CloudFoundry User Account and Authentication (UAA) Server Client Details

The oauth_client_details table stores the client information. Its columns are:

client_id: Client identifier, unique within identity zone
client_secret: client secret;
authorized_grant_types: List of grant types that can be used to obtain a token with this client. Can include `authorization_code`, `password`, `implicit`, and/or `client_credentials`.
redirect_uri: Allowed URI pattern for redirect during authorization. Wildcard patterns can be specified using the Ant-style pattern. Null/Empty value is forbidden. Stored in the oauth_client_details#web_server_redirect_uri column.
scope: Scopes allowed for the client
resource_ids: Resources the client is allowed access to
authorities: Scopes which the client is able to grant when creating a client
autoapprove: Scopes that do not require user approval
access_token_validity: time in seconds to access token expiration after it is issued
refresh_token_validity: time in seconds to refresh token expiration after it is issued
identity_zone_id: zone id
lastmodified: last-modified timestamp
required_user_groups: see additional_information#required_user_groups below; the row mapper populates that entry from this column

org.cloudfoundry.identity.uaa.client.ClientMetadata
show_on_home_page: TODO
app_launch_url: TODO
app_icon: TODO

additional_information#allowedproviders: A list of origin keys (alias) for identity providers the client is limited to. Null implies any identity provider is allowed.
additional_information#name: A human readable name for the client
additional_information#token_salt: A random string used to generate the client's revocation key. Change this value to revoke all active tokens for the client
additional_information#createdwith: What scope the bearer token had when client was created
additional_information#approvals_deleted: Were the approvals deleted for the client, and an audit event sent
additional_information#required_user_groups: A list of group names. If a user doesn't belong to all the required groups, the user will not be authenticated and no tokens will be issued to this client for that user. If this field is not set, authentication and token issuance will proceed normally.

additional_information
This column stores a JSON object:

public class ClientConstants {
    public static final String ALLOWED_PROVIDERS = "allowedproviders";
    public static final String AUTO_APPROVE = "autoapprove";
    public static final String CREATED_WITH = "createdwith";
    public static final String CLIENT_NAME = "name";
    public static final String APPROVALS_DELETED = "approvals_deleted";
    public static final String TOKEN_SALT = "token_salt";
    public static final String REQUIRED_USER_GROUPS = "required_user_groups";
    public static final String LAST_MODIFIED = "lastModified";
}

The class above defines the attributes UAA has built-in support for; below they are examined one by one.

required_user_groups: after an access token has been obtained and is later presented back to UAA, UAA validates the information the token carries, to make sure the token has not been modified and is still one that UAA itself signed.

This key cannot be set through additional_information: as MultitenantJdbcClientDetailsService.ClientDetailsRowMapper shows, its value is taken from the required_user_groups column of the oauth_client_details table.

One of the validation steps checks the client and user information in the access token. In that step, if the client has required_user_groups configured, UAA verifies that the authorities (user scopes) of the user the token represents are a superset of required_user_groups; otherwise the token is rejected.

See the TokenValidation#checkClientAndUser method in UAA for the exact logic.

allowedproviders: during /oauth/authorize an AuthorizationRequest is created first. Before the AuthorizationRequest object is created, UAA performs some validation, for example whether the scopes the user requested are valid. This includes a check of the IDP (Identity Provider): when the client has allowedproviders set, the identity provider that authenticated the current user must be one of the listed origin keys (see the description of allowedproviders above).

See the UaaAuthorizationRequestManager#checkClientIdpAuthorization method in UAA for the exact validation logic.
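As an added example (not UAA's own code), the two client-side checks described above, required_user_groups and allowedproviders, modelled in Python over a constructed oauth_client_details row. The row contents, the user records and the function names are assumptions made for the illustration; the only row-mapper behaviour modelled is the part described above: the required_user_groups column overrides the same key inside the additional_information JSON, and a missing allowedproviders list means any identity provider is allowed.

```python
import json
from dataclasses import dataclass

# Keys of the additional_information JSON object, as named in UAA's ClientConstants.
ALLOWED_PROVIDERS = "allowedproviders"
REQUIRED_USER_GROUPS = "required_user_groups"


@dataclass
class UaaUser:
    user_id: str
    origin: str        # origin key of the identity provider that authenticated the user
    groups: frozenset  # group names the user belongs to (the user's authorities / scopes)


def map_client_row(row):
    """Model of what ClientDetailsRowMapper does with one oauth_client_details row:
    parse the additional_information JSON, then overwrite its required_user_groups
    entry with the dedicated required_user_groups column, so the column always wins."""
    info = json.loads(row.get("additional_information") or "{}")
    column = row.get("required_user_groups")
    if column:
        info[REQUIRED_USER_GROUPS] = [g.strip() for g in column.split(",") if g.strip()]
    return {"client_id": row["client_id"], "additional_information": info}


def check_required_user_groups(client, user):
    """Deny unless the user's groups are a superset of the client's required groups."""
    required = set(client["additional_information"].get(REQUIRED_USER_GROUPS) or [])
    missing = required - user.groups
    if missing:
        return f"user {user.user_id} lacks required groups {sorted(missing)}"
    return None


def check_client_idp_authorization(client, user):
    """Deny unless the user's origin is in allowedproviders; no list means any IDP."""
    allowed = client["additional_information"].get(ALLOWED_PROVIDERS)
    if allowed is None:
        return None
    if user.origin not in allowed:
        return f"identity provider {user.origin!r} not allowed for client {client['client_id']}"
    return None


def authorize(row, user):
    """Run both checks in order; returns (True, 'ok') or (False, reason)."""
    client = map_client_row(row)
    for check in (check_client_idp_authorization, check_required_user_groups):
        reason = check(client, user)
        if reason:
            return False, reason
    return True, "ok"


# Constructed sample row (assumption). The required_user_groups inside the JSON is
# deliberately stale to show that the table column overrides it.
SAMPLE_ROW = {
    "client_id": "dashboard",
    "required_user_groups": "openid, cloud_controller.read",
    "additional_information": json.dumps({
        "name": "Dashboard",
        "allowedproviders": ["uaa", "ldap"],
        "required_user_groups": ["stale.value"],
    }),
}

if __name__ == "__main__":
    alice = UaaUser("u-1", "uaa", frozenset({"openid", "cloud_controller.read", "password.write"}))
    bob = UaaUser("u-2", "uaa", frozenset({"openid"}))                        # missing a group
    carol = UaaUser("u-3", "saml-corp", frozenset({"openid", "cloud_controller.read"}))  # wrong IDP
    for u in (alice, bob, carol):
        print(u.user_id, authorize(SAMPLE_ROW, u))
```

Running the file shows alice being granted, bob denied for the missing cloud_controller.read group, and carol denied because saml-corp is not in allowedproviders; deleting the allowedproviders key from the JSON lets carol through, which is the "null implies any identity provider" rule from the field description.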

createdwith: records the scopes the bearer token had when the client was created.

name: a human-readable name; settable, mainly used for display in the web front end.

lastModified: this value does not need to be set; as ClientDetailsRowMapper shows, the lastModified entry in additional_information is taken from the lastmodified column of the oauth_client_details table.

token_salt: access tokens, refresh tokens and id tokens all carry a rev_sig field, which is a hash over client information plus user information. The hash is salted, and the salt is this token_salt value. When UAA validates a token it recomputes and compares rev_sig, so changing this value immediately invalidates every token issued for this client. TokenRevocationEndpoint#revokeTokensForClient uses exactly this mechanism to invalidate all of a client's tokens at once and then deletes the client's related information afterwards. Note that rev_sig is a revocation signature, not the token's cryptographic signature: tampering with a JWT is caught by the JWT signature check; what rev_sig adds is the ability to invalidate tokens that were issued before the salt (or another input of the hash) changed.
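As an added example (not UAA's own code), the token_salt mechanism in Python: a revocation signature is derived from client and user fields salted with token_salt, stored in the token as rev_sig, recomputed on validation, and invalidated for every token of that client once the salt is rotated, while tokens of other clients stay valid. The field order, the digest, the record types and the sample records are illustrative assumptions, not UAA's exact computation.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class ClientRecord:
    client_id: str
    client_secret: str
    additional_information: dict = field(default_factory=dict)  # holds "token_salt"


@dataclass
class UserRecord:
    user_id: str
    username: str
    password_hash: str


def revocation_signature(client, user):
    """Hash over client fields + user fields, salted with the client's token_salt.
    Illustrates what rev_sig is derived from; field order and digest are assumptions."""
    parts = [
        client.client_id,
        client.client_secret,
        client.additional_information.get("token_salt") or "",
        user.user_id,
        user.username,
        user.password_hash,
    ]
    h = hashlib.sha256()
    for p in parts:
        h.update(p.encode("utf-8"))
        h.update(b"\x00")  # separator so field boundaries are unambiguous
    return h.hexdigest()[:32]


def issue_token(client, user):
    """Claims of a freshly issued token (a real UAA token is additionally a signed JWT)."""
    return {"client_id": client.client_id, "user_id": user.user_id,
            "rev_sig": revocation_signature(client, user)}


def is_revoked(token, client, user):
    """Validation-time check: recompute rev_sig from the current records and compare."""
    expected = revocation_signature(client, user)
    return not hmac.compare_digest(expected, token["rev_sig"])


def rotate_token_salt(client):
    """What revokeTokensForClient relies on: a new salt changes every rev_sig of this client."""
    client.additional_information["token_salt"] = secrets.token_urlsafe(16)


def demo():
    """Issue tokens for two users of one client and one user of another client,
    rotate the first client's salt, and report which tokens are revoked before/after."""
    app = ClientRecord("dashboard", "s3cret", {"token_salt": "salt-v1"})
    cli = ClientRecord("cli", "hunter2", {"token_salt": "salt-v1"})
    alice = UserRecord("u-1", "alice", "$2a$10$alicehash")   # constructed sample data
    bob = UserRecord("u-2", "bob", "$2a$10$bobhash")
    clients = {"dashboard": app, "cli": cli}
    users = {"u-1": alice, "u-2": bob}
    tokens = {
        ("dashboard", "u-1"): issue_token(app, alice),
        ("dashboard", "u-2"): issue_token(app, bob),
        ("cli", "u-1"): issue_token(cli, alice),
    }
    before = {k: is_revoked(t, clients[k[0]], users[k[1]]) for k, t in tokens.items()}
    rotate_token_salt(app)
    after = {k: is_revoked(t, clients[k[0]], users[k[1]]) for k, t in tokens.items()}
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before rotation:", before)
    print("after rotation: ", after)
```

After the rotation both dashboard tokens report revoked while the cli token is untouched, which is the per-client scope of the mechanism: token_salt revokes everything for one client and nothing else.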

autoapprove: configurable; this value means the same as the autoapprove column of oauth_client_details, and the additional_information value takes priority over the column value. See MultitenantJdbcClientDetailsService.ClientDetailsRowMapper for details.

approvals_deleted: configurable; if set to true, then when the client secret is updated a ClientApprovalsDeletedEvent is published through Spring's event system. I have not yet found anywhere that handles this event!

OAuth2 splits obtaining an access token into two steps, authorization and authentication (that is, obtaining the token).
Authorization is where the user chooses which permissions to grant;

Author: 陈振阳