
(1) Spring Security OAuth2: an introduction to the five grant types

For more related articles, see the Spring Security article index.

1. Introduction

OAuth 2.0 defines five grant types.

RFC specification link

  • authorization_code: authorization code grant. The authorization server issues a code for the logged-in user, and the application presents that code to the authorization server to exchange it for a token.
  • implicit: implicit grant. A simplified form of authorization_code: the authorization server issues the token directly for the logged-in user and 302-redirects to the application URL.
  • password: resource owner (i.e. user) password credentials grant. The application collects the username and password itself and calls the authorization server to obtain a token.
  • client_credentials: client credentials (client ID and key) grant. No user is involved; the application simply uses the credentials assigned by the authorization server to access it.
  • refresh_token: uses the refresh token obtained during authorization to obtain a new token.

2. Request details

2.1 Configuration

2.1.1 Clients supported by the authorization server

Auto-approve client:

client_id=client_id
client_secret=client_secret

Non-auto-approve client:

client_id=client2
client_secret=client2

2.1.2 Related properties

  1. clientId: (required) the ID that identifies the client.
  2. secret: (required for trusted clients) the client secret, if there is one.
  3. scope: limits the client's access scope; if empty (the default), the client has the full access scope.
  4. authorizedGrantTypes: the grant types this client is allowed to use; empty by default.
  5. authorities: the authorities this client may use (based on Spring Security authorities).
  6. jti: TOKEN_ID, the refresh token identifier.
  7. ati: ACCESS_TOKEN_ID, the access token identifier.

2.1.3 Related endpoints:

  1. /oauth/authorize: authorization endpoint.
  2. /oauth/token: token endpoint, used to obtain a token.
  3. /oauth/confirm_access: endpoint where the user submits confirmation of the authorization.
  4. /oauth/error: endpoint for authorization server error information.
  5. /oauth/check_token: token introspection endpoint used by resource servers.
  6. /oauth/token_key: endpoint that provides the public key, if you use JWT (RSA) tokens.

2.1.4 Demo reference:

GitHub code link

2.2 Authorization code grant (authorization_code)

1. Request authorization:
Request:
GET http://localhost:8080/uaa/oauth/authorize?client_id=client_id&redirect_uri=http://localhost:9999/dashboard/login&response_type=code&state=OVUbDY

The browser is redirected to the uaa login page, where the user's credentials are collected.

After a successful login:
1. For a non-auto-approve client, the user is redirected to the consent page to grant authorization:
http://localhost:8080/uaa/oauth/authorize?client_id=client2&redirect_uri=http://localhost:9999/dashboard/login&response_type=code&state=OVUbDY
Once the user grants authorization, the flow continues with the next step.

2. For an auto-approve client, the previous step is skipped and the browser is redirected directly to:
http://localhost:9999/dashboard/login?code=d7MgkJ&state=OVUbDY

2. Exchange the code for a token:
Request:
POST http://localhost:8080/uaa/oauth/token?grant_type=authorization_code&code=d7MgkJ&redirect_uri=http%3A%2F%2Flocalhost%3A9999%2Fdashboard%2Flogin

Authorization: Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=  (the configured authorization client)

Response:
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NDg5NDIyMzAsInVzZXJfbmFtZSI6InVzZXIiLCJhdXRob3JpdGllcyI6WyJST0xFX1VTRVIiXSwianRpIjoiOWYzNDdkZDgtMTU3NC00ODg2LWE3MDctMmJjZmM0OWQwZjQzIiwiY2xpZW50X2lkIjoiY2xpZW50X2lkIiwic2NvcGUiOlsib3BlbmlkIl19.FXDbopN4Bjae61DHNqdOQTlygtnNI8ys7cZItCU_Ken3wWNH2SahjVZjuGU7oLqoG3lWvWuvlJfYiApvMvMuLUE9Zsj_7qr3A9LWzaedkCROd3EHNP-zFfmg2PxKVpTWIgPMKxjvMS-1Crbf4DUFQiYPuqYVWANHnlqnP9LsrF7xFxrNSnyO73KHIs0703STAaOO2pPaXq2Nm97o9PUs9822vmUatSliherEQM3ZcQrJ5D_Pcjz2nKQO4wuYEqwDlO63cqnGRIytXhAcfGy85gnRyMPr_hGmxEVhgnUhsrlcJTZea9g5-R4OTgO9eymLUVKHyaBVPkvSd6OOV6qbfw",
"token_type": "bearer",
"refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJ1c2VyIiwic2NvcGUiOlsib3BlbmlkIl0sImF0aSI6IjlmMzQ3ZGQ4LTE1NzQtNDg4Ni1hNzA3LTJiY2ZjNDlkMGY0MyIsImV4cCI6MTU1MTQ5MTAzMCwiYXV0aG9yaXRpZXMiOlsiUk9MRV9VU0VSIl0sImp0aSI6IjU5YjljOWEzLWI3MTktNGExNi1iOWRlLTdkNTRkOTUwOTJhZiIsImNsaWVudF9pZCI6ImNsaWVudF9pZCJ9.W-zTUM6C4URSGJWAFU03WnkdCkyUoO6T_lL-uOITZw5wR75lKD9VsE9NecQe19564kNCFflNIBnI5vlejT3DYEzHChXyYLR38cXNk2QJU28udDU8Xnhd4AWcFTbSDQCiX9jeOlEupMgAoMgFZHCzgvL4A4a4jYEcFyJ6IuJ5IjXzlRI_-PNY8oQvXUGioDO9GFjbhcGoh_IigtuvqGQ9rz5dkbmh5nd23StMAO8wWEkXSCCXhidrKfXJ2s8dJSuHvQ7JwEtv4DA5D89yheL9GagjYfQxNj7eGOjiBhZZR7UrqyoZb2-mFdeyOVfj_zzb0VYg_CHkqdixuPWb0jIpgA",
"expires_in": 43199,
"scope": "openid",
"jti": "9f347dd8-1574-4886-a707-2bcfc49d0f43"
}
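The client side of the two steps above, as an added example that is not part of the original post: it builds the authorize URL, checks the state on the callback before accepting the code (a callback whose state does not match the one stored in the session is rejected, which is what protects the client against forged or injected callbacks), and assembles the token request with HTTP Basic client authentication. The endpoint URLs, redirect URI and client values are the ones used in this page's demo; nothing is sent over the network, the functions only build and check the messages.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoints and redirect URI used by this page's demo (uaa on :8080, dashboard on :9999).
AUTHORIZE_URL = "http://localhost:8080/uaa/oauth/authorize"
TOKEN_URL = "http://localhost:8080/uaa/oauth/token"
REDIRECT_URI = "http://localhost:9999/dashboard/login"

def new_state() -> str:
    """Unguessable per-login state; the client keeps it in the user's session."""
    return secrets.token_urlsafe(16)

def build_authorize_url(client_id: str, state: str) -> str:
    """Step 1: the URL the browser is sent to (response_type=code)."""
    query = {"client_id": client_id, "redirect_uri": REDIRECT_URI,
             "response_type": "code", "state": state}
    return AUTHORIZE_URL + "?" + urlencode(query)

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Check the redirect back from uaa and return the authorization code.

    state must equal the value stored in the session; a mismatch means this
    callback was not started by this client, so it is rejected.
    """
    params = parse_qs(urlsplit(callback_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not initiated by this session")
    if "error" in params:
        raise ValueError("authorization server returned error: " + params["error"][0])
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication, what curl's -u client_id:client_secret sends."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def build_token_request(code: str, client_id: str, client_secret: str) -> tuple:
    """Step 2: URL, headers and form body for the code-for-token exchange.

    redirect_uri must repeat the value from step 1; the server compares them.
    """
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    headers = {"Authorization": basic_auth_header(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, body
```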

2.3 Client credentials grant (client credentials)

Obtain a token:
Request:
POST http://localhost:8080/uaa/oauth/token?grant_type=client_credentials&scope=openid

Authorization: Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=  (the configured authorization client)

Response:
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6WyJvcGVuaWQiXSwiZXhwIjoxNTQ4OTQyNzU3LCJqdGkiOiJlMGNkY2I2ZS03MzdlLTRjNzYtOGVmYi03MTNlNWVkMzZmMmUiLCJjbGllbnRfaWQiOiJjbGllbnRfaWQifQ.VJJ-4ZXWBVQ7UuK3euI5pd_ixciXPzzltXeM6DAI9i72nX5s0KtiJwJifxDg21f1MMUEu8723Oicer7C8WSWx5jGIEKthji-TJT-IGU5fBXwB5l0J1XR9Ssi0OW7-PL1hzK8_l-CP4VLjstVAs0MjLuHPfmZtLojKcHIzDpXMnvouTITRmz55wCAEc5lI3zzkSY2ACTsEPNDW_mCAzVWDqaXdPURE9cUPLF7Xv8XNJj4c934TkOf0fNimA3JLAcMPUem4C2Q796GGzVsbx7x508iTy8pQ7wlIfhjRVWcsmO4BUeRm8LvT-Bju_mr8qebbbMqMOPzNZ26Bkg-RrqjKw",
"token_type": "bearer",
"expires_in": 43199,
"scope": "openid",
"jti": "e0cdcb6e-737e-4c76-8efb-713e5ed36f2e"
}

2.4 Password grant (password)

Exchange the username and password for a token:
Request:
POST http://localhost:8080/uaa/oauth/token?grant_type=password&username=admin&password=123456

Authorization: Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=  (the configured authorization client)

Response:
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NDg5NDI5ODcsInVzZXJfbmFtZSI6ImFkbWluIiwiYXV0aG9yaXRpZXMiOlsiL2FkbWluL2luZGV4Il0sImp0aSI6IjRkN2YyMzRjLTc4MGMtNDVlNC1iYjViLWZmYWJlNmI2YzQ5ZiIsImNsaWVudF9pZCI6ImNsaWVudF9pZCIsInNjb3BlIjpbIm9wZW5pZCJdfQ.BFipbmjUpnD8fdbg3lF8t0f65uPWycqBKYnwGLgUd3FdMctDISHQmuq341E9fP8uOWOvqLoBioPhBSALMfBK2AWYPtr7P442TH-GxbiNOPDuppwDKR9vEn5ELGwvFGwMfE6s-P5yWFULD78Q65EujuWURLJYwi03kpyvUBLeI_vGIIjqMbTFA7HnGYriQew5IpWzxaDv4JVy1LmWYQi--8eDMeOlr4HQZIqQdUp09x4vN2CrQRZ6lWxhdgTe8LOwW9xG5yrWrBDdYbPF4vnqt_S8inVzUP06mlEb_ZRwP4riHwAq-JS95yAdZQaZ5OY37Hx5yR3odLqiNMc-gN5VVA",
"token_type": "bearer",
"refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJhZG1pbiIsInNjb3BlIjpbIm9wZW5pZCJdLCJhdGkiOiI0ZDdmMjM0Yy03ODBjLTQ1ZTQtYmI1Yi1mZmFiZTZiNmM0OWYiLCJleHAiOjE1NTE0OTE3ODcsImF1dGhvcml0aWVzIjpbIi9hZG1pbi9pbmRleCJdLCJqdGkiOiI3OGI3ZjlkMi1mNmQ2LTQwZTctOGRlYS0yOTllYzBmYzI3YjUiLCJjbGllbnRfaWQiOiJjbGllbnRfaWQifQ.L8N7HE1pLolFPrWFxfy892ngnYWdpq9BOnZaSXX-7YQs2g6lFRfelHvn7TDd-qI34_8rkNOhn_OkrPMADf-2AqJejoSDpcj3YvUym9Jj7vTvcmgeXVlhneBb5Ma75t0AwSeTcYbRhMgJh7Th2bNtH4TmMWqghYUrx4qyrJIr_NQ26nPt_uE-2Hj9UhFgM46PjbmY3T8G4WfOlUDxcZCR2iEBqPiQA2mkH1HJq4--3b4oY4ZmqTT-sbx7JWq_1TePteLVx86NGwK7s9-J9zWLk3fUTo8cQIzG51ZR6JpQcoOiuJFyoyKhpNXKTnlbyJEtj1RI2H8Zq6aSR-TTez4J1A",
"expires_in": 43199,
"scope": "openid",
"jti": "4d7f234c-780c-45e4-bb5b-ffabe6b6c49f"
}

2.5 Implicit grant (implicit)

Request a token:
Request:
GET http://localhost:8080/uaa/oauth/authorize?client_id=client_id&redirect_uri=http://localhost:9999/dashboard/login&response_type=token

The browser is redirected to the uaa login page, where the user's credentials are collected.

After a successful login, the browser is redirected to:
http://localhost:9999/dashboard/login#access_token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NDg5NDMxODcsInVzZXJfbmFtZSI6InVzZXIiLCJhdXRob3JpdGllcyI6WyJST0xFX1VTRVIiXSwianRpIjoiYWQ4M2UyMTQtMmE0Mi00ZTEzLTkzYTgtZDY2ZmVhMmZiMGI0IiwiY2xpZW50X2lkIjoiY2xpZW50X2lkIiwic2NvcGUiOlsib3BlbmlkIl19.FBNgVZSG8AkpxRvmU0q-_sFnUGlTmuESAIQ_nHGDD5DaUPSlMsTEQjAvbbCfKu5r9glsu7TVkisg-tepm6a0CMbOB_3tkaFja8bHCpM2MsbQcof9eo3sfSwzR0qqO6vjg2Ptcb7i9JoThkTZBna-iOMqXGgUKbWrQr40ZrWeT-JMq2j8S1-D8HBMHwZCMRADHyHh05jBD6sFppVR4tRrRhYyhZADdsNi8mXhdcerdRGLfo5COHcLjjC0T_IcliCorXw7StmzBUMjG6O9SuhPf5aRQNqSnwxddIZ_NpOT7_6YZo6n3D3mOGxzKCsHfNVCEJsu2_CaU9Cxh7BuS1yOnA&token_type=bearer&expires_in=43199&scope=openid&jti=ad83e214-2a42-4e13-93a8-d66fea2fb0b4


2.6 Refresh token (refresh_token)

Request:
POST:
curl -u client_id:client_secret http://localhost:8080/uaa/oauth/token -d grant_type=refresh_token -d refresh_token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJhZG1pbiIsInNjb3BlIjpbIm9wZW5pZCJdLCJhdGkiOiI0ZDdmMjM0Yy03ODBjLTQ1ZTQtYmI1Yi1mZmFiZTZiNmM0OWYiLCJleHAiOjE1NTE0OTE3ODcsImF1dGhvcml0aWVzIjpbIi9hZG1pbi9pbmRleCJdLCJqdGkiOiI3OGI3ZjlkMi1mNmQ2LTQwZTctOGRlYS0yOTllYzBmYzI3YjUiLCJjbGllbnRfaWQiOiJjbGllbnRfaWQifQ.L8N7HE1pLolFPrWFxfy892ngnYWdpq9BOnZaSXX-7YQs2g6lFRfelHvn7TDd-qI34_8rkNOhn_OkrPMADf-2AqJejoSDpcj3YvUym9Jj7vTvcmgeXVlhneBb5Ma75t0AwSeTcYbRhMgJh7Th2bNtH4TmMWqghYUrx4qyrJIr_NQ26nPt_uE-2Hj9UhFgM46PjbmY3T8G4WfOlUDxcZCR2iEBqPiQA2mkH1HJq4--3b4oY4ZmqTT-sbx7JWq_1TePteLVx86NGwK7s9-J9zWLk3fUTo8cQIzG51ZR6JpQcoOiuJFyoyKhpNXKTnlbyJEtj1RI2H8Zq6aSR-TTez4J1A
-u client_id:client_secret is equivalent to
Authorization: Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ= (the configured authorization client)

Response:
{
"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NDg5NDQzMzIsInVzZXJfbmFtZSI6ImFkbWluIiwiYXV0aG9yaXRpZXMiOlsiL2FkbWluL2luZGV4Il0sImp0aSI6ImU1ZjVmZjRlLTJhMmUtNDA1My1iNzhlLTIxZjVjZTQwOWQ3MCIsImNsaWVudF9pZCI6ImNsaWVudF9pZCIsInNjb3BlIjpbIm9wZW5pZCJdfQ.m57JmhzjrleR-bL302yarKqHSQOn4-smW99Yp1epn_SbGW29sfhwgKR8r9HtvIoGETbc4kSpMKySsGtzmDCE2_CuEE9WPp6KomSFFtPaM-rh17lSXphJu3hvLli_Od3gx4Q_9AdrYMP6eM4pl90GYgPFpceCb7-MMpWqyIkpqK0Ldrd04SpRZTqf4wsZdPDO_EhWUfvRHVRv-F1ftdfw801GqVVahDYpWVj4TBKMGePb7bkDtM3w37jX_stvhvUpwRZHdW_5RoWbuG1oLE8oTDyVPtBiQVqjsv3adFp1tplMEghtQ_Q42qQNtbN5IuM8VpfqoUxcnyGIVev8ZS1Buw",
"token_type":"bearer",
"refresh_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJhZG1pbiIsInNjb3BlIjpbIm9wZW5pZCJdLCJhdGkiOiJlNWY1ZmY0ZS0yYTJlLTQwNTMtYjc4ZS0yMWY1Y2U0MDlkNzAiLCJleHAiOjE1NTE0OTE3ODcsImF1dGhvcml0aWVzIjpbIi9hZG1pbi9pbmRleCJdLCJqdGkiOiI3OGI3ZjlkMi1mNmQ2LTQwZTctOGRlYS0yOTllYzBmYzI3YjUiLCJjbGllbnRfaWQiOiJjbGllbnRfaWQifQ.d2eQVxhylXSuaMQneUf3cvtT2Zstw9GRbhPkYkC1zFn55QLyY-HvgWxwPZXYJbLCi1kisnyF6v86oi3mzG9wgXF1Re6-jlPphjJOqG7ur8Q6-8I1PEZwNIS0wWjZ0LK6fcg763eMgLk200BSU23yO3n3CM7B_KxW4s7Xu7H4fk7le3FjWT6l42TXWxtQ92YTrw_hIpMaKt1neH2bZq1l55_bFap0s0kdqQaviMSLMIgILz_qseld3D9bZkjFHZuZU5WqE1pfnMRB5Xl3C8R8DlQunmUfCMoOLVNNZ_wDLxACq8mtd2dXIV9ANgGzvFlrjtiDKt84f8iGTYg4qUMJDQ",
"expires_in":43199,
"scope":"openid",
"jti":"e5f5ff4e-2a2e-4053-b78e-21f5ce409d70"
}

Inspect the token:
Request:
POST:
curl -u client_id:client_secret http://localhost:8080/uaa/oauth/check_token  -d token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NDg5NDQzMzIsInVzZXJfbmFtZSI6ImFkbWluIiwiYXV0aG9yaXRpZXMiOlsiL2FkbWluL2luZGV4Il0sImp0aSI6ImU1ZjVmZjRlLTJhMmUtNDA1My1iNzhlLTIxZjVjZTQwOWQ3MCIsImNsaWVudF9pZCI6ImNsaWVudF9pZCIsInNjb3BlIjpbIm9wZW5pZCJdfQ.m57JmhzjrleR-bL302yarKqHSQOn4-smW99Yp1epn_SbGW29sfhwgKR8r9HtvIoGETbc4kSpMKySsGtzmDCE2_CuEE9WPp6KomSFFtPaM-rh17lSXphJu3hvLli_Od3gx4Q_9AdrYMP6eM4pl90GYgPFpceCb7-MMpWqyIkpqK0Ldrd04SpRZTqf4wsZdPDO_EhWUfvRHVRv-F1ftdfw801GqVVahDYpWVj4TBKMGePb7bkDtM3w37jX_stvhvUpwRZHdW_5RoWbuG1oLE8oTDyVPtBiQVqjsv3adFp1tplMEghtQ_Q42qQNtbN5IuM8VpfqoUxcnyGIVev8ZS1Buw

Response:
{
"exp":1548944332,
"user_name":"admin",
"authorities":["/admin/index"],
"jti":"e5f5ff4e-2a2e-4053-b78e-21f5ce409d70",
"client_id":"client_id",
"scope":["openid"]
}
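An added example, not from the original post, that decodes the access and refresh tokens returned by the password grant in section 2.4 to show what the jti and ati properties carry: each token has its own jti, and the refresh token's ati equals the jti of the access token it was issued with, which is how the server ties the pair together. The decoding deliberately skips signature verification and is for inspection only; a resource server validates tokens against the public key from /oauth/token_key or by calling /oauth/check_token, as shown above.

```python
import base64
import json
import time

# Access and refresh token from the password-grant response in section 2.4 (copied from this page).
ACCESS_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NDg5NDI5ODcsInVzZXJfbmFtZSI6ImFkbWluIiwiYXV0aG9yaXRpZXMiOlsiL2FkbWluL2luZGV4Il0sImp0aSI6IjRkN2YyMzRjLTc4MGMtNDVlNC1iYjViLWZmYWJlNmI2YzQ5ZiIsImNsaWVudF9pZCI6ImNsaWVudF9pZCIsInNjb3BlIjpbIm9wZW5pZCJdfQ.BFipbmjUpnD8fdbg3lF8t0f65uPWycqBKYnwGLgUd3FdMctDISHQmuq341E9fP8uOWOvqLoBioPhBSALMfBK2AWYPtr7P442TH-GxbiNOPDuppwDKR9vEn5ELGwvFGwMfE6s-P5yWFULD78Q65EujuWURLJYwi03kpyvUBLeI_vGIIjqMbTFA7HnGYriQew5IpWzxaDv4JVy1LmWYQi--8eDMeOlr4HQZIqQdUp09x4vN2CrQRZ6lWxhdgTe8LOwW9xG5yrWrBDdYbPF4vnqt_S8inVzUP06mlEb_ZRwP4riHwAq-JS95yAdZQaZ5OY37Hx5yR3odLqiNMc-gN5VVA"
REFRESH_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX25hbWUiOiJhZG1pbiIsInNjb3BlIjpbIm9wZW5pZCJdLCJhdGkiOiI0ZDdmMjM0Yy03ODBjLTQ1ZTQtYmI1Yi1mZmFiZTZiNmM0OWYiLCJleHAiOjE1NTE0OTE3ODcsImF1dGhvcml0aWVzIjpbIi9hZG1pbi9pbmRleCJdLCJqdGkiOiI3OGI3ZjlkMi1mNmQ2LTQwZTctOGRlYS0yOTllYzBmYzI3YjUiLCJjbGllbnRfaWQiOiJjbGllbnRfaWQifQ.L8N7HE1pLolFPrWFxfy892ngnYWdpq9BOnZaSXX-7YQs2g6lFRfelHvn7TDd-qI34_8rkNOhn_OkrPMADf-2AqJejoSDpcj3YvUym9Jj7vTvcmgeXVlhneBb5Ma75t0AwSeTcYbRhMgJh7Th2bNtH4TmMWqghYUrx4qyrJIr_NQ26nPt_uE-2Hj9UhFgM46PjbmY3T8G4WfOlUDxcZCR2iEBqPiQA2mkH1HJq4--3b4oY4ZmqTT-sbx7JWq_1TePteLVx86NGwK7s9-J9zWLk3fUTo8cQIzG51ZR6JpQcoOiuJFyoyKhpNXKTnlbyJEtj1RI2H8Zq6aSR-TTez4J1A"

def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_unverified(token: str) -> tuple:
    """Return (header, claims) from the first two segments of a JWT.

    The RS256 signature is NOT checked here, so this is for inspection only.
    A resource server must verify the signature with the public key from
    /oauth/token_key, or call /oauth/check_token, before trusting any claim.
    """
    header_b64, claims_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64))

def is_expired(claims: dict, now: int = None) -> bool:
    """exp is a Unix timestamp; expires_in in the token response is derived from it."""
    now = int(time.time()) if now is None else now
    return claims["exp"] <= now

def refresh_belongs_to(access_claims: dict, refresh_claims: dict) -> bool:
    """Each token carries its own jti; the refresh token's ati names the jti of
    the access token it was issued with, and both name the same client and user."""
    return (refresh_claims.get("ati") == access_claims.get("jti")
            and refresh_claims.get("client_id") == access_claims.get("client_id")
            and refresh_claims.get("user_name") == access_claims.get("user_name"))
```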