Spring Security系列(二十二)OAuth2服务提供商核心源码了解

 Spring Security Oauth2核心源码:

/oauth/token 的请求会被 TokenEndpoint 拦截，获取 ClientDetails 后与请求一起封装在 TokenRequest 中。

然后会调用TokenGranter:

CompositeTokenGranter#grant

    //四种授权模式+刷新令牌的模式根据grant_type判断
    /**
     * Dispatches a token request to the configured granters (the four authorization grant
     * types plus refresh_token) and returns the first non-null result.
     *
     * @param grantType    the {@code grant_type} request parameter
     * @param tokenRequest the parsed token request
     * @return the token issued by the first granter that handled {@code grantType}, or
     *         {@code null} when no granter did
     */
    public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
        OAuth2AccessToken issued = null;
        for (TokenGranter candidate : tokenGranters) {
            // NOTE(review): each granter is expected to answer null, not throw, for a
            // grant_type it does not support — verify against the granter implementations
            issued = candidate.grant(grantType, tokenRequest);
            if (issued != null) {
                break;
            }
        }
        return issued;
    }

AbstractTokenGranter#getAccessToken

/**
 * Builds the {@link OAuth2Authentication} for this client and request, then asks the token
 * services to create (or reuse) an access token for it.
 *
 * @param client       the client that was resolved for the token request
 * @param tokenRequest the parsed token request
 * @return the access token returned by {@code tokenServices.createAccessToken}
 */
protected OAuth2AccessToken getAccessToken(ClientDetails client, TokenRequest tokenRequest) {
    OAuth2Authentication authentication = getOAuth2Authentication(client, tokenRequest);
    return tokenServices.createAccessToken(authentication);
}

DefaultTokenServices#createAccessToken

/**
 * Issues an access token for the given authentication, reusing what the token store already holds.
 * <p>
 * If the store holds a non-expired access token for this authentication, it is re-stored and
 * returned unchanged. An expired one is removed first (its refresh token is removed explicitly as
 * well). A refresh token is created only when no refresh token survived from the expired access
 * token, or when that surviving refresh token has itself expired. The new access token is stored
 * before its refresh token.
 *
 * @param authentication the authentication the issued token is bound to
 * @return the existing (still valid) access token, or a newly created one
 * @throws AuthenticationException declared by the signature; no throw site is in this method
 *         itself — presumably raised by the token store or the create* helpers, verify there
 */
public OAuth2AccessToken createAccessToken(OAuth2Authentication authentication) throws AuthenticationException {
        // Look up an existing access token for this authentication in the token store
        // (if one exists, the same token is returned regardless of grant type)
        OAuth2AccessToken existingAccessToken = tokenStore.getAccessToken(authentication);
        OAuth2RefreshToken refreshToken = null;
        // Decide whether the existing token is still usable
        if (existingAccessToken != null) {
            if (existingAccessToken.isExpired()) {
                if (existingAccessToken.getRefreshToken() != null) {
                    // Keep the refresh token for possible reuse below, but drop it from the store
                    refreshToken = existingAccessToken.getRefreshToken();
                    // The token store could remove the refresh token when the
                    // access token is removed, but we want to
                    // be sure...

                    tokenStore.removeRefreshToken(refreshToken);
                }
                // Remove the expired access token
                tokenStore.removeAccessToken(existingAccessToken);
            }
            else {
                // Token still valid: store it again under the current authentication
                // Re-store the access token in case the authentication has changed
                tokenStore.storeAccessToken(existingAccessToken, authentication);
                // Return the existing token without issuing a new one
                return existingAccessToken;
            }
        }

        // Only create a new refresh token if there wasn't an existing one
        // associated with an expired access token.
        // Clients might be holding existing refresh tokens, so we re-use it in
        // the case that the old access token
        // expired.
        // No refresh token carried over from an expired access token
        if (refreshToken == null) {
            // Create a fresh refresh token
            refreshToken = createRefreshToken(authentication);
        }
        // But the refresh token itself might need to be re-issued if it has
        // expired.
        else if (refreshToken instanceof ExpiringOAuth2RefreshToken) {
            // Carried-over refresh token: reuse it unless its expiration has passed
            ExpiringOAuth2RefreshToken expiring = (ExpiringOAuth2RefreshToken) refreshToken;
            if (System.currentTimeMillis() > expiring.getExpiration().getTime()) {
                refreshToken = createRefreshToken(authentication);
            }
        }
        // Create the access token, attaching the refresh token chosen above
        OAuth2AccessToken accessToken = createAccessToken(authentication, refreshToken);
        tokenStore.storeAccessToken(accessToken, authentication);
        // In case it was modified
        refreshToken = accessToken.getRefreshToken();
        // The carried-over refresh token was removed from the store above, so it is only
        // present again if the new access token still carries one and it is stored here
        if (refreshToken != null) {
            tokenStore.storeRefreshToken(refreshToken, authentication);
        }
        // Return the newly issued access token
        return accessToken;

    }

说明:本系列博客是记录慕课网中的教程的学习,以便我自己复习回忆。文中涉及的一些细节问题请参考慕课网中相关视频。

贴出慕课网视频教程地址: http://coding.imooc.com/class/134.html

借鉴博客:借鉴博客


转载自blog.csdn.net/newhanzhe/article/details/81358013