Overview
Everyone knows that there are four authorization modes in the oauth2 certification system:
-
Authorization code mode (authorization code)
-
Simplified mode (implicit)
-
Client credentials
-
Password mode (password)
So how to add a custom authorization mode, such as login based on mobile phone number and SMS verification code like the following?
To customize the licensing model we have to understand the whole process of certification under oauth2.0, the authentication entry org.springframework.security.oauth2.provider.endpoint.TokenEndpoint#postAccessTokenmethod
@RequestMapping(
value = {"/oauth/token"},
method = {RequestMethod.POST}
)
public ResponseEntity<OAuth2AccessToken> postAccessToken(Principal principal, @RequestParam Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
...
}
Reading the source code can sort out the execution order of the core authentication logic code (password mode):
Core source code interpretation
-
TokenEndpoint#postAccessToken(...)Main entrance
OAuth2AccessToken token =
getTokenGranter().grant(tokenRequest.getGrantType(),
tokenRequest);
-
CompositeTokenGranter#grant(String grantType,TokenRequest tokenRequest )Responsible for finding the specific TokenGranter according to the authorization type from all TokenGranters
public class CompositeTokenGranter implements TokenGranter {
private final List<TokenGranter> tokenGranters;
...
public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
for (TokenGranter granter : tokenGranters) {
OAuth2AccessToken grant = granter.grant(grantType, tokenRequest);
if (grant!=null) {
return grant;
}
}
return null;
}
...
}
So where did the tokenGranters come from? The answer is the oauth2 authentication server endpoint configuration classAuthorizationServerEndpointsConfigurer
public final class AuthorizationServerEndpointsConfigurer {
...
private TokenGranter tokenGranter;
public TokenGranter getTokenGranter() {
return tokenGranter();
}
//默认的四种授权模式+Refresh令牌模式
private List<TokenGranter> getDefaultTokenGranters() {
ClientDetailsService clientDetails = clientDetailsService();
AuthorizationServerTokenServices tokenServices = tokenServices();
AuthorizationCodeServices authorizationCodeServices = authorizationCodeServices();
OAuth2RequestFactory requestFactory = requestFactory();
List<TokenGranter> tokenGranters = new ArrayList<TokenGranter>();
tokenGranters.add(new AuthorizationCodeTokenGranter(tokenServices, authorizationCodeServices, clientDetails,
requestFactory));
tokenGranters.add(new RefreshTokenGranter(tokenServices, clientDetails, requestFactory));
ImplicitTokenGranter implicit = new ImplicitTokenGranter(tokenServices, clientDetails, requestFactory);
tokenGranters.add(implicit);
tokenGranters.add(new ClientCredentialsTokenGranter(tokenServices, clientDetails, requestFactory));
if (authenticationManager != null) {
tokenGranters.add(new ResourceOwnerPasswordTokenGranter(authenticationManager, tokenServices,
clientDetails, requestFactory));
}
return tokenGranters;
}
private TokenGranter tokenGranter() {
if (tokenGranter == null) {
tokenGranter = new TokenGranter() {
private CompositeTokenGranter delegate;
@Override
public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
if (delegate == null) {
delegate = new CompositeTokenGranter(getDefaultTokenGranters());
}
return delegate.grant(grantType, tokenRequest);
}
};
}
return tokenGranter;
}
...
}
It can be seen that Spring has already written the configuration of the default four authorization modes + refresh token mode in the code. So how can Spring recognize our custom authorization mode?
We can override TokenGranter through the configuration class and inject our custom authorization mode into it!
-
ProviderManager#authenticate(Authentication authentication)This class provides the implementation logic and process of authentication. It is responsible for finding out the specific Provider from all AuthenticationProviders for authentication
public class ProviderManager implements AuthenticationManager, MessageSourceAware,
InitializingBean {
...
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
Class<? extends Authentication> toTest = authentication.getClass();
AuthenticationException lastException = null;
AuthenticationException parentException = null;
Authentication result = null;
Authentication parentResult = null;
boolean debug = logger.isDebugEnabled();
//遍历所有的providers使用supports方法判断该provider是否支持当前的认证类型
for (AuthenticationProvider provider : getProviders()) {
if (!provider.supports(toTest)) {
continue;
}
try {
//找到具体的provider进行认证
result = provider.authenticate(authentication);
if (result != null) {
copyDetails(authentication, result);
break;
}
}
catch (AccountStatusException | InternalAuthenticationServiceException e) {
prepareException(e, authentication);
throw e;
} catch (AuthenticationException e) {
lastException = e;
}
}
throw lastException;
}
...
}
Code implementation (core code)
When using the mobile phone number to log in, first enter the correct mobile phone number in the form and request the backend to obtain the verification code. (At this time, the background service generally associates the mobile phone number with the verification code, and sets a shorter validity period)
After the mobile phone obtains the verification code, enter it into the form to log in. The back-end framework associates the mobile phone number with the user for authentication.
SMS verification requires two basic form data: mobile phone number and SMS verification code.
This article does not implement the form login method, but uses the postman method for authentication. Using the above picture is just to give everyone an impression of the SMS authentication process.
”
SmsCodeAuthenticationToken
/**
* <p>
* <code>SmsAuthenticationToken</code>
* </p>
* Description:
* 实现手机号登录,参考org.springframework.security.authentication.UsernamePasswordAuthenticationToken
* @author javadaily
* @date 2020/7/13 8:44
*/
public class SmsCodeAuthenticationToken extends AbstractAuthenticationToken {
private static final long serialVersionUID = 520L;
/**
* 账号主体信息,手机号验证码登录体系中代表 手机号码
*/
private final Object principal;
/**
* 构建未授权的 SmsCodeAuthenticationToken
* @param mobile 手机号码
*/
public SmsCodeAuthenticationToken(String mobile) {
super(null);
this.principal = mobile;
setAuthenticated(false);
}
/**
* 构建已经授权的 SmsCodeAuthenticationToken
*/
public SmsCodeAuthenticationToken(Object principal, Collection<? extends GrantedAuthority> authorities){
super(authorities);
this.principal = principal;
super.setAuthenticated(true);
}
@Override
public Object getCredentials() {
return null;
}
@Override
public Object getPrincipal() {
return this.principal;
}
@Override
public void setAuthenticated(boolean isAuthenticated) {
if(isAuthenticated){
throw new IllegalArgumentException("Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
}else{
super.setAuthenticated(false);
}
}
@Override
public void eraseCredentials() {
super.eraseCredentials();
}
}
SmsCodeAuthenticationProvider
/**
* Description:
* 短信登陆鉴权 Provider,要求实现 AuthenticationProvider 接口
* @author javadaily
* @date 2020/7/13 13:07
*/
@Log4j2
public class SmsCodeAuthenticationProvider implements AuthenticationProvider{
private IUserService userService;
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
SmsCodeAuthenticationToken smsCodeAuthenticationToken = (SmsCodeAuthenticationToken) authentication;
userService = SpringContextHolder.getBean(IUserService.class);
String mobile = (String) smsCodeAuthenticationToken.getPrincipal();
//校验手机号验证码
checkSmsCode(mobile);
User user = userService.getUserByMobile(mobile);
if(null == user){
throw new BadCredentialsException("Invalid mobile!");
}
//授权通过
UserDetails userDetails = buildUserDetails(user);
return new SmsCodeAuthenticationToken(userDetails, userDetails.getAuthorities());
}
/**
* 构建用户认证信息
* @param user 用户对象
* @return UserDetails
*/
private UserDetails buildUserDetails(User user) {
return new org.springframework.security.core.userdetails.User(
user.getUsername(),
user.getPassword(),
AuthorityUtils.createAuthorityList("ADMIN")) ;
}
/**
* 校验手机号与验证码的绑定关系是否正确
* todo 需要根据业务逻辑自行处理
* @author javadaily
* @date 2020/7/23 17:31
* @param mobile 手机号码
*/
private void checkSmsCode(String mobile) {
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
//获取验证码
String smsCode = request.getParameter("smsCode");
if(StringUtils.isEmpty(smsCode) || !"666666".equals(smsCode)){
throw new BadCredentialsException("Incorrect sms code,please check !");
}
//todo 手机号与验证码是否匹配
}
/**
* ProviderManager 选择具体Provider时根据此方法判断
* 判断 authentication 是不是 SmsCodeAuthenticationToken 的子类或子接口
*/
@Override
public boolean supports(Class<?> authentication) {
return SmsCodeAuthenticationToken.class.isAssignableFrom(authentication);
}
}
Verification message authentication code mode implementation class, need to implement the AuthenticationProvider, by the supportsmethod will be selected to become the specific authentication ProviderManager implementation class. The association relationship between the mobile phone number and the short message needs to be realized according to your own business scenario, so it is directly written down here.
Configuration class SmsCodeSecurityConfig
@Component
public class SmsCodeSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
/**
* 短信验证码配置器
* 所有的配置都可以移步到WebSecurityConfig
* builder.authenticationProvider() 相当于 auth.authenticationProvider();
* 使用外部配置必须要在WebSecurityConfig中用http.apply(smsCodeSecurityConfig)将配置注入进去
* @param builder
* @throws Exception
*/
@Override
public void configure(HttpSecurity builder) throws Exception {
//注入SmsCodeAuthenticationProvider
SmsCodeAuthenticationProvider smsCodeAuthenticationProvider = new SmsCodeAuthenticationProvider();
builder.authenticationProvider(smsCodeAuthenticationProvider);
}
}
This class mainly implements the injection of SmsCodeAuthenticationProvider, otherwise ProviderManager cannot select SmsCodeAuthenticationProvider.
SmsCodeTokenGranter
/**
* 扩展认证模式
* @author javadaily
* @date 2020/7/14 8:31
*/
public class SmsCodeTokenGranter extends AbstractTokenGranter{
private static final String GRANT_TYPE = "sms_code";
private final AuthenticationManager authenticationManager;
public SmsCodeTokenGranter(AuthenticationManager authenticationManager, AuthorizationServerTokenServices tokenServices, ClientDetailsService clientDetailsService, OAuth2RequestFactory requestFactory) {
this(authenticationManager, tokenServices, clientDetailsService, requestFactory, GRANT_TYPE);
}
protected SmsCodeTokenGranter(AuthenticationManager authenticationManager, AuthorizationServerTokenServices tokenServices, ClientDetailsService clientDetailsService, OAuth2RequestFactory requestFactory, String grantType) {
super(tokenServices, clientDetailsService, requestFactory, grantType);
this.authenticationManager = authenticationManager;
}
@Override
protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
Map<String, String> parameters = new LinkedHashMap(tokenRequest.getRequestParameters());
String mobile = parameters.get("mobile");
Authentication userAuth = new SmsCodeAuthenticationToken(mobile);
((AbstractAuthenticationToken)userAuth).setDetails(parameters);
try {
userAuth = this.authenticationManager.authenticate(userAuth);
} catch (AccountStatusException ex) {
throw new InvalidGrantException(ex.getMessage());
} catch (BadCredentialsException ex) {
throw new InvalidGrantException(ex.getMessage());
}
if (userAuth != null && userAuth.isAuthenticated()) {
OAuth2Request storedOAuth2Request = this.getRequestFactory().createOAuth2Request(client, tokenRequest);
return new OAuth2Authentication(storedOAuth2Request, userAuth);
} else {
throw new InvalidGrantException("Could not authenticate mobile: " + mobile);
}
}
}
Inherit the AbstractTokenGranter extended authentication mode sms_code, which needs to be added to Spring and selected by grantType.
Configuration class TokenGranterConfig
Custom authentication underlying logic have been achieved by the previous steps, we need to add to our SMS authentication mode Spring, the main reference org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer#getDefaultTokenGranters()implementation.
/**
*参考实现:org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer#getDefaultTokenGranters()
* @author javadaily
* @date 2020/7/14 8:38
*/
@Configuration
public class TokenGranterConfig {
@Autowired
private ClientDetailsService clientDetailsService;
private TokenGranter tokenGranter;
@Autowired
private TokenStore tokenStore;
@Autowired
TokenEnhancer tokenEnhancer;
@Autowired
private AuthenticationManager authenticationManager;
private AuthorizationServerTokenServices tokenServices;
private boolean reuseRefreshToken = true;
private AuthorizationCodeServices authorizationCodeServices;
@Autowired
private UserDetailsService userDetailsService;
@Bean
public TokenGranter tokenGranter(){
if(null == tokenGranter){
tokenGranter = new TokenGranter() {
private CompositeTokenGranter delegate;
@Override
public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
if(delegate == null){
delegate = new CompositeTokenGranter(getDefaultTokenGranters());
}
return delegate.grant(grantType,tokenRequest);
}
};
}
return tokenGranter;
}
private List<TokenGranter> getDefaultTokenGranters() {
AuthorizationServerTokenServices tokenServices = tokenServices();
AuthorizationCodeServices authorizationCodeServices = authorizationCodeServices();
OAuth2RequestFactory requestFactory = requestFactory();
List<TokenGranter> tokenGranters = new ArrayList();
//授权码模式
tokenGranters.add(new AuthorizationCodeTokenGranter(tokenServices, authorizationCodeServices, clientDetailsService, requestFactory));
//refresh模式
tokenGranters.add(new RefreshTokenGranter(tokenServices, clientDetailsService, requestFactory));
//简化模式
ImplicitTokenGranter implicit = new ImplicitTokenGranter(tokenServices, clientDetailsService, requestFactory);
tokenGranters.add(implicit);
//客户端模式
tokenGranters.add(new ClientCredentialsTokenGranter(tokenServices, clientDetailsService, requestFactory));
if (authenticationManager != null) {
//密码模式
tokenGranters.add(new ResourceOwnerPasswordTokenGranter(authenticationManager, tokenServices, clientDetailsService, requestFactory));
//短信验证码模式
tokenGranters.add(new SmsCodeTokenGranter(authenticationManager, tokenServices, clientDetailsService, requestFactory));
}
return tokenGranters;
}
private AuthorizationServerTokenServices tokenServices() {
if (tokenServices != null) {
return tokenServices;
}
this.tokenServices = createDefaultTokenServices();
return tokenServices;
}
private AuthorizationServerTokenServices createDefaultTokenServices() {
DefaultTokenServices tokenServices = new DefaultTokenServices();
tokenServices.setTokenStore(tokenStore);
tokenServices.setSupportRefreshToken(true);
tokenServices.setReuseRefreshToken(reuseRefreshToken);
tokenServices.setClientDetailsService(clientDetailsService);
tokenServices.setTokenEnhancer(tokenEnhancer);
addUserDetailsService(tokenServices, this.userDetailsService);
return tokenServices;
}
/**
* 添加预身份验证
* @param tokenServices
* @param userDetailsService
*/
private void addUserDetailsService(DefaultTokenServices tokenServices, UserDetailsService userDetailsService) {
if (userDetailsService != null) {
PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
provider.setPreAuthenticatedUserDetailsService(new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(userDetailsService));
tokenServices.setAuthenticationManager(new ProviderManager(Arrays.<AuthenticationProvider>asList(provider)));
}
}
/**
* OAuth2RequestFactory的默认实现,它初始化参数映射中的字段,
* 验证授权类型(grant_type)和范围(scope),并使用客户端的默认值填充范围(scope)(如果缺少这些值)。
*/
private OAuth2RequestFactory requestFactory() {
return new DefaultOAuth2RequestFactory(clientDetailsService);
}
/**
* 授权码API
* @return
*/
private AuthorizationCodeServices authorizationCodeServices() {
if (this.authorizationCodeServices == null) {
this.authorizationCodeServices = new InMemoryAuthorizationCodeServices();
}
return this.authorizationCodeServices;
}
}
Modify the authentication server configuration AuthorizationServerConfig
In the above TokenGranterConfig has been created AuthorizationServerTokenServices, so we can delete tokenServices function AuthorizationServerConfig, and then in the process of configure(AuthorizationServerEndpointsConfigurer endpoints)implantation tokenGrantercan be
@Configuration
@EnableAuthorizationServer
@RequiredArgsConstructor(onConstructor = @__(@Autowired))
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
private TokenGranter tokenGranter;
...
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenGranter(tokenGranter);
}
...
}
test
-
Through the debug mode in the normal test, you can see that SmsCodeTokenGranter has been added to Spring, and the jwt token can be returned normally.
-
Enter the wrong phone number for verification
-
Enter the wrong SMS verification code for authentication
This article is the 20th article in the SpringCloud alibaba actual combat series. If you are interested in the previous articles, you can check out http://javadaily.cn/tags/SpringCloud !
If this article is helpful to you, don't forget to give me three links: like, forward, and comment.
See you next time!
Favorite equal to the white prostitute , thumbs up is the truth!
Here is a small gift for everyone, follow the official account, enter the following code, you can get the Baidu network disk address, no routines!
001: "A must-read book for programmers"
002: "Building back-end service architecture and operation and maintenance architecture for small and medium-sized Internet companies from scratch"
003: "High Concurrency Solutions for Internet Enterprises"
004: "Internet Architecture Teaching Video"
006: " SpringBoot Realization of
Ordering System" 007: "SpringSecurity actual combat video"
008: "Hadoop actual combat teaching video"
009: "Tencent 2019 Techo Developer Conference PPT"
010: WeChat exchange group