Shulou (Shulou.com) 06/02 Report. Updated 2025-02-27. From: SLTechnology News&Howtos > Internet Technology
In this issue, the editor walks you through the process of getting started with oauth2. The article is rich in content and is analysed from a professional point of view. I hope you get something out of reading it.
1. Quick start

Step 1: Add the dependencies to the project

You need to import two dependencies: the yishuifengxiao common component (common-spring-boot-starter) and spring-security-oauth2-autoconfigure.

```xml
<dependency>
    <groupId>org.springframework.security.oauth.boot</groupId>
    <artifactId>spring-security-oauth2-autoconfigure</artifactId>
    <version>2.2.0.RELEASE</version>
</dependency>
<dependency>
    <groupId>com.yishuifengxiao.common</groupId>
    <artifactId>common-spring-boot-starter</artifactId>
    <version>4.1.22</version>
</dependency>
```

Step 2: Add the following code

```java
@Configuration
public class CustomOauth2Config extends OAuth2Config {
}
```

Step 3: Add the enabling annotations

Add the @EnableResourceServer and @EnableAuthorizationServer annotations.
The complete sample code with everything enabled is as follows:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
// AbstractSecurityConfig and OAuth2Config come from the yishuifengxiao starter

@Configuration
@EnableWebSecurity
@EnableResourceServer
@EnableAuthorizationServer
public class SecurityConfig extends AbstractSecurityConfig {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // call the default configuration in the parent class
        applyAuthenticationConfig(http);
    }

    // nested configuration class; declared static so that Spring can instantiate it
    @Configuration
    public static class CustomOauth2Config extends OAuth2Config {
    }
}
```

Step 4: Implement custom authentication logic
Implement the ClientDetailsService and UserDetailsService interfaces with your own authentication logic, and register the implementations as beans in the Spring context.
[Special note] If you skip this step and do not configure your own authorization logic, the component falls back to a default implementation, under which any user name can log in with the password 12345678. That default is only suitable for a local trial and must be replaced before the server is reachable by anyone else.
Note that, in the authorization methods below, ClientDetailsService is responsible for verifying that clientId and clientSecret are correct, and UserDetailsService is responsible for verifying that username and password are correct.
After completing the steps above, a simple oauth2 authorization server is in place.
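An added example, not code from the article or from the yishuifengxiao starter, of one way to carry out step 4: in-memory ClientDetailsService and UserDetailsService beans. The client id yishui, the redirect URI and the user johndoe are taken from the requests shown later on this page; the client secret is a placeholder, and the class name, bean names and the use of a delegating PasswordEncoder are assumptions.

```java
import java.util.Map;
import java.util.Set;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.provider.*;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;

// Added example, not code from the article or the yishuifengxiao starter.
@Configuration
public class CustomAuthConfig {

    // Delegating encoder stores "{bcrypt}..." hashes, so the same bean also suits
    // Spring Security's default DaoAuthenticationProvider.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Step 4a: ClientDetailsService checks the clientId / clientSecret carried in
    // the Basic Authorization header of every /oauth/token request.
    @Bean
    public ClientDetailsService clientDetailsService(PasswordEncoder encoder) {
        BaseClientDetails client = new BaseClientDetails("yishui", null, "read,write,trust",
                "password,client_credentials,authorization_code,implicit,refresh_token",
                "ROLE_CLIENT");
        client.setClientSecret(encoder.encode("CHANGE-ME-client-secret")); // placeholder
        client.setRegisteredRedirectUri(Set.of("http://demo.yishuifengxiao.com/demo"));
        client.setAccessTokenValiditySeconds(43199);
        Map<String, ClientDetails> clients = Map.of(client.getClientId(), client);
        return clientId -> {
            ClientDetails found = clients.get(clientId);
            if (found == null) throw new ClientRegistrationException("unknown client: " + clientId);
            return found;
        };
    }

    // Step 4b: UserDetailsService checks username / password for the password grant
    // and for the Spring Security login page that the authorization code flow needs.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails johndoe = User.withUsername("johndoe")       // sample user, constructed
                .password(encoder.encode("A3ddj3w"))
                .roles("USER")
                .build();
        return username -> {
            if (!johndoe.getUsername().equals(username)) throw new UsernameNotFoundException(username);
            return johndoe;
        };
    }
}
```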
2. The four authorization methods

Password mode

```http
POST /oauth/token HTTP/1.1
Host: oauth2.yishuifengxiao.com
Authorization: Basic fdsfdsfdsfds
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=johndoe&password=A3ddj3w
```
In the request, the parameters mean the following:

grant_type: the authorization type; fixed to "password"; required.
username: the user name; required.
password: the user's password; required.
scope: the scope of permission; optional.
Authorization: request header; its value is "Basic " followed by the base64 encoding of clientId:clientSecret.
Here is an example of a response:

```json
{
  "access_token": "BDF867DE69F05143C709",
  "token_type": "bearer",
  "refresh_token": "d7cda8fb15714209a9f9f3b039a0034f",
  "expires_in": 43199,
  "scope": "read write trust",
  "client_id": "yishui"
}
```

Client mode

```http
POST /oauth/token HTTP/1.1
Host: oauth2.yishuifengxiao.com
Authorization: Basic fdsfdsfdsfds
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
```
In this request, the parameters mean the following:

grant_type: the authorization type; fixed to "client_credentials"; required.
Authorization: request header; its value is "Basic " followed by the base64 encoding of clientId:clientSecret.

Here is an example of a response:

```json
{
  "access_token": "BDF867DE69F05143D3BF",
  "token_type": "bearer",
  "expires_in": 43199,
  "scope": "read write trust",
  "client_id": "yishui"
}
```
Compared with password mode, the response in client mode carries no refresh_token.
Authorization code mode

The authorization code mode requires that the Spring Security login function is available; only then can the authorization code flow be enabled.

First, visit the following request:

```http
GET /oauth/authorize?response_type=code&client_id=yishui&state=xyz&redirect_uri=http://demo.yishuifengxiao.com/demo HTTP/1.1
Host: oauth2.yishuifengxiao.com
```
In this request, the parameters mean the following:

response_type: fixed to "code", which asks the server for an authorization code; required.
client_id: the client's client_id; required.
state: if the client's request contains this parameter, the authentication server's response must include it exactly as sent.
redirect_uri: the URI to which the authorization code is delivered.
When this request is made, Spring Security intercepts it if the user is not logged in, so the user must log in first.
Normally, the request above is redirected to

http://demo.yishuifengxiao.com/demo?code=fsfsdf&state=xyz
The server responds to the client's redirect URI with the following parameters:

code: the authorization code; required. Its validity period should be very short, usually 10 minutes, and the client may use it only once; a reused code is rejected by the authorization server. The code is bound one-to-one to the client ID and the redirect URI.
state: if the client's request contained this parameter, the authentication server's response must include it exactly as sent.
Once the code has been obtained through the request above, exchange it for an access_token with the following request:

```http
POST /oauth/token HTTP/1.1
Host: oauth2.yishuifengxiao.com
Authorization: Basic fdsfdsfdsfds
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=fsfsdf&redirect_uri=demo.yishuifengxiao.com/demo
```
In this request, the parameters mean the following:

grant_type: the authorization mode used; fixed to "authorization_code"; required.
code: the authorization code obtained in the previous step; required.
redirect_uri: the redirect URI; required, and it must match the value sent in the /oauth/authorize request above.
client_id: the client ID; required.
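An added example, not code from the article, of the client side of the authorization code flow just described: it issues the state, refuses a callback whose state is missing or different, accepts each state only once, and builds the token request with the same redirect_uri as the authorize request. The server base URL, the class name and the use of Java 11+ APIs are assumptions.

```java
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
// Added example, not code from the article: client side of the authorization code flow.
public class AuthCodeClient {
    static final String AUTH_SERVER = "http://oauth2.yishuifengxiao.com"; // assumed base URL
    static final String REDIRECT_URI = "http://demo.yishuifengxiao.com/demo";
    private final String clientId, clientSecret;
    private String expectedState;                 // issued per authorize request, single-use
    AuthCodeClient(String clientId, String clientSecret) {
        this.clientId = clientId; this.clientSecret = clientSecret;
    }

    // Step A: build the /oauth/authorize URL carrying an unguessable state.
    String authorizeUrl() {
        byte[] rnd = new byte[16];
        new SecureRandom().nextBytes(rnd);
        expectedState = Base64.getUrlEncoder().withoutPadding().encodeToString(rnd);
        return AUTH_SERVER + "/oauth/authorize?response_type=code&client_id=" + enc(clientId)
                + "&state=" + enc(expectedState) + "&redirect_uri=" + enc(REDIRECT_URI);
    }

    // Callback: the server must echo state exactly, otherwise the code is never used.
    String codeFromCallback(String callbackUrl) {
        Map<String, String> q = new HashMap<>();
        String query = URI.create(callbackUrl).getRawQuery();
        for (String pair : query == null ? new String[0] : query.split("&")) {
            int i = pair.indexOf('=');
            if (i > 0) q.put(dec(pair.substring(0, i)), dec(pair.substring(i + 1)));
        }
        if (expectedState == null || !expectedState.equals(q.get("state")))
            throw new IllegalStateException("state missing or mismatched: reject callback");
        expectedState = null;                     // a state, like a code, is accepted once
        if (q.get("code") == null) throw new IllegalStateException("callback carries no code");
        return q.get("code");
    }
    // Token request: clientId:clientSecret in the Basic header, same redirect_uri as step A.
    Map<String, String> tokenRequest(String code) {
        String basic = Base64.getEncoder().encodeToString(
                (clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8));
        return Map.of("Authorization", "Basic " + basic,
                "Content-Type", "application/x-www-form-urlencoded",
                "body", "grant_type=authorization_code&code=" + enc(code)
                        + "&redirect_uri=" + enc(REDIRECT_URI));
    }
    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
    private static String dec(String s) { return URLDecoder.decode(s, StandardCharsets.UTF_8); }
}
```

The returned map holds the two headers and the form body of the POST /oauth/token request shown above; sending it is left to whatever HTTP client the application uses.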
Simplified mode (implicit grant)

```http
GET /oauth/authorize?response_type=token&client_id=yishui&state=xyz&redirect_uri=http://demo.com/demo HTTP/1.1
Host: server.example.com
```
In this request, the parameters mean the following:

response_type: the authorization type; fixed to "token"; required.
client_id: the ID of the client; required.
redirect_uri: the redirect URI; optional.
scope: the scope of permission; optional.
state: the client's current state; any value can be given, and the authentication server returns it unchanged.
Refresh token

```http
POST /oauth/token HTTP/1.1
Host: oauth2.yishuifengxiao.com
Authorization: Basic fdsfdsfdsfds
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=sdff
```
The parameters in the request mean the following:

grant_type: the authorization mode used; fixed to "refresh_token"; required.
refresh_token: the refresh token received earlier; required.
scope: the requested authorization scope, which cannot exceed the scope of the earlier request; if omitted, it stays the same as the earlier request.
3. Using the access_token

Once an access_token has been obtained by one of the methods above, there are generally two ways to use it.

1) Carry the access_token as a URL query parameter:

http://demo.yishuifengxiao.com/user/123?access_token=<the access_token obtained above>

2) Carry the access_token in the request header:

Add the header Authorization: Bearer <the access_token obtained above> to every request that requires authorization.
Because the general-purpose component processes the access_token further, users can parse the information contained in the token with the DES utility class in the yishuifengxiao toolkit.

The key used for decryption is the value of the yishuifengxiao.security.secret-key property set in the security configuration; since anyone holding that key can decrypt every token, treat the property as a credential.

The following is an example of a message decrypted from an access_token:

```json
{
  "username": "yishui",
  "clientId": "admin",
  "roles": ["ROLE_USER", "admin"],
  "grantType": "password"
}
```

The fields of the decrypted information mean the following:

username: the user name used when the user logged in (empty in client mode).
clientId: the clientId the user logged in with (empty in simplified mode).
roles: the roles held by the logged-in user (that is, the user's authorities).
grantType: the authorization type under which the access_token was issued.

Reverse parsing of user information from the access_token is specific to this component; a native oauth2 access_token does not support this feature.
That is what the quick start process for oauth2 looks like. If you happen to have similar doubts, you may refer to the analysis above. If you want to know more, you are welcome to follow the industry information channel.