SpringSecurity+OAUTH2集成多种登录方式

一、目前OAUTH2的提供了四种授权类型

Authorization Code（授权码模式）：授权码模式， 通过授权码获取token进行资源访问。
Implicit（简化模式）：用于移动应用程序或 Web 应用程序，这种模式比授权码模式少了code环节，回调url直接附带token。
Resource Owner Password Credentials（密码模式）：资源所有者和客户端之间具有高度信任时（例如，客户端是设备的操作系统的一部分，或者是一个高度特权应用程序， 比如APP， 自研终端等），因为client可能存储用户密码。
Client Credentials（客户端模式）：该模式直接根据client端的id和密钥即可获取token， 不需要用户参与， 适合内部的API应用服务使用。

但是在应用开发过程中，还存在多种登录方式，比如手机验证码、二维码扫码、微信登录等，如何在OAUTH2中集成其他多种登录方式。我们拿手机验证码登录模式举例，其他类型登录模式可以按照这种方式改造。

二、WEB端手机验证码登录

首先创建一个filter命名PhoneNumberAuthenticationFilter，该filter继承AbstractAuthenticationProcessingFilter类，oauth2自带的授权模式都是继承的该类，可以仿照password授权模式的过滤器UsernamePasswordAuthenticationFilter修改，修改请求地址为/phone/login，修改自己的参数。

public class PhoneNumberAuthenticationFilter extends
        AbstractAuthenticationProcessingFilter {

    public static final String SPRING_SECURITY_FORM_PHONE_KEY = "phone";
    public static final String SPRING_SECURITY_FORM_CODE_KEY = "code";

    private String phoneParameter = SPRING_SECURITY_FORM_PHONE_KEY;
    private String codeParameter = SPRING_SECURITY_FORM_CODE_KEY;
    private boolean postOnly = true;

    public PhoneNumberAuthenticationFilter() {
        super(new AntPathRequestMatcher("/phone/login", "POST"));
    }

    public Authentication attemptAuthentication(HttpServletRequest request,
                                                HttpServletResponse response) throws AuthenticationException {
        if (postOnly && !request.getMethod().equals("POST")) {
            throw new AuthenticationServiceException(
                    "Authentication method not supported: " + request.getMethod());
        }

        String phone = obtainPhone(request);
        if (phone == null) {
            phone = "";
        }
        phone = phone.trim();

        String code = obtainCode(request);

        PhoneNumAuthenticationToken authRequest = new PhoneNumAuthenticationToken(
                phone, code);

        setDetails(request, authRequest);

        return this.getAuthenticationManager().authenticate(authRequest);
    }

    protected String obtainPhone(HttpServletRequest request) {
        return request.getParameter(phoneParameter);
    }

    protected String obtainCode(HttpServletRequest request) {
        return request.getParameter(codeParameter);
    }

    protected void setDetails(HttpServletRequest request,
                              PhoneNumAuthenticationToken authRequest) {
        authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
    }

}

创建自己的token类PhoneNumAuthenticationToken。

public class PhoneNumAuthenticationToken extends AbstractAuthenticationToken {

    private static final long serialVersionUID = 420L;
    private final Object phone;
    private Object code;

    public PhoneNumAuthenticationToken(Object phone, Object code) {
        super(null);
        this.phone = phone;
        this.code = code;
        this.setAuthenticated(false);
    }

    public PhoneNumAuthenticationToken(Object phone, Object code, Collection authorities) {
        super(authorities);
        this.phone = phone;
        this.code = code;
        super.setAuthenticated(true);
    }

    public Object getCredentials() {
        return this.code;
    }

    public Object getPrincipal() {
        return this.phone;
    }

    public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
        if (isAuthenticated) {
            throw new IllegalArgumentException("Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
        } else {
            super.setAuthenticated(false);
        }
    }

    public void eraseCredentials() {
        super.eraseCredentials();
        this.code = null;
    }
}

filter中要执行

this.getAuthenticationManager().authenticate(authRequest);

所以还要新增一个provider类PhoneAuthenticationProvider。

@Component
public class PhoneAuthenticationProvider implements AuthenticationProvider {

    @Autowired
    private IDaaSUserDetailsManager iDaaSUserDetailsManager;
    @Autowired
    private ValidateCodeRepository validateCodeRepository;

    /**
     * 手机号、验证码的认证逻辑
     * @param authentication 其实就是我们封装的 PhoneNumAuthenticationToken
     * @return
     * @throws AuthenticationException
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        PhoneNumAuthenticationToken token = (PhoneNumAuthenticationToken) authentication;
        String phone = (String) authentication.getPrincipal();// 获取手机号
        String code = (String) authentication.getCredentials(); // 获取输入的验证码
        //从数据库获取验证码
        ValidateCode validateCode = validateCodeRepository.queryLastCodeByPhoneType(phone,"1");
        if(null == validateCode){
            throw new BadCredentialsException("不存在短信发送记录，请重新发送");
        }
        String phoneNum = validateCode.getCode();
        if (!phoneNum.equals(code)) {
            throw new PhoneNumBadCredentialsException("验证码不正确");
        }
        if(DateUtils.differenceSecond(new Date(),validateCode.getValidateTime())>0){
            throw new PhoneNumBadCredentialsException("该验证码已经失效，请重新发送，验证码有效期10分钟");
        }
        if(validateCode.getIfUse().equals("1")){
            throw new PhoneNumBadCredentialsException("该验证码已经使用，请重新发送");
        }
        // 2. 根据手机号查询用户信息
        UserDetails userDetails = (UserDetails) iDaaSUserDetailsManager.loadUserByUsername(phone);
        if (userDetails == null) {
            throw new PhoneNumBadCredentialsException("用户不存在，请联系管理员开通");
        }
        // 3. 把用户封装到 PhoneNumAuthenticationToken 中，
        // 后面就可以使用 SecurityContextHolder.getContext().getAuthentication(); 获取当前登陆用户信息
        PhoneNumAuthenticationToken authenticationResult = new PhoneNumAuthenticationToken(userDetails, code, userDetails.getAuthorities());
        authenticationResult.setDetails(token.getDetails());
        return authenticationResult;
    }


    /**
     * 判断是上面 authenticate 方法的 authentication 参数，是哪种类型
     * Authentication 是个接口，实现类有很多，目前我们最熟悉的就是 PhoneNumAuthenticationToken、UsernamePasswordAuthenticationToken
     * 很明显，我们只支持 PhoneNumAuthenticationToken，因为它封装的是手机号、验证码
     * @param authentication
     * @return
     */
    @Override
    public boolean supports(Class authentication) {
        // 如果参数是 PhoneNumAuthenticationToken 类型，返回true
        return (PhoneNumAuthenticationToken.class.isAssignableFrom(authentication));
    }
}

我们只需要做一个html页面，创建一个form请求，url为：/phone/login，参数用phone和code进行请求即可返回token。

三、移动端手机验证码登录

首先在oauth_client_details表authorized_grant_types增加新的授权方式，比如sms.

然后找到源码里面的AuthorizationServerEndpointsConfigurer类，在自己工程的相同目录下面创建相同类名的AuthorizationServerEndpointsConfigurer，并修改getDefaultTokenGranters方法下面添加自己的授权模式SmsTokenGranter。

public final class AuthorizationServerEndpointsConfigurer {

    private AuthorizationServerTokenServices tokenServices;

    private ConsumerTokenServices consumerTokenServices;

    private AuthorizationCodeServices authorizationCodeServices;

    private ResourceServerTokenServices resourceTokenServices;

    private TokenStore tokenStore;

    private TokenEnhancer tokenEnhancer;

    private AccessTokenConverter accessTokenConverter;

    private ApprovalStore approvalStore;

    private TokenGranter tokenGranter;

    private OAuth2RequestFactory requestFactory;

    private OAuth2RequestValidator requestValidator;

    private UserApprovalHandler userApprovalHandler;

    private AuthenticationManager authenticationManager;

    private ClientDetailsService clientDetailsService;

    private String prefix;

    private Map patternMap = new HashMap();

    private Set allowedTokenEndpointRequestMethods = new HashSet();

    private FrameworkEndpointHandlerMapping frameworkEndpointHandlerMapping;

    private boolean approvalStoreDisabled;

    private List