é´äº spring security ä¸ oauth2.0æ åè¿äºç¹çï¼ä¸ºæ¹ä¾¿ç解ä¸å®é å®ç°ï¼æ æåå ¶å®ç°ã
1ãoauth2.0ä»ç»
OAuth 2.0çè¿è¡æµç¨å¦ä¸å¾ï¼æèªRFC 6749ã
(A)ç¨æ·æå¼å®¢æ·ç«¯ä»¥åï¼å®¢æ·ç«¯è¦æ±ç¨æ·ç»äºææã
(B)ç¨æ·åæç»äºå®¢æ·ç«¯ææã
(C)客æ·ç«¯ä½¿ç¨ä¸ä¸æ¥è·å¾çææï¼å认è¯æå¡å¨ç³è¯·ä»¤çã
(D)认è¯æå¡å¨å¯¹å®¢æ·ç«¯è¿è¡è®¤è¯ä»¥åï¼ç¡®è®¤æ 误ï¼åæåæ¾ä»¤çã
(E)客æ·ç«¯ä½¿ç¨ä»¤çï¼åèµæºæå¡å¨ç³è¯·è·åèµæºã
(F)èµæºæå¡å¨ç¡®è®¤ä»¤çæ 误ï¼åæå客æ·ç«¯å¼æ¾èµæºã
1.1ãoauth2.0-ææç 模å¼ä»ç»
(A)ç¨æ·è®¿é®å®¢æ·ç«¯ï¼åè å°åè 导å认è¯æå¡å¨ã
(B)ç¨æ·éæ©æ¯å¦ç»äºå®¢æ·ç«¯ææã
(C)å设ç¨æ·ç»äºææï¼è®¤è¯æå¡å¨å°ç¨æ·å¯¼å客æ·ç«¯äºå æå®ç"éå®åURI"(redirection URI)ï¼åæ¶éä¸ä¸ä¸ªä¸´æ¶ææç ã
(D)客æ·ç«¯æ¶å°ä¸´æ¶ææç ï¼éä¸æ©å ç"éå®åURI"ï¼å认è¯æå¡å¨ç³è¯·ä»¤çãè¿ä¸æ¥æ¯å¨å®¢æ·ç«¯çåå°çæå¡å¨ä¸å®æçï¼å¯¹ç¨æ·ä¸å¯è§ã
(E)认è¯æå¡å¨æ ¸å¯¹äºä¸´æ¶ææç åéå®åURIï¼ç¡®è®¤æ 误åï¼å客æ·ç«¯åé访é®ä»¤ç(access token)ã
1.2ãoauth2.0-å¯ç 模å¼ä»ç»
(A)ç¨æ·å客æ·ç«¯æä¾ç¨æ·ååå¯ç ã
(B)客æ·ç«¯å°ç¨æ·ååå¯ç åç»è®¤è¯æå¡å¨ï¼ååè 请æ±ä»¤çã
(C)认è¯æå¡å¨ç¡®è®¤æ 误åï¼å客æ·ç«¯æä¾è®¿é®ä»¤çã
2ãé»è¾äº¤äº
以æ个**çæµæå¡(web端)**为ä¾ï¼å°è¯ç»éå ¬å¸çSSOè´¦æ·ã
2.1ãææç 模å¼å®ç°
2.1.1ã表ç»æ设计
DROP TABLE IF EXISTS `sys_oauth_client`;
CREATE TABLE `sys_oauth_client` (
`client_id` varchar(50) NOT NULL COMMENT '客æ·ç«¯id',
`client_name` varchar(256) DEFAULT NULL COMMENT 'åºç¨å',
`client_secret` varchar(256) DEFAULT NULL COMMENT 'åºç¨å¯é¥',
`client_redirect_uri_host` varchar(256) DEFAULT NULL COMMENT '对åºä¸»æºåå',
`status` int(1) DEFAULT NULL COMMENT 'ç¶æã0:æ£å¸¸ï¼1:å»ç»',
`create_time` timestamp NULL DEFAULT CURRENT_TIMESTAMP COMMENT 'å建æ¶é´',
`update_time` timestamp NULL DEFAULT NULL ON UPDATE CURRENT_TIMESTAMP COMMENT 'ä¿®æ¹æ¶é´',
PRIMARY KEY (`client_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COMMENT='åºç¨client表';
BEGIN;
INSERT INTO `sys_oauth_client` VALUES ('joe_monitoring', 'çæµæå¡(web端)', 'admin123', '','0', '2018-08-30 19:42:32', '2018-08-30 20:24:08');
COMMIT;
DROP TABLE IF EXISTS `sys_oauth_user_authorize`;
CREATE TABLE `sys_oauth_user_authorize` (
`id` int(20) NOT NULL AUTO_INCREMENT,
`client_id` varchar(50) NOT NULL COMMENT '客æ·ç«¯id',
`oauth_user_id` varchar(50) NOT NULL COMMENT 'ç»å®è´¦å·çidï¼ä¾å¦å¯¹åºwxæ¥è¯´ï¼å°±æ¯openId',
`user_id` int(11) NOT NULL COMMENT '对åºuser_id',
`oauth_user_name` varchar(50) DEFAULT '' COMMENT 'ç»å®è´¦å·çå称',
UNIQUE KEY `Unique_client_idAnduser_id` (`client_id`,`user_id`) USING BTREE,
UNIQUE KEY `Unique_client_idAndoauth_user_id` (`client_id`,`oauth_user_id`) USING BTREE,
KEY `id` (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC COMMENT='è´¦å·ææ表'
ææ¯éåä¸ï¼springcloud å ¨å®¶æ¡¶
2.1.2ãå个æå¡
认è¯ä¸æææå¡ï¼joe-ssoï¼å³SSOæå¡
ç¨æ·ãæé管çæå¡: joe-admin
apièµæºæå¡: joe-resource
éæææ¬èµæº(cssãjsãimgç)æå¡ï¼joe-file
çæµæå¡ï¼joe-client-monitoring
å¦ï¼
注åä¸å¿ï¼joe-eureka
ç½å ³ï¼joe-zuul
2.1.3ãåè¯è§£é
客æ·ç«¯ï¼è¿éæ代 çæµæå¡(web端); å ¶å¯¹åºçclient_idï¼å¨åºä¸ä¸ºjoe_monitoring
认è¯æå¡å¨: è¿éæ代 joe-oauthæå¡
éå®åURI: å³ä¸æä¸ç redirect_uriå段
临æ¶ææç ï¼å³ä¸æä¸ç temp_authorize_codeå段
访é®ä»¤çï¼å³ä¸æä¸ç accessTokenå段
3ãæ¥å£è¯·æ±
3.1ãçæµæå¡(web端)è·åèªèº«çclient_id
GET请æ±ï¼æ¥å£ï¼ joe-client-wechat/client/clientId è¿å示ä¾ï¼
{
"status": 0,
"msg": "æåã",
"data": "joe_monitoring"
}
3.2ãå端跳转å°ç»é页é¢ï¼å¹¶ä¼ éè¿æ¥åæ°
ä¼ éåæ°(以webæµè§å¨ä¸ºä¾ï¼å°å ¶ä»¥getä¼ åçå½¢å¼ï¼æ´é²å¨å°åæ ä¸)ï¼
åæ°
示ä¾
说æ
client_id
joe_monitoring
客æ·ç«¯id
eg:å®é ä¼ é请æ±uri
解éï¼
passport.joe.com ï¼joe-ssoæå¡å°å
/authorize/login: ææç 模å¼ç»éæ¥å£
æ£å¸¸æ åµä¸ï¼oauth2.0模å¼ä¸ï¼ææç 模å¼ï¼å段éä¹ï¼
response_typeï¼è¡¨ç¤ºææç±»åï¼å¿ é项ï¼æ¤å¤çå¼åºå®ä¸º"code"
client_idï¼è¡¨ç¤ºå®¢æ·ç«¯çIDï¼å¿ é项
redirect_uriï¼è¡¨ç¤ºéå®åURIï¼å¯é项
scopeï¼è¡¨ç¤ºç³è¯·çæéèå´ï¼å¯é项
stateï¼è¡¨ç¤ºå®¢æ·ç«¯çå½åç¶æï¼å¯ä»¥æå®ä»»æå¼ï¼è®¤è¯æå¡å¨ä¼åå°ä¸å¨å°è¿åè¿ä¸ªå¼ã
egï¼å¨æ°æµªå¾®åä¸ï¼éç¨360è´¦å·ç»éï¼è·³è½¬çurl为:
åæï¼ä¸è¿°uriï¼æ¾ç¶ä¸ºoauth2.0模å¼ä¸çææç ç»é模å¼ã
3.3ãç»é页é¢çç»é
GET请æ±ï¼æ¥å£ï¼ joe-sso/oauth/authorize/login
å³ SSOè´¦æ·ç³»ç»çç»éç³»ç»ä¸çâç»éâæé®
ä¼ éåæ°:
åæ°
示ä¾
说æ
client_id
joe_monitoring
客æ·ç«¯id
login_name
admin
ç¨æ·å
password
admin
å¯ç
è¥ç»éæåï¼è¿å temp_authorize_code临æ¶ææç ï¼
{
"status": 0,
"msg": "æåã该临æ¶ææç æææ为10åé",
"data": {
"temp_authorize_code": "joe_monitoring:28115fff54884bc0800442ffb51a3f98"
}
}
å ¶ä»é误æ åµï¼
{
"status": 20,
"msg": "失败ãjoe-sso认è¯å¤±è´¥ï¼è¯·æ£æ¥client_idçåç¡®æ§ï¼æ该client_id已被å»ç»",
"data": null
}
{
"status": 30,
"msg": "失败ãç»éåæå¯ç é误,ç¨æ·ä¸åå¨",
"data": null
}
è·åå° ä¸´æ¶ææç temp_authorize_codeåï¼ç»é页é¢å端跳转é¾æ¥åçæµæå¡(web端)(éè¿redirect_uri)
注æï¼è¯¥temp_authorize_codeåå¨å¨redisä¸ï¼è®¾ç½®å¥½è¿ææ¶é´ã
3.4ãçæµæå¡(web端)å°è¯åjoe_ssoè·åaccessToken
ä¸ä¸æ¥ï¼æ们è·åå°temp_authorize_codeãç°å¨ï¼å°temp_authorize_codeåéç»SSOæå¡ï¼ä»èè·åaccessTokenã
çæµæå¡(web端)å端éè¿è·³è½¬åçæµè§å¨å°åæ ï¼è·åå°å¯¹åºå°temp_authorize_codeåï¼åéGET请æ±å°çæµæå¡(web端)çå端ï¼æ¥å£ï¼ joe-client-monitoring/client/accessToken
çæµæå¡(web端)çå端ï¼å°ä¼æ·»å èªå·±çclient_idãclient_secretåæ°ï¼ä¸èµ·éè¿httpåéç»joe-ssoè´¦æ·æå¡ï¼è·åaccessTokenã
åæ°
示ä¾
说æ
client_id
joe_monitoring
客æ·ç«¯id
client_secret
admin123
客æ·ç«¯å¯é¥
temp_authorize_code
joe_monitoring:52d1595aeba64b4fa087c9c96ab42bb2
临æ¶ææç
eg:å®é ä¼ é请æ±uri
è¿åç»æï¼
{
"status":0,
"msg":"æåã该access_tokenæææ为120åé,ä¸æ¬¡è¯·æ±å°éç½®æææ",
"data":"joe_monitoring:d29d492c678640a6b3952c4fb0dc24be"
}
该accessTokenæææ120åéï¼åç»æ¯æ¬¡è¯·æ±ä¼éç½®æææ(类似sessionçåè½)ãåæèèæ·»å ï¼è¶ æ¶1天åï¼å¼ºå¶å¤±æéæ°ç»éçåè½ã
注æï¼
该è·åaccessTokenåå¨å¨redisä¸ï¼è®¾ç½®å¥½è¿ææ¶é´ã
çæµæå¡(web端)éè¦å°å¯¹åºç accessToken èªè¡åå¨èµ·æ¥(jvm cacheæ redisä¸åå¯)ã
注æï¼è¯¥è¯·æ±è¿ç¨ï¼å¯¹äºç¨æ·æ¥è¯´ï¼æ¯æ æç¥çã
è³æ¤ï¼æææå¡å·²åºæ¬å®æã
3.5ã微信客æ·ç«¯è·åç¨æ·ä¿¡æ¯ by accessToken
GET请æ±ï¼æ¥å£ï¼ joe-sso/oauth/userInfo
ä¼ éåæ°ï¼
httpçheaderä¸æ·»å joe_access_token,å³
åæ°
示ä¾
说æ
joe_access_token
joe_monitoring:52d1595aeba64b4fa087c9c96ab42bb2
å³ç¬¬3.4æ¥éª¤ä¸ï¼å¾®ä¿¡å®¢æ·ç«¯å°è¯è·åçaccessToken
è¿åç»æï¼
{
"status": 0,
"msg": "æåã",
"data": {
"create_time": "2018-09-11 10:16:12",
"user_id": 1,
"user_name": "admin",
"user_nick_name": "ææ¯ç¨æ·æµç§°joe",
"redirect_uri": "http://localhost:9000/callback"
}
}
å ¶ä»
æºç
æä¸æè¿°åè½åå·²å®ç°ãå ·ä½ä»£ç ï¼åæå°è§æ åµåå¸è³githubä¸ãå°å为ï¼githubä»åºå°å
åèé¾æ¥ï¼
![oauth 手寫_從0手寫springCloud項目(架構代碼詳解)[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)