# spring-security-oauth2

**Repository Path**: baipengayn/spring-security-oauth2

## Basic Information

- **Project Name**: spring-security-oauth2
- **Description**: OAuth2 authorization built on Spring Security OAuth2 Authorization Server
- **Primary Language**: Java
- **License**: Apache-2.0
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 8
- **Created**: 2024-08-07
- **Last Updated**: 2024-08-07

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

### No longer updated; please see the micro-auth project in the microservices project for the reference implementation

Spring Security OAuth2 Authorization Server

- GitHub repository: https://github.com/spring-projects/spring-authorization-server/
- Official sample code: https://github1s.com/spring-projects/spring-authorization-server/blob/main/samples/
- OAuth2 specification: http://www.rfcreader.com/#rfc6749

```java
// Token management service
OAuth2AuthorizationService oAuth2AuthorizationService;
// Default SQL script path
// org/springframework/security/oauth2/server/authorization/oauth2-authorization-schema.sql

// Manages the association between client id, username and granted scopes (authorization consent)
OAuth2AuthorizationConsentService oAuth2AuthorizationConsentService;
// Default SQL script path
// org/springframework/security/oauth2/server/authorization/oauth2-authorization-consent-schema.sql

// Client management service
RegisteredClientRepository registeredClientRepository;
// Default SQL script path
// org/springframework/security/oauth2/server/authorization/client/oauth2-registered-client-schema.sql
```

#### Endpoints

See auth-server/test/java/test.http

##### Obtain a token with username and password

```http
###
# Obtain a token with username and password
POST http://localhost:9000/oauth2/token
Authorization: Basic bWVzc2FnaW5nLWNsaWVudDpzZWNyZXQ=
Accept-Language: zh_CN
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=admin&password=123456
```

##### Access the resource server with the access token

```http
###
# Access the resource server
GET http://localhost:8090/messages
Authorization: Bearer eyJraWQiOiIzOTIzMzQyNy02Zjc3LTRmODAtYWY1YS1kMGY1ZDFlZGZmMDkiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJtZXNzYWdpbmctY2xpZW50IiwiYXVkIjoibWVzc2FnaW5nLWNsaWVudCIsIm5iZiI6MTY0MTM2NjYyNSwic2NvcGUiOlsib3BlbmlkIiwibWVzc2FnZS5yZWFkIiwibWVzc2FnZS53cml0ZSJdLCJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3Q6OTAwMCIsImV4cCI6MTY0MTM2NjkyNSwiaWF0IjoxNjQxMzY2NjI1fQ.PfY2EC55as3Kboem6Dn5NaIaBxdiBmW63riIFBILEGD6WUf85jVJVblNYyf9_TSkoXpGqrOqbQppWOAfQrQQsQJF_3SxFcn9_uPrtFujGeuwSvc9U2Zc6ZfoUBEqI67Emu2gJtjvjXJZuc0PSXrekFYZOUM3VzbYsoC1Ey8jjM-jD9lBxDFjyt1Um2v0pCCPyJfOJB_vXE4pgiUzZQaEwrJVGIZWXWwyGb72J4OuWeCQZCXs6hlIVMvvvNROJKVNaBg3_En__9lI7VAPa5b17YWAz-6qQxtjFcBbXoWBvDWffoGU2mbegMxiYS9R_BVeNCJidTPT0C7TaVozbLngAA
```

##### Obtain an authorization code

```http
###
# Obtain an authorization code. The scope parameter may be empty; when it is non-empty and consentAuthorization is set, the user is redirected to the authorization consent page
http://localhost:9000/oauth2/authorize?client_id=messaging-client&client_secret=secret&response_type=code&scope=message.write&redirect_uri=http://127.0.0.1:8080/login/oauth2/code/messaging-client-oidc
```

Source of the logic that decides whether authorization consent is required:

```java
// OAuth2AuthorizationCodeRequestAuthenticationProvider.requireAuthorizationConsent()
private static boolean requireAuthorizationConsent(RegisteredClient registeredClient,
        OAuth2AuthorizationRequest authorizationRequest,
        OAuth2AuthorizationConsent authorizationConsent) {
    // Client does not require authorization consent: return false immediately
    if (!registeredClient.getClientSettings().isRequireAuthorizationConsent()) {
        return false;
    }
    // 'openid' scope does not require consent
    if (authorizationRequest.getScopes().contains(OidcScopes.OPENID)
            && authorizationRequest.getScopes().size() == 1) {
        return false;
    }
    // A consent record exists and every requested scope is already within its granted scopes
    // todo: the scope parameter is empty
    if (authorizationConsent != null
            && authorizationConsent.getScopes().containsAll(authorizationRequest.getScopes())) {
        return false;
    }
    return true;
}
```

##### Obtain a token with the authorization code

```http
###
# Obtain a refresh token with the authorization code
POST http://localhost:9000/oauth2/token
Authorization: Basic bWVzc2FnaW5nLWNsaWVudDpzZWNyZXQ=
Accept-Language: zh_CN
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=KIhCcynyLhWFFAaKFOlda_Cs3HxJW_okrJxhB0BgtKziDk3Hc_J2dLcAnPs7h2NaWYfs0-fQQCs9D0_vWYf9OJ7Lxlmc5RScbNCzrtKKDeIrBiNsQlz8Kw7vWpsau47Y&redirect_uri=http://127.0.0.1:8080/login/oauth2/code/messaging-client-oidc
```

##### Reissue the access and refresh tokens with the refresh token

```http
###
# Reissue the access and refresh tokens with the refresh token
POST http://localhost:9000/oauth2/token
Authorization: Basic bWVzc2FnaW5nLWNsaWVudDpzZWNyZXQ=
Accept-Language: zh_CN
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=gvSnvJbpBbxT-FP70ROrwRDxADasERy1ps010LTvaoA2_tiQoWT6SekfbXjLnQmjofe9be-OfKAJPlku37hQT4jd3RlxbiSwLpyEJFfF_JselGf_y-NTwv7iGWaQaRFm
```

##### Revoke a token

```http
POST http://localhost:9000/oauth2/revoke
Authorization: Basic bWVzc2FnaW5nLWNsaWVudDpzZWNyZXQ=
Accept-Language: zh_CN
Content-Type: application/x-www-form-urlencoded

# the token_type_hint parameter is optional
token_type_hint=access_token&token=xxx
# or
token_type_hint=refresh_token&token=xxx
```

##### Introspect a token

```http
###
# Obtain access/refresh token information
POST http://localhost:9000/oauth2/introspect
Authorization: Basic bWVzc2FnaW5nLWNsaWVudDpzZWNyZXQ=
Accept-Language: zh_CN
Content-Type: application/x-www-form-urlencoded

# the token_type_hint parameter is optional
token_type_hint=access_token&token=xxx
# or
token_type_hint=refresh_token&token=xxx
```

#### Authorized client flow

The authorization code flow goes through the following steps:

1. The client prepares an authentication request containing the desired request parameters.
2. The client sends the request to the authorization server.
3. The authorization server authenticates the end user.
4. The authorization server obtains the end user's consent/authorization.
5. The authorization server sends the end user back to the client with an authorization code.
6. The client requests a response using the authorization code at the token endpoint.
7. The client receives a response whose body contains an ID Token and an Access Token.
8. The client validates the ID Token and retrieves the end user's subject identifier.

Visit http://localhost:8080, which redirects to the index page, and click Authorization Code to start the authorization code login flow:

1. `OAuth2AuthorizedClientArgumentResolver#resolveArgument` resolves the `@RegisteredOAuth2AuthorizedClient` annotation and assembles an `OAuth2AuthorizeRequest`.
2. `OAuth2AuthorizedClientManager#authorize` converts the `OAuth2AuthorizeRequest` into an `OAuth2AuthorizationContext`.
3. `OAuth2AuthorizedClientProvider#authorize` calls `OAuth2AccessTokenResponseClient#getTokenResponse`, which sends a request to the authorization server at `http://localhost:9000/oauth2/token` to obtain an `OAuth2AccessTokenResponse`, and fills that `OAuth2AccessTokenResponse` back into the `OAuth2AuthorizedClient` parameter.
4. The resulting `OAuth2AuthorizedClient` is then passed as a request parameter to call the resource server via WebClient.
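The consent decision quoted in the "Obtain an authorization code" section, traced through its cases in a stand-alone added example (not the project's or Spring's own code): the method is re-implemented over plain sets, with `clientRequiresConsent` standing in for `registeredClient.getClientSettings().isRequireAuthorizationConsent()`, so the empty-scope case marked `todo` above can be seen without a running server.

```java
import java.util.Set;

// Added example (not the project's code): mirrors requireAuthorizationConsent()
// over plain sets so the consent outcome of each request shape is visible.
public class ConsentDecisionDemo {

    /** consentedScopes == null means no OAuth2AuthorizationConsent record exists yet. */
    static boolean requireConsent(boolean clientRequiresConsent,
                                  Set<String> requestedScopes,
                                  Set<String> consentedScopes) {
        if (!clientRequiresConsent) {
            return false;                       // consent page never shown for this client
        }
        if (requestedScopes.contains("openid") && requestedScopes.size() == 1) {
            return false;                       // 'openid' alone needs no consent
        }
        // containsAll(emptySet) is always true: an empty scope parameter is "covered"
        // by any stored consent record, so the consent page is skipped in that case
        if (consentedScopes != null && consentedScopes.containsAll(requestedScopes)) {
            return false;
        }
        return true;
    }

    public static void main(String[] args) {
        Set<String> readOnly = Set.of("message.read");   // constructed stored consent

        // client configured without consent
        check(false, requireConsent(false, Set.of("message.write"), null));
        // only 'openid' requested
        check(false, requireConsent(true, Set.of("openid"), null));
        // requested scope already consented to
        check(false, requireConsent(true, Set.of("message.read"), readOnly));
        // request widens the stored consent: consent page required
        check(true,  requireConsent(true, Set.of("message.read", "message.write"), readOnly));
        // first request, no consent record: consent page required
        check(true,  requireConsent(true, Set.of("message.write"), null));
        // the todo case: empty scope with an existing record skips the consent page
        check(false, requireConsent(true, Set.of(), readOnly));
        // empty scope with no record still shows the consent page
        check(true,  requireConsent(true, Set.of(), null));
        System.out.println("all consent cases behaved as expected");
    }

    private static void check(boolean expected, boolean actual) {
        if (expected != actual) {
            throw new AssertionError("expected " + expected + " but got " + actual);
        }
    }
}
```

The authorization endpoint itself only needs `client_id`, `response_type`, `scope` and `redirect_uri`; the `client_secret` in the GET URL above is not used by that endpoint and a browser-visible URL is not a place to carry it.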
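The client-side code that triggers the four steps above, as an added example rather than this project's own code: it assumes a client registration named `messaging-client-oidc` (inferred from the `redirect_uri` in this README) and the resource server URL `http://localhost:8090/messages` from the README; both are assumptions.

```java
import static org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.oauth2AuthorizedClient;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.reactive.function.client.WebClient;

@Configuration
class WebClientConfig {
    // Step 4 depends on this filter: it reads the OAuth2AuthorizedClient request
    // attribute and adds "Authorization: Bearer <access token>" to the outgoing call.
    @Bean
    WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
        return WebClient.builder().apply(oauth2.oauth2Configuration()).build();
    }
}

@Controller
class MessagesController {
    private final WebClient webClient;

    MessagesController(WebClient webClient) { this.webClient = webClient; }

    // Steps 1-3 happen before this body runs: the argument resolver sees the
    // annotation, the manager and provider obtain (or refresh) the token, and a
    // populated OAuth2AuthorizedClient is injected. Registration id is assumed.
    @GetMapping("/messages")
    String messages(Model model,
                    @RegisteredOAuth2AuthorizedClient("messaging-client-oidc")
                    OAuth2AuthorizedClient authorizedClient) {
        String[] messages = this.webClient.get()
                .uri("http://localhost:8090/messages")                // assumed resource server
                .attributes(oauth2AuthorizedClient(authorizedClient)) // step 4
                .retrieve()
                .bodyToMono(String[].class)
                .block();
        model.addAttribute("messages", messages);
        return "index";
    }
}
```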