Springboot整理之Oauth2(认证、授权)
文章目录
前言
springboot版本:2.3.5.RELEASE;
开发工具:IDEA2019.1;
JDK:1.8;
MAVAN:apache-maven-3.5.4;
项目代码:
密码模式https://github.com/lwd2307997664/demoOauth2.git
授权码模式https://github.com/lwd2307997664/demoOauth2-code.git
一、Oauth2简介
OAuth(开放授权)是一个开放标准,允许用户授权第三方移动应用访问他们存储在另外的服务提供者上的信息,而不需要将用户名和密码提供给第三方移动应用或分享他们数据的所有内容,OAuth2.0是OAuth协议的延续版本,但不向后兼容OAuth 1.0即完全废止了OAuth1.0。
实现这一功能是通过提供一个令牌(token),每一个令牌都会授权一个特定的网站在特定的时段内访问特定的资源。
传统的Web应用认证通常是基于Session的,但是这种在前后台分离的架构中,使用Session会有很多不便,比如一些移动端不支持Cookie,随意使用Oauth2更好的解决这个问题。
二、Oauth2角色
- 资源所有者:即用户,具有头像、照片、基本信息等资源;
- 客户端:即第三方应用。
- 授权服务器:即用来验证用户提供的信息是否正确,并返回一个令牌给第三方应用。(获取token的过程)
- 资源服务器:提供给用户资源的服务器。(即携带token发请求获取信息)
一般来说,授权服务器和资源服务器可以是同一台服务器。
三、Oauth2授权流程
授权流程如下:
- 1、客户端(即第三方应用)想用户请求授权;
- 2、用户同意授权,并返回个许可凭证。
- 3、客户端拿着授权许可凭证去授权服务器申请令牌。(获取token请求)
- 4、授权服务器验证信息无误后,发放令牌给客户端。(返回token信息)
- 5、客户端拿着令牌去资源服务器访问资源。(请求中header携带token)
- 6、资源服务器确认令牌无误后,发放资源。(返回响应)
三、OAuth2四种授权方式
- 1、授权码模式(authorization code)用在客户端与服务端应用之间授权
- 2、简化模式(implicit)用在移动app或者web app(这些app是在用户的设备上的,如在手机上调起微信来进行认证授权)
- 3、密码模式(resource owner password credentials)应用直接都是受信任的(都是由一家公司开发的)
- 4、客户端模式(client credentials)用在应用API访问
密码形式的和授权码形式的: 第一个是不用授权,通过密码调用。 第二个是需要授权
四、Oauth2密码模式实战
1、依赖添加
https://start.spring.io/创建个简单的项目,并添加依赖,因为Oauth2实在Spring Security的基础上完成的,所以需要加入security依赖,需要用到Oauth2,添加依赖,令牌存放到redis里,添加redis依赖,具体如下:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.5.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.yangxf</groupId>
<artifactId>demoOauth2</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>demoOauth2</name>
<description>Demo project for Spring Boot Oauth2密码模式</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>2.3.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- redis依赖start-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>
<dependency>
<groupId>redis.clients</groupId>
<artifactId>jedis</artifactId>
</dependency>
<dependency>
<groupId>io.lettuce</groupId>
<artifactId>lettuce-core</artifactId>
</dependency>
<!-- redis依赖end-->
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
2、application.propertise添加配置
spring.redis.database=0
spring.redis.host=192.168.138.130 #换成自己的redis的配置
spring.redis.port=6379
spring.redis.password=redis
spring.redis.jedis.pool.max-active=8
spring.redis.jedis.pool.max-wait=-1ms
spring.redis.jedis.pool.max-idle=8
spring.redis.jedis.pool.min-idle=0
以上配置完,项目就能简单启动啦,然后可以继续配置授权服务器以及资源服务器啦,上面说了授权和资源可以是一台服务器,也可以是分开的,这里是配置在同一个服务上。
3、配置授权服务器
/**
* FileName: AuthorizationServerConfig
* Author: linwd
* Date: 2021/3/31 12:01
* Description: 授权服务器配置
* History:
* <author> <time> <version> <desc>
* 作者姓名 修改时间 版本号 描述
*/
package com.yangxf.demoOauth2.auth;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore;
/**
* 〈一句话功能简述〉<br>
* 〈授权服务器配置〉
*
* @author linwd
* @create 2021/3/31
* @since 1.0.0
*/
@Configuration
@EnableAuthorizationServer //开启授权服务器
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
/**
* 用于支持password模式
* 如启动时报AuthenticationManager无法注入的错误,可能是spring security配置类中没有配置这个
* @Bean
* @Override
* public AuthenticationManager authenticationManagerBean() throws Exception {
* return super.authenticationManagerBean();
* }
*/
@Autowired
private AuthenticationManager authenticationManager;
/**
* 调用redis的,将令牌缓存到redis中,以便微服务之间获取信息
*/
@Autowired
RedisConnectionFactory redisConnectionFactory;
/**
* 该对象用于刷新token提供支持,
* 如启动时报UserDetailsService注入错误,可能是spring security配置类中没有配置这个
* @Bean
* @Override
* public UserDetailsService userDetailsService(){
* return super.userDetailsService();
* }
*/
@Autowired
UserDetailsService userDetailsService;
@Bean
PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
/**
* authorizedGrantTypes--授权模式为password,refresh_token
* accessTokenValiditySeconds--配置了过期时间
* resourceIds--配置了资源id
* secret--配置了加密后的密码
*
* @param clients
* @throws Exception
*/
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("password")
.authorizedGrantTypes("password", "refresh_token")
.accessTokenValiditySeconds(1800)
.resourceIds("rids")
.scopes("all")
.secret(passwordEncoder().encode("123456"));
}
/**
* 令牌的存储,用于支持password模式以及令牌刷新
*
* @param endpoints
* @throws Exception
*/
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(new RedisTokenStore(redisConnectionFactory))
.authenticationManager(authenticationManager)
.userDetailsService(userDetailsService);
}
/**
* 支持client_id和client_secret做登录认证
*
* @param security
* @throws Exception
*/
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.allowFormAuthenticationForClients();
}
}
4、配置资源服务器
/**
* FileName: ResourceServerConfig
* Author: linwd
* Date: 2021/3/31 12:33
* Description: 资源服务器配置
* History:
* <author> <time> <version> <desc>
* 作者姓名 修改时间 版本号 描述
*/
package com.yangxf.demoOauth2.resource;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
/**
* 〈一句话功能简述〉<br>
* 〈资源服务器配置〉
*
* @author linwd
* @create 2021/3/31
* @since 1.0.0
*/
@Configuration
@EnableResourceServer //开启资源服务器
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
@Override
public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
resources.resourceId("rids").stateless(true);//配置资源id,与授权服务器配置的资源id一致,基于令牌认证
}
@Override
public void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/admin/**").hasRole("admin")
.antMatchers("/user/**").hasRole("user")
.anyRequest().authenticated();
}
}
5、配置Security
/**
* FileName: WebSecurityConfig
* Author: linwd
* Date: 2021/3/31 12:47
* Description: spring security配置
* History:
* <author> <time> <version> <desc>
* 作者姓名 修改时间 版本号 描述
*/
package com.yangxf.demoOauth2.security;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
/**
* 〈一句话功能简述〉<br>
* 〈spring security配置〉
*
* @author linwd
* @create 2021/3/31
* @since 1.0.0
*/
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
@Override
public UserDetailsService userDetailsService(){
return super.userDetailsService();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin")
.password(new BCryptPasswordEncoder().encode("123456"))
.roles("admin")
.and()
.withUser("lin")
.password(new BCryptPasswordEncoder().encode("123456"))
.roles("user");
}
/**
* 主要是对/oauth/**的请求放行,此处配置优先级高于资源服务器中的HttpSecurity配置,即请求路径先路过这
* @param http
* @throws Exception
*/
@Override
public void configure(HttpSecurity http) throws Exception {
http.antMatcher("/oauth/**").authorizeRequests()
.antMatchers("/oauth/**").permitAll()
.and().csrf().disable();
}
}
6、验证
- 获取token
POST请求,为显示方便,放在地址栏中
localhost:8080/oauth/token?username=admin&password=123456&grant_type=password&scope=all&client_id=password&client_secret=123456
- 刷新token
POST请求,为显示方便,放在地址栏中
localhost:8080/oauth/token?grant_type=refresh_token&refresh_token=97db7258-da45-498f-b890-249b0ad415c7&client_id=password&client_secret=123456
用之前获取token时获取到的refresh_token来刷新token
- 资源请求
获取token时是用admin用户登录的,那么他具有的是访问/admin/**,的权限,
访问/user/hello时会失败。
访问/admin/hello时会成功。
以下是验证结果
五、Oauth2授权码实战
1、授权码访问流程
(A):客户端携带client_id、redirect_uri,中间通过代理者访问授权服务器,如果已经登录过会直接返回redirect_uri,没有登录过就跳转到登录页面
(B)授权服务器对客户端进行身份验证(通过用户代理,让用户输入用户名和密码)
(C)授权通过,会重定向到redirect_uri并携带授权码code作为uri参数
(D)客户端携带授权码访问授权服务器
(E)验证授权码通过,返回acceptToken.
从调用接口来说,
从调接口方面,简单来说:
- 第一步:获取code:
eg:oauthServer+"/oauth/authorize?client_id="+clientId+"&response_type=code&redirect_uri="+redirectUrl+"&scope=all"如果没有登录,则会跳转到统一身份认证登录页面。如果用户登录了,调用接口后,会重定向到redirect_uri,授权码会作为它的参数- 第二步:获取access_token
eg:oauthServer+"/oauth/token?code="+code+"&grant_type=authorization_code&client_secret="+clientSecret+"&redirect_uri="+redirectUri+"&client_id="+clientId
{
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1ODk1MzQ5NzMsInVzZXJfbmFtZSI6Im5pY2t5IiwiYXV0aG9yaXRpZXMiOlsiUk9MRV9hZG1pbiJdLCJqdGkiOiJmMjM0M2Q0NC1hODViLTQyOGYtOWE1ZS1iNTE4NTAwNTM5ODgiLCJjbGllbnRfaWQiOiJvYSIsInNjb3BlIjpbImFsbCJdfQ.LWkN2gC2dBrGTn5uSPzfdW6yRj7jhlX87EE8scY02hI",
"token_type": "bearer",
"expires_in": 59,
"scope": "all",
"user_name": "nicky",
"jti": "f2343d44-a85b-428f-9a5e-b51850053988"
}
- 访问系统资源,此时统一认证服务会根据该认证客户端权限信息判断,决定是否返回信息。
2、依赖注入
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>2.3.5.RELEASE</version>
</dependency>
3、授权服务器配置
/**
* FileName: AuthorizationServerConfig
* Author: linwd
* Date: 2021/3/31 12:01
* Description: 授权服务器配置
* History:
* <author> <time> <version> <desc>
* 作者姓名 修改时间 版本号 描述
*/
package com.yangxf.demoOauth2.auth;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;
/**
* 〈一句话功能简述〉<br>
* 〈授权服务器配置〉
*
* @author linwd
* @create 2021/3/31
* @since 1.0.0
*/
@Configuration
//开启授权服务
@EnableAuthorizationServer
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
private static final String CLIENT_ID = "120001";
private static final String SECRET_CHAR_SEQUENCE = "e1123123ew21312312";
private static final String SCOPE_READ = "read";
private static final String SCOPE_WRITE = "write";
private static final String TRUST = "trust";
private static final String USER ="user";
private static final String ALL = "all";
private static final int ACCESS_TOKEN_VALIDITY_SECONDS = 10*60;
private static final int FREFRESH_TOKEN_VALIDITY_SECONDS = 10*60;
// 密码模式授权模式
private static final String GRANT_TYPE_PASSWORD = "password";
//授权码模式
private static final String AUTHORIZATION_CODE = "authorization_code";
//refresh token模式
private static final String REFRESH_TOKEN = "refresh_token";
//简化授权模式
private static final String IMPLICIT = "implicit";
//指定哪些资源是需要授权验证的
private static final String RESOURCE_ID = "resource_id";
@Bean
PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients
// 使用内存存储
.inMemory()
//标记客户端id
.withClient(CLIENT_ID)
//客户端安全码
.secret(passwordEncoder().encode(SECRET_CHAR_SEQUENCE))
//为true 直接自动授权成功返回code
.autoApprove(true)
.redirectUris("http://127.0.0.1:8080/login") //重定向uri
//允许授权范围
.scopes(ALL)
//token 时间秒
.accessTokenValiditySeconds(ACCESS_TOKEN_VALIDITY_SECONDS)
//刷新token 时间 秒
.refreshTokenValiditySeconds(FREFRESH_TOKEN_VALIDITY_SECONDS)
//允许授权类型
.authorizedGrantTypes(AUTHORIZATION_CODE );
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
// 使用内存保存生成的token
endpoints.authenticationManager(authenticationManager).tokenStore(memoryTokenStore());
}
/**
* 认证服务器的安全配置
*
* @param security
* @throws Exception
*/
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security
//.realm(RESOURCE_ID)
// 开启/oauth/token_key验证端口认证权限访问
.tokenKeyAccess("isAuthenticated()")
// 开启/oauth/check_token验证端口认证权限访问
.checkTokenAccess("isAuthenticated()")
//允许表单认证
.allowFormAuthenticationForClients();
}
@Bean
public TokenStore memoryTokenStore() {
// 最基本的InMemoryTokenStore生成token
return new InMemoryTokenStore();
}
}
4、Security配置
/**
* FileName: WebSecurityConfig
* Author: linwd
* Date: 2021/3/31 12:47
* Description: spring security配置
* History:
* <author> <time> <version> <desc>
* 作者姓名 修改时间 版本号 描述
*/
package com.yangxf.demoOauth2.security;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
/**
* 〈一句话功能简述〉<br>
* 〈spring security配置〉
*
* @author linwd
* @create 2021/3/31
* @since 1.0.0
*/
@Configuration
@EnableWebSecurity
@Order(1)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin")
.password(new BCryptPasswordEncoder().encode("123456"))
.roles("admin");
}
@Override
public void configure(WebSecurity web) throws Exception {
//解决静态资源被拦截的问题
web.ignoring().antMatchers("/asserts/**");
web.ignoring().antMatchers("/favicon.ico");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http // 配置登录页并允许访问
.formLogin().permitAll()
// 配置Basic登录
//.and().httpBasic()
// 配置登出页面
.and().logout().logoutUrl("/logout").logoutSuccessUrl("/")
.and().authorizeRequests().antMatchers("/oauth/**", "/login/**", "/logout/**").permitAll()
// 其余所有请求全部需要鉴权认证
.anyRequest().authenticated()
// 关闭跨域保护;
.and().csrf().disable();
}
}
5、测试
- 获取code
浏览器访问地址:
http://localhost:8080/oauth/authorize?client_id=120001&client_secret=e1123123ew21312312&response_type=code&username=admin&password=123456
红框部分就是code参数,拿到授权码code去获取token。
- 获取token
localhost:8080/oauth/token?grant_type=authorization_code&code=zAx87n&redirect_uri=http://127.0.0.1:8080/login&scope=all
header部分:
Authorization Basic MTIwMDAxOmUxMTIzMTIzZXcyMTMxMjMxMg==
MTIwMDAxOmUxMTIzMTIzZXcyMTMxMjMxMg==是clientId+":"+clientSecret用Base64.encodeBase64加密所得。