {
  49. 			// A refresh token has its own default scopes, so we should ignore any added by the factory here.
  50. 			tokenRequest.setScope(OAuth2Utils.parseParameterList(parameters.get(OAuth2Utils.SCOPE)));
  51. 		}
  52.         //5.生成 token,TokenGranter(用户指定)生成一个OAuth2AccessToken。
  53.  
  54. 		OAuth2AccessToken token = getTokenGranter().grant(tokenRequest.getGrantType(), tokenRequest);
  55. 		if (token == null) {
  56. 			throw new UnsupportedGrantTypeException("Unsupported grant type: " + tokenRequest.getGrantType());
  57. 		}
  58.  
  59. 		return getResponse(token);
  60.  
  61. 	}
  1. public abstract class AbstractTokenGranter implements TokenGranter {
  2. 	
  3.     /**
  4.     * 核心类:提供token所有相关操作(最终由DefaultTokenServices实现类实现功能)
  5.     **/
  6. 	private final AuthorizationServerTokenServices tokenServices;
  7. 	private final ClientDetailsService clientDetailsService;
  8. 	private final OAuth2RequestFactory requestFactory;
  9. 	private final String grantType;
  10. }
  1. OAuth2AccessToken {
  2.    public static String BEARER_TYPE = "Bearer";
  3.    public static String OAUTH2_TYPE = "OAuth2";
  4.    public static String ACCESS_TOKEN = "access_token";
  5.    public static String TOKEN_TYPE = "token_type";
  6.    public static String EXPIRES_IN = "expires_in";
  7.    public static String REFRESH_TOKEN = "refresh_token";
  8.    public static String SCOPE = "scope";
  9. }
  1. /**
  2.  * 1.TokenStore:核心类,所有token相关的操作由它提供
  3.  * 2.核心功能:(1)提供accessToken 的创建、刷新服务 (2)loadAuthentication()accessToken获取用户信息过程
  4.  * 3.核心类:
  5.  *   (1)AuthorizationServerTokenServices:授权服务器的提供accessToken 的创建、刷新服务。
  6.  *   (2)ResourceServerTokenServices:授权服务器的提供accessToken 获取用户信息,提供给资源服务器去tokenString---> OAuth2Authentication
  7.  */
  8. public class DefaultTokenServices implements AuthorizationServerTokenServices, ResourceServerTokenServices,
  9.         ConsumerTokenServices, InitializingBean {
  10.  
  11.     //Token生成、保存服务。(核心重点)
  12.     private TokenStore tokenStore;
  13.     //ClientDetail 服务
  14.     private ClientDetailsService clientDetailsService;
  15.     //Token信息添加
  16.     private TokenEnhancer accessTokenEnhancer;
  17.     //认证管理:当token刷新时,用于重新认证
  18.     private AuthenticationManager authenticationManager;
  19.  
  20.     /**
  21.      *  生成 OAuth2AccessToken
  22.      */
  23.     @Transactional
  24.     public OAuth2AccessToken createAccessToken(OAuth2Authentication authentication) throws AuthenticationException {
  25.  
  26.         //1. 直接从tokenStore服务获取accessToken
  27.         OAuth2AccessToken existingAccessToken = tokenStore.getAccessToken(authentication);
  28.         OAuth2RefreshToken refreshToken = null;
  29.         //1.tokenStore有accessToken时,检查是否失效。
  30.         if (existingAccessToken != null) {
  31.             if (existingAccessToken.isExpired()) {
  32.                 if (existingAccessToken.getRefreshToken() != null) {
  33.                     refreshToken = existingAccessToken.getRefreshToken();
  34.                     tokenStore.removeRefreshToken(refreshToken);
  35.                 }
  36.                 tokenStore.removeAccessToken(existingAccessToken);
  37.             }
  38.             else {
  39.                 tokenStore.storeAccessToken(existingAccessToken, authentication);
  40.                 return existingAccessToken;
  41.             }
  42.         }
  43.  
  44.        //2.生成 accessToken 和 refreshToken 并保存
  45.         refreshToken = createRefreshToken(authentication);
  46.         OAuth2AccessToken accessToken = createAccessToken(authentication, refreshToken);
  47.         tokenStore.storeAccessToken(accessToken, authentication);
  48.         tokenStore.storeRefreshToken(refreshToken, authentication);
  49.         
  50.         return accessToken;
  51.  
  52.     }
  53.  
  54.     /**
  55.      * 刷新aceessToken
  56.      */
  57.     @Transactional(noRollbackFor={InvalidTokenException.class, InvalidGrantException.class})
  58.     public OAuth2AccessToken refreshAccessToken(String refreshTokenValue, TokenRequest tokenRequest)
  59.             throws AuthenticationException {
  60.         //1. 刷新token
  61.         OAuth2RefreshToken refreshToken = tokenStore.readRefreshToken(refreshTokenValue);
  62.         //2.重新认证
  63.         OAuth2Authentication authentication = tokenStore.readAuthenticationForRefreshToken(refreshToken);
  64.         //3.重新生成、保存token
  65.         refreshToken = createRefreshToken(authentication);
  66.         OAuth2AccessToken accessToken = createAccessToken(authentication, refreshToken);
  67.         tokenStore.storeAccessToken(accessToken, authentication);
  68.         tokenStore.storeRefreshToken(accessToken.getRefreshToken(), authentication);
  69.         
  70.         return accessToken;
  71.     }
  72.  
  73.     /**
  74.      * 从accessToken 获取到OAuth2Authentication
  75.      */
  76.     public OAuth2Authentication loadAuthentication(String accessTokenValue) throws AuthenticationException,
  77.             InvalidTokenException {
  78.         OAuth2AccessToken accessToken = tokenStore.readAccessToken(accessTokenValue);
  79.         OAuth2Authentication result = tokenStore.readAuthentication(accessToken);
  80.         //校验
  81.         if (clientDetailsService != null) {
  82.             String clientId = result.getOAuth2Request().getClientId();
  83.             try {
  84.                 clientDetailsService.loadClientByClientId(clientId);
  85.             }
  86.             catch (ClientRegistrationException e) {
  87.                 throw new InvalidTokenException("Client not valid: " + clientId, e);
  88.             }
  89.         }
  90.         return result;
  91.     }
  92.  
  93.     /**
  94.      * 生成RefreshToken就是简单的json字符串
  95.      */
  96.     private OAuth2RefreshToken createRefreshToken(OAuth2Authentication authentication) {
  97.         // OAuth2RefreshToken数据结构: @JsonValue String getValue();
  98.         return new DefaultOAuth2RefreshToken(value);
  99.     }
  100.  
  101.     /**
  102.      * 生成 OAuth2AccessToken
  103.      */
  104.     private OAuth2AccessToken createAccessToken(OAuth2Authentication authentication, OAuth2RefreshToken refreshToken) {
  105.         //生成AccessToken
  106.         /**OAuth2AccessToken数据结构
  107.          private String value;
  108.         private Date expiration;
  109.         private String tokenType = BEARER_TYPE.toLowerCase();
  110.         private OAuth2RefreshToken refreshToken;
  111.         private Set<String> scope;
  112.         private Map<String, Object> additionalInformation = Collections.emptyMap();
  113.         */
  114.         
  115.         DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken(UUID.randomUUID().toString());
  116.         token.setRefreshToken(refreshToken);
  117.         token.setScope(authentication.getOAuth2Request().getScope());
  118.         //调用用户指定的accessTokenEnhancer进行数据插入
  119.         return accessTokenEnhancer != null ? accessTokenEnhancer.enhance(token, authentication) : token;
  120.     }
  121.  
  122.     
  123. }

 

三、访问资源服务器受保护的资源:

根据access_token获取资源, 附上令牌在请求头,**需加上 Bearer **

访问http://localhost:8080/rest/api/ping?access_token=a8ae6a78-289d-4594-a421-9b56aa8f7213

(1)PostMan工具: GET/POST: /xxx/xxxx Header: Authorization Bearer access_token

(2)Curl命令: curl -X GET \ http://localhost:9001/test \ -i -H "Accept: application/json" -H "Authorization: Bearer eyJhbG" \

 

四、配置AuthorizationServerEndpointsConfigurer:

主要注入想着的ServerBean。

  1. /**
  2. 	 * 配置token的保存方式
  3. 	 * 1. 密码模式下配置认证管理器 AuthenticationManager
  4. 	 * 2. 设置 AccessToken的存储介质tokenStore, 默认使用内存当做存储介质。
  5. 	 */
  6. 	@Override
  7. 	public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
  8.  
  9. 		TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
  10. 		endpoints
  11. 				.authenticationManager(authenticationManager)
  12. 				.userDetailsService(userDetailsService) //MUST:密码模式下需设置一个AuthenticationManager对象,获取 UserDetails信息
  13. 				.tokenStore(tokenStore)//token的保存方式
  14. 				.tokenEnhancer(tokenEnhancerChain);//token里加点信息
  15. }
  16.  
  17. //所有Endpoints所用的到服务都在这里注入完成,保存在这个对象
  18. public final class AuthorizationServerEndpointsConfigurer {
  19.  
  20. 	private AuthorizationServerTokenServices tokenServices;
  21.  
  22. 	private ConsumerTokenServices consumerTokenServices;
  23.  
  24. 	private AuthorizationCodeServices authorizationCodeServices;
  25.  
  26. 	private ResourceServerTokenServices resourceTokenServices;
  27.  
  28. 	private TokenStore tokenStore;
  29.  
  30. 	private TokenEnhancer tokenEnhancer;
  31.  
  32. 	private AccessTokenConverter accessTokenConverter;
  33.  
  34. 	private ApprovalStore approvalStore;
  35.  
  36. 	private TokenGranter tokenGranter;
  37.  
  38. 	private OAuth2RequestFactory requestFactory;
  39.  
  40. 	private OAuth2RequestValidator requestValidator;
  41.  
  42. 	private UserApprovalHandler userApprovalHandler;
  43.  
  44. 	private AuthenticationManager authenticationManager;
  45.  
  46. 	private ClientDetailsService clientDetailsService;
  47.  
  48. 	private String prefix;
  49.  
  50. 	private Map<String, String> patternMap = new HashMap<String, String>();
  51.  
  52. 	private Set<HttpMethod> allowedTokenEndpointRequestMethods = new HashSet<HttpMethod>();
  53.  
  54. 	private FrameworkEndpointHandlerMapping frameworkEndpointHandlerMapping;
  55.  
  56. 	private boolean approvalStoreDisabled;
  57.  
  58. 	private List<Object> interceptors = new ArrayList<Object>();
  59.  
  60. 	private DefaultTokenServices defaultTokenServices;
  61.  
  62. 	private UserDetailsService userDetailsService;
  63.  
  64. 	private boolean tokenServicesOverride = false;
  65.  
  66. 	private boolean userDetailsServiceOverride = false;
  67.  
  68. 	private boolean reuseRefreshToken = true;
  69.  
  70. 	private WebResponseExceptionTranslator<OAuth2Exception> exceptionTranslator;
  71.  
  72. 	private RedirectResolver redirectResolver;
  73. }

 

本文内容由网友自发贡献,转载请注明出处:https://www.wpsshop.cn/w/不正经/article/detail/84066
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号