Social Media Login: Reading the Spring Social Source Code

In the previous article we introduced the OAuth2 authorization standard and focused on the OAuth2 authorization code mode. At present most social media platforms open their interfaces (login authentication and user information interfaces) using the OAuth2 authorization code mode. But we also saw that OAuth2 has a certain complexity; writing all of the code ourselves would be a fair amount of work. So we can use Spring Social, which wraps the OAuth2 standard in a complete, friendly package.
In this article we read through the Spring Social source code, so that when we later develop login authentication against a third-party media platform, the process is clearer.

1. Spring Social source code from a structural angle

Spring Social is a Spring library that helps us connect to social media platforms and makes it easy to develop third-party login authentication and similar functions in our own applications. Its core classes and interfaces are shown below; we go through each one.

First, a brief review of OAuth2. OAuth2 consists mainly of two parts: authentication and authorization.

  • Authentication is the process in which the user grants authorization, we obtain the authorization code, and finally exchange it for an AccessToken. This is the standard OAuth2 authentication process; all platforms follow it and it can be considered consistent.
  • Authorization is the process of carrying the AccessToken to call the social media platform's API interfaces. Of course, different platforms have different users and different services, so the interfaces they provide are not the same.

If you are not very familiar with this part, look back at my last article first. Please read the following picture together with the text after it.

1.1. OAuth2 authentication source

First, implementing OAuth2 login authentication involves multiple requests and responses between the application we develop and the social media platform. So we need a class that encapsulates the OAuth2-specific HTTP handling; this is arguably the most important job. Spring Social provides the OAuth2Operations interface for it, with OAuth2Template as the default implementation; depending on how a platform deviates from the standard we may need to fine-tune it ourselves. All interaction with the OAuth2 authentication server during the authentication process is done by OAuth2Operations, which finally returns an AccessToken to us.

For developers it is enough to tell OAuth2Operations the values of the four properties above. As long as the service provider developed its OAuth2 authentication service strictly to the standard, we do not need to handle the rest of the interaction with the authentication server.

1.2. Authorization and API resources

Once we have the AccessToken, we have permission to request resources from the OAuth2 resource server. Since the user interfaces and services provided by the various social media platforms are completely different, we use RestTemplate, a generic tool for handling HTTP requests and responses. As the figure shows, RestTemplate itself decides, according to the environment, which library handles the various data formats such as JSON and XML.

Since each platform's service interfaces differ, we naturally want to develop a custom API implementation, APIImpl, for each one. We then need a unified parent class that holds both the accessToken and the RestTemplate, so that our custom interface can obtain and use them through inheritance. This unified parent class is AbstractOAuth2ApiBinding. It also handles carrying the HTTP request parameters and deserializing the response into objects, among other work.

So far we have OAuth2Operations and the custom interface APIImpl: one responsible for the request/response of the authentication process, the other for the request/response of resource access. Together they are packaged as a ServiceProvider, the unified service provider.
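The ServiceProvider built from these two halves, as an added example that is not code from this post or from Spring Social itself. It assumes a hypothetical provider: the names DemoApi, DemoApiImpl, DemoServiceProvider and AuthCodeFlow and the example.com URLs are invented, and the four values handed to OAuth2Template are its constructor arguments (clientId, clientSecret, authorizeUrl, accessTokenUrl).

```java
import java.util.Map;
import org.springframework.social.oauth2.AbstractOAuth2ApiBinding;
import org.springframework.social.oauth2.AbstractOAuth2ServiceProvider;
import org.springframework.social.oauth2.AccessGrant;
import org.springframework.social.oauth2.GrantType;
import org.springframework.social.oauth2.OAuth2Parameters;
import org.springframework.social.oauth2.OAuth2Template;
import org.springframework.social.oauth2.TokenStrategy;

// Provider API our application calls (section 1.2); endpoint and shape are assumed.
interface DemoApi { Map<String, Object> getUserProfile(); }

// Custom APIImpl: inherits the RestTemplate that already carries the AccessToken.
class DemoApiImpl extends AbstractOAuth2ApiBinding implements DemoApi {
    private static final String PROFILE_URL = "https://api.example.com/user"; // hypothetical
    DemoApiImpl(String accessToken) {
        // Send the token as "Authorization: Bearer ..." rather than as a query
        // parameter, where it would end up in access logs and Referer headers.
        super(accessToken, TokenStrategy.AUTHORIZATION_HEADER);
    }
    @Override @SuppressWarnings("unchecked")
    public Map<String, Object> getUserProfile() {
        return getRestTemplate().getForObject(PROFILE_URL, Map.class);
    }
}

// ServiceProvider: bundles OAuth2Operations (section 1.1) with the API binding.
class DemoServiceProvider extends AbstractOAuth2ServiceProvider<DemoApi> {
    DemoServiceProvider(String clientId, String clientSecret) {
        // The four values OAuth2Template needs; both URLs are hypothetical.
        super(new OAuth2Template(clientId, clientSecret,
                "https://auth.example.com/oauth/authorize",
                "https://auth.example.com/oauth/token"));
    }
    @Override
    public DemoApi getApi(String accessToken) { return new DemoApiImpl(accessToken); }
}

// The section 1.1 interaction driven by hand, to show what OAuth2Operations does:
// step 1 builds the redirect to authorizeUrl, step 2 trades the returned code
// for an AccessGrant (the AccessToken plus optional refresh token and expiry).
class AuthCodeFlow {
    static String step1AuthorizeUrl(DemoServiceProvider p, String callback, String state) {
        OAuth2Parameters params = new OAuth2Parameters();
        params.setRedirectUri(callback);
        params.setState(state); // unguessable per-session value; verify it on the callback
        return p.getOAuthOperations().buildAuthorizeUrl(GrantType.AUTHORIZATION_CODE, params);
    }
    static AccessGrant step2Exchange(DemoServiceProvider p, String code, String callback) {
        return p.getOAuthOperations().exchangeForAccess(code, callback, null);
    }
}
```

Spring Social's filter performs the two AuthCodeFlow steps for you (section 2 below); they are written out here only to make the OAuth2Operations contract visible.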

1.3. Determining the user relationship

By implementing the interfaces in the code above, the HTTP interaction between our own application and the social media platform (the service provider) is fully supported. But developing social media login has another very important step: determining the relationship between the user information returned by the social media platform and the users of our own application. We represent this relationship with a database table, and it must be exactly this table (it is Spring Social specific and can be found in the spring-social-core package):

-- Schema shipped with spring-social-core; column comments added here for orientation.
create table UserConnection (
    userId varchar(255) not null,        -- user id in our own application
    providerId varchar(255) not null,    -- service provider id, e.g. "github"
    providerUserId varchar(255),         -- the user's id at the service provider
    rank int not null,                   -- order among several connections to one provider
    displayName varchar(255),
    profileUrl varchar(512),
    imageUrl varchar(512),
    accessToken varchar(512) not null,   -- encrypted by the TextEncryptor given to the repository
    secret varchar(512),                 -- OAuth1 token secret; unused for OAuth2
    refreshToken varchar(512),
    expireTime bigint,                   -- AccessToken expiry, epoch milliseconds
    primary key (userId, providerId, providerUserId));
create unique index UserConnectionRank on UserConnection(userId, providerId, rank);

The three most important columns in this table are userId (the unique identifier of the user in our own application), providerId (the unique identifier of the service provider, i.e. the social media platform) and providerUserId (the unique identifier of the user at the service provider). These three columns express the relationship between a user of our application and a user of the service provider, and so decide whether the provider's user may log in to our application via OAuth2 authentication. (The rows in this table are added by registration or binding operations; they have nothing to do with the authentication and authorization process.)

  • Through the interfaces in section 1.2 we can obtain the social media user's data, User, but as we said, the structure of this User is completely different on each service provider's platform. Spring Social recognizes only one user data structure: Connection (OAuth2Connection). So we need an ApiAdapter to adapt the two. ApiAdapter is an interface whose contents we must implement ourselves.
  • Now we hold the service provider's user information in the form Spring Social understands, a Connection, and use that Connection to load the userId (the user id on our own platform). If a userId can be loaded (it is not null), login verification has succeeded.

1.4. Local application authorization

By implementing the interfaces in the code above we obtain the userId, the unique identifier of the user in our own application, which means logging in to our application with a social media user has succeeded. But one problem remains: logging in successfully does not mean you may access every resource in the local application. So we look up the current user by userId and grant them authorities.

In our earlier username and password login example this was done by implementing the UserDetailsService and UserDetails interfaces. For social media login the interfaces to implement are SocialUserDetailsService and SocialUserDetails. The principle is the same: use the user's unique identifier, userId, to load that user's roles and authorities. At this point Spring Security knows the user's authorities and can control access effectively.
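The ApiAdapter from section 1.3 and the SocialUserDetailsService from section 1.4 implemented together, as an added example that is not code from this post or from Spring Social. The DemoApi interface, the GitHub-style field names (id, login, html_url, avatar_url) and the in-memory user lookup are assumptions standing in for a real provider and a real user table.

```java
import java.util.Collections;
import java.util.Map;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.social.connect.ApiAdapter;
import org.springframework.social.connect.ConnectionValues;
import org.springframework.social.connect.UserProfile;
import org.springframework.social.connect.UserProfileBuilder;
import org.springframework.social.security.SocialUser;
import org.springframework.social.security.SocialUserDetails;
import org.springframework.social.security.SocialUserDetailsService;

// Provider API from section 1.2 (assumed: one call returning the raw JSON as a map).
interface DemoApi { Map<String, Object> getUserProfile(); }

// ApiAdapter (section 1.3): adapts the provider's user data to Spring Social's
// Connection. Field names (id, login, ...) are assumed, GitHub-style.
class DemoApiAdapter implements ApiAdapter<DemoApi> {
    @Override
    public boolean test(DemoApi api) {
        try { api.getUserProfile(); return true; }
        catch (RuntimeException e) { return false; } // revoked or expired token
    }
    @Override
    public void setConnectionValues(DemoApi api, ConnectionValues values) {
        Map<String, Object> p = api.getUserProfile();
        // providerUserId plus providerId identify the UserConnection row, so it
        // must be the provider's immutable id, never a login name the user can change.
        values.setProviderUserId(String.valueOf(p.get("id")));
        values.setDisplayName((String) p.get("login"));
        values.setProfileUrl((String) p.get("html_url"));
        values.setImageUrl((String) p.get("avatar_url"));
    }
    @Override
    public UserProfile fetchUserProfile(DemoApi api) {
        return new UserProfileBuilder()
                .setUsername((String) api.getUserProfile().get("login")).build();
    }
    @Override
    public void updateStatus(DemoApi api, String message) { /* not supported */ }
}

// SocialUserDetailsService (section 1.4): load the local user's authorities by the
// userId that the Connection resolved; the hard-coded lookup is a stand-in.
class DemoSocialUserDetailsService implements SocialUserDetailsService {
    @Override
    public SocialUserDetails loadUserByUserId(String userId) {
        if (!"alice".equals(userId)) throw new UsernameNotFoundException(userId);
        return new SocialUser(userId, "", // no local password for a social login
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
    }
}
```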

2. Spring Social source code from a flow angle

Spring Social's auto-configuration adds a SocialAuthenticationFilter to the filter chain; this filter intercepts social media login requests.

The address of the social media login request intercepted by SocialAuthenticationFilter is {filterProcessesUrl}/{providerId}. The default value of filterProcessesUrl is "/auth", so if your (custom) service provider providerId is github, the address your social login button requests should be "/auth/github". Both values can of course be changed.

Note that in Spring Social, {filterProcessesUrl}/{providerId} is both the authentication request address and the service provider's callback address. When the user clicks the "Log in with GitHub" button, the request to /{filterProcessesUrl}/{providerId} is intercepted; the user is not yet authenticated, so the browser is redirected to GitHub's authorization page (authorizeUrl). The user enters their credentials and grants authorization, the browser is redirected back to the local application, again to /{filterProcessesUrl}/{providerId}, and the request is intercepted once more.

First it checks whether the user has authorized the third-party platform to share their user information; if not, an exception is thrown directly. If the user has authorized, the series of OAuth2 request/response steps is carried out: obtaining the authorization code, the AccessToken and the Connection user information. This process is defined in the code of OAuth2AuthenticationService.

The authorization step in doAuthentication refers to the content of sections 1.3 and 1.4. If authorization fails (the social platform user has no corresponding user in the local application), the request is redirected to signUpUrl, which performs the registration business logic that binds the user relationship.
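Changing the two values this section names, filterProcessesUrl and signUpUrl, as an added example that is not code from this post or from Spring Social. It assumes Spring Security's Java configuration with spring-social-security on the classpath; the names DemoSocialConfigurer and DemoSecurityConfig and the paths /social-login and /signup are invented.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.social.security.SocialAuthenticationFilter;
import org.springframework.social.security.SpringSocialConfigurer;

// SpringSocialConfigurer builds the SocialAuthenticationFilter and hands it to
// postProcess(), which is the hook for changing its intercept prefix (default "/auth").
class DemoSocialConfigurer extends SpringSocialConfigurer {
    @Override
    @SuppressWarnings("unchecked")
    protected <T> T postProcess(T object) {
        SocialAuthenticationFilter filter = (SocialAuthenticationFilter) super.postProcess(object);
        // Login request and provider callback both become /social-login/{providerId}.
        filter.setFilterProcessesUrl("/social-login");
        return (T) filter;
    }
}

@Configuration
class DemoSecurityConfig extends WebSecurityConfigurerAdapter {
    @Bean
    public SpringSocialConfigurer socialConfigurer() {
        DemoSocialConfigurer configurer = new DemoSocialConfigurer();
        // Reached when doAuthentication finds no UserConnection row for the provider user.
        configurer.signupUrl("/signup");
        return configurer;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.apply(socialConfigurer())
            .and()
            .authorizeRequests()
                // The filter's own path and the sign-up page must be reachable anonymously;
                // everything else still requires an authenticated user.
                .antMatchers("/social-login/**", "/signup").permitAll()
                .anyRequest().authenticated();
    }
}
```

The redirect URI registered with the provider must then be the same {filterProcessesUrl}/{providerId} path, since the filter serves as both the login entry point and the callback.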

Note: Spring Social's OAuth2 authentication process is implemented using the session (see the sessionStrategy code in the figure above). So if your application is stateless, Spring Social needs a certain degree of adaptation, but I have never done that. The approach is simple: either use the session to develop a stateful application and move the session state into Redis for centralized management, or, before developing a stateless application, decide whether it needs social media login at all, as with a corporate intranet application.

Look forward to your attention

Origin www.cnblogs.com/zimug/p/12014587.html