Spring Security OAuth2.0 token生成与刷新机制源码阅读

最新推荐文章于 2024-02-29 15:14:50 发布
最新推荐文章于 2024-02-29 15:14:50 发布
阅读量2.4k 收藏 15
点赞数 1
分类专栏: java 鉴权 文章标签: oauth2
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/Mr1ght/article/details/118603371
版权
java 同时被 2 个专栏收录
23 篇文章 1 订阅
订阅专栏
鉴权
5 篇文章 2 订阅
订阅专栏

一.介绍

Spring Security Oauth2是目前市面上非常流行的实现了OAuth2.0协议的权限框架。本文会介绍其是如何获取token以及刷新token的。

二.AbstractEndPoint

UML

Spring Security OAuth2获取token校验token等接口均配置在EndPoint中的

AuthorizationEndpoint主要是第三方授权模式中的 获取code的流程接口 http://localhost:xxxx/auth/oauth/authorize

TokenEndpoint主要是获取token/刷新token的接口 http://localhost:xxxx/auth/oauth/token

2.1 AuthorizationEndpoint

AuthorizationEndpoint主要是获取第三方授权模式中的code,核心代码如下

@RequestMapping(value = "/oauth/authorize", method = RequestMethod.POST, params = OAuth2Utils.USER_OAUTH_APPROVAL)
	public View approveOrDeny(@RequestParam Map<String, String> approvalParameters, Map<String, ?> model,
			SessionStatus sessionStatus, Principal principal) {

		if (!(principal instanceof Authentication)) {
			sessionStatus.setComplete();
			throw new InsufficientAuthenticationException(
					"User must be authenticated with Spring Security before authorizing an access token.");
		}

		AuthorizationRequest authorizationRequest = (AuthorizationRequest) model.get("authorizationRequest");

		if (authorizationRequest == null) {
             //清空session缓存
			sessionStatus.setComplete();
			throw new InvalidRequestException("Cannot approve uninitialized authorization request.");
		}

		try {
			Set<String> responseTypes = authorizationRequest.getResponseTypes();

			authorizationRequest.setApprovalParameters(approvalParameters);
			authorizationRequest = userApprovalHandler.updateAfterApproval(authorizationRequest,
					(Authentication) principal);
			boolean approved = userApprovalHandler.isApproved(authorizationRequest, (Authentication) principal);
			authorizationRequest.setApproved(approved);

			if (authorizationRequest.getRedirectUri() == null) {
				sessionStatus.setComplete();
				throw new InvalidRequestException("Cannot approve request when no redirect URI is provided.");
			}

			if (!authorizationRequest.isApproved()) {
				return new RedirectView(getUnsuccessfulRedirect(authorizationRequest,
						new UserDeniedAuthorizationException("User denied access"), responseTypes.contains("token")),
						false, true, false);
			}

			if (responseTypes.contains("token")) {
				return getImplicitGrantResponse(authorizationRequest).getView();
			}
			
            //生成code并跳转到传递过来的redirect_uri上
			return getAuthorizationCodeResponse(authorizationRequest, (Authentication) principal);
		}
		finally {
			sessionStatus.setComplete();
		}

	}

	
	//生成view
	private View getAuthorizationCodeResponse(AuthorizationRequest authorizationRequest, Authentication authUser) {
		try {
			return new RedirectView(getSuccessfulRedirect(authorizationRequest,
					generateCode(authorizationRequest, authUser)), false, true, false);
		}catch (OAuth2Exception e) {
			return new RedirectView(getUnsuccessfulRedirect(authorizationRequest, e, false), false, true, false);
		}
	}

	
	//生成code
	private String generateCode(AuthorizationRequest authorizationRequest, Authentication authentication)
			throws AuthenticationException {

		try {

			OAuth2Request storedOAuth2Request = getOAuth2RequestFactory().createOAuth2Request(authorizationRequest);

			OAuth2Authentication combinedAuth = new OAuth2Authentication(storedOAuth2Request, authentication);
			String code = authorizationCodeServices.createAuthorizationCode(combinedAuth);

			return code;

		}
		catch (OAuth2Exception e) {

			if (authorizationRequest.getState() != null) {
				e.addAdditionalInformation("state", authorizationRequest.getState());
			}

			throw e;

		}
	}

2.2 TokenEndPoint

此处是TokenEndPoint的部分代码

	@RequestMapping(value = "/oauth/token", method=RequestMethod.POST)
	public ResponseEntity<OAuth2AccessToken> postAccessToken(Principal principal, @RequestParam
	Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {

		if (!(principal instanceof Authentication)) {
			throw new InsufficientAuthenticationException(
					"There is no client authentication. Try adding an appropriate authentication filter.");
		}
		//校验clientId
		String clientId = getClientId(principal);
		ClientDetails authenticatedClient = getClientDetailsService().loadClientByClientId(clientId);

		TokenRequest tokenRequest = getOAuth2RequestFactory().createTokenRequest(parameters, authenticatedClient);

		if (clientId != null && !clientId.equals("")) {
			// Only validate the client details if a client authenticated during this
			// request.
			if (!clientId.equals(tokenRequest.getClientId())) {
				// double check to make sure that the client ID in the token request is the same as that in the
				// authenticated client
				throw new InvalidClientException("Given client ID does not match authenticated client");
			}
		}
		if (authenticatedClient != null) {
			oAuth2RequestValidator.validateScope(tokenRequest, authenticatedClient);
		}
        
        //校验grantType
		if (!StringUtils.hasText(tokenRequest.getGrantType())) {
			throw new InvalidRequestException("Missing grant type");
		}
		if (tokenRequest.getGrantType().equals("implicit")) {
             //implicit模式不支持token获取
			throw new InvalidGrantException("Implicit grant type not supported from token endpoint");
		}

        //判断是否是第三方授权模式
		if (isAuthCodeRequest(parameters)) {
			// The scope was requested or determined during the authorization step
			if (!tokenRequest.getScope().isEmpty()) {
				logger.debug("Clearing scope of incoming token request");
				tokenRequest.setScope(Collections.<String> emptySet());
			}
		}

        //判断是否是refresh_token模式
		if (isRefreshTokenRequest(parameters)) {
			// A refresh token has its own default scopes, so we should ignore any added by the factory here.
			tokenRequest.setScope(OAuth2Utils.parseParameterList(parameters.get(OAuth2Utils.SCOPE)));
		}

        //适配器模式,通过grant_type匹配对应的Granter,创建access_token并返回
		OAuth2AccessToken token = getTokenGranter().grant(tokenRequest.getGrantType(), tokenRequest);
		if (token == null) {
			throw new UnsupportedGrantTypeException("Unsupported grant type: " + tokenRequest.getGrantType());
		}

		return getResponse(token);
	}

	/**
	 * @param principal the currently authentication principal
	 * @return a client id if there is one in the principal
	 */
	protected String getClientId(Principal principal) {
		Authentication client = (Authentication) principal;
		if (!client.isAuthenticated()) {
			throw new InsufficientAuthenticationException("The client is not authenticated.");
		}
		String clientId = client.getName();
		if (client instanceof OAuth2Authentication) {
			// Might be a client and user combined authentication
			clientId = ((OAuth2Authentication) client).getOAuth2Request().getClientId();
		}
		return clientId;
	}


	private ResponseEntity<OAuth2AccessToken> getResponse(OAuth2AccessToken accessToken) {
		HttpHeaders headers = new HttpHeaders();
		headers.set("Cache-Control", "no-store");
		headers.set("Pragma", "no-cache");
		headers.set("Content-Type", "application/json;charset=UTF-8");
		return new ResponseEntity<OAuth2AccessToken>(accessToken, headers, HttpStatus.OK);
	}

	private boolean isRefreshTokenRequest(Map<String, String> parameters) {
		return "refresh_token".equals(parameters.get("grant_type")) && parameters.get("refresh_token") != null;
	}

	private boolean isAuthCodeRequest(Map<String, String> parameters) {
		return "authorization_code".equals(parameters.get("grant_type")) && parameters.get("code") != null;
	}

三.TokenGranter

grant_type的类型有:password(密码模式)、authorization_code(授权码模式)、implicit(隐式模式,不能获取token)、client_credentials(客户端模式)、refresh_token

TokenGranter UML

TokenGranter接口下定义了各种模式,核心方法是grant,执行此方法可以获得OAuth2AccessToken

3.1 CompositeTokenGranter

Spring Security OAuth2默认使用的是CompositeTokenGranter

	private TokenGranter tokenGranter() {
        //如果tokenGranter没有设置,则默认使用的 CompositeTokenGranter ,但本质上还是使用的AbstractTokenGranter的几个子类
		if (tokenGranter == null) {
			tokenGranter = new TokenGranter() {
				private CompositeTokenGranter delegate;

				@Override
				public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
					if (delegate == null) {
						delegate = new CompositeTokenGranter(getDefaultTokenGranters());
					}
					return delegate.grant(grantType, tokenRequest);
				}
			};
		}
		return tokenGranter;
	}

	//获取默认的几种模式,不过只包括第三方授权、efresh_code、客户端、密码这四个模式
	private List<TokenGranter> getDefaultTokenGranters() {
		ClientDetailsService clientDetails = clientDetailsService();
		AuthorizationServerTokenServices tokenServices = tokenServices();
		AuthorizationCodeServices authorizationCodeServices = authorizationCodeServices();
		OAuth2RequestFactory requestFactory = requestFactory();

		List<TokenGranter> tokenGranters = new ArrayList<TokenGranter>();
		tokenGranters.add(new AuthorizationCodeTokenGranter(tokenServices, authorizationCodeServices, clientDetails,
				requestFactory));
		tokenGranters.add(new RefreshTokenGranter(tokenServices, clientDetails, requestFactory));
		ImplicitTokenGranter implicit = new ImplicitTokenGranter(tokenServices, clientDetails, requestFactory);
		tokenGranters.add(implicit);
		tokenGranters.add(new ClientCredentialsTokenGranter(tokenServices, clientDetails, requestFactory));
		if (authenticationManager != null) {
			tokenGranters.add(new ResourceOwnerPasswordTokenGranter(authenticationManager, tokenServices,
					clientDetails, requestFactory));
		}
		return tokenGranters;
	}

看一下CompositeTokenGranter的代码,这是一个TokenGranter的集合类,他的grant方法是依次判断tokenGranters里的TokenGrantergrant_type哪一个和前端传递的grant_type匹配,如果有匹配的,执行对应的Granter,如果没有,就直接返回Null

public class CompositeTokenGranter implements TokenGranter {

	private final List<TokenGranter> tokenGranters;

	public CompositeTokenGranter(List<TokenGranter> tokenGranters) {
		this.tokenGranters = new ArrayList<TokenGranter>(tokenGranters);
	}
	
	public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
        //遍历各个granter并匹配grantType
		for (TokenGranter granter : tokenGranters) {
			OAuth2AccessToken grant = granter.grant(grantType, tokenRequest);
			if (grant!=null) {
				return grant;
			}
		}
		return null;
	}
	
	public void addTokenGranter(TokenGranter tokenGranter) {
		if (tokenGranter == null) {
			throw new IllegalArgumentException("Token granter is null");
		}
		tokenGranters.add(tokenGranter);
	}

}

3.2 AbstractTokenGranter

这个抽象类是我们上面所说的几种模式的父类,在继承TokenGranter的同时,抽取了各个模式的共有方法和代码

public abstract class AbstractTokenGranter implements TokenGranter {
	
	protected final Log logger = LogFactory.getLog(getClass());

	private final AuthorizationServerTokenServices tokenServices;

	private final ClientDetailsService clientDetailsService;
	
	private final OAuth2RequestFactory requestFactory;
	
	private final String grantType;

	protected AbstractTokenGranter(AuthorizationServerTokenServices tokenServices,
			ClientDetailsService clientDetailsService, OAuth2RequestFactory requestFactory, String grantType) {
		this.clientDetailsService = clientDetailsService;
		this.grantType = grantType;
		this.tokenServices = tokenServices;
		this.requestFactory = requestFactory;
	}

    //实现tokenGranter接口的方法
	public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
		
        //匹配grant_type
		if (!this.grantType.equals(grantType)) {
			return null;
		}
		
		String clientId = tokenRequest.getClientId();
		ClientDetails client = clientDetailsService.loadClientByClientId(clientId);
        //判断账号权限
		validateGrantType(grantType, client);

		if (logger.isDebugEnabled()) {
			logger.debug("Getting access token for: " + clientId);
		}
        
        //获取access_token
		return getAccessToken(client, tokenRequest);

	}

    //获取access_token方法,可以看到,此处获取access_token的本质是创建access_token,意味着每次获取都会创建一个新的access_token
    //tokenServices的解析见下面的 DefaultTokenServices
	protected OAuth2AccessToken getAccessToken(ClientDetails client, TokenRequest tokenRequest) {
		return tokenServices.createAccessToken(getOAuth2Authentication(client, tokenRequest));
	}

	protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
		OAuth2Request storedOAuth2Request = requestFactory.createOAuth2Request(client, tokenRequest);
		return new OAuth2Authentication(storedOAuth2Request, null);
	}

	protected void validateGrantType(String grantType, ClientDetails clientDetails) {
		Collection<String> authorizedGrantTypes = clientDetails.getAuthorizedGrantTypes();
		if (authorizedGrantTypes != null && !authorizedGrantTypes.isEmpty()
				&& !authorizedGrantTypes.contains(grantType)) {
			throw new InvalidClientException("Unauthorized grant type: " + grantType);
		}
	}

	protected AuthorizationServerTokenServices getTokenServices() {
		return tokenServices;
	}
	
	protected OAuth2RequestFactory getRequestFactory() {
		return requestFactory;
	}

}

3.3 DefaultTokenServices

在分析具体的几个模式的代码之前,我们需要先来看看AuthorizationServerTokenServices的子类DefaultTokenServices,这个是其默认实现(这里只贴出其createAccessToken方法和createRefreshToken的代码)

public class DefaultTokenServices implements AuthorizationServerTokenServices, ResourceServerTokenServices,
		ConsumerTokenServices, InitializingBean {

	private int refreshTokenValiditySeconds = 60 * 60 * 24 * 30; // default 30 days.

	private int accessTokenValiditySeconds = 60 * 60 * 12; // default 12 hours.

    //判断是否支持refreshToken
	private boolean supportRefreshToken = false;
	//刷新(即重新生成)access_token时,是否需要刷新(即重新生成)refresh_token
	private boolean reuseRefreshToken = true;

	private TokenStore tokenStore;

	private ClientDetailsService clientDetailsService;

	private TokenEnhancer accessTokenEnhancer;

	private AuthenticationManager authenticationManager;

	/**
	 * Initialize these token services. If no random generator is set, one will be created.
	 */
	public void afterPropertiesSet() throws Exception {
		Assert.notNull(tokenStore, "tokenStore must be set");
	}

	@Transactional
	public OAuth2AccessToken createAccessToken(OAuth2Authentication authentication) throws AuthenticationException {
		//取出存储的access_token
		OAuth2AccessToken existingAccessToken = tokenStore.getAccessToken(authentication);
		OAuth2RefreshToken refreshToken = null;
		if (existingAccessToken != null) {
			if (existingAccessToken.isExpired()) {
                //存储的有access_token但已过期,从存储中删除此access_token,如果此access_token有对应的refresh_token,则从存储中删除此refresh_token
				if (existingAccessToken.getRefreshToken() != null) {
					refreshToken = existingAccessToken.getRefreshToken();
					// The token store could remove the refresh token when the
					// access token is removed, but we want to
					// be sure...
					tokenStore.removeRefreshToken(refreshToken);
				}
				tokenStore.removeAccessToken(existingAccessToken);
			}
			else {
				// Re-store the access token in case the authentication has changed
                 //存储的有access_token,并且未过期,存储后直接返回即可
				tokenStore.storeAccessToken(existingAccessToken, authentication);
				return existingAccessToken;
			}
		}

		// Only create a new refresh token if there wasn't an existing one
		// associated with an expired access token.
		// Clients might be holding existing refresh tokens, so we re-use it in
		// the case that the old access token
		// expired.
		if (refreshToken == null) {
			refreshToken = createRefreshToken(authentication);
		}
		// But the refresh token itself might need to be re-issued if it has
		// expired.
		else if (refreshToken instanceof ExpiringOAuth2RefreshToken) {
			ExpiringOAuth2RefreshToken expiring = (ExpiringOAuth2RefreshToken) refreshToken;
			if (System.currentTimeMillis() > expiring.getExpiration().getTime()) {
                 //如果refresh_token已过期,创建新的
				refreshToken = createRefreshToken(authentication);
			}
		}

		OAuth2AccessToken accessToken = createAccessToken(authentication, refreshToken);
		tokenStore.storeAccessToken(accessToken, authentication);
		// In case it was modified
		refreshToken = accessToken.getRefreshToken();
		if (refreshToken != null) {
			tokenStore.storeRefreshToken(refreshToken, authentication);
		}
		return accessToken;

	}

	@Transactional(noRollbackFor={InvalidTokenException.class, InvalidGrantException.class})
	public OAuth2AccessToken refreshAccessToken(String refreshTokenValue, TokenRequest tokenRequest)
			throws AuthenticationException {

        //如果不支持刷新token,则直接报错
		if (!supportRefreshToken) {
			throw new InvalidGrantException("Invalid refresh token: " + refreshTokenValue);
		}

		OAuth2RefreshToken refreshToken = tokenStore.readRefreshToken(refreshTokenValue);
		if (refreshToken == null) {
			throw new InvalidGrantException("Invalid refresh token: " + refreshTokenValue);
		}

		OAuth2Authentication authentication = tokenStore.readAuthenticationForRefreshToken(refreshToken);
		if (this.authenticationManager != null && !authentication.isClientOnly()) {
			// The client has already been authenticated, but the user authentication might be old now, so give it a
			// chance to re-authenticate.
			Authentication user = new PreAuthenticatedAuthenticationToken(authentication.getUserAuthentication(), "", authentication.getAuthorities());
			user = authenticationManager.authenticate(user);
			Object details = authentication.getDetails();
			authentication = new OAuth2Authentication(authentication.getOAuth2Request(), user);
			authentication.setDetails(details);
		}
		String clientId = authentication.getOAuth2Request().getClientId();
		if (clientId == null || !clientId.equals(tokenRequest.getClientId())) {
			throw new InvalidGrantException("Wrong client for this refresh token: " + refreshTokenValue);
		}

		// clear out any access tokens already associated with the refresh
		// token.
		tokenStore.removeAccessTokenUsingRefreshToken(refreshToken);

		if (isExpired(refreshToken)) {
			tokenStore.removeRefreshToken(refreshToken);
			throw new InvalidTokenException("Invalid refresh token (expired): " + refreshToken);
		}

		authentication = createRefreshedAuthentication(authentication, tokenRequest);

         //设定的规则是刷新access_token时一起刷新refresh_token
		if (!reuseRefreshToken) {
			tokenStore.removeRefreshToken(refreshToken);
			refreshToken = createRefreshToken(authentication);
		}

		OAuth2AccessToken accessToken = createAccessToken(authentication, refreshToken);
		tokenStore.storeAccessToken(accessToken, authentication);
		if (!reuseRefreshToken) {
			tokenStore.storeRefreshToken(accessToken.getRefreshToken(), authentication);
		}
		return accessToken;
	}

}

3.4 AuthorizationCodeTokenGranter

这个类是继承了AbstractTokenGranter的,其并没有重写父类的grant方法,只是重写了getAccessToken方法中获取用户信息的方法,即getOAuth2Authentication方法,因为authorization_code模式需要校验重定向uricode

public class AuthorizationCodeTokenGranter extends AbstractTokenGranter {

	private static final String GRANT_TYPE = "authorization_code";

	private final AuthorizationCodeServices authorizationCodeServices;

	public AuthorizationCodeTokenGranter(AuthorizationServerTokenServices tokenServices,
			AuthorizationCodeServices authorizationCodeServices, ClientDetailsService clientDetailsService, OAuth2RequestFactory requestFactory) {
		this(tokenServices, authorizationCodeServices, clientDetailsService, requestFactory, GRANT_TYPE);
	}

	protected AuthorizationCodeTokenGranter(AuthorizationServerTokenServices tokenServices, AuthorizationCodeServices authorizationCodeServices,
			ClientDetailsService clientDetailsService, OAuth2RequestFactory requestFactory, String grantType) {
		super(tokenServices, clientDetailsService, requestFactory, grantType);
		this.authorizationCodeServices = authorizationCodeServices;
	}

	@Override
	protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {

		Map<String, String> parameters = tokenRequest.getRequestParameters();
        //获取code
		String authorizationCode = parameters.get("code");
		String redirectUri = parameters.get(OAuth2Utils.REDIRECT_URI);

		if (authorizationCode == null) {
			throw new InvalidRequestException("An authorization code must be supplied.");
		}

        //删除并判断code是否合法(这也是为什么code只能使用一次的原因)
		OAuth2Authentication storedAuth = authorizationCodeServices.consumeAuthorizationCode(authorizationCode);
		if (storedAuth == null) {
			throw new InvalidGrantException("Invalid authorization code: " + authorizationCode);
		}

		OAuth2Request pendingOAuth2Request = storedAuth.getOAuth2Request();
		// https://jira.springsource.org/browse/SECOAUTH-333
		// This might be null, if the authorization was done without the redirect_uri parameter
		String redirectUriApprovalParameter = pendingOAuth2Request.getRequestParameters().get(
				OAuth2Utils.REDIRECT_URI);

        //校验重定向uri是否跟获取code时传递的一样。
		if ((redirectUri != null || redirectUriApprovalParameter != null)
				&& !pendingOAuth2Request.getRedirectUri().equals(redirectUri)) {
			throw new RedirectMismatchException("Redirect URI mismatch.");
		}

        //校验clientId
		String pendingClientId = pendingOAuth2Request.getClientId();
		String clientId = tokenRequest.getClientId();
		if (clientId != null && !clientId.equals(pendingClientId)) {
			// just a sanity check.
			throw new InvalidClientException("Client ID mismatch");
		}

		// Secret is not required in the authorization request, so it won't be available
		// in the pendingAuthorizationRequest. We do want to check that a secret is provided
		// in the token request, but that happens elsewhere.

        //封装用户信息并存储、返回
		Map<String, String> combinedParameters = new HashMap<String, String>(pendingOAuth2Request
				.getRequestParameters());
		// Combine the parameters adding the new ones last so they override if there are any clashes
		combinedParameters.putAll(parameters);
		
		// Make a new stored request with the combined parameters
		OAuth2Request finalStoredOAuth2Request = pendingOAuth2Request.createOAuth2Request(combinedParameters);
		
		Authentication userAuth = storedAuth.getUserAuthentication();
		
		return new OAuth2Authentication(finalStoredOAuth2Request, userAuth);

	}

}

3.5 ResourceOwnerPasswordTokenGranter

密码模式

public class ResourceOwnerPasswordTokenGranter extends AbstractTokenGranter {

	private static final String GRANT_TYPE = "password";

	private final AuthenticationManager authenticationManager;

	public ResourceOwnerPasswordTokenGranter(AuthenticationManager authenticationManager,
			AuthorizationServerTokenServices tokenServices, ClientDetailsService clientDetailsService, OAuth2RequestFactory requestFactory) {
		this(authenticationManager, tokenServices, clientDetailsService, requestFactory, GRANT_TYPE);
	}

	protected ResourceOwnerPasswordTokenGranter(AuthenticationManager authenticationManager, AuthorizationServerTokenServices tokenServices,
			ClientDetailsService clientDetailsService, OAuth2RequestFactory requestFactory, String grantType) {
		super(tokenServices, clientDetailsService, requestFactory, grantType);
		this.authenticationManager = authenticationManager;
	}

	@Override
	protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {

		Map<String, String> parameters = new LinkedHashMap<String, String>(tokenRequest.getRequestParameters());
		String username = parameters.get("username");
		String password = parameters.get("password");
		// Protect from downstream leaks of password
		parameters.remove("password");

		Authentication userAuth = new UsernamePasswordAuthenticationToken(username, password);
		((AbstractAuthenticationToken) userAuth).setDetails(parameters);
		try {
             //根据用户名和密码获取用户信息(带校验功能)
			userAuth = authenticationManager.authenticate(userAuth);
		}
		catch (AccountStatusException ase) {
			//covers expired, locked, disabled cases (mentioned in section 5.2, draft 31)
			throw new InvalidGrantException(ase.getMessage());
		}
		catch (BadCredentialsException e) {
			// If the username/password are wrong the spec says we should send 400/invalid grant
			throw new InvalidGrantException(e.getMessage());
		}
		if (userAuth == null || !userAuth.isAuthenticated()) {
			throw new InvalidGrantException("Could not authenticate user: " + username);
		}
		
		OAuth2Request storedOAuth2Request = getRequestFactory().createOAuth2Request(client, tokenRequest);		
		return new OAuth2Authentication(storedOAuth2Request, userAuth);
	}
}

四.总结

通过阅读Spring Security OAuth2的源码我们发现

  1. Spring Security OAuth2的获取token部分主要是使用适配器模式,通过接口传递的grant_type来判断具体的模式,通过抽象类的公有方法及子类的覆盖方法完成token的获取与刷新
  2. Spring Security OAuth2token获取与刷新是同一个接口,刷新时,refresh_token可以配置成一起刷新或不刷新。如果refresh_token会在access_token刷新时一起刷新的话,那么就可以实现如果用户持续访问系统,便可以一直保持登录,无须再次登录的功能
  3. Spring Security OAth2token刷新策略实质上是重新生成新的token返回,而不是我们理解的把原来的token的过期时长进行延长
Mr1ght
关注
  • 1
    点赞
  • 15
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
springboot_security_oauth2.0_redis:redis 缓存,mysql存储用户信息
04-30
#大部分码来自 @author lxg,类里面有作者信息 #本人在基础上整合与修改。 springboot_security_oauth2.0 add requeset: add response: {"access_token":"b2c338d7-c71d-4e8b-b2bf-809a2fb1b27c","token_type":"bearer","refresh_token":"3c66fd1c-60b5-44d2-a614-548941c13c25","expires_in":43051,"scope":"read"} {"access_token":"25baa135-1fc3-48f3-892b-a4eddce08715","token_type":"bearer","refresh_token":"adb454ee-9a4b-4f65-a073-fc6c513a4bdd",
spring security-码流程分析(五)-oauth默认请求地址(/oauth/token)是如何生效的?
luoxiaomei999的博客
04-06 4319
spring security经常在项目中用到,但是平常只是简单的使用肯定是不够的,我们需要了解深层次的东西,才能在使用的过程中不畏惧,本次打算从demo入手,跟踪码,剖析security内在 一、@FrameworkEndpoint注解的作用 1、在之前的文章中我们看到AuthorizationServerEndpointsConfiguration配置中配置了AuthorizationEndpoint和TokenEndpoint等,他们都是继承自AbstractEndpoint 2、Author.
融云即时通讯Token 更新机制是怎么样的?
rongcloud2019的博客
02-29 388
同一个用户 ID,可以多次获取 Token,在有效期内Token 都可以正常使用,Token 超过有效期后失效,需重新获取。Token 有效期可在开发者后台进行配置,默认为永久有效。后续登录过程中,就不必再向融云请求 Token,由 App Server 直接提供之前保存过的 Token。开发者后台刷新 App Secret 后,以前获取的 Token 失效,需要用新的 App Secret 生成签名,重新获取 Token。我们不会主动更新 Token,更新 Token 的操作是由开发者发起的。
oauth2 密码模式和授权模式
weixin_44401399的博客
11-23 1760
https://blog.csdn.net/feinifi/article/details/108123831 笔记部分 oauth2实验 pom <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> 当用.
oauth2.0鉴权,登录访问 “/oauth/token”,请求头Authorization(basicToken)如何取值???
君临天下tjm的博客
06-30 4612
springcloud项目通常使用oauth2.0做鉴权管理微服务模块,当使用grantType="password"和jwt存储token时,需要设置clientId和clientSecret,这两个值可以随便取,配置在application.yml文件里面。访问 “/oauth/token”,参数@RequestHeader("Authorization")的取值是Basic开头,加空格,加clientId:clientSecret格式进行base64加密后的字符串。 在做用户登录的时候,需要传入us
Oauth2.0 认证服务器添加验证码登陆方式
白云苍狗
07-29 1146
自定义验证码授权模式配置到AuthorizationServerConfig.tokenGranter()将配置好的授权列表添加到AuthorizationServerEndpointsConfigurer中AuthorizationServerConfig其他配置已省略,详细见Oauth2.0认证服务器搭建//配置授权方式}/***先获取已有的五种授权列表,然后将自定义的授权方式置入*...
12、oauth授权认证流程
lixiang987654321的专栏
09-25 1974
使用Spring Security4的四种方法概述 1、一种是全部利用配置文件,将用户、权限、资(url)硬编码在xml文件中; 2、二种是用户和权限用数据库存储,而资(url)和权限的对应采用硬编码配置。 3、三种是细分角色和权限,并将用户、角色、权限和资均采用数据库存储,并且自定义过滤器,代替原有的FilterSecurityInterceptor过滤器 并分别实...
User must be authenticated with Spring Security before authorization can be completed
honor_zhang的博客
08-10 8308
问题描述 利用Spring cloud oauth2实现Oauth 2权限控制时,调用/oauth/authorize获取授权码,抛出了User must be authenticated with Spring Security before authorization can be completed异常? 请求接口: 控制台异常信息为: 接口部分码为: @RequestMapping(value = "/oauth/authorize") public ModelAndV...
User must be authenticated with Spring Security before authorization can be completed.解决方法
一火的专栏
11-26 2982
org.springframework.security.authentication.InsufficientAuthenticationException: User must be authenticated with Spring Security before authorization can be completed.
自定义spring security oauth /auth/token的返回内容格式
05-07 2770
https://blog.csdn.net/u013905744/article/details/100637224 场景 在前后端分离的项目中,一般后端返回给前端的格式是一个固定的json格式。 在这个前提下,spring security oauth 生成access token的请求/auth/token的返回内容就需要自定义 原返回值 我们希望使用我们自己固定的json格式 需求...
自定义spring security oauth2 /oauth/token以及token失效/过期的返回内容格式
qq_37634156的博客
06-12 1万+
在整合Spring Security Oauth2的时候,获取token的接口/oauth/token的返回内容格式为固定的,如下图所示:而token过期或者无效的返回参数格式如下图所示:实际在我们的项目中有时候会要求自定义返回内容格式,下面分别介绍获取tokentoken失效/过期的自定义返回内容格式。 2、创建获取token接口返回值的转换类 创建一个类来完成对获取token接口的返回参数进行转换成我们自定义的格式,这里使用到了@JsonSerialize注解,该注解主要用于数据转换,不知
基于springboot+oauth2.0+jwtToken鉴权认证开发的后台接口,整套架构采用restful风格,车牌识别,阿里云消息推送,短信接口等
04-04
内容只为接口开发,配合前端和移动app调用使用,不包含html页面,基于springboot+oauth2.0+jwttoken鉴权(内有怎么使用redistoken和数据库token注释)+restful风格+阿里短信+阿里消息推送+车牌识别等。该项目为工作...
2021-01-26-SpringSecurity-OAUTH2-密码模式获取token-码包hrm-itsource.rar
01-26
2021-01-26-SpringSecurity-OAUTH2-密码模式获取token-码包hrm-itsource.rar
java毕业设计 SpringCloud+SpringCloud+token分布式系统认证码+详细文档+全部资料(优秀项目)
最新发布
04-16
java毕业设计 SpringCloud+SpringCloudAlibaba+SpringSecurity+OAuth2.0基于token实现分布式系统认证码+详细文档+全部资料(优秀项目).zip 【备注】 1、该资内项目代码都经过测试运行成功,功能ok的情况下才...
Java SpringBlade微服务开发平台框架码.zip
05-19
Java springBlade微服务开发平台 是一个由商业级项目升级优化而来的微服务架构,采用Spring Boot 2.6 、Spring Clou,用前后端分离的模式,前端开两个框架:Sword (基于 React、Ant Design)、Saber (基于 Vue、...
Spring Security Oauth2 认证(获取token/刷新token)流程(password模式)
killerover84的专栏-----天下
11-13 2524
Spring Security Oauth2 认证(获取token/刷新token)流程(password模式) 2018年05月11日 23:05:31 昵称2018 阅读数:9641 标签: Spring Security Oauth2认证流程/oauth/token认证流程refresh token流程Spring Security Oauth2认证码分析Spring Securi...
接口鉴权auth、oauth、session、cookie、sign
weixin_47049882的博客
03-18 1949
# 大多数互联网公司用token与sign # auth 鉴权 # oauth鉴权涉及很多系统,需要第三方系统授予操作权限,一般第三方比较多,例:支付宝、QQ、微信、微博等等 # cookies描述:cookies是服务器根据每个用户生成的它类似于我们的临时身份证,cookis只是编码身份的一种,还有token和签名 # session参数:很多接口需要一些公共的参数, # 比如cookies, fw值系统中(都用公共的参数cookies值)通过登录生成,添加地址,文件上传接口 # 建立三个接口,登录接.
获取token(/oauth/token
热门推荐
trusause的博客
10-08 2万+
1、入口方法(spring-security-oauth2-2.0.14.RELEASE-sources.jar) @FrameworkEndpoint public class TokenEndpoint extends AbstractEndpoint { @RequestMapping(value = "/oauth/token", method=RequestMethod.P...
oauth2的token认证接口/oauth/token、/oauth/check_token、/oauth/authorize在哪个包里
Dream_it_possible!的博客
07-02 2万+
在org.springframework.security.oauth2.provider.endpoint里的TokenEndpoint类里 // // Source code recreated from a .class file by IntelliJ IDEA // (powered by Fernflower decompiler) // package org.springframework.security.oauth2.provider.endpoint; import java.
spring security oauth2.0实现
06-28
### 回答1: 好的,我可以为您提供关于Spring Security OAuth 2.0实现的中文回答。 Spring Security OAuth 2.0是Spring Security框架的一部分,它为应用程序提供了OAuth 2.0认证和授权的支持。OAuth 2.0是一种常用的授权协议,它允许用户授权第三方应用程序访问他们的受保护资Spring Security OAuth 2.0实现了OAuth 2.0协议中的授权服务器和资服务器两个角色。 要使用Spring Security OAuth 2.0,您需要完成以下步骤: 1.添加Spring Security OAuth 2.0依赖项:在Maven或Gradle项目中,您需要添加Spring Security OAuth 2.0的依赖项。例如,在Maven项目中,您可以添加以下依赖项: ```xml <dependency> <groupId>org.springframework.security.oauth</groupId> <artifactId>spring-security-oauth2</artifactId> <version>2.3.6.RELEASE</version> </dependency> ``` 2.配置OAuth 2.0客户端:您需要配置OAuth 2.0客户端,以便您的应用程序可以访问受保护的资。这通常涉及到注册应用程序并获取客户端ID和客户端密钥。 3.配置授权服务器:您需要配置授权服务器,以便用户可以授权应用程序访问他们的受保护资。授权服务器可以与您的应用程序集成,也可以作为单独的服务运行。 4.配置资服务器:您需要配置资服务器,以便它可以验证访问令牌并授予对受保护资的访问权限。 5.保护受保护的资:您需要配置Spring Security以保护受保护的资,并确保只有经过身份验证和授权的用户可以访问它们。 以上是使用Spring Security OAuth 2.0实现OAuth 2.0认证和授权所需的主要步骤。如果您需要更详细的指导,请参考Spring Security OAuth 2.0的官方文档。 ### 回答2: Spring Security OAuth2.0是一个基于Spring框架的安全认证和访问控制框架,它实现了OAuth2.0协议并提供了OAuth2.0客户端和服务器的实现,可以帮助Spring应用程序保护和管理访问资Spring Security OAuth2.0的实现主要包括客户端和服务器的认证和授权过程。在客户端认证过程中,首先会发送请求获取访问令牌,然后将访问令牌发送给资服务器以访问所需的资。在服务器认证过程中,首先要检验客户端是否有访问资的权限,如果有则颁发授权码或访问令牌,否则返回错误信息。 在实现中,Spring Security OAuth2.0主要涉及到四个角色:资拥有者、客户端、授权服务器和资服务器。资拥有者可以是用户,识别资拥有者是通过认证授权服务器来完成的。客户端是向授权服务器申请OAuth2.0访问令牌的应用程序。授权服务器是用来对客户端进行身份验证和授权的服务器,它可以使用多种身份验证方式和批准策略来验证客户端的请求,然后授权它访问所需的资。资服务器是维护、提供API的服务器,它可以验证OAuth2.0访问令牌,然后允许或拒绝客户端的请求。 Spring Security OAuth2.0框架中提供了一些接口和类来实现OAuth2.0的认证和授权过程。例如,OAuth2AuthenticationProcessingFilter是用于授权客户端访问资的过滤器,它首先对客户端的访问请求进行身份验证,然后检查是否有访问资的权限。如果客户端有访问权限,则颁发访问令牌。 在实际使用中,Spring Security OAuth2.0可以与其他技术栈集成,例如Spring Boot、Spring Cloud、JavaEE等,可以实现用户级别、角色级别、API级别、组织级别等多种细粒度的访问控制方式,从而帮助企业实现灵活的访问控制。同时,Spring Security OAuth2.0框架也提供了一些扩展配置和插件,可以根据企业自身需求进行二次开发和定制,实现更加高效和安全的应用程序。 ### 回答3: Spring Security是一个功能强大的安全框架,提供了基于应用程序的安全性控制和身份验证机制。而OAuth2.0则是一种允许用户使用第三方应用程序访问资的框架,并且该框架将安全性设计为一个核心功能。 Spring SecurityOAuth2.0可以结合使用来提高应用程序的安全性。Spring Security OAuth2.0是一个非常特殊的模块,它为OAuth2.0提供了完整的实现。 使用Spring Security OAuth2.0,我们可以实现以下功能: 1. 身份验证和授权管理:提供授权服务器和资服务器来进行身份验证和授权的管理。 2. Token管理:生成和管理OAuth2.0令牌以确保安全性。 3. 支持多种授权类型:支持授权码模式、客户端模式、密码模式、隐式模式等多种授权类型,实现不同场景下的资访问控制。 4. 集成Spring Boot:Spring Security OAuth2.0被设计成与Spring Boot高度集成,方便易用。 5. 提供公开API:提供了一组公开API,方便第三方应用程序的接入。 Spring SecurityOAuth2.0的集成需要我们做以下几个步骤: 1. 在Spring Security配置文件中添加OAuth2.0配置。 2. 定义安全领域对象,包括用户、角色和授权管理等。 3. 实现OAuth2.0的授权服务器和资服务器。 4. 配置OAuth2.0客户端,使其可以访问受保护的资。 总之,Spring Security OAuth2.0能够帮助开发者集成身份验证和授权管理功能,并为第三方应用程序提供安全的访问资方式。它为应用程序提供了更高级别的安全性和可扩展性。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值