Implementing the four OAuth 2.0 grant types on Spring Boot 2.0.3 and Spring Cloud OAuth 2.0, with the verification interaction steps after implementation
OAuth 2.0 defines four grant types.
1. Authorization code grant (authorization code)
2. Implicit grant (implicit)
3. Resource owner password credentials grant (resource owner password credentials)
4. Client credentials grant (client credentials)
Client credentials grant (client credentials)
client_id=unity-client
client_secret=unity
{
    "access_token": "32f044cd-48ef-4382-9a77-7ee35bd9a824",
    "token_type": "bearer",
    "expires_in": 41413,
    "scope": "read write"
}
Accessing the resource server
http://localhost:8080/api/order/11?access_token=32f044cd-48ef-4382-9a77-7ee35bd9a824
order id : 11
The resource_ids column of the oauth_client_details table must contain the same value as the resource id configured on the resource server.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
@EnableResourceServer
@EnableOAuth2Client
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    // Must equal the resource_ids value stored for the client in oauth_client_details
    private static final String DEMO_RESOURCE_ID = "api";

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        // Every request under /api/** needs a valid access token
        http.requestMatchers().antMatchers("/api/**").and().authorizeRequests().anyRequest().authenticated();
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // stateless(true): no HTTP session, the token must be presented on every request
        resources.resourceId(DEMO_RESOURCE_ID).stateless(true);
    }
}
BCryptPasswordEncoder
http://localhost:8080/oauth/token?grant_type=client_credentials&scope=read&client_id=clients&client_secret=$08$MU/8V8maXM/fldSLnat1Re7VFgE8wd1XxH5q/iSz7CHOQ7RXaHVre
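The post keeps its clients in the oauth_client_details table; the following authorization server configuration is an added example (not code from the post) that registers the same clients in memory, so the link between resource_ids and the resource server's resourceId, and the BCrypt handling of client secrets, can be seen in one place. It assumes the client ids, secrets, scopes and redirect URI used elsewhere on this page (unity-client/unity, client/secret, scope app, http://www.baidu.com), and that the WebSecurityConfigurerAdapter exposes an AuthenticationManager bean (needed only for the password grant). Only the bcrypt hash of each secret is stored; the client still sends the plaintext secret, which BCryptPasswordEncoder.matches() compares against the hash.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    // Must match the resourceId configured on the resource server; otherwise the
    // resource server rejects the token because it does not carry that resource id.
    private static final String DEMO_RESOURCE_ID = "api";

    // Same encoder type the client secrets were hashed with; only hashes are stored.
    private final PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();

    // Assumption: exposed by the WebSecurityConfigurerAdapter via authenticationManagerBean().
    // Used only by the password grant to verify the resource owner's credentials.
    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            // client of the client_credentials example (unity-client / unity)
            .withClient("unity-client")
            .secret(passwordEncoder.encode("unity"))
            .resourceIds(DEMO_RESOURCE_ID)
            .authorizedGrantTypes("client_credentials")
            .scopes("read", "write")
            .accessTokenValiditySeconds(43200)
            .and()
            // client of the authorization_code, password and implicit examples (client / secret)
            .withClient("client")
            .secret(passwordEncoder.encode("secret"))
            .resourceIds(DEMO_RESOURCE_ID)
            .authorizedGrantTypes("authorization_code", "refresh_token", "password", "implicit")
            .scopes("app")
            // redirect_uri sent to /oauth/authorize and /oauth/token must exactly match this value
            .redirectUris("http://www.baidu.com")
            .accessTokenValiditySeconds(43200)
            .refreshTokenValiditySeconds(86400);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.authenticationManager(authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        // Client authentication at /oauth/token compares the presented plaintext
        // secret against the stored bcrypt hash using this encoder.
        security.passwordEncoder(passwordEncoder)
                .tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()")
                .allowFormAuthenticationForClients();
    }
}
```

With this registration, a token issued to unity-client carries resource id api and scope read/write, which is exactly what the ResourceServerConfig above checks before serving /api/order/11.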
Authorization code grant (authorization code)
http://localhost:8080/oauth/authorize?client_id=unity-client&response_type=code&redirect_uri=http://www.baidu.com
Enter the user's username and password.
https://www.baidu.com/?code=uX6fl0
Exchange the code for an access token; note that this request must use the POST method.
http://localhost:8080/oauth/token?client_id=client&grant_type=authorization_code&redirect_uri=http://www.baidu.com&code=uX6fl0
Note that this code must be identical to the code obtained in the previous step.
Enter the client's username and password.
Enter client as the username and secret as the password, then click OK.
{
    "access_token": "2f695ad8-0e64-478e-a5c4-b13597dc0df2",
    "token_type": "bearer",
    "refresh_token": "c67241bd-1c0f-4b9f-bd61-6948b788e12d",
    "expires_in": 43199,
    "scope": "app"
}
Accessing the resource server
http://localhost:8080/api/order/11?access_token=2f695ad8-0e64-478e-a5c4-b13597dc0df2
order id : 11
{
    "access_token": "ec4b4d6c-3dfe-48fe-93b3-e3e335e6637b",
    "token_type": "bearer",
    "refresh_token": "c67241bd-1c0f-4b9f-bd61-6948b788e12d",
    "expires_in": 43199,
    "scope": "app"
}
{
    "access_token": "8be81c35-641f-4997-ac34-ede545ced3d5",
    "token_type": "bearer",
    "refresh_token": "c67241bd-1c0f-4b9f-bd61-6948b788e12d",
    "expires_in": 43199,
    "scope": "app"
}
The refresh_token must be used before it expires in order to obtain a new token.
As long as the refresh_token is valid, it can be used directly to obtain a new access_token.
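The code exchange and the refresh described above, written as a small Java client. This is an added example, not code from the post: a hypothetical TokenClient class that uses RestTemplate from spring-boot-starter-web (Jackson maps the JSON response to a Map). It assumes the token endpoint, client credentials (client/secret), redirect URI and the code value uX6fl0 from this page; the code is the one received on the redirect and is valid for a single use.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

/** Hypothetical confidential client: exchanges an authorization code, later refreshes the token. */
public class TokenClient {

    private static final String TOKEN_URL = "http://localhost:8080/oauth/token";

    private final RestTemplate rest = new RestTemplate();
    private final String basicAuth;

    public TokenClient(String clientId, String clientSecret) {
        // client_id / client_secret travel in the Authorization header (HTTP Basic),
        // which is what the browser's username/password prompt on /oauth/token sends
        String credentials = clientId + ":" + clientSecret;
        this.basicAuth = "Basic " + Base64.getEncoder()
                .encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
    }

    /** POST grant_type=authorization_code; redirect_uri must equal the one used at /oauth/authorize. */
    public Map<?, ?> exchangeCode(String code, String redirectUri) {
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "authorization_code");
        form.add("code", code);
        form.add("redirect_uri", redirectUri);
        return post(form);
    }

    /** POST grant_type=refresh_token; succeeds only while the refresh_token itself is still valid. */
    public Map<?, ?> refresh(String refreshToken) {
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "refresh_token");
        form.add("refresh_token", refreshToken);
        return post(form);
    }

    private Map<?, ?> post(MultiValueMap<String, String> form) {
        HttpHeaders headers = new HttpHeaders();
        headers.set(HttpHeaders.AUTHORIZATION, basicAuth);
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        // Response body {"access_token":...,"refresh_token":...,"expires_in":...} becomes a Map
        return rest.postForObject(TOKEN_URL, new HttpEntity<>(form, headers), Map.class);
    }

    public static void main(String[] args) {
        TokenClient client = new TokenClient("client", "secret");
        // "uX6fl0" stands for the code taken from the redirect URL in the previous step
        Map<?, ?> tokens = client.exchangeCode("uX6fl0", "http://www.baidu.com");
        System.out.println("access_token     = " + tokens.get("access_token"));

        // Same refresh_token, new access_token, as in the two responses above
        Map<?, ?> renewed = client.refresh((String) tokens.get("refresh_token"));
        System.out.println("new access_token = " + renewed.get("access_token"));
    }
}
```

Sending the form parameters in the POST body with the client credentials in the Authorization header keeps the secret and the code out of the request line, which is the part most likely to end up in access logs.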
Resource owner password credentials grant (resource owner password credentials)
http://localhost:8080/oauth/token?grant_type=password&username=admin&password=123
{
    "access_token": "8be81c35-641f-4997-ac34-ede545ced3d5",
    "token_type": "bearer",
    "refresh_token": "c67241bd-1c0f-4b9f-bd61-6948b788e12d",
    "expires_in": 42630,
    "scope": "app"
}
Implicit grant (implicit)
In this mode the token is requested from the authorization server directly in the browser, without going through the client's own server; the "authorization code" step is skipped, every step is completed in the browser, and the token is passed directly in the callback URL.
Suitable for applications that obtain the token directly in the front end.
The steps are similar to the authorization code grant, only without the authorization code:
The browser requests a token from the authorization server.
The user logs in (if not already logged in).
The user grants authorization.
After authorization the browser is redirected to the redirectUri with the token carried in the URL.
Form login must be enabled.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // [1]
        // http.httpBasic().and().csrf().disable();
        // [2]
        // http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();
        http.csrf().disable();
        // Only /oauth/**, /login/** and /logout/** go through this filter chain;
        // /oauth/** requires a logged-in user, the login form itself is public
        http.requestMatchers().antMatchers("/oauth/**", "/login/**", "/logout/**").and().authorizeRequests()
            .antMatchers("/oauth/**").authenticated().and().formLogin().permitAll();
    }
}
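The form login above needs a user store behind it, and the password grant (admin/123) needs the AuthenticationManager that checks it. The following is an added, complete version of that WebSecurityConfigurerAdapter (example code, not the post's own), keeping the configure(HttpSecurity) from the page and adding an in-memory user, a BCrypt PasswordEncoder bean and the authenticationManagerBean() override that the authorization server's password grant relies on. The user name and password come from the page; everything else is assumed.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Shared encoder: user passwords are stored and compared as bcrypt hashes
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Resource owner used by grant_type=password (admin / 123) and by the form login.
    // Assumed user store; a production setup would read users from a database.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("admin")
            .password(passwordEncoder().encode("123")) // only the hash is held in memory
            .roles("USER");
    }

    // Exposed as a bean so the authorization server can verify user credentials
    // for the password grant via endpoints.authenticationManager(...)
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF disabled as in the post; keep it enabled where browser sessions submit state-changing forms
        http.csrf().disable();
        http.requestMatchers().antMatchers("/oauth/**", "/login/**", "/logout/**").and()
            .authorizeRequests().antMatchers("/oauth/**").authenticated().and()
            .formLogin().permitAll();
    }
}
```

With this in place, /oauth/authorize (authorization code and implicit grants) shows the form login to an unauthenticated browser, and /oauth/token with grant_type=password verifies admin/123 against the bcrypt hash through the exposed AuthenticationManager.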
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>auth-service</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <packaging>jar</packaging>
  <name>auth-service</name>
  <description>Demo project for Spring Boot</description>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.0.3.RELEASE</version>
    <relativePath /> <!-- lookup parent from repository -->
  </parent>
  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    <java.version>1.8</java.version>
    <spring-cloud.version>Finchley.SR1</spring-cloud.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-data-redis</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-jdbc</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-starter-oauth2</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-starter-security</artifactId>
    </dependency>
    <!-- Druid dependency -->
    <dependency>
      <groupId>com.alibaba</groupId>
      <artifactId>druid</artifactId>
      <version>1.1.10</version>
    </dependency>
    <!-- https://mvnrepository.com/artifact/mysql/mysql-connector-java -->
    <dependency>
      <groupId>mysql</groupId>
      <artifactId>mysql-connector-java</artifactId>
      <version>8.0.12</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-test</artifactId>
      <scope>test</scope>
    </dependency>
  </dependencies>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-dependencies</artifactId>
        <version>${spring-cloud.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <build>
    <plugins>
      <plugin>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-maven-plugin</artifactId>
      </plugin>
    </plugins>
  </build>
</project>