Spring Security in Practice (9): Using Spring Security OAuth for OAuth Integration

1. Introduction to OAuth2.0

OAuth 2.0 is an authorization protocol that lets users grant third-party applications access to protected resources on their behalf, such as personal information or photos, without sharing their credentials with those applications. OAuth 2.0 builds on OAuth 1.0 with a simpler flow and broader support, which has made it a widely used authorization protocol.

The core of OAuth 2.0 is the authorization server and the resource server. The authorization server is the service through which users authorize third-party applications to access their resources; the resource server is the service provider that stores the resources, such as a cloud storage or social media site. OAuth 2.0 defines four grant types: authorization code, implicit, resource owner password credentials, and client credentials. Each grant type has its own use cases and security considerations.

OAuth 2.0 has been widely adopted by social media sites, email services, cloud storage and many other applications to give users convenient authorization and secure access control.

OAuth 2.0 defines four grant types: authorization code, implicit, resource owner password credentials, and client credentials.

(1) Authorization Code Grant

This grant type is the most secure of the four and suits clients that need long-term access to the user's protected resources. The process is as follows:

  • The client requests authorization from the authorization server, which redirects the user to the login page.
  • The user enters a username and password; after a successful login, the authorization server redirects the user back to the client with an authorization code.
  • The client presents the authorization code to the authorization server to request an access token.
  • The authorization server verifies the authorization code and issues an access token and a refresh token to the client.

(2) Implicit Grant

This grant type suits clients that need access to the user's protected resources only for a short period. The process is as follows:

  • The client requests authorization from the authorization server, which redirects the user to the login page.
  • The user enters a username and password; after a successful login, the authorization server returns the access token directly to the client, with no authorization code step.

(3) Resource Owner Password Credentials Grant (password authorization)

This grant type is suitable where a strong trust relationship exists between the user and the client, so that the client can safely handle the user's credentials. The process is as follows:

  • The client requests an access token from the authorization server using the user's credentials.
  • The authorization server validates the user credentials and issues an access token and a refresh token to the client.

(4) Client Credentials Grant

This grant type suits situations where the client needs to access resources it owns itself, rather than a user's resources. The process is as follows:

  • The client requests an access token from the authorization server using its own credentials.
  • The authorization server verifies the client credentials and issues an access token to the client.

Each of these four grant types has its own advantages and disadvantages; choose the one that fits the client's actual trust relationship and deployment situation.

2. Introduction to Spring Security OAuth

Spring Security OAuth is an extension of the Spring Security framework that provides support for OAuth authentication and authorization. OAuth is an open-standard authorization protocol that allows users to authorize third-party applications to access their resources without sharing their credentials (username and password).

Spring Security OAuth is a framework focused on OAuth authentication, and it fully covers the three modules of client, resource service and authentication service.

  • The client module provides an OAuth client implementation that interacts with an OAuth authentication server to obtain an access token.
  • The resource service module protects OAuth-protected resources: it validates the access token carried in a request and checks the token's validity and authority.
  • The authentication service module provides an OAuth authentication server implementation that processes OAuth authentication requests and issues access tokens to clients.

The OAuth client support is integrated into Spring Security itself and consists of three submodules:

  1. spring-security-oauth2-core: the core OAuth2 functionality, including the OAuth2 authorization and token request flows.

  2. spring-security-oauth2-client: the OAuth2 client implementation, which interacts with the OAuth2 authentication server to obtain an access token.

  3. spring-security-oauth2-jose: This submodule provides support for JSON Web Tokens (JWT), which can be used as an alternative to OAuth2 access tokens.

3. Using Spring Security OAuth to implement GitHub quick login

(1) Create the project

Create a new Spring Boot 2.0 project with the following dependencies in the pom:

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-oauth2-client</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-oauth2-jose</artifactId>
        </dependency>
    </dependencies>

(2) Register an OAuth application

Register a new OAuth application on the GitHub website (the New OAuth Application page on github.com).

Click the Register application button to obtain the clientId and clientSecret.

When the user logs in to GitHub through the browser and, on the approval page, authorizes the registered client to access their user data, GitHub passes the authorization code (the code parameter) to the client application through a redirect.

The default redirect URI template of Spring Security OAuth is {baseUrl}/login/oauth2/code/{registrationId}. The registrationId is the unique ID of the ClientRegistration and is usually the abbreviation of the OAuth service provider being connected, so here it is set to github.

(3) Configure application.yml

Add the corresponding configuration to the configuration file; client-id and client-secret are the values just obtained on GitHub.
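An example application.yml for this step, added here and not taken from the original post. It assumes the client ID and secret are supplied through the environment variables GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET (assumed names) so that the secret is never committed with the source; the registration key github is what the callback path /login/oauth2/code/github is derived from.

```yaml
spring:
  security:
    oauth2:
      client:
        registration:
          # The map key is the registrationId used in the redirect URI:
          # {baseUrl}/login/oauth2/code/github
          github:
            # Placeholders resolved from environment variables (assumed names).
            # Avoid the weak form  client-secret: "abc123..."  which ends up in git history.
            client-id: ${GITHUB_CLIENT_ID}
            client-secret: ${GITHUB_CLIENT_SECRET}
            # Scope actually needed by the sample; "read:user" is also the default
            # Spring Security applies for the built-in github provider.
            scope: read:user
```

Because github is a provider known to Spring Security, no provider block (authorization-uri, token-uri, user-info-uri) is needed.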

(4) Create the Controller

The Principal parameter is injected automatically by the Spring framework and represents the currently logged-in user:

    import java.security.Principal;

    import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    public class SimpleController {

        // After an OAuth2 login the injected Principal is an OAuth2AuthenticationToken;
        // the attributes of its OAuth2User are the fields returned by GitHub's user API.
        @GetMapping("/hello")
        public String hello(Principal principal) {
            String username = (String) ((OAuth2AuthenticationToken) principal)
                    .getPrincipal().getAttributes().get("login"); // GitHub login name
            return "hello, " + username;
        }
    }

(5) Demonstration

Start the new OAuth project and visit: http://localhost:8080/hello

Click the Authorize zy19970116 button to allow the OAuth client application to access the GitHub user data. The client application then calls GitHub's user data interface and creates an authentication object, and the browser is finally redirected back to the original address, http://localhost:8080/hello, which prints the string "hello,XXX".

Summary:

GitHub plays the role of the OAuth service provider: it implements the OAuth 2.0 authorization flow and lets third-party applications communicate with GitHub over OAuth 2.0 to obtain user authorization information and resources.


Source: blog.csdn.net/weixin_49561506/article/details/130363376