Spring Security Oauth2系列（三）_org.springframework.security.oauth2.core.oauth2aut

首先在讲这个话题之前，我想把自己遇见的最大的问题分享给大家

Whitelabel Error Page

This application has no explicit mapping for /error, so you are seeing this as a fallback.

Sat Mar 17 14:24:30 CST 2018
There was an unexpected error (type=Unauthorized, status=401).
Authentication Failed: Could not obtain access token

这个问题相信大家遇见得可能不是很多，可以调试跟踪client的OAuth2ClientAuthenticationProcessingFilter类中的源码（注意是client，因为这个地方是在完成了认证授权过后获取token的步骤）

调试源码篇幅比较长，有兴趣的读者可以自行尝试调试，主要是OAuth2RestTemplate类中的2个获取accessToken的方法和AuthorizationCodeAccessTokenProvider类中的obtainAccessToken的方法

错误分析：

这个错误只在使用Aut horizationCode中才会出现，就说客户端反复刷新带有code和state的参数导致的，由于code已经使用过一次，刷新过后会导致code过期，所以你反复使用会认为是非法的操作，所以可能是"CSRF攻击"。

解决方法：

server:
   session:
      cookie:
        name: x x x

客户端配置文件添加这句话即可，有兴趣参考国外大神GitHub连接: https://github.com/eugenp/tutorials/tree/master/spring-security-sso

获取authorization_code相关类解析

开始进入正题，主要讲解与spring-security-oauth2部分相关源码，spring-security部分源码请大家在本社区的security自行了解学习org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint

主要判断请求用户是否已经被用户授权，若已授权则返回新的authorization_code ， 反之 跳转到用户授权页面

    @RequestMapping({"/oauth/authorize"})
    public ModelAndView authorize(Map<String, Object> model, @RequestParam Map<String, String> parameters, SessionStatus sessionStatus, Principal principal) {
        // 根据请求参数封装 认证请求对象  ---- > AuthorizationRequest
        // Pull out the authorization request first, using the OAuth2RequestFactory. All further logic should
        // query off of the authorization request instead of referring back to the parameters map. The contents of the
        // parameters map will be stored without change in the AuthorizationRequest object once it is created.
 
        AuthorizationRequest authorizationRequest = this.getOAuth2RequestFactory().createAuthorizationRequest(parameters);
 
        //获取请求中的response_type类型，并检验； 此方法只支持 code 类型和 token类型
 
        Set<String> responseTypes = authorizationRequest.getResponseTypes();
        if (!responseTypes.contains("token") && !responseTypes.contains("code")) {
            throw new UnsupportedResponseTypeException("Unsupported response types: " + responseTypes);
        } else if (authorizationRequest.getClientId() == null) {
            throw new InvalidClientException("A client id must be provided");
        } else {
            try {
            ／/大家在自定义授权页面的时候在security中设置拦截了/oauth/authorize的，经常会出现匿名用户访问的原因就在这里，因为你不拦截的话他是不会进入security的自定义认证流程中去
                if (principal instanceof Authentication && ((Authentication)principal).isAuthenticated()) {
                    //获取客户端详情
                    ClientDetails client = this.getClientDetailsService().loadClientByClientId(authorizationRequest.getClientId());
 
                     // The resolved redirect URI is either the redirect_uri from the parameters or the one from
                     // clientDetails. Either way we need to store it on the AuthorizationRequest.
 
                    String redirectUriParameter = (String)authorizationRequest.getRequestParameters().get("redirect_uri");
 
                     // 如果数据库中配置了Client的redirect client则请求的redirect URL必须与数据库中配置的相匹配OK
                     //如果数据库中无配置，则直接返回请求中携带的redirect url
 
                    String resolvedRedirect = this.redirectResolver.resolveRedirect(redirectUriParameter, client);
                    if (!StringUtils.hasText(resolvedRedirect)) {
                        throw new RedirectMismatchException("A redirectUri must be either supplied or preconfigured in the ClientDetails");
                    } else {
                        authorizationRequest.setRedirectUri(resolvedRedirect);
            //根据ClientDetail 校验请求的scoppe
                        // We intentionally only validate the parameters requested by the client (ignoring any data that may have
                        // been added to the request by the manager).
 
                        this.oauth2RequestValidator.validateScope(authorizationRequest, client);
 
                           // 此处检测请求的用户是否已经被授权，或者有配置默认授权的权限； 若已经有accessToke存在或者被配置默认授权的权限则返回含有授权的对象
                          //用到userApprovalHandler---- > TokenStoreUserApprovalHandler
                         // Some systems may allow for approval decisions to be remembered or approved by default. Check for
                        // such logic here, and set the approved flag on the authorization request accordingly.
 
                        authorizationRequest = this.userApprovalHandler.checkForPreApproval(authorizationRequest, (Authentication)principal);
                        // TODO: is this call necessary?
                        boolean approved = this.userApprovalHandler.isApproved(authorizationRequest, (Authentication)principal);
 
                         //若已经授权则直接返回对应的视图，返回的视图中包含新生成的authorization_code（固定长度的随机字符串）值，此处新生成的code会存与库中
                        // Validation is all done, so we can check for auto approval...
 
                        authorizationRequest.setApproved(approved);
                        if (authorizationRequest.isApproved()) {
                            if (responseTypes.contains("token")) {
                                return this.getImplicitGrantResponse(authorizationRequest);
                            }
 
                            if (responseTypes.contains("code")) {
                                return new ModelAndView(this.getAuthorizationCodeResponse(authorizationRequest, (Authentication)principal));
                            }
                        }
                          // Place auth request into the model so that it is stored in the session
                         // for approveOrDeny to use. That way we make sure that auth request comes from the session,
                        // so any auth request parameters passed to approveOrDeny will be ignored and retrieved from the session.
 
                        model.put("authorizationRequest", authorizationRequest);
 
                       //未被授权者跳转到授权界面，让用户选择是否授权
 
                        return this.getUserApprovalPageResponse(model, authorizationRequest, (Authentication)principal);
                    }
                } else {
                    throw new InsufficientAuthenticationException("User must be authenticated with Spring Security before authorization can be completed.");
                }
            } catch (RuntimeException var11) {
                sessionStatus.setComplete();
                throw var11;
            }
        }
    }

用于处理用户授权页面的结果 ， 用户是否授予第三方权限 ； 请求中必须包参数 user_oauth_approval

    @RequestMapping(
        value = {"/oauth/authorize"},
        method = {RequestMethod.POST},
        params = {"user_oauth_approval"}
    )
 
    public View approveOrDeny(@RequestParam Map<String, String> approvalParameters, Map<String, ?> model, SessionStatus sessionStatus, Principal principal) {
        if (!(principal instanceof Authentication)) {
            sessionStatus.setComplete();
            throw new InsufficientAuthenticationException("User must be authenticated with Spring Security before authorizing an access token.");
        } else {
                //获取当前session中存放的 authorizationRequest 
            AuthorizationRequest authorizationRequest = (AuthorizationRequest)model.get("authorizationRequest");
            if (authorizationRequest == null) {
                sessionStatus.setComplete();
                throw new InvalidRequestException("Cannot approve uninitialized authorization request.");
            } else {
                RedirectView var8;
                try {
                    Set<String> responseTypes = authorizationRequest.getResponseTypes();
                    authorizationRequest.setApprovalParameters(approvalParameters);
                    //根据用户是否授权更新 authorizationRequest 对象中的 approved 属性； 
                    authorizationRequest = this.userApprovalHandler.updateAfterApproval(authorizationRequest, (Authentication)principal);
                    boolean approved = this.userApprovalHandler.isApproved(authorizationRequest, (Authentication)principal);
                    authorizationRequest.setApproved(approved);
                    if (authorizationRequest.getRedirectUri() == null) {
                        sessionStatus.setComplete();
                        throw new InvalidRequestException("Cannot approve request when no redirect URI is provided.");
                    }
 
                    if (authorizationRequest.isApproved()) {
                        View var12;
                        if (responseTypes.contains("token")) {
                            var12 = this.getImplicitGrantResponse(authorizationRequest).getView();
                            return var12;
                        }
 
                       //生成Authorization_code 并储存，返回给客户端
 
                        var12 = this.getAuthorizationCodeResponse(authorizationRequest, (Authentication)principal);
                        return var12;
                    }
 
                    var8 = new RedirectView(this.getUnsuccessfulRedirect(authorizationRequest, new UserDeniedAuthorizationException("User denied access"), responseTypes.contains("token")), false, true, false);
                } finally {
                    sessionStatus.setComplete();
                }
 
                return var8;
            }
        }
    }
        //部分无关紧要源码省略
        ....................
}

获取AccessToken请求相关类解析

org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter(此Filter是在用户已经进行过身份认证，并且已经通过的条件下)

     //此方法主要作用为：提取客户端的Client_id 和 Client_secret 传递给你AuthenticationManager进行认证
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
        //验证请求的方法是否支持 ，  POST 、 GET  此处只支持POST方法
        if (this.allowOnlyPost && !"POST".equalsIgnoreCase(request.getMethod())) {
            throw new HttpRequestMethodNotSupportedException(request.getMethod(), new String[]{"POST"});
        } else {
            //获取客户端信息
            String clientId = request.getParameter("client_id");
            String clientSecret = request.getParameter("client_secret");
         //如果身份已经认证 直接放行，无需在进行认证
        //（此处有疑问，SecurityContextHolder.getContext() 获取的Authentication一定是当前用户的认证信息吗，如何保证？？？？？？？？？？）
        // If the request is already authenticated we can assume that this
        // filter is not needed
 
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            if (authentication != null && authentication.isAuthenticated()) {
                return authentication;
            } else if (clientId == null) {
                throw new BadCredentialsException("No client credentials presented");
            } else {
                if (clientSecret == null) {
                    clientSecret = "";
                }
 
                clientId = clientId.trim();
                UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(clientId, clientSecret);
                //提交给AuthenticationManager 进行身份认证 ---- > 类 AbstractUserDetailsAuthenticationProvider
                return this.getAuthenticationManager().authenticate(authRequest);
            }
        }
    }

org.springframework.security.oauth2.provider.endpoint.TokenEndpoint

//此方法的主要作用为：
1、获取客户端详情并根据请求参数组装TokenRequest；
2、校验请求的Scope；
3、为客户端是生成Token

    @RequestMapping(value = "/oauth/token", method=RequestMethod.POST)
    public ResponseEntity<OAuth2AccessToken> postAccessToken(Principal principal, @RequestParam
    Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
 
        if (!(principal instanceof Authentication)) {
            throw new InsufficientAuthenticationException(
                    "There is no client authentication. Try adding an appropriate authentication filter.");
        }
 
        //通过clientId 获取客户端详情
        String clientId = getClientId(principal);
        ClientDetails authenticatedClient = getClientDetailsService().loadClientByClientId(clientId);
 
        //获取请求的相关参数，如grant_type,client_id,scope(此处会依据用户的权限进行过滤)等， 封装组建TokenRequest 
        TokenRequest tokenRequest = getOAuth2RequestFactory().createTokenRequest(parameters, authenticatedClient);
 
        if (clientId != null && !clientId.equals("")) {
            // Only validate the client details if a client authenticated during this
            // request.
            if (!clientId.equals(tokenRequest.getClientId())) {
                // double check to make sure that the client ID in the token request is the same as that in the
                // authenticated client
                throw new InvalidClientException("Given client ID does not match authenticated client");
            }
        }
        //对客户端传入的Scope进行校验 ， Scope超限将直接抛出异常
        if (authenticatedClient != null) {
            oAuth2RequestValidator.validateScope(tokenRequest, authenticatedClient);
        }
        if (!StringUtils.hasText(tokenRequest.getGrantType())) {
            throw new InvalidRequestException("Missing grant type");
        }
        if (tokenRequest.getGrantType().equals("implicit")) {
            throw new InvalidGrantException("Implicit grant type not supported from token endpoint");
        }
        // grant_type=authorzation_code 时清空scope
        if (isAuthCodeRequest(parameters)) {
            // The scope was requested or determined during the authorization step
            if (!tokenRequest.getScope().isEmpty()) {
                logger.debug("Clearing scope of incoming token request");
                tokenRequest.setScope(Collections.<String> emptySet());
            }
        }
        //grant_type=refresh_token 时 需要设置scope ，因为它有自己的scope
        if (isRefreshTokenRequest(parameters)) {
            // A refresh token has its own default scopes, so we should ignore any added by the factory here.
            tokenRequest.setScope(OAuth2Utils.parseParameterList(parameters.get(OAuth2Utils.SCOPE)));
        }
 
        //为客户端生成token （此处会验证客户端的grant_type，只有检验通过才会生成Token）  ------- >类 DefaultTokenServices
        OAuth2AccessToken token = getTokenGranter().grant(tokenRequest.getGrantType(), tokenRequest);
        if (token == null) {
            throw new UnsupportedGrantTypeException("Unsupported grant type: " + tokenRequest.getGrantType());
        }
        //封装返回
        return getResponse(token);
 
    }

org.springframework.security.oauth2.provider.token.DefaultTokenServices

生成accessToken和RefreshToken

    @Transactional
    public OAuth2AccessToken createAccessToken(OAuth2Authentication authentication) throws AuthenticationException {
 
        //首先尝试获取当前存在的Token
        OAuth2AccessToken existingAccessToken = tokenStore.getAccessToken(authentication);
        OAuth2RefreshToken refreshToken = null;
        //如果accesToken已存在并且没有失效，则重新保存并返回；如果accessToken失效，则提取refrehToken并清除老的AccessToken；
        //如果accessToken为null，则直接生成新的Token
        if (existingAccessToken != null) {
            if (existingAccessToken.isExpired()) {
                if (existingAccessToken.getRefreshToken() != null) {
                    refreshToken = existingAccessToken.getRefreshToken();
                    // The token store could remove the refresh token when the
                    // access token is removed, but we want to
                    // be sure...
                    tokenStore.removeRefreshToken(refreshToken);
                }
                tokenStore.removeAccessToken(existingAccessToken);
            }
            else {
                // Re-store the access token in case the authentication has changed
                tokenStore.storeAccessToken(existingAccessToken, authentication);
                return existingAccessToken;
            }
        }
        //老的refreshToken 不失效将会复用，失效的话生成新的RefresshToken
        // Only create a new refresh token if there wasn't an existing one
        // associated with an expired access token.
        // Clients might be holding existing refresh tokens, so we re-use it in
        // the case that the old access token
        // expired.
        if (refreshToken == null) {
            refreshToken = createRefreshToken(authentication);
        }
        // But the refresh token itself might need to be re-issued if it has
        // expired.
        else if (refreshToken instanceof ExpiringOAuth2RefreshToken) {
            ExpiringOAuth2RefreshToken expiring = (ExpiringOAuth2RefreshToken) refreshToken;
            if (System.currentTimeMillis() > expiring.getExpiration().getTime()) {
                refreshToken = createRefreshToken(authentication);
            }
        }
        //生成新的accessToken，并储存 ， 保存refreshToken
        OAuth2AccessToken accessToken = createAccessToken(authentication, refreshToken);
        tokenStore.storeAccessToken(accessToken, authentication);
        // In case it was modified
        refreshToken = accessToken.getRefreshToken();
        if (refreshToken != null) {
            tokenStore.storeRefreshToken(refreshToken, authentication);
        }
        return accessToken;
    }

资源访问相关类

org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter

主要功能就是获取请求中携带的Token，然后通过Token提取Authentication，然后将Authentication放入上下文 ； 获取Authentication成功将会允许访问资源

        try {
            //提取请求携带的Token组建一个认证Authentication ，Token提取过程：从Hander和url中获取携带的Token
            Authentication authentication = tokenExtractor.extract(request);
 
            if (authentication == null) {
                if (stateless && isAuthenticated()) {
                    if (debug) {
                        logger.debug("Clearing security context.");
                    }
                    SecurityContextHolder.clearContext();
                }
                if (debug) {
                    logger.debug("No token in request, will continue chain.");
                }
            }
            else {
                request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_VALUE, authentication.getPrincipal());
                if (authentication instanceof AbstractAuthenticationToken) {
                    AbstractAuthenticationToken needsDetails = (AbstractAuthenticationToken) authentication;
                    needsDetails.setDetails(authenticationDetailsSource.buildDetails(request));
                }
                //获取Token携带的认证信息 ， Oauth2AuthenticationMananger主要做三件是1、通过token获取用户的Oauth2Authentcation对象（TokenServices）；2、验证访问的资源resourceId是否符合范围；3、验证客户端访问的Scope(clientDetailsService)
                Authentication authResult = authenticationManager.authenticate(authentication);
 
                if (debug) {
                    logger.debug("Authentication success: " + authResult);
                }
                //将当前的Authentication 放入Context中 ，访问后面资源 
                eventPublisher.publishAuthenticationSuccess(authResult);
                SecurityContextHolder.getContext().setAuthentication(authResult);
 
            }
        }
        catch (OAuth2Exception failed) {
            SecurityContextHolder.clearContext();
 
            if (debug) {
                logger.debug("Authentication request failed: " + failed);
            }
            eventPublisher.publishAuthenticationFailure(new BadCredentialsException(failed.getMessage(), failed),
                    new PreAuthenticatedAuthenticationToken("access-token", "N/A"));
 
            authenticationEntryPoint.commence(request, response,
                    new InsufficientAuthenticationException(failed.getMessage(), failed));
 
            return;
        }
 
        chain.doFilter(request, response);
    }

org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager

Oauth2AuthenticationMananger主要功能:

1. 通过token获取用户的Oauth2Authentcation对象（TokenServices）；
2. 验证访问的资源resourceId是否符合范围；

3. 验证客户端访问的Scope(clientDetailsService)

        if (authentication == null) {
            throw new InvalidTokenException("Invalid token (token not found)");
        }
        String token = (String) authentication.getPrincipal();
        //通过token获取用户的Oauth2Authentcation对象（TokenServices）；
        OAuth2Authentication auth = tokenServices.loadAuthentication(token);
        if (auth == null) {
            throw new InvalidTokenException("Invalid token: " + token);
        }
    
        //验证访问的资源resourceId是否符合范围；
        Collection<String> resourceIds = auth.getOAuth2Request().getResourceIds();
        if (resourceId != null && resourceIds != null && !resourceIds.isEmpty() && !resourceIds.contains(resourceId)) {
            throw new OAuth2AccessDeniedException("Invalid token does not contain resource id (" + resourceId + ")");
        }
        //验证客户端访问的Scope(clientDetailsService)
        checkClientDetails(auth);
    
        if (authentication.getDetails() instanceof OAuth2AuthenticationDetails) {
            OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) authentication.getDetails();
            // Preserve the authentication details if any from the one loaded by token services
            details.setDecodedDetails(auth.getDetails());
        }
        auth.setDetails(authentication.getDetails());
        auth.setAuthenticated(true);
        return auth;
   

   spring-security-oauth2源码太多，个人能力有限只能将自己对它的初步理解进行梳理梳理，具体想如何掌握最好请各位大神们自己搭建环境进行源码调试，自然对流程能有个大楷的认识，如果以上观点有错误还请大神们多多指教！
   参考本人github地址:https://github.com/dqqzj/spring4all/tree/master/oauth2