Spring Cloud OAuth 2.0实现四种授权方式

àì夳堔傛蜴生んèń 2022-05-14 00:43 156阅读 0赞

基于Spring Boot 2.0.3，Spring Cloud OAuth 2.0实现四种授权方式，实现后的验证交互步骤

--------------------

OAuth 2.0定义了四种授权方式。

1.授权码模式（authorization code）

2.简化模式（implicit）

3.密码模式（resource owner password credentials）

4.客户端模式（client credentials）

# **客户端模式（client credentials）** #

client\_id=unity-client

client\_secret=unity

[http://localhost:8080/oauth/token?grant\_type=client\_credentials&scope=read&client\_id=unity-client&client\_secret=unity][http_localhost_8080_oauth_token_grant_type_client_credentials_scope_read_client_id_unity-client_client_secret_unity]

"access\_token": "32f044cd-48ef-4382-9a77-7ee35bd9a824",

"token\_type": "bearer",

"expires\_in": 41413,

"scope": "read write"

访问资源服务器

http://localhost:8080/api/order/11?access\_token=32f044cd-48ef-4382-9a77-7ee35bd9a824

order id : 11

表oauth\_client\_details 字段 resource\_ids 内容要和资源服务器配置的一样

@Configuration

@EnableResourceServer

@EnableOAuth2Client

public class ResourceServerConfig extends ResourceServerConfigurerAdapter \{

@Override

public void configure(HttpSecurity http) throws Exception \{

http.csrf().disable();

http.requestMatchers().antMatchers("/api/\*\*").and().authorizeRequests().anyRequest().authenticated();

private static final String DEMO\_RESOURCE\_ID = "api";

@Override

public void configure(ResourceServerSecurityConfigurer resources) \{

resources.resourceId(DEMO\_RESOURCE\_ID).stateless(true);

BCryptPasswordEncoder

http://localhost:8080/oauth/token?grant\_type=client\_credentials&scope=read&client\_id=clients&client\_secret=$08$MU/8V8maXM/fldSLnat1Re7VFgE8wd1XxH5q/iSz7CHOQ7RXaHVre

# **授权码模式（authorization code） ** #

http://localhost:8080/oauth/authorize?client\_id=unity-client&response\_type=code&redirect\_uri=http://www.baidu.com

[http://localhost:8080/oauth/authorize?response\_type=code&client\_id=client&redirect\_uri=http://www.baidu.com][http_localhost_8080_oauth_authorize_response_type_code_client_id_client_redirect_uri_http_www.baidu.com]

输入用户的用户，密码

[https://www.baidu.com/?code=uX6fl0][https_www.baidu.com_code_uX6fl0]

根据code换取access\_code，注意使用post方法

[http://localhost:8080/oauth/token?client\_id=client&grant\_type=authorization\_code&redirect\_uri=http://www.baidu.com&code=][http_localhost_8080_oauth_token_client_id_client_grant_type_authorization_code_redirect_uri_http_www.baidu.com_code][uX6fl0][https_www.baidu.com_code_uX6fl0]

注意这个code要和上个步骤中获得的code保持一致

输入客户端的用户，密码

用户名输入client，密码是secret,点击确定

\{"access\_token":"2f695ad8-0e64-478e-a5c4-b13597dc0df2","token\_type":"bearer","refresh\_token":"c67241bd-1c0f-4b9f-bd61-6948b788e12d","expires\_in":43199,"scope":"app"\}

访问资源服务器

http://localhost:8080/api/order/11?access\_token=2f695ad8-0e64-478e-a5c4-b13597dc0df2

order id : 11

[http://localhost:8080/oauth/token?grant\_type=refresh\_token&refresh\_token=c67241bd-1c0f-4b9f-bd61-6948b788e12d][http_localhost_8080_oauth_token_grant_type_refresh_token_refresh_token_c67241bd-1c0f-4b9f-bd61-6948b788e12d]

\{"access\_token":"ec4b4d6c-3dfe-48fe-93b3-e3e335e6637b","token\_type":"bearer","refresh\_token":"c67241bd-1c0f-4b9f-bd61-6948b788e12d","expires\_in":43199,"scope":"app"\}

\{"access\_token":"8be81c35-641f-4997-ac34-ede545ced3d5","token\_type":"bearer","refresh\_token":"c67241bd-1c0f-4b9f-bd61-6948b788e12d","expires\_in":43199,"scope":"app"\}

refresh\_token必须在过期之前调用才能换新的token

只要refresh\_token有效，就可以直接用它来换新的access\_token

# **密码模式（resource owner password credentials）**  #

[http://localhost:8080/oauth/token?grant\_type=password&username=admin&password=123][http_localhost_8080_oauth_token_grant_type_password_username_admin_password_123]

\{"access\_token":"8be81c35-641f-4997-ac34-ede545ced3d5","token\_type":"bearer","refresh\_token":"c67241bd-1c0f-4b9f-bd61-6948b788e12d","expires\_in":42630,"scope":"app"\}

![WEBRESOURCE184869c52c009735ae69f9f8d0cced44][]

![WEBRESOURCE1de0e2cd72e0883b3b6f9ec936f25d98][]

# **简化模式（implicit）** #

该模式直接在浏览器中向认证服务器申请令牌，无需经过client端的服务器，跳过了"授权码"这个步骤，所有步骤在浏览器中完成，直接在回调url中传递令牌。

适合直接在前端应用获取token的应用

步骤跟authorization code类似，只不过少了授权码：

在浏览器向认证服务器请求token

用户登录(如果之前没有登陆的话)

用户授权

授权完直接跳转到redirectUri并在url中携带token

需要开启表单验证

@Override

protected void configure(HttpSecurity http) throws Exception \{

// \[1\]

// http.httpBasic().and().csrf().disable();

// \[2\]

// http.authorizeRequests().anyRequest().authenticated().and().formLogin().and().httpBasic();

http.csrf().disable();

http.requestMatchers().antMatchers("/oauth/\*\*", "/login/\*\*", "/logout/\*\*").and().authorizeRequests()

.antMatchers("/oauth/\*\*").authenticated().and().formLogin().permitAll();

[http://localhost:8080/oauth/authorize?response\_type=token&client\_id=client&redirect\_uri=http://www.baidu.com][http_localhost_8080_oauth_authorize_response_type_token_client_id_client_redirect_uri_http_www.baidu.com]

[https://www.baidu.com/\#access\_token=8be81c35-641f-4997-ac34-ede545ced3d5&token\_type=bearer&expires\_in=38324&scope=app][https_www.baidu.com_access_token_8be81c35-641f-4997-ac34-ede545ced3d5_token_type_bearer_expires_in_38324_scope_app]

--------------------

<?xml version="1.0" encoding="UTF-8"?>  
<project xmlns="http://maven.apache.org/POM/4.0.0"  
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">  
    <modelVersion>4.0.0</modelVersion>

<groupId>com.example</groupId>  
    <artifactId>auth-service</artifactId>  
    <version>0.0.1-SNAPSHOT</version>  
    <packaging>jar</packaging>

<name>auth-service</name>  
    <description>Demo project for Spring Boot</description>

<parent>  
        <groupId>org.springframework.boot</groupId>  
        <artifactId>spring-boot-starter-parent</artifactId>  
        <version>2.0.3.RELEASE</version>  
        <relativePath />   
    </parent>

<properties>  
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>  
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>  
        <java.version>1.8</java.version>  
        <spring-cloud.version>Finchley.SR1</spring-cloud.version>  
    </properties>

<dependencies>  
        <dependency>  
            <groupId>org.springframework.boot</groupId>  
            <artifactId>spring-boot-starter-data-jpa</artifactId>  
        </dependency>  
        <dependency>  
            <groupId>org.springframework.boot</groupId>  
            <artifactId>spring-boot-starter-data-redis</artifactId>  
        </dependency>  
        <dependency>  
            <groupId>org.springframework.boot</groupId>  
            <artifactId>spring-boot-starter-jdbc</artifactId>  
        </dependency>  
        <dependency>  
            <groupId>org.springframework.boot</groupId>  
            <artifactId>spring-boot-starter-web</artifactId>  
        </dependency>  
        <dependency>  
            <groupId>org.springframework.cloud</groupId>  
            <artifactId>spring-cloud-starter-oauth2</artifactId>  
        </dependency>  
        <dependency>  
            <groupId>org.springframework.cloud</groupId>  
            <artifactId>spring-cloud-starter-security</artifactId>  
        </dependency>  
          
        <dependency>  
            <groupId>com.alibaba</groupId>  
            <artifactId>druid</artifactId>  
            <version>1.1.10</version>  
        </dependency>  
          
        <dependency>  
            <groupId>mysql</groupId>  
            <artifactId>mysql-connector-java</artifactId>  
            <version>8.0.12</version>  
        </dependency>  
        <dependency>  
            <groupId>org.springframework.boot</groupId>  
            <artifactId>spring-boot-starter-test</artifactId>  
            <scope>test</scope>  
        </dependency>  
    </dependencies>

<dependencyManagement>  
        <dependencies>  
            <dependency>  
                <groupId>org.springframework.cloud</groupId>  
                <artifactId>spring-cloud-dependencies</artifactId>  
                <version>$\{spring-cloud.version\}</version>  
                <type>pom</type>  
                <scope>import</scope>  
            </dependency>  
        </dependencies>  
    </dependencyManagement>

<build>  
        <plugins>  
            <plugin>  
                <groupId>org.springframework.boot</groupId>  
                <artifactId>spring-boot-maven-plugin</artifactId>  
            </plugin>  
        </plugins>  
    </build>

</project>

[http_localhost_8080_oauth_token_grant_type_client_credentials_scope_read_client_id_unity-client_client_secret_unity]: http://localhost:8080/oauth/token?grant_type=client_credentials&scope=read&client_id=unity-client&client_secret=unity
[http_localhost_8080_oauth_authorize_response_type_code_client_id_client_redirect_uri_http_www.baidu.com]: http://localhost:8080/oauth/authorize?response_type=code&client_id=client&redirect_uri=http://www.baidu.com
[https_www.baidu.com_code_uX6fl0]: https://www.baidu.com/?code=uX6fl0
[http_localhost_8080_oauth_token_client_id_client_grant_type_authorization_code_redirect_uri_http_www.baidu.com_code]: http://localhost:8888/oauth/token?client_id=client&grant_type=authorization_code&redirect_uri=http://baidu.com&code=wfazuG
[http_localhost_8080_oauth_token_grant_type_refresh_token_refresh_token_c67241bd-1c0f-4b9f-bd61-6948b788e12d]: http://localhost:8080/oauth/token?grant_type=refresh_token&refresh_token=c67241bd-1c0f-4b9f-bd61-6948b788e12d
[http_localhost_8080_oauth_token_grant_type_password_username_admin_password_123]: http://localhost:8080/oauth/token?grant_type=password&username=admin&password=123
[WEBRESOURCE184869c52c009735ae69f9f8d0cced44]: http://note.youdao.com/yws/res/4768/WEBRESOURCE184869c52c009735ae69f9f8d0cced44
[WEBRESOURCE1de0e2cd72e0883b3b6f9ec936f25d98]: http://note.youdao.com/yws/res/4770/WEBRESOURCE1de0e2cd72e0883b3b6f9ec936f25d98
[http_localhost_8080_oauth_authorize_response_type_token_client_id_client_redirect_uri_http_www.baidu.com]: http://localhost:8080/oauth/authorize?response_type=token&client_id=client&redirect_uri=http://www.baidu.com
[https_www.baidu.com_access_token_8be81c35-641f-4997-ac34-ede545ced3d5_token_type_bearer_expires_in_38324_scope_app]: https://www.baidu.com/#access_token=8be81c35-641f-4997-ac34-ede545ced3d5&token_type=bearer&expires_in=38324&scope=app