springboot从原理上实现oauth2
一直以来,使用spring-cloud-starter-oauth2进行用户认证,然而只要配置一些配置文件,写一个登陆页,就可以进行简单的使用。这样会造成我们无法理解oauth2的工作原理,从哪跳转到哪,又在哪里做验证。这样会导致oauth2用起来感觉莫名奇妙,也无法体会到它的安全性。
从网上找了一幅图,就是整个oauth2.0的协议实现原理。
代码
1.springboot客户端依赖:
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.apache.oltu.oauth2</groupId>
<artifactId>org.apache.oltu.oauth2.client</artifactId>
<version>0.31</version>
</dependency>
</dependencies>
2.springboot服务端依赖:
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.apache.oltu.oauth2</groupId>
<artifactId>org.apache.oltu.oauth2.authzserver</artifactId>
<version>0.31</version>
</dependency>
<dependency>
<groupId>org.apache.oltu.oauth2</groupId>
<artifactId>org.apache.oltu.oauth2.resourceserver</artifactId>
<version>0.31</version>
</dependency>
</dependencies>
这里用的springboot版本是2.0.3
3.在客户端web项目中构造一个oauth的客户端请求对象(OAuthClientRequest),在此对象中携带客户端信息(clientId、accessTokenUrl、response_type、redirectUrl),将此信息放入http请求中,重定向到服务端。此步骤对应上图1
ServerController.java
@RequestMapping("/requestServerCode")
public String requestServerFirst(HttpServletRequest request, HttpServletResponse response, RedirectAttributes attr)throws OAuthProblemException {
clientId = "clientId";
clientSecret = "clientSecret";
accessTokenUrl = "responseCode";
userInfoUrl = "userInfoUrl";
redirectUrl = "http://localhost:8081/oauthclient01/server/callbackCode";
responseType = "code";
OAuthClient oAuthClient = new OAuthClient(new URLConnectionClient());
String requestUrl = null;
try{
OAuthClientRequest accessTokenRequest = OAuthClientRequest
.authorizationLocation(accessTokenUrl)
.setResponseType(responseType)
.setClientId(clientId)
.setRedirectURI(redirectUrl)
.buildQueryMessage();
requestUrl = accessTokenRequest.getLocationUri();
System.out.println(requestUrl);
}catch (OAuthSystemException e){
e.printStackTrace();
}
return "redirect:http://localhost:8082/oauthserver/" + requestUrl;
}
此段代码对应开发步骤1.其中accessTokenUrl是服务端返回code的controller方法映射地址。redirectUrl是告诉服务端,code要传回客户端的一个controller方法,该方法的映射地址就是redirectUrl。
4.在服务端web项目中接受第一步传过来的request,从中获取客户端信息,可以自行验证信息的可靠性。同时构造一个oauth的code授权许可对象(OAuthAuthorizationResponseBuilder),并在其中设置授权码code,将此对象传回客户端。此步骤对应上图2
AuthorizeController.java
@RequestMapping("/responseCode")
public Object toShowUser(Model model, HttpServletRequest request){
System.out.println("-------------------------服务端/responseCode---------------------------------------------------");
try{
OAuthAuthzRequest oauthRequest = new OAuthAuthzRequest(request);
if(oauthRequest.getClientId() != null && oauthRequest.getClientId() != ""){
String authorizationCode = "authorizationCode";
String responseType = oauthRequest.getParam(OAuth.OAUTH_RESPONSE_TYPE);
OAuthASResponse.OAuthAuthorizationResponseBuilder builder = OAuthASResponse.authorizationResponse(request, HttpServletResponse.SC_FOUND);
builder.setCode(authorizationCode);
String redirectURI = oauthRequest.getParam(OAuth.OAUTH_REDIRECT_URI);
final OAuthResponse response = builder.location(redirectURI).buildQueryMessage();
System.out.println("服务的/responseCode内,返回的回调路径:" + response.getLocationUri());
System.out.println("----------------------服务端/responseCode-----------------------------------------------");
String responseUri = response.getLocationUri();
HttpHeaders headers = new HttpHeaders();
try{
headers.setLocation(new URI(response.getLocationUri()));
}catch(URISyntaxException e){
e.printStackTrace();
}
return "redirect:" + responseUri;
}
}catch (OAuthSystemException e) {
e.printStackTrace();
} catch (OAuthProblemException e) {
e.printStackTrace();
}
System.out.println("---------------------服务端/responseCode-----------------------------------------------------");
return null;
}
5.在客户端web项目中接受第二步的请求request,从中获得code。同时构造一个oauth的客户端请求对象(OAuthClientRequest),此次在此对象中不仅要携带客户端信息(clientId、accessTokenUrl、clientSecret、GrantType、redirectUrl),还要携带接受到的code。再构造一个客户端请求工具对象(oAuthClient),这个工具封装了httpclient,用此对象将这些信息以post(一定要设置成post)的方式请求到服务端,目的是为了让服务端返回资源访问令牌。此步骤对应上图3。(另外oAuthClient请求服务端以后,会自行接受服务端的响应信息。
ServerController.java
@RequestMapping("/callbackCode")
public Object toLogin(HttpServletRequest request)throws OAuthProblemException{
System.out.println("-----------------客户端/callbackCode--------------------------------------------------------------------");
clientId = "clientId";
clientSecret = "clientSecret";
accessTokenUrl = "http://localhost:8082/oauthserver/responseAccessToken";
userInfoUrl = "userInfoUrl";
redirectUrl = "http://localhost:8081/oauthclient01/server/accessToken";
code = request.getParameter("code");
System.out.println(code);
OAuthClient oAuthClient = new OAuthClient(new URLConnectionClient());
try{
OAuthClientRequest accessTokenRequest = OAuthClientRequest
.tokenLocation(accessTokenUrl)
.setGrantType(GrantType.AUTHORIZATION_CODE)
.setClientId(clientId)
.setClientSecret(clientSecret)
.setCode(code)
.setRedirectURI(redirectUrl)
.buildQueryMessage();
OAuthAccessTokenResponse oAuthResponse = oAuthClient.accessToken(accessTokenRequest, OAuth.HttpMethod.POST);
String accessToken = oAuthResponse.getAccessToken();
// 获取时间用于查看token是否过期Long expiresln = oAuthResponse.getExpiresIn();
System.out.println("客户端/callbackCode方法的token:::" + accessToken);
System.out.println("--------------客户端/callbackCode------------------------------------------------------------------");
return "redirect:http://localhost:8081/oauthclient01/server/accessToken?accessToken=" + accessToken;
}catch (OAuthSystemException e){
e.printStackTrace();
}
return null;
}
6.在服务端web项目中接受第三步传过来的request,从中获取客户端信息和code,并自行验证。再按照自己项目的要求生成访问令牌(accesstoken),同时构造一个oauth响应对象(OAuthASResponse),携带生成的访问指令(accesstoken),返回给第三步中客户端的oAuthClient。oAuthClient接受响应之后获取accesstoken,此步骤对应上图4
AccessTokenController.java
@RequestMapping(value = "/responseAccessToken",method = RequestMethod.POST)
public HttpEntity token(HttpServletRequest request){
System.out.println("-----------------服务端/responseAccessToken-------------------------------------");
OAuthIssuer oAuthIssuerImpl = null;
OAuthResponse response = null;
try{
OAuthTokenRequest oauthRequest = new OAuthTokenRequest(request);
String authCode = oauthRequest.getParam(OAuth.OAUTH_CODE);
String clientSecret = oauthRequest.getClientSecret();
if(clientSecret != null || clientSecret != ""){
oAuthIssuerImpl = new OAuthIssuerImpl(new MD5Generator());
final String accessToken = oAuthIssuerImpl.accessToken();
System.out.println(accessToken);
System.out.println("--000---");
response = OAuthASResponse
.tokenResponse(HttpServletResponse.SC_OK)
.setAccessToken(accessToken)
.buildJSONMessage();
}
System.out.println("----------------服务端/responseAccessToken---------------------------------------");
return new ResponseEntity(response.getBody(), HttpStatus.valueOf(response.getResponseStatus()));
}catch (OAuthSystemException e) {
e.printStackTrace();
}catch (OAuthProblemException e) {
e.printStackTrace();
}
System.out.println("------------服务端/responseAccessToken----------------------------------------------");
return null;
}
7.此时客户端web项目中已经有了从服务端返回过来的accesstoken,那么在客户端构造一个服务端资源请求对象(OAuthBearerClientRequest),在此对象中设置服务端资源请求URI,并携带上accesstoken。再构造一个客户端请求工具对象(oAuthClient),用此对象去服务端靠accesstoken换取资源。此步骤对应上图5
在服务端web项目中接受第五步传过来的request,从中获取accesstoken并自行验证。之后就可以将客户端请求的资源返回给客户端了。
ServerController.java
@RequestMapping("/accessToken")
public ModelAndView accessToken(String accessToken){
System.out.println("-----------------客户端/accessToken---------------------------------------------------------------------");
userInfoUrl = "http://localhost:8082/oauthserver/userInfo";
System.out.println("accessToken");
OAuthClient oAuthClient = new OAuthClient(new URLConnectionClient());
try{
OAuthClientRequest userInfoRequest = new OAuthBearerClientRequest(userInfoUrl)
.setAccessToken(accessToken).buildQueryMessage();
OAuthResourceResponse resourceResponse = oAuthClient.resource(userInfoRequest,OAuth.HttpMethod.GET,OAuthResourceResponse.class);
String username = resourceResponse.getBody();
System.out.println(username);
ModelAndView modelAndView = new ModelAndView("usernamePage");
modelAndView.addObject("username",username);
System.out.println("---------------------客户端/accessToken-------------------------------------------------------------");
return modelAndView;
}catch (OAuthSystemException e){
e.printStackTrace();
}catch (OAuthProblemException e){
e.printStackTrace();
}
System.out.println("-------------------客户端/accessToken------------------------------------------------------------------");
return null;
}
UserInfoController.java
@RequestMapping("/userInfo")
public HttpEntity userInfo(HttpServletRequest request)throws OAuthSystemException{
System.out.println("--------------------服务端/userInfo----------------------------------------------");
try{
OAuthAccessResourceRequest oauthRequest = new OAuthAccessResourceRequest(request, ParameterStyle.QUERY);
String accessToken = oauthRequest.getAccessToken();
System.out.println("accessToken");
User user = new User();
user.setUsername("tom");
user.setPassword("123456");
String username = accessToken+"---"+Math.random()+"----"+user.getUsername();
System.out.println(username);
System.out.println("服务端/userInfo::::::ppp");
System.out.println("-----------服务端/userInfo----------------------------------------------------------");
return new ResponseEntity(username, HttpStatus.OK);
}catch(OAuthProblemException e){
e.printStackTrace();
String errorCode = e.getError();
if (OAuthUtils.isEmpty(errorCode)) {
OAuthResponse oauthResponse = OAuthRSResponse
.errorResponse(HttpServletResponse.SC_UNAUTHORIZED)
.buildHeaderMessage();
HttpHeaders headers = new HttpHeaders();
headers.add(OAuth.HeaderType.WWW_AUTHENTICATE,
oauthResponse.getHeader(OAuth.HeaderType.WWW_AUTHENTICATE));
return new ResponseEntity(headers, HttpStatus.UNAUTHORIZED);
}
OAuthResponse oauthResponse = OAuthRSResponse
.errorResponse(HttpServletResponse.SC_UNAUTHORIZED)
.setError(e.getError())
.setErrorDescription(e.getDescription())
.setErrorUri(e.getUri())
.buildHeaderMessage();
HttpHeaders headers = new HttpHeaders();
headers.add(OAuth.HeaderType.WWW_AUTHENTICATE,
oauthResponse.getHeader(OAuth.HeaderType.WWW_AUTHENTICATE));
System.out.println("-----------服务端/userInfo------------------------------------------------------------------------------");
return new ResponseEntity(HttpStatus.BAD_REQUEST);
}
}
另外:项目中有些参数是自己指定,然后认证服务端是不需要写跳转的IP,这也是oauth2的精髓,需要跳转的地方都有客户端提供,项目中生成的accessToken可以当成token使用,这样其他服务就不需要再认证,只要判断是否由此token就可以了。
如果想要深入研究底层原理的话,推荐两个博客:
阮一峰
张开涛
那还有同学问了,如果我的客户端不是java,而是nginx咋办,那么你可以看我的另外一篇博客。
https://blog.csdn.net/lwy572039941/article/details/102397704
项目地址:
https://download.csdn.net/download/lwy572039941/11835481