spring-oauthorization-server整合

Spring Authorization Server 是一个框架，它提供了 OAuth 2.1和 OpenID Connect 1.0规范以及其他相关规范的实现。它构建在 Spring Security 之上，为构建 OpenID Connect 1.0 Identity Provider 和 OAuth2 Authorization Server 产品提供安全、轻量级和可定制的基础。

操作流程

1. http://127.0.0.1:8080/oauth2/authorization/oidc-client
2. http://127.0.0.1:8080/oauth2/authorization/github-idp

登录流程：参考

1. 浏览器登录认证
   http://127.0.0.1:9000/oauth2/authorize?response_type=code&client_id=oidc-client&scope=openid&redirect_uri=http://127.0.0.1:8080/login/oauth2/code/oidc-client

2. 点击同意，然后携带code跳转backUrl，并记录下登录成功后的请求cookie
   https://www.baidu.com/?code=HUGjsssss

3. 使用携带的code获取jwt
   使用postman请求

   • 设置header
     • Authorization: Basic b2lkYy1jbGllbnQ6c2VjcmV0Mg==
   • 开始POST请求
     http://localhost:9000/oauth2/token?redirect_uri=http://www.baidu.com&grant_type=authorization_code&code=HUGjsssss
   • 说明：
     将 clientId 和 clientSecret 通过 ‘:’ 号拼接，（ clientId 和 clientSecret 都在上面配置中，）并使用 Base64 进行编码得到一串字符，再在前面加个 注意有个 Basic 前缀（Basic后有一个空格）， 即得到上面参数中的 Basic b2lkYy1jbGllbnQ6c2VjcmV0
   • 结果

   {
   "access_token": "eyJraWQiOiI1ZDAwYWY2Ny1iNmIzLTQ1MTctOGE3Ny0zMTZlNjdhMzZmYzIiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIwMDAwMDAwIiwiYXVkIjoib2lkYy1jbGllbnQiLCJuYmYiOjE2OTM5OTMyMDUsInNjb3BlIjpbIm9wZW5pZCIsIm1lc3NhZ2UucmVhZCJdLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjkwMDAiLCJleHAiOjE2OTM5OTY4MDUsImlhdCI6MTY5Mzk5MzIwNX0.GjtBALGt2UWsG4U364NyV7kML8fpHLAryl2Puji5N3JG1y-Z5jBptZKnOENgY_u18RtA1Pf5slPvPyU0ohZJKFM5rAW057OoC6wZ8X2F8ingNJtXU4cO5wie3S3f2XrY3kIkqkX2tSJZMa_YsmSq5JF-B8ERCpN1ajN-0x9kcsSSbNgV0PTGxckbLJ-t87vvsTBfMPT5eMXSQuMYWGsdZOEPajvTeVSI-eVp4rDS4pWjL5QQRWv7GM1soKcgAl-49us7eQ2xWk9Auf5Gq8_WH9HhD7sEvD34xQWdWVgBZQ9dyLpl0NnNDkTjZwvAXGW8TYPt2tW31Wc0j07QbE7pMw",
   "refresh_token": "L-OMlvSRDBxUHLg_qL4IJVr97KKlT3dCO4KXzPVk3cIpxb2yowiMge35G3RdMi0t8gwtkIvtU7OW4f-pUS6aVVvEdDLbufwOKeD7QQb96MOEDGg6JpAeVWY2st2Kw72B",
   "scope": "openid message.read",
   "id_token": "eyJraWQiOiI1ZDAwYWY2Ny1iNmIzLTQ1MTctOGE3Ny0zMTZlNjdhMzZmYzIiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIwMDAwMDAwIiwiYXVkIjoib2lkYy1jbGllbnQiLCJhenAiOiJvaWRjLWNsaWVudCIsImF1dGhfdGltZSI6MTY5Mzk5MjYxNywiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo5MDAwIiwiZXhwIjoxNjkzOTk1MDA2LCJpYXQiOjE2OTM5OTMyMDYsInNpZCI6IkN3UjlSZWlvaVh6UkNvVW82ZHYwTEZhTHJSUk9VM0o5elpYLXF6NklVbFEifQ.MUbn7iblRGkwfQoUYYdLqbv1KDHZZBcTTE6FMkg3rs8pmBSkz6hYR9jA4cfc6bIwKucmiXuyypHxb2JXjSDxSLKhY2htP0SIHh3B182A7CvseY_3hzoO5fX6-HIrIaAFFKL1HP24XPc0r2Mj4GrFQhv_Cf9wn7sIPa35zVGNH_gR_6ooiYBnUd8uGFSueqQS_BsIbs_PSCJa5dfx0LoCy9JjMNZLulB7QiNNjx8XVKHlk0ZErW7HeT-K2bp5UQ7yryC8nCaIlS2M0mBJG6MTjyiBnGxlXul3Or42gH76nAagIKg7JwmLV2vafMRB1w2NRGjhRvVBxaryl7uAYruHkQ",
   "token_type": "Bearer",
   "expires_in": 3600
   }
   

4. 使用得到的token获取用户信息

   • 设置header
     • Authorization: Bearer ${access_token}
   • POST请求
     http://localhost:9000/userinfo
   • 结果

     {
     "sub": "0000000"
     }
   

服务端代码

server:
  port: 9000

    @Bean
    @Order(1)
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
                .oidc(Customizer.withDefaults());
        http.exceptionHandling(exception -> exception
                .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")));
        return http.build();
    }

    @Bean
    @Order(2)
    public SecurityFilterChain appSecurityFilterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests(auth -> auth
                        .anyRequest().authenticated()
                )
                .formLogin(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        var user1 = User.withUsername("user")
                .password("password")
                .authorities("read")
                .build();
        return new InMemoryUserDetailsManager(user1);
    }

服务端代码

spring:
  security:
    oauth2:
      client:
        registration:
          myoauth2:
            provider: spring
            client-id: client
            client-secret: secret
            redirect-uri: http://127.0.0.1:8080/login/oauth2/code/myoauth2
            scope: openid
            authorization-grant-type: authorization_code
        provider:
          spring:
            issuer-uri: http://localhost:9000
server:
  port: 8080

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests(authorize -> authorize
                        .anyRequest().authenticated())
                .oauth2Login(oauth2Login ->
                        oauth2Login.loginPage("/oauth2/authorization/myoauth2"))
                .oauth2Client(withDefaults());
        return http.build();
    }

参考代码

https://github.com/shenshuxin01/grpc-springboot/tree/oauth2