image.png
1、OAuth 2.0简介
为了给用户更好的使用体验,一个互联网应用会请求用户授权获取另外一个应用,在获取授权之后就可以获取其他应用的资源,从而更好的为用户服务。
OAuth 2.0 就是帮助用户新型第三方应用授权的协议,基本上成为行业认证授权的标准,不管是用于第三方授权还是 当前 自身应用授权。
1.1、OAuth 2.0 执行流程
image.png
1.2、组件介绍
- Client:作为访问应用的客户端,也就是需要经过授权才能访问资源的应用程序
- Resource Owner:即资源所有者,例子中的用户,他可以授予应用,也就是 Client,对受保护资源的访问权限的实体。
- Authorization Server:即授权服务器,其作用是在 Resource Owner 验证并给予 Client 授权后,通过 Authorization Server 向 Client 颁发访问的令牌。
- Resource Server:即资源服务器,它是用来存放资源的,在例子中用来存放电子照片,当 Client 使用令牌访问它的时候,它会接受响应并返回 Resource Owner 所保护的资源。
1.3、4 种授权模式
这里列举 4 种授权模式,分别是:
客户端模式 :只对客户端 进行校验
密码模式:对用户+密码 校验
授权码模式 :用用户名+密码获取授权码,再在回调地址中利用 授权码 获取token
隐含授权模式:这里不讲,用得少。
2、SpringCloud集成oauth2.0之客户端模式搭建
指客户端以自己的名义,而不是以用户的名义,向授权服务器进行认证。在这种模式中,用户直接向客户端注册,客户端以自己的名义要求授权服务器提供服务,不存在授权问题。粒度较粗,只要是 认证过的 客户端即可, 用来 避免 来源不明的客户端 进行接口调用。
2.1、SpringCloud之oauth2.0 权限校验总体流程
不管是什么模式,只要是oauth2.0 基本上都是这个流程。只不过不同模式 校验的 资源所有者(客户端,用户名+密码, 用户名+密码+授权码)有所不同。
image.png
2.2、认证服务器服务 搭建
2.2.1、新建一个springboot子工程
pom依赖
org.springframework.cloud
spring-cloud-starter-netflix-eureka-client
org.springframework.boot
spring-boot-starter-data-redis
org.springframework.boot
spring-boot-starter-web
org.springframework.cloud
spring-cloud-starter-oauth2
org.springframework.cloud
spring-cloud-starter-security
org.springframework.security
spring-security-data
2.2.2、配置文件
# 注册到注册中心配置
spring.application.name=oauth-client-server
#spring.cloud.controller.uri= http://localhost:9009/
server.port=9051
#eureka.client.service-url.defaultZone=http://localhost:9001/eureka/
eureka.client.serviceUrl.defaultZone=http://admin:admin@localhost:9001/eureka/
# redis配置
spring.redis.database=1
spring.redis.host=maomaoyu.xyz
spring.redis.port=6379
spring.redis.password=123456
# 打印日志
logging.level.org.springframework.security=debug
2.2.3、代码配置
2.2.3.1、认证服务器配置
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
private AuthenticationManager authenticationManager;
@Autowired
private RedisConnectionFactory connectionFactory;
@Autowired
private UserDetailsService userDetailsService;
@Bean
public TokenStore tokenStore() {
return new MyRedisTokenStore(connectionFactory);
}
/*
* AuthorizationServerEndpointsConfigurer:用来配置授权(authorization)以及令牌(token)的访问端点和令牌服务(token services)。
* */
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints
.authenticationManager(authenticationManager)
.userDetailsService(userDetailsService)//若无,refresh_token会有UserDetailsService is required错误
.tokenStore(tokenStore()).
allowedTokenEndpointRequestMethods(HttpMethod.GET,HttpMethod.POST);
}
/*
* AuthorizationServerSecurityConfigurer 用来配置令牌端点(Token Endpoint)的安全约束
* */
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
// 允许表单认证
security.allowFormAuthenticationForClients().tokenKeyAccess("permitAll()")
.checkTokenAccess("isAuthenticated()");
}
/*
ClientDetailsServiceConfigurer:用来配置客户端详情服务(ClientDetailsService),客户端详情信息在这里进行初始化,你能够把客户端详情信息写死在这里或者是通过数据库来存储调取详情信息
* 1.授权码模式(authorization code)
2.简化模式(implicit)
3.密码模式(resource owner password credentials)
4.客户端模式(client credentials)
* */
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
String finalSecret = "{bcrypt}" + new BCryptPasswordEncoder().encode("123456");
// 可以采用数据库客户端信息,也可以采用内存。
clients.
// jdbc(dataSource).
inMemory().
withClient("micro-user")
.resourceIds("micro-user")
.authorizedGrantTypes("client_credentials", "refresh_token")
.scopes("all","read", "write","aa")
.authorities("client_credentials")
.secret(finalSecret)
.accessTokenValiditySeconds(1200)
.refreshTokenValiditySeconds(50000)
.and()
.withClient("micro-order")
.resourceIds("micro-order")
.authorizedGrantTypes("password", "refresh_token")
.scopes("server")
.authorities("password")
.secret(finalSecret)
.accessTokenValiditySeconds(1200)
.refreshTokenValiditySeconds(50000);
}
}
2.2.3.2、安全配置
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Bean
@Override
protected UserDetailsService userDetailsService() {
// 理论上 客户端 不需要配置用户
BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();
String finalPassword = "{bcrypt}" + bCryptPasswordEncoder.encode("123456");
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(User.withUsername("admin").password(finalPassword).authorities("USER").build());
manager.createUser(User.withUsername("liuben").password(finalPassword).authorities("123456").build());
return manager;
}
/*@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService()).passwordEncoder(new BCryptPasswordEncoder());;
}*/
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
AuthenticationManager manager = super.authenticationManagerBean();
return manager;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
// http.requestMatchers().anyRequest()
// .and()
// .authorizeRequests()
// .antMatchers("/oauth/**").permitAll();
// /oauth/** 用户获取token
// /actuator/** 服务监控接口也不用 拦截
http.authorizeRequests()
.antMatchers("/oauth/**","/actuator/**").permitAll()
.and()
.httpBasic().disable();
}
}
2.2.3.3、redis管理token配置
public class MyRedisTokenStore implements TokenStore {
private static final String ACCESS = "access:";
private static final String AUTH_TO_ACCESS = "auth_to_access:";
private static final String AUTH = "auth:";
private static final String REFRESH_AUTH = "refresh_auth:";
private static final String ACCESS_TO_REFRESH = "access_to_refresh:";
private static final String REFRESH = "refresh:";
private static final String REFRESH_TO_ACCESS = "refresh_to_access:";
private static final String CLIENT_ID_TO_ACCESS = "client_id_to_access:";
private static final String UNAME_TO_ACCESS = "uname_to_access:";
private final RedisConnectionFactory connectionFactory;
private AuthenticationKeyGenerator authenticationKeyGenerator = new DefaultAuthenticationKeyGenerator();
private RedisTokenStoreSerializationStrategy serializationStrategy = new JdkSerializationStrategy();
private String prefix = "";
public MyRedisTokenStore(RedisConnectionFactory connectionFactory) {
this.connectionFactory = connectionFactory;
}
public void setAuthenticationKeyGenerator(AuthenticationKeyGenerator authenticationKeyGenerator) {
this.authenticationKeyGenerator = authenticationKeyGenerator;
}
public void setSerializationStrategy(RedisTokenStoreSerializationStrategy serializationStrategy) {
this.serializationStrategy = serializationStrategy;
}
public void setPrefix(String prefix) {
this.prefix = prefix;
}
private RedisConnection getConnection() {
return connectionFactory.getConnection();
}
private byte[] serialize(Object object) {
return serializationStrategy.serialize(object);
}
private byte[] serializeKey(String object) {
return serialize(prefix + object);
}
private OAuth2AccessToken deserializeAccessToken(byte[] bytes) {
return serializationStrategy.deserialize(bytes, OAuth2AccessToken.class);
}
private OAuth2Authentication deserializeAuthentication(byte[] bytes) {
return serializationStrategy.deserialize(bytes, OAuth2Authentication.class);
}
private OAuth2RefreshToken deserializeRefreshToken(byte[] bytes) {
return serializationStrategy.deserialize(bytes, OAuth2RefreshToken.class);
}
private byte[] serialize(String string) {
return serializationStrategy.serialize(string);
}
private String deserializeString(byte[] bytes) {
return serializationStrategy.deserializeString(bytes);
}
@Override
public OAuth2AccessToken getAccessToken(OAuth2Authentication authentication) {
String key = authenticationKeyGenerator.extractKey(authentication);
byte[] serializedKey = serializeKey(AUTH_TO_ACCESS + key);
byte[] bytes = null;
RedisConnection conn = getConnection();
try {
bytes = conn.get(serializedKey);
} finally {
conn.close();
}
OAuth2AccessToken accessToken = deserializeAccessToken(bytes);
if (accessToken != null) {
OAuth2Authentication storedAuthentication = readAuthentication(accessToken.getValue());
if ((storedAuthentication == null || !key.equals(authenticationKeyGenerator.extractKey(storedAuthentication)))) {
// Keep the stores consistent (maybe the same user is
// represented by this authentication but the details have
// changed)
storeAccessToken(accessToken, authentication);
}
}
return accessToken;
}
@Override
public OAuth2Authentication readAuthentication(OAuth2AccessToken token) {
return readAuthentication(token.getValue());
}
@Override
public OAuth2Authentication readAuthentication(String token) {
byte[] bytes = null;
RedisConnection conn = getConnection();
try {
bytes = conn.get(serializeKey(AUTH + token));
} finally {
conn.close();
}
OAuth2Authentication auth = deserializeAuthentication(bytes);
return auth;
}
@Override
public OAuth2Authentication readAuthenticationForRefreshToken(OAuth2RefreshToken token) {
return readAuthenticationForRefreshToken(token.getValue());
}
public OAuth2Authentication readAuthenticationForRefreshToken(String token) {
RedisConnection conn = getConnection();
try {
byte[] bytes = conn.get(serializeKey(REFRESH_AUTH + token));
OAuth2Authentication auth = deserializeAuthentication(bytes);
return auth;
} finally {
conn.close();
}
}
@Override
public void storeAccessToken(OAuth2AccessToken token, OAuth2Authentication authentication) {
byte[] serializedAccessToken = serialize(token);
byte[] serializedAuth = serialize(authentication);
byte[] accessKey = serializeKey(ACCESS + token.getValue());
byte[] authKey = serializeKey(AUTH + token.getValue());
byte[] authToAccessKey = serializeKey(AUTH_TO_ACCESS + authenticationKeyGenerator.extractKey(authentication));
byte[] approvalKey = serializeKey(UNAME_TO_ACCESS + getApprovalKey(authentication));
byte[] clientId = serializeKey(CLIENT_ID_TO_ACCESS + authentication.getOAuth2Request().getClientId());
RedisConnection conn = getConnection();
try {
conn.openPipeline();
conn.stringCommands().set(accessKey, serializedAccessToken);
conn.set(authKey, serializedAuth);
conn.set(authToAccessKey, serializedAccessToken);
if (!authentication.isClientOnly()) {
conn.rPush(approvalKey, serializedAccessToken);
}
conn.rPush(clientId, serializedAccessToken);
if (token.getExpiration() != null) {
int seconds = token.getExpiresIn();
conn.expire(accessKey, seconds);
conn.expire(authKey, seconds);
conn.expire(authToAccessKey, seconds);
conn.expire(clientId, seconds);
conn.expire(approvalKey, seconds);
}
OAuth2RefreshToken refreshToken = token.getRefreshToken();
if (refreshToken != null && refreshToken.getValue() != null) {
byte[] refresh = serialize(token.getRefreshToken().getValue());
byte[] auth = serialize(token.getValue());
byte[] refreshToAccessKey = serializeKey(REFRESH_TO_ACCESS + token.getRefreshToken().getValue());
conn.set(refreshToAccessKey, auth);
byte[] accessToRefreshKey = serializeKey(ACCESS_TO_REFRESH + token.getValue());
conn.set(accessToRefreshKey, refresh);
if (refreshToken instanceof ExpiringOAuth2RefreshToken) {
ExpiringOAuth2RefreshToken expiringRefreshToken = (ExpiringOAuth2RefreshToken) refreshToken;
Date expiration = expiringRefreshToken.getExpiration();
if (expiration != null) {
int seconds = Long.valueOf((expiration.getTime() - System.currentTimeMillis()) / 1000L)
.intValue();
conn.expire(refreshToAccessKey, seconds);
conn.expire(accessToRefreshKey, seconds);
}
}
}
conn.closePipeline();
} finally {
conn.close();
}
}
private static String getApprovalKey(OAuth2Authentication authentication) {
String userName = authentication.getUserAuthentication() == null ? ""
: authentication.getUserAuthentication().getName();
return getApprovalKey(authentication.getOAuth2Request().getClientId(), userName);
}
private static String getApprovalKey(String clientId, String userName) {
return clientId + (userName == null ? "" : ":" + userName);
}
@Override
public void removeAccessToken(OAuth2AccessToken accessToken) {
removeAccessToken(accessToken.getValue());
}
@Override
public OAuth2AccessToken readAccessToken(String tokenValue) {
byte[] key = serializeKey(ACCESS + tokenValue);
byte[] bytes = null;
RedisConnection conn = getConnection();
try {
bytes = conn.get(key);
} finally {
conn.close();
}
OAuth2AccessToken accessToken = deserializeAccessToken(bytes);
return accessToken;
}
public void removeAccessToken(String tokenValue) {
byte[] accessKey = serializeKey(ACCESS + tokenValue);
byte[] authKey = serializeKey(AUTH + tokenValue);
byte[] accessToRefreshKey = serializeKey(ACCESS_TO_REFRESH + tokenValue);
RedisConnection conn = getConnection();
try {
conn.openPipeline();
conn.get(accessKey);
conn.get(authKey);
conn.del(accessKey);
conn.del(accessToRefreshKey);
// Don't remove the refresh token - it's up to the caller to do that
conn.del(authKey);
List2.2.3.4、提供 权限校验接口
这个接口 用于 下游服务 拿到token后,请求 认证服务器的该接口,用于 向认证服务器 校验该token 是否合法,合法的话会返回 认证信息。
@Slf4j
@RestController
@RequestMapping("/security")
public class SecurityController {
@RequestMapping(value = "/check", method = RequestMethod.GET)
public Principal getUser(Principal principal) {
log.info(principal.toString());
return principal;
}
}
2.2.4、获取token
调用 这个认证服务器的获取token接口 /oauth/token,并传入以下参数
- grant_type : 授权类型, client_credentials 为 客户端认证
- scope :权限范围 , 在代码中配置的客户端详情里有"all","read", "write","aa",随便传一种
- client_id :客户端id,代码里配置的
- client_secret : 客户端 密码 , 代码配置的
image.png
上述 客户端模式的配置, 调用接口,参数如下:
image.png
可以看到已经成功的返回的token。
2.3、资源服务器搭建
SpringCloud项目中的下游服务 就是 对应 oauth2.0的模型中, 受保护的资源服务(Resource Server),需要进行权限校验后才能 正常访问。
我们把之前的micro-user服务改成 资源服务器,让他的接口需要权限校验。(上面代码已经配置了clientId为 micro-user服务的客户端 是可以访问资源的)。
之后 调用micro-user服务 就需要传有效的token才能访问。
2.3.1、pom依赖
org.springframework.boot
spring-boot-starter-security
org.springframework.cloud
spring-cloud-starter-oauth2
2.3.2、启动类
加上 @EnableResourceServer, 表示该服务是 受保护的 资源服务。
@SpringBootApplication
@EnableFeignClients(clients = OrderService.class)
// 多加了这个注解
@EnableResourceServer
public class MicroUserApplication {
public static void main(String[] args) {
SpringApplication.run(MicroUserApplication.class);
}
}
2.3.3、配置文件
只需要配置 认证服务器 校验token的接口地址就行。
security.oauth2.resource.user-info-uri=http://127.0.0.1:9051/security/check
security.oauth2.resource.prefer-token-info=false
2.3.4、提供一个测试接口
@RequestMapping("/user")
@RestController
@RefreshScope
public class ConfigController {
@Value("${username}")
private String username;
@GetMapping("/getUsername")
public String getUsername() {
return username;
}
}
2.3.5、测试是否可以访问该服务下的接口
token的传递 必须放在 请求头Authorization,值为 前缀bearer(token的类型)+ 空格 + token
1、不传token,报401,未授权
image.png
2、传错误的token,报401,token不合法
image.png
3、传正确的token,鉴权成功,可以成功调用接口
image.png
认证服务器也会打印鉴权成功的日志
image.png
这就说明, 客户端模式下, 权限校验 已经搭建成功了。
3、网关配置
注意:网关只做路由的功能, 不需要权限校验。
上面我们是直接调用 micro-user 服务的接口,发现 权限校验是可以生效的,那么由网关路由到 micro-user服务的接口呢?
其实也是 可以生效的, 最重要的是 要把 token 传递到 下游的 micro-user 服务中去,不要被过滤掉了,不然就无法向认证服务器 鉴权。
那SpringCloud里的Zuul组件里 默认是会 过滤掉Cookie, Set-Cookie, Authorization 这三个包含敏感信息的 请求头, 需要配置下不过滤。
zuul.routes.micro-user.sensitive-headers=
# 这个配置视版本而定
zuul.routes.micro-user.customSensitiveHeaders=true