【Spring Security OAuth2】客户端授权模式(client credentials)~授权服务配置
本文以最简配置搭建一个授权服务,让大家初步了解授权服务及相关表。
token 存于数据库中
例子基于Spring Boot 2.1.7.RELEASE ,使用mysql数据库
参考资源: Authorization Server Configuration
- 添加一个实现了
AuthorizationServerConfigurer接口的实现类且使用@EnableAuthorizationServer注解进行标注
AuthorizationServerConfigurer接口的实现类是AuthorizationServerConfigurerAdapter ,这里我们继承AuthorizationServerConfigurerAdapter
/**
* Created by liuquan on 2019/8/11.
*/
@Configuration
@EnableAuthorizationServer
public class CustomAuthorizationServerConfigurer extends AuthorizationServerConfigurerAdapter {
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
}
}
@EnableAuthorizationServer注解会导入两个配置类AuthorizationServerEndpointsConfiguration、AuthorizationServerSecurityConfiguration
- 我们来看看
AuthorizationServerEndpointsConfiguration这个配置类
init()会调用AuthorizationServerConfigurer接口中的configure(AuthorizationServerEndpointsConfigurer endpoints)方法,稍后我们将重写该方法
这里可以看出,如果我们没有为AuthorizationServerEndpointsConfigurer设置tokenService属性,则默认使用DefaultTokenServices
从上图可以看到DefaultTokenServices中设置了TokenStore对象,那TokenStore是做什么用的呢?
Persistence interface for OAuth2 tokens.
从代码中的注释可以知道TokenStore是:OAuth2 令牌的持久化接口。其实现类有多个,如下图:
如果没有为AuthorizationServerEndpointsConfigurer对象设置tokenStore属性,则默认采用JwtTokenStore或InMemoryTokenStore,本例子采用数据库存储token,故重写AuthorizationServerConfigurer接口中的configure(AuthorizationServerEndpointsConfigurer endpoints)方法设置tokenStore
@Configuration
@EnableAuthorizationServer
public class CustomAuthorizationServerConfigurer extends AuthorizationServerConfigurerAdapter {
@Autowired
private DataSource dataSource;
@Bean
public TokenStore tokenStore(){
return new JdbcTokenStore(dataSource);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenStore(tokenStore());
}
}
- 我们来看看
AuthorizationServerSecurityConfiguration这个配置类
图上两个方法会调用AuthorizationServerConfigurer接口中的configure(ClientDetailsServiceConfigurer clients)方法和configure(AuthorizationServerSecurityConfigurer security)方法,稍后我们将重写这两个方法 - 我们来看看
ClientDetailsServiceConfiguration这个配置类
35行,创建一个ClientDetailServiceBuilder对象并通过构造函数传入ClientDetailServiceConfigurer对象,最终ClientDetailsServiceBuilder对象是存入到SecurityConfigurerAdapter类的securityBuilder属性中
ClientDetailsServiceConfigurer是SecurityConfigurerAdapter的子类,故46行中configurer.and()得到的是securityBuilder属性,也就是35行存入的ClientDetailsServiceBuilder对象
46行的configurer.and().build()实际调用的是ClientDetailsServiceBuilder.build()
上图中的82行抛出一个异常,也就是说我们不能直接使用ClientDetailsServiceBuilder对象,那应该使用哪个对象呢?
ClientDetailsServiceBuilder有两个子类,这里我们使用JdbcClientDetailsServiceBuilder
既然已经确定了替代类,那如何改变ClientDetailsServiceConfigurer对象中的builder对象呢
这时候就可以通过重写AuthorizationServerConfigurer接口中的configure(ClientDetailsServiceConfigurer clients)方法来改变builder对象
/**
* Created by liuquan on 2019/8/11.
*/
@Configuration
@EnableAuthorizationServer
public class CustomAuthorizationServerConfigurer extends AuthorizationServerConfigurerAdapter {
@Autowired
private DataSource dataSource;
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.jdbc(dataSource);
}
}
注:以上只是解决方式之一,还有其它方式可以解决相同问题
- 我们来看看
AuthorizationServerSecurityConfigurer这个配置类
AuthorizationServerSecurityConfigurer对象中需要注入一个PasswordEncoder,通过重写AuthorizationServerConfigurer接口中的configure(AuthorizationServerSecurityConfigurer security)方法来实现
/**
* Created by liuquan on 2019/8/11.
*/
@Configuration
@EnableAuthorizationServer
public class CustomAuthorizationServerConfigurer extends AuthorizationServerConfigurerAdapter {
@Bean
public PasswordEncoder passwordEncoder(){
return new CustomPasswordEncoder();
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.allowFormAuthenticationForClients()
.tokenKeyAccess("permitAll()")
.checkTokenAccess("permitAll()")
.passwordEncoder(passwordEncoder());//若不设置会报错
}
}
至此,授权服务最简配置完成。
此处涉及三张表分别是oauth_client_details、oauth_access_token、oauth_refresh_token,Spring Security OAuth2提供了表结构
https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/test/resources/schema.sql
这里提供mysql版本
DROP TABLE IF EXISTS `oauth_client_details`;
CREATE TABLE `oauth_client_details` (
`client_id` varchar(255) NOT NULL,
`resource_ids` varchar(255) DEFAULT NULL,
`client_secret` varchar(255) DEFAULT NULL,
`scope` varchar(255) DEFAULT NULL,
`authorized_grant_types` varchar(255) DEFAULT NULL,
`web_server_redirect_uri` varchar(255) DEFAULT NULL,
`authorities` varchar(255) DEFAULT NULL,
`access_token_validity` int(11) DEFAULT NULL,
`refresh_token_validity` int(11) DEFAULT NULL,
`additional_information` text,
`autoapprove` varchar(255) DEFAULT 'false',
PRIMARY KEY (`client_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
DROP TABLE IF EXISTS `oauth_access_token`;
CREATE TABLE `oauth_access_token` (
`token_id` varchar(255) DEFAULT NULL,
`token` blob,
`authentication_id` varchar(255) DEFAULT NULL,
`user_name` varchar(255) DEFAULT NULL,
`client_id` varchar(255) DEFAULT NULL,
`authentication` blob,
`refresh_token` varchar(255) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
DROP TABLE IF EXISTS `oauth_refresh_token`;
CREATE TABLE `oauth_refresh_token` (
`token_id` varchar(255) DEFAULT NULL,
`token` blob,
`authentication` blob
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
相应的类为:JdbcClientDetailsService、JdbcTokenStore
表oauth_client_details需要我们初始化
INSERT INTO `oauth_client_details` VALUES ('app', null, 'app', 'all', 'authorization_code,refresh_token,password,client_credentials', '', 'ADMIN', '60', '60', null, 'false');
oauth_client_details.resource_ids 为空可访问全部资源,多个资源ID用[,]分隔,限制可访问的资源
oauth_client_details.authorized_grant_types 可选值:
authorization_code、client_credentials、implicit、refresh_token、password
- Postman 获取 Token
请求结果
demo:spring-security-oauth2-authorization-server