1.oauth2
oauth2(开放授权) 是一个开放标准,在不需要用户将账号密码提供给第三方应用,来授权访问,比如微信的第三方登陆
oauth2 有四种模式:
授权码模式(authorization_code ),
密码模式(password), 用户名和密码访问
隐式授权模式(Implicit Grant),
客户端凭证模式(Client Credentials Grant) 服务器通信的场景
2.授权码模式:
授权码模式是功能最完整,流程最严密的授权模式。
1. 用户先访问客户端,客户端去认证服务器,认证服务器通过,返回一个授权码 并且重定向到指定的URL中,
例如: http://localhost:8080/oauth2/oauth/authorize?grant_type=authorization_code&client_id=console&client_secret=console&redirect_uri=http://127.0.0.1:8080/token/getToken&response_type=code
3. 客户端拿到授权码,以及之前的重定向URL,去认证服务器申请token。client_secret 只应在这一步的后端(服务器到服务器)请求中发送,不应像上面的示例那样出现在浏览器可见的 authorize 地址中。
授权服务器配置:
package com.homeinns.config.autoconfigure;
import com.homeinns.service.JdbcUserDetailsService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Conditional;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.builders.ClientDetailsServiceBuilder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.error.WebResponseExceptionTranslator;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.security.oauth2.provider.token.TokenEnhancerChain;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.List;
@Component
@EnableAuthorizationServer
@Conditional(value = EnableOauth2.class) //是否开启oauth2认证
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
private TokenConfigure tokenConfigure;
@Autowired
@Qualifier("jdbcUserDetailsService")
private JdbcUserDetailsService userDetailsService;
@Autowired
@Qualifier("clientAuthenticationManager")
private AuthenticationManager authenticationManager;
@Autowired
@Qualifier("jwtTokenStore")
private TokenStore tokenStore;
@Autowired
@Qualifier("jwtAccessTokenConverter")
private JwtAccessTokenConverter jwtAccessTokenConverter;
@Autowired
private TokenEnhancer jwtTokenEnhancer;
@Autowired
private WebResponseExceptionTranslator customWebResponseExceptionTranslator;
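/**
 * Configures the authorization server endpoints: token store, authentication manager,
 * user lookup, the JWT enhancer chain, the exception translator and the
 * {@link DefaultTokenServices} that issue and refresh tokens.
 *
 * @param endpoints the endpoint configurer supplied by Spring Security OAuth2
 * @throws Exception propagated from the configurer contract
 */
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
    endpoints
        .tokenStore(tokenStore)                       // where issued tokens are kept
        .authenticationManager(authenticationManager) // authenticates token requests
        .userDetailsService(userDetailsService);      // user lookup for the endpoints

    // Enhancer chain: the custom enhancer adds claims first, the JWT converter runs last
    // so that those claims end up inside the encoded token.
    List<TokenEnhancer> enhancers = new ArrayList<>(); // typed list (the original used a raw ArrayList)
    enhancers.add(jwtTokenEnhancer);
    enhancers.add(jwtAccessTokenConverter);
    TokenEnhancerChain enhancerChain = new TokenEnhancerChain();
    enhancerChain.setTokenEnhancers(enhancers);
    endpoints.tokenEnhancer(enhancerChain)
        .accessTokenConverter(jwtAccessTokenConverter);
    endpoints.exceptionTranslator(customWebResponseExceptionTranslator);

    // Token services: read store, client details and enhancer back from the configurer
    // so the explicitly registered services match what was configured above.
    DefaultTokenServices tokenServices =
        (DefaultTokenServices) endpoints.getDefaultAuthorizationServerTokenServices();
    tokenServices.setTokenStore(endpoints.getTokenStore());
    // Refresh tokens are enabled; note that DefaultTokenServices reuses the same refresh
    // token across refreshes unless setReuseRefreshToken(false) is set — consider rotation.
    tokenServices.setSupportRefreshToken(true);
    tokenServices.setClientDetailsService(endpoints.getClientDetailsService());
    tokenServices.setTokenEnhancer(endpoints.getTokenEnhancer());
    // Server-wide validity. Per-client values set in configure(ClientDetailsServiceConfigurer)
    // are expected to take precedence when present — confirm against the TokenConfigure values.
    final int accessTokenValiditySeconds = 60 * 60 * 12;  // 12 hours
    final int refreshTokenValiditySeconds = 60 * 60 * 24; // 1 day
    tokenServices.setAccessTokenValiditySeconds(accessTokenValiditySeconds);
    tokenServices.setRefreshTokenValiditySeconds(refreshTokenValiditySeconds);
    endpoints.tokenServices(tokenServices);
}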
//客户端配置,目前存储在内存中,可以改为数据库存储
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
ClientDetailsServiceBuilder<org.springframework.security.oauth2.config.annotation.builders.InMemoryClientDetailsServiceBuilder>.ClientBuilder scopes = clients.inMemory().withClient(tokenConfigure.getClientId())
.secret(tokenConfigure.getOauth2Secret())
.redirectUris(tokenConfigure.getRedirectUri())
.refreshTokenValiditySeconds(tokenConfigure.getRefreshToken().intValue())
.accessTokenValiditySeconds(tokenConfigure.getAccessToken().intValue())
.scopes(tokenConfigure.getScope());
//授权模式
for (String grantType : tokenConfigur