oauth2.0授权码模式详解

虚幻大学 xuhss 469℃ 0评论

Python微信订餐小程序课程视频

https://edu.csdn.net/course/detail/36074

Python实战量化交易理财系统

https://edu.csdn.net/course/detail/35475

oauth2.0授权码模式

欢迎关注博主公众号「Java大师」, 专注于分享Java领域干货文章http://www.javaman.cn/sb2/oauth-code

授权码(authorization code)方式,指的是第三方应用先申请一个授权码,然后再用该码获取令牌。

这种方式是最常用的流程,安全性也最高,它适用于那些有后端的 Web 应用。授权码通过前端传送,令牌则是储存在后端,而且所有与资源服务器的通信都在后端完成。这样的前后端分离,可以避免令牌泄漏。

1、授权码模式流程

第一步,A 网站提供一个链接,用户点击后就会跳转到 B 网站,授权用户数据给 A 网站使用。下面就是 A 网站跳转 B 网站的一个示意链接。

https://b.com/oauth/authorize?
  response_type=code&
  client_id=CLIENT\_ID&
  redirect_uri=CALLBACK\_URL&
  scope=read

上面 URL 中,response_type参数表示要求返回授权码(code),client_id参数让 B 知道是谁在请求,redirect_uri参数是 B 接受或拒绝请求后的跳转网址,scope参数表示要求的授权范围(这里是只读)。

d7c5ab15a07019508a73ebe218ccfbce - oauth2.0授权码模式详解

第二步,用户跳转后,B 网站会要求用户登录,然后询问是否同意给予 A 网站授权。用户表示同意,这时 B 网站就会跳回redirect_uri参数指定的网址。跳转时,会传回一个授权码,就像下面这样。

https://a.com/callback?code=AUTHORIZATION_CODE

上面 URL 中,code参数就是授权码。

b234c1ba1c73660794b92571d08c7952 - oauth2.0授权码模式详解

第三步,A 网站拿到授权码以后,就可以在后端,向 B 网站请求令牌。

https://b.com/oauth/token?
 client_id=CLIENT\_ID&
 client_secret=CLIENT\_SECRET&
 grant_type=authorization_code&
 code=AUTHORIZATION_CODE&
 redirect_uri=CALLBACK\_URL

上面 URL 中,client_id参数和client_secret参数用来让 B 确认 A 的身份(client_secret参数是保密的,因此只能在后端发请求),grant_type参数的值是AUTHORIZATION_CODE,表示采用的授权方式是授权码,code参数是上一步拿到的授权码,redirect_uri参数是令牌颁发后的回调网址。

4e2eb9d2272f5577ef390be19b26496a - oauth2.0授权码模式详解

第四步,B 网站收到请求以后,就会颁发令牌。具体做法是向redirect_uri指定的网址,发送一段 JSON 数据。

{    
  "access\_token":"ACCESS\_TOKEN",
  "token\_type":"bearer",
  "expires\_in":2592000,
  "refresh\_token":"REFRESH\_TOKEN",
  "scope":"read",
  "uid":100101,
  "info":{...}
}

上面 JSON 数据中,access_token字段就是令牌,A 网站在后端拿到了。

58f2d57ce072ef893626433060eb6ec8 - oauth2.0授权码模式详解

2、授权码模式实现代码

2.1 创建pom.xml

xml version="1.0" encoding="UTF-8"?
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0modelVersion>
    <parent>
        <groupId>org.springframework.bootgroupId>
        <artifactId>spring-boot-starter-parentartifactId>
        <version>2.2.6.RELEASEversion>
        <relativePath/> 
    parent>
    <groupId>com.dashigroupId>
    <artifactId>springsecurity-oauthartifactId>
    <version>0.0.1-SNAPSHOTversion>
    <name>springsecurity-oauthname>
    <description>Demo project for Spring Bootdescription>
    <properties>
        <java.version>1.8java.version>
        <spring-cloud.version>Greenwich.SR5spring-cloud.version>
    properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloudgroupId>
            <artifactId>spring-cloud-starter-oauth2artifactId>
        dependency>

        <dependency>
            <groupId>org.springframework.cloudgroupId>
            <artifactId>spring-cloud-starter-securityartifactId>
        dependency>

        <dependency>
            <groupId>org.springframework.bootgroupId>
            <artifactId>spring-boot-starterartifactId>
        dependency>

        <dependency>
            <groupId>org.springframework.bootgroupId>
            <artifactId>spring-boot-starter-webartifactId>
        dependency>

        <dependency>
            <groupId>org.springframework.bootgroupId>
            <artifactId>spring-boot-starter-testartifactId>
            <scope>testscope>
        dependency>
    dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.bootgroupId>
                <artifactId>spring-boot-maven-pluginartifactId>
            plugin>
        plugins>
    build>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloudgroupId>
                <artifactId>spring-cloud-dependenciesartifactId>
                <version>${spring-cloud.version}version>
                <type>pomtype>
                <scope>importscope>
            dependency>
        dependencies>
    dependencyManagement>

project>

2.2 创建springsecurity配置文件

package com.dashi.springsecurityoauth.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder(){
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .authorizeRequests()
                .antMatchers("/oauth/**","/login/**","/logout/**")
                .permitAll()
                .anyRequest()
                .authenticated()
                .and()
                .formLogin()
                .permitAll();
    }
}

2.3 创建UserService实现UserDetailService接口

package com.dashi.springsecurityoauth.model;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import java.util.Collection;
import java.util.List;

public class User implements UserDetails {
    private String username;
    private String password;
    private List authorities;

 public User(String username, String password, List authorities) {
 this.username = username;
 this.password = password;
 this.authorities = authorities;
 }

 @Override
 public Collection <span class="hljs-keyword"extends GrantedAuthority> getAuthorities() {
 return this.authorities;
 }

 @Override
 public String getPassword() {
 return this.password;
 }

 @Override
 public String getUsername() {
 return this.username;
 }

 @Override
 public boolean isAccountNonExpired() {
 return true;
 }

 @Override
 public boolean isAccountNonLocked() {
 return true;
 }

 @Override
 public boolean isCredentialsNonExpired() {
 return true;
 }

 @Override
 public boolean isEnabled() {
 return true;
 }
}

2.4 创建认证服务

package com.dashi.springsecurityoauth.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("admin")
                .secret(passwordEncoder.encode("654321"))
                .accessTokenValiditySeconds(3600)
                .redirectUris("http://www.baidu.com")
                .scopes("all")
                //配置grant\_type,表示授权码授权
                .authorizedGrantTypes("authorization\_code");
    }
}

2.5 创建资源服务

package com.dashi.springsecurityoauth.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest()
                .authenticated()
                .and()
                .requestMatchers()
                //以/user开头的地址根据token访问资源
                .antMatchers("/user/**");
    }
}

2.6启动服务访问地址

http://localhost:8080/oauth/authorize?response_type=code&client_id=admin&redirect_uri=http://www.baidu.com&scope=all

2.7上一步连接跳转到输入用户名和地址

watermark,type d3F5LXplbmhlaQ,shadow 50,text Q1NETiBAa2V0dGxl5pWZ56iL5a2m5Lmg,size 20,color FFFFFF,t 70,g se,x 16#pic center - oauth2.0授权码模式详解
watermark,type d3F5LXplbmhlaQ,shadow 50,text Q1NETiBAa2V0dGxl5pWZ56iL5a2m5Lmg,size 20,color FFFFFF,t 70,g se,x 16#pic center - oauth2.0授权码模式详解

2.8 点击允许受访问的资源,跳转到授权网站(http://www.baidu.com),获取授权码

watermark,type d3F5LXplbmhlaQ,shadow 50,text Q1NETiBAa2V0dGxl5pWZ56iL5a2m5Lmg,size 20,color FFFFFF,t 70,g se,x 16#pic center - oauth2.0授权码模式详解

2.9 打开postman,填入下面内容获取token
watermark,type d3F5LXplbmhlaQ,shadow 50,text Q1NETiBAa2V0dGxl5pWZ56iL5a2m5Lmg,size 20,color FFFFFF,t 70,g se,x 16#pic center - oauth2.0授权码模式详解

watermark,type d3F5LXplbmhlaQ,shadow 50,text Q1NETiBAa2V0dGxl5pWZ56iL5a2m5Lmg,size 20,color FFFFFF,t 70,g se,x 16#pic center - oauth2.0授权码模式详解

2.10 通过token访问授保护的资源
watermark,type d3F5LXplbmhlaQ,shadow 50,text Q1NETiBAa2V0dGxl5pWZ56iL5a2m5Lmg,size 20,color FFFFFF,t 70,g se,x 16#pic center - oauth2.0授权码模式详解

参考文档:OAuth 2.0 的四种方式 - 阮一峰的网络日志 (ruanyifeng.com)

转载请注明:xuhss » oauth2.0授权码模式详解

喜欢 (0)

您必须 登录 才能发表评论!