11月8日,Spring官方强烈推荐使用SpringAuthorizationServer来替代过时的SpringSecurityOAuth2.0。距离SpringSecurityOAuth2.0的生命周期结束还有半年时间。是时候做出改变了。目前SpringAuthorizationServer已经进入生产就绪阶段。今天跟着胖哥的节奏搞一下SpringAuthorizationServer授权服务器框架。目前的SpringSecurity系统在目前的SpringSecurity5.x中模块化了OAuth2.0Client和OAuth2.0ResourceServer。必须引入SpringSecurity。org.springframework.bootspring-boot-starter-security如果要添加OAuth2.0Client支持,可以引入:org.springframework.bootspring-boot-starter-oauth2-client如果需要OAuth2.0ResourceServer支持,可以引入:org.springframework.bootspring-boot-oauth2-resource-server现在如果要添加OAuth2.0AuthorizationServer支持,可以添加如下依赖项:org.springframework.securityspring-security-oauth2-authorization-server0.2.0至此,OAuth2.0的三大模块都激活了SpringAuthorizationServer。我们的重点仍然放在Spring授权服务器上。目前,该项目已具备投产准备。经过几天的研究,做了一个简单的DEMO,帮助想学习框架的同学理解。DEMO流程本DEMO将演示OAuth2.0的授权码模式(authorization_code)。这里有两个项目;oauth2-client项目,顾名思义,作为一个OAuth2.0Client,向授权服务器发起请求授权。oauth2-server项目,基于SpringAuthorizationServer构建的授权服务器,提供授权服务。用户首先通过/oauth2/authorization/{registrationId}端点向oauth2-client发起请求:GET/oauth2/authorization/felordHTTP/1.1Host:127.0.0.1:8080被OAuth2AuthorizationRequestRedirectFilter拦截并组装成如下请求链接到授权服务器oauth2-server发起授权码授权:GET/oauth2/authorize?response_type=code&client_id=felord-client&scope=message.read%20message.write&state=0CI0ziUDEnqMgqW0nzRNRCzLrs-9IMHTTPbqJzGZ47Zb0gY%3D&redirect_uri=http://127.0.0.0.1:81.1Host:localhost:9000授权服务器oauth2-server拦截请求后,会先检查当前发起请求的用户是否通过认证。如果没有认证,则抛出401,跳转到授权服务器的登录页面,然后用户进行登录:POST/loginHTTP/1.1Host:localhost:9000Content-Type:application/x-www-form-urlencodedusername=felord&password=password&_csrf=301a7baf-9e9a-4b17-acd4-613c809bf7f5登录成功后做了302重定向,继续执行/oauth2/authorize授权请求。Atthistime,itwilljudgewhethertheauthorizationrequestneedstobeconfirmedbytheuser.InthisDEMO,theuserauthorizationneedstobeconfirmedtwice,anditwilljumptothefollowingpage:Afteragreeingtotheauthorization,theauthorizationserverwillcallredirect_uriandcarryacodeandstatetooauth2-client发起请求:GET/foo/bar?code=MCSJnvhXNyjilBaCyw1sCrrArWk1bzsEdxe5Z3EFbkdLwp8ASmum62n4M7Tz45VNpp_16IWboBnXlgG3LEfgN7MQqkf0-vVZufGrQpvRioRcBbesAiawMt4cspTk06ca&state=-fRunxjpG0aziPXnfcW1Iw1Fy_5_NwlUAgxABPOfAb8=HTTP/1.1Host:127.0.0.1:8080oauth2-client的OAuth2AuthorizationCodeGrantFilter拦截到redirect_uri后向授权服务器发起/oauth2/token请求:POST/oauth2/token?grant_type=authorization_code&code=MCSJnvhXNyjilBaCyw1sCrrArWk1bzsEdxe5Z3EFbkdLwp8ASmum62n4M7Tz45VNpp_16IWboBnXlgG3LEfgN7MQqkf0-vVZufGrQpvRioRcBbesAiawMt4cspTk06ca&redirect_uri=https://127.0.0.1:8080/foo/barHTTP/1.1Host:localhost:9000Authorization:BasicbWVzc2FnaW5nLWNsaWVudDpzZWNyZXQ=这里采用的认证方式是client-authentication-method:client_secret_basicFordetails,seetheOAuth2.0protocol.TheauthorizationserverreturnstheTokentotheclient,completestherequest,andauthenticatestheclientinformationasfollows:Atthispoint,theentireauthorizationcodeprocessbasedontheSpringAuthorizationServeriscompleted.ForthecompleteDEMO,pleasepayattentiontoGZH:Xiaopang,acodefarmer,repliedtooauthservertogetit.Originalityisnoteasy,pleaselike,repost,andwatchagain.Moredetailswillfollowuplater.关注公众号:Felordcn获取更多资讯个人博客:https://felord.cn
