单点登陆_不吹不黑，3步搞定单点登陆，顺便赠送社交登陆

​让我们用超级少的代码来实现单点登陆和社交登陆吧

目录

• 第一步，改一下本地 host
• 第二步，构建单点服务端(SsoServer)
• 第三步，构建单点客户端(Servlet - Spring Boot)
• 第四步，构建单点客户端(WebFlux - Spring Gateway)
• 扩展: 集成社交登陆(GitHub)
• 项目源码

第一步，改一下本地 host

这边交代一下，我们的 host 配置

127.0.0.1 example.hocgin.local
127.0.0.1 example2.hocgin.local
127.0.0.1 sso.hocgin.local

第二步，构建单点服务机(SsoServer)

1. 引入基础依赖

    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-oauth2-client</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-starter-oauth2</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>

1. 在 Spring Security 进行配置
   2.1 配置 Web Security

这个主要是对登陆的方式和URI进行配置，如果使用默认的话只要开启 OAuth2.0 的配置即可。

/**
 * Created by hocgin on 2020/1/6.
 * email: hocgin@gmail.com
 *
 * @author hocgin
 */
@Slf4j
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor(onConstructor = @__(@Lazy))
public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
    private final AuthenticationConfigs authenticationConfigs;
    private final UserDetailsService userDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        // 基础信息配置
        http.csrf().disable()
            .cors().disable()
            .authorizeRequests()
            // 使用 GitHub 进行社交登陆
            .antMatchers("/login/oauth2/code/github").permitAll()
            .anyRequest().authenticated().and()
        ;

        // 异常处理配置(这边针对AJAX进行不同处理，如果不需要可以忽略)
        http.exceptionHandling()
            .defaultAuthenticationEntryPointFor(new AjaxAuthenticationEntryPoint(), new IsAjaxRequestMatcher())
            .defaultAccessDeniedHandlerFor(new AjaxAccessDeniedHandler(), new IsAjaxRequestMatcher());

        // 登陆相关配置
        authenticationConfigs.configure(http, authenticationManagerBean());
    }

    // 这边省略了大量非重代码..
}

@Configuration
public class AuthenticationConfigs {
    static final String LOGIN_SUCCESS_PAGE = "/index";
    static final String LOGIN_PAGE = "/login";

    public void configure(HttpSecurity http, AuthenticationManager authenticationManager) throws Exception {
        final AuthorizedSuccessHandle successHandler = new AuthorizedSuccessHandle(LOGIN_SUCCESS_PAGE);
        final AuthorizedFailureHandle failureHandle = new AuthorizedFailureHandle(LOGIN_PAGE);

        // ==== OAuth2.0 ====
        http.oauth2Client();
        http.oauth2Login().loginPage(LOGIN_PAGE);

        // ==== Form 表单 ====
        {
            http.formLogin().loginPage(LOGIN_PAGE)
                .successHandler(successHandler)
                .failureHandler(failureHandle)
                .permitAll();
        }
    }
}

2.2 资源服务配置

主要是配置资源的访问权限，可以理解为配置单点客户机的用户名和密码

@Configuration
@EnableAuthorizationServer
@RequiredArgsConstructor(onConstructor = @__(@Lazy))
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    private final AuthenticationManager authenticationManager;
    private final PasswordEncoder passwordEncoder;
    private final SsoProperties properties;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {

        // 这边使用内存的方式来存储，单点客户端信息
        InMemoryClientDetailsServiceBuilder builder = clients.inMemory();
        for (SsoProperties.Client client : properties.getClients()) {
            builder.withClient(client.getClientId())
                .secret(passwordEncoder.encode(client.getClientSecret()))
                .authorizedGrantTypes("client_credentials", "authorization_code", "refresh_token", "password")
                .scopes("user_info")
                .redirectUris(client.getRedirectUris())
                .autoApprove(true);
        }
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.allowFormAuthenticationForClients()
            .tokenKeyAccess("permitAll()")
            .checkTokenAccess("isAuthenticated()")
        ;
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager);
    }
}

2.3 配置允许的单点客户端账户

server:
  port: 20000
sso:
  oauth:
    clients:
      - client-id: client_example
        client-secret: hocgin
        redirect-uris:
          - http://example.hocgin.local:20001/login/oauth2/code/custom
          - http://example2.hocgin.local:20002/login/oauth2/code/custom

⚠️ 注意哦，这边只是说明了单点服务端的一些重点配置，如果需要完整的配置可以参考文章末尾的源码哈。当然这边已经是最最复杂的部分了。如果你已经看到这边了，恭喜你！后面啥代码都不用写啦。

第三步，构建单点客户机(Servlet) - Spring Boot

1. 引入依赖

    <dependency>
      <groupId>in.hocg.boot</groupId>
      <artifactId>sso-client-spring-boot-starter</artifactId>
      <version>1.0.0-SNAPSHOT</version>
    </dependency>

1. 进行项目配置

server:
  port: 20002
spring:
  security:
    oauth2:
      shostname: http://sso.hocgin.local:20000
      client:
        registration:
          custom:
            client-id: client_example
            client-secret: hocgin
            redirect-uri: '{baseUrl}/{action}/oauth2/code/{registrationId}'
            authorization-grant-type: authorization_code
        provider:
          custom:
            user-info-uri: ${spring.security.oauth2.shostname}/oauth/user
            authorization-uri: ${spring.security.oauth2.shostname}/oauth/authorize
            token-uri: ${spring.security.oauth2.shostname}/oauth/token
            user-name-attribute: name
boot:
  sso:
    client:
      ignore-urls:
        - '/ignore'

第四步，构建单点客户机(WebFlux) - Spring Gateway

1. 引入依赖

    <dependency>
      <groupId>in.hocg.boot</groupId>
      <artifactId>sso-client-spring-boot-starter</artifactId>
      <version>1.0.0-SNAPSHOT</version>
    </dependency>

1. 进行项目配置

spring:
  security:
    oauth2:
      shostname: http://sso.hocgin.local:20000
      client:
        registration:
          custom:
            client-id: client_example
            client-secret: hocgin
            redirect-uri: '{baseUrl}/{action}/oauth2/code/{registrationId}'
            authorization-grant-type: authorization_code
        provider:
          custom:
            user-info-uri: ${spring.security.oauth2.shostname}/oauth/user
            authorization-uri: ${spring.security.oauth2.shostname}/oauth/authorize
            token-uri: ${spring.security.oauth2.shostname}/oauth/token
            user-name-attribute: name

boot:
  sso:
    client:
      ignore-urls:
        - '/ignore'

嘿嘿，其实第三步和第四步是完完全全一样的啦！已经在 Servlet 和 Webflux 上做兼容了啦。当然以上的代码完全适用于任何 Spring Boot 项目，例如: Spring Boot Admin。

扩展: 集成社交登陆(GitHub)

如果我们需要集成一些标准的 OAuth2.0 只需要在 SSO-Server 上做集成就可以了。以下配置可以配置在 SSO-Server 上。

1. 配置yml文件

spring:
  security:
    oauth2:
      client:
        registration:
          github:
            client-id: (填写你自己的)
            client-secret: (填写你自己的)
            client-name: Github Login
            redirect-uri: '{baseUrl}/{action}/oauth2/code/{registrationId}'

1. 在html代码里面使用

<form th:action="@{/oauth2/authorization/github}" method="GET">
    <input type="hidden" name="scope" value="read_stream,user_posts,user_photos"/>
    <button type="submit">github</button>
</form>

OK! 你已经简单的集成了GitHub的社交登陆了。没办法在水一篇了很遗憾..

运行演示

流程:

1. 访问 example2.hocgin.local:20002/user
2. 登陆后跳转 example2.hocgin.local:20002/user
3. 查看 example.hocgin.local:20001/user 登陆信息
4. 查看 sso.hocgin.local:20000/user 登陆信息

项目源码

• SSO-Server
• SSO-Client(Spring Boot)
• SSO-Client(Spring Gateway)

附加任务

集齐50个赞再水一篇基于该项目的公众号扫码关注登陆和Github社交登陆的后续..嘿嘿嘿