Spring Security OAuth2.0笔记

2020-11-20 14:27:07 101 收藏
分类专栏: springboot 文章标签: oauth2
最后发布:2020-11-20 14:27:07首次发布:2020-11-20 14:27:07
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/hknaruto/article/details/109810375
版权 
请求命中filter:
spring-security-oauth2-client:5.3.5.RELEASE
org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter
@Override
	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
			throws ServletException, IOException {

		try {
			OAuth2AuthorizationRequest authorizationRequest = this.authorizationRequestResolver.resolve(request);
			if (authorizationRequest != null) {
				this.sendRedirectForAuthorization(request, response, authorizationRequest);
				return;
			}
		} catch (Exception failed) {
			this.unsuccessfulRedirectForAuthorization(request, response, failed);
			return;
		}
org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver
	private String resolveRegistrationId(HttpServletRequest request) {
		if (this.authorizationRequestMatcher.matches(request)) {
			return this.authorizationRequestMatcher
					.matcher(request).getVariables().get(REGISTRATION_ID_URI_VARIABLE_NAME);
		}
		return null;
	}
	@Override
	public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
		String registrationId = this.resolveRegistrationId(request);
		String redirectUriAction = getAction(request, "login");
		return resolve(request, registrationId, redirectUriAction);
	}

默认的redirectUriAction="login"

 

开始解析出OAuth2AuthorizationRequest对象

private OAuth2AuthorizationRequest resolve(HttpServletRequest request, String registrationId, String redirectUriAction) {
		if (registrationId == null) {
			return null;
		}

		ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId(registrationId);
		if (clientRegistration == null) {
			throw new IllegalArgumentException("Invalid Client Registration with Id: " + registrationId);
		}

		Map<String, Object> attributes = new HashMap<>();
		attributes.put(OAuth2ParameterNames.REGISTRATION_ID, clientRegistration.getRegistrationId());

		OAuth2AuthorizationRequest.Builder builder;
		if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(clientRegistration.getAuthorizationGrantType())) {
			builder = OAuth2AuthorizationRequest.authorizationCode();
			Map<String, Object> additionalParameters = new HashMap<>();
			if (!CollectionUtils.isEmpty(clientRegistration.getScopes()) &&
					clientRegistration.getScopes().contains(OidcScopes.OPENID)) {
				// Section 3.1.2.1 Authentication Request - https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
				// scope
				// 		REQUIRED. OpenID Connect requests MUST contain the "openid" scope value.
				addNonceParameters(attributes, additionalParameters);
			}
			if (ClientAuthenticationMethod.NONE.equals(clientRegistration.getClientAuthenticationMethod())) {
				addPkceParameters(attributes, additionalParameters);
			}
			builder.additionalParameters(additionalParameters);
		} else if (AuthorizationGrantType.IMPLICIT.equals(clientRegistration.getAuthorizationGrantType())) {
			builder = OAuth2AuthorizationRequest.implicit();
		} else {
			throw new IllegalArgumentException("Invalid Authorization Grant Type ("  +
					clientRegistration.getAuthorizationGrantType().getValue() +
					") for Client Registration with Id: " + clientRegistration.getRegistrationId());
		}

		String redirectUriStr = expandRedirectUri(request, clientRegistration, redirectUriAction);

		builder
				.clientId(clientRegistration.getClientId())
				.authorizationUri(clientRegistration.getProviderDetails().getAuthorizationUri())
				.redirectUri(redirectUriStr)
				.scopes(clientRegistration.getScopes())
				.state(this.stateGenerator.generateKey())
				.attributes(attributes);

		this.authorizationRequestCustomizer.accept(builder);

		return builder.build();
	}

 

GrantType

public final class AuthorizationGrantType implements Serializable {
    private static final long serialVersionUID = 530L;
    public static final AuthorizationGrantType AUTHORIZATION_CODE = new AuthorizationGrantType("authorization_code");
    /** @deprecated */
    @Deprecated
    public static final AuthorizationGrantType IMPLICIT = new AuthorizationGrantType("implicit");
    public static final AuthorizationGrantType REFRESH_TOKEN = new AuthorizationGrantType("refresh_token");
    public static final AuthorizationGrantType CLIENT_CREDENTIALS = new AuthorizationGrantType("client_credentials");
    public static final AuthorizationGrantType PASSWORD = new AuthorizationGrantType("password");

 

spring-security-oauth2-client:5.3.5.RELEASE

org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter

public class OAuth2LoginAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
	/**
	 * The default {@code URI} where this {@code Filter} processes authentication requests.
	 */
	public static final String DEFAULT_FILTER_PROCESSES_URI = "/login/oauth2/code/*";
	private static final String AUTHORIZATION_REQUEST_NOT_FOUND_ERROR_CODE = "authorization_request_not_found";
	private static final String CLIENT_REGISTRATION_NOT_FOUND_ERROR_CODE = "client_registration_not_found";
	private ClientRegistrationRepository clientRegistrationRepository;
	private OAuth2AuthorizedClientRepository authorizedClientRepository;
	private AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository =
		new HttpSessionOAuth2AuthorizationRequestRepository();

 

源码:

spring-security-config:5.3.5.RELEASE
org.springframework.security.config.http.OAuth2LoginBeanDefinitionParser
final class OAuth2LoginBeanDefinitionParser implements BeanDefinitionParser {

	private static final String DEFAULT_AUTHORIZATION_REQUEST_BASE_URI = "/oauth2/authorization";
	private static final String DEFAULT_LOGIN_URI = DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL;

	private static final String ELT_CLIENT_REGISTRATION = "client-registration";
	private static final String ATT_REGISTRATION_ID = "registration-id";
	private static final String ATT_CLIENT_REGISTRATION_REPOSITORY_REF = "client-registration-repository-ref";
	private static final String ATT_AUTHORIZED_CLIENT_REPOSITORY_REF = "authorized-client-repository-ref";
	private static final String ATT_AUTHORIZED_CLIENT_SERVICE_REF = "authorized-client-service-ref";
	private static final String ATT_AUTHORIZATION_REQUEST_REPOSITORY_REF = "authorization-request-repository-ref";
	private static final String ATT_AUTHORIZATION_REQUEST_RESOLVER_REF = "authorization-request-resolver-ref";
	private static final String ATT_ACCESS_TOKEN_RESPONSE_CLIENT_REF = "access-token-response-client-ref";
	private static final String ATT_USER_AUTHORITIES_MAPPER_REF = "user-authorities-mapper-ref";
	private static final String ATT_USER_SERVICE_REF = "user-service-ref";
	private static final String ATT_OIDC_USER_SERVICE_REF = "oidc-user-service-ref";
	private static final String ATT_LOGIN_PROCESSING_URL = "login-processing-url";
	private static final String ATT_LOGIN_PAGE = "login-page";
	private static final String ATT_AUTHENTICATION_SUCCESS_HANDLER_REF = "authentication-success-handler-ref";
	private static final String ATT_AUTHENTICATION_FAILURE_HANDLER_REF = "authentication-failure-handler-ref";
	private static final String ATT_JWT_DECODER_FACTORY_REF = "jwt-decoder-factory-ref";

 

public Authentication authenticate(Authentication authentication)
			throws AuthenticationException {
		Class<? extends Authentication> toTest = authentication.getClass();
		AuthenticationException lastException = null;
		AuthenticationException parentException = null;
		Authentication result = null;
		Authentication parentResult = null;
		boolean debug = logger.isDebugEnabled();

		for (AuthenticationProvider provider : getProviders()) {
			if (!provider.supports(toTest)) {
				continue;
			}

			if (debug) {
				logger.debug("Authentication attempt using "
						+ provider.getClass().getName());
			}

 

 

@Override
	public OAuth2User loadUser(OAuth2UserRequest userRequest) throws OAuth2AuthenticationException {
		Assert.notNull(userRequest, "userRequest cannot be null");

		if (!StringUtils.hasText(userRequest.getClientRegistration().getProviderDetails().getUserInfoEndpoint().getUri())) {
			OAuth2Error oauth2Error = new OAuth2Error(
				MISSING_USER_INFO_URI_ERROR_CODE,
				"Missing required UserInfo Uri in UserInfoEndpoint for Client Registration: " +
					userRequest.getClientRegistration().getRegistrationId(),
				null
			);
			throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
		}
		String userNameAttributeName = userRequest.getClientRegistration().getProviderDetails()
				.getUserInfoEndpoint().getUserNameAttributeName();
		if (!StringUtils.hasText(userNameAttributeName)) {
			OAuth2Error oauth2Error = new OAuth2Error(
				MISSING_USER_NAME_ATTRIBUTE_ERROR_CODE,
				"Missing required \"user name\" attribute name in UserInfoEndpoint for Client Registration: " +
					userRequest.getClientRegistration().getRegistrationId(),
				null
			);
			throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
		}

		RequestEntity<?> request = this.requestEntityConverter.convert(userRequest);

		ResponseEntity<Map<String, Object>> response;
		try {
			response = this.restOperations.exchange(request, PARAMETERIZED_RESPONSE_TYPE);
		} catch (OAuth2AuthorizationException ex) {

 

 

https://docs.spring.io/spring-security/site/docs/5.3.5.RELEASE/reference/html5/#oauth2login-boot-property-mappings

12.1.2. Spring Boot 2.x Property Mappings

The following table outlines the mapping of the Spring Boot 2.x OAuth Client properties to the ClientRegistration properties.

Spring Boot 2.xClientRegistration

spring.security.oauth2.client.registration.[registrationId]

registrationId

spring.security.oauth2.client.registration.[registrationId].client-id

clientId

spring.security.oauth2.client.registration.[registrationId].client-secret

clientSecret

spring.security.oauth2.client.registration.[registrationId].client-authentication-method

clientAuthenticationMethod

spring.security.oauth2.client.registration.[registrationId].authorization-grant-type

authorizationGrantType

spring.security.oauth2.client.registration.[registrationId].redirect-uri

redirectUriTemplate

spring.security.oauth2.client.registration.[registrationId].scope

scopes

spring.security.oauth2.client.registration.[registrationId].client-name

clientName

spring.security.oauth2.client.provider.[providerId].authorization-uri

providerDetails.authorizationUri

spring.security.oauth2.client.provider.[providerId].token-uri

providerDetails.tokenUri

spring.security.oauth2.client.provider.[providerId].jwk-set-uri

providerDetails.jwkSetUri

spring.security.oauth2.client.provider.[providerId].user-info-uri

providerDetails.userInfoEndpoint.uri

spring.security.oauth2.client.provider.[providerId].user-info-authentication-method

providerDetails.userInfoEndpoint.authenticationMethod

spring.security.oauth2.client.provider.[providerId].user-name-attribute

providerDetails.userInfoEndpoint.userNameAttributeName

 

https://docs.spring.io/spring-security/site/docs/5.3.5.RELEASE/reference/html5/#oauth2login-register-clientregistrationrepository-bean

@Configuration
public class OAuth2LoginConfig {

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        return new InMemoryClientRegistrationRepository(this.googleClientRegistration());
    }

    private ClientRegistration googleClientRegistration() {
        return ClientRegistration.withRegistrationId("google")
            .clientId("google-client-id")
            .clientSecret("google-client-secret")
            .clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            .redirectUriTemplate("{baseUrl}/login/oauth2/code/{registrationId}")
            .scope("openid", "profile", "email", "address", "phone")
            .authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
            .tokenUri("https://www.googleapis.com/oauth2/v4/token")
            .userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
            .userNameAttributeName(IdTokenClaimNames.SUB)
            .jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
            .clientName("Google")
            .build();
    }
}
public interface StandardClaimNames {

	/**
	 * {@code sub} - the Subject identifier
	 */
	String SUB = "sub";

	/**
	 * {@code name} - the user's full name
	 */
	String NAME = "name";

 

已标记关键词 清除标记
Spring Cloud Security Oauth2.0 授权码模式
Tellsea
06-16 1517
Spring Cloud Security Oauth2.0 Spring 提供的 Spring Security oAuth2 能搭建一套验证授权及资源访问服务,帮助大家在实现企业微服务架构时能够有效的控制多个服务的统一登录、授权及资源保护工作。 这里只是一个简单的案例基础,我自己是参照 千峰李哥的博客 上面的笔记来学习的,通过自己的整理与案例学习,综合出了一个自己风格的项目 李哥视频教程 Sp...
表情包
插入表情
还能输入1000个字符
Spring Security OAuth笔记
weixin_34405557的博客
10-16 27
  因为工作需要,系统权限安全方面可能要用到Spring Security OAuth2.0,所以,近几天了解了一下OAuth相关的东西。目前好像还没有系统的学习资料,学习主要是通过博客,内容都是大同小异而且讲述的比较乱,可能还掺杂了一些个人不够全面的理解,所以有必要的话后面还得自己查看源码。   本来说写个demo先用起来试试,但是在用的时候遇到了一些问题暂时还没找到原因,因为Spring S...
使用Spring安全oauth,使用自定义OAuth提供程序,我得到[authorization_request_not_found],我应该自己处理回调方法吗?
09-12
使用Spring Security 5 oauth我使用Google作为OAuth提供程序成功完成了整个身份验证/授权周期,但如果我使用自己制作的OAuth提供程序,在不同的应用程序上运行,我就会陷入
Spring Boot OAuth 2.0 客户端
weixin_34176694的博客
06-28 139
在上一篇《OAuth 2.0 授权码请求》中我们已经可以获取到access_token了,本节将使用客户端来访问远程资源 配置资源服务器 授权服务器负责生成并发放访问令牌(access_token),客户端在访问受保护的资源时会带上访问令牌,资源服务器需要解析并验证客户端带的这个访问令牌。 如果你的资源服务器同时也是一个授权服务器(资源服务器和授权服务器在一起),那么资源服务器就不需要考虑令...
Spring Security Oauth2.0 学习笔记
逍遥绝情的博客
01-23 5357
基础说明 AbstractSecurityWebApplicationInitializer类: 为应用程序中的每个URL自动注册springSecurityFilterChain过滤器 添加一个ContextLoaderListener来加载WebSecurityConfig。 HttpSecurity: WebSecurityConfig只包含关于如何验证用户的信息 prote...
SpringCloud 学习笔记系列 06----Zuul 整合Config实现动态路由
逍遥绝情的博客
01-11 680
Zuul 整合Config实现动态路由 Zuul配置 pom.xml &lt;dependency&gt; &lt;groupId&gt;org.springframework.cloud&lt;/groupId&gt; &lt;artifactId&gt;spring-cloud-starter-config&lt;/artifa...
Amazon CloudFront 学习笔记--01
逍遥绝情的博客
02-27 1389
CloudFront配置步骤 1.配置您的原始服务器,CloudFront 将从这些服务器中获取您的文件,以便从遍布全球的 CloudFront 节点进行分发。 源服务器将存储您的对象的原始最终版本。 如果您通过 HTTP 提供内容,您的原始服务器将为 Amazon S3 存储桶或 HTTP 服务器,例如,Web 服务器。 您的 HTTP 服务器可在 Amazon Elastic Compu...
JAVA NIO 学习笔记——01
逍遥绝情的博客
01-29 144
NIO概况 1.Java NIO包含以下几个核心组件: 通道 Channels 缓冲区 Buffers 选择器 Selectors 2.NIO中有多种类型的Channel和Buffer,下面的列表是Java NIO中主要的通道实现类: FileChannel 用于文件读写操作 DatagramChannel 用于UDP协议中数据读写操作 SocketChannel 用于TCP协议中网络
SpringCloud 学习笔记系列02--Feign 客户端
逍遥绝情的博客
12-28 213
Feign 声明性REST客户端 Feign是一个声明式的WEB服务客户端。 Feign具有可插入注释支持: Feign注释 JAX-RS注释 可插拔编码器和解码器 SpringCloud 集成Ribbon和Eureka以在使用Feign时提供负载均衡的http客户端 引入Feign 开启Feign客户端注解:@EnableFeignClients 开启Feign客户端 @...
Spring Security4 学习笔记——01
逍遥绝情的博客
07-24 832
Spring Security4 学习笔记 Spring Security是什么? Spring Security提供了基于Java EE的企业应用软件全面的安全服务。 它提供了一组可以在Spring应用上下文中配置的Bean,充分利用了Spring IoC,DI(控制反转Inversion of Control ,DI:Dependency Injection 依赖注入)和AOP(面向...
©️2020 CSDN 皮肤主题: 技术黑板 设计师:CSDN官方博客 返回首页