2025-01-17 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
How is OAuth2.0 introduced into Spring Boot Security? Many readers new to the topic do not know where to start, so this article summarizes the background of the problem and how to approach it. I hope it helps you get the login and authorization design right.
Login summary
Spring Security already provides fairly complete security handling; combined with JWT as the authentication method, it can deliver a solid login function.
Consider login first: the user is given an account, the login is checked for validity, and the login succeeds. No system can skip this step. Whether the account can log in to only one system or to many apps, like an Alipay account, and whether the credential is a user name and password, a phone verification code, an e-mail address or some other form, authentication is the most basic and unavoidable step.
After a successful login, authorization lets the user access pages or interfaces that were not reachable before login. Both a session and a token have a validity period, and the user must log in again once it expires. Authorization covers more scenarios than authentication: not only internally logged-in users, but also third-party applications, information exchange between two systems, and so on. Under a microservice architecture there are more and more services and more and more content that can be authorized, and without a unified way to manage authorization for these interface resources it becomes very troublesome. The system therefore needs a unified authentication and authorization mechanism for all access, and OAuth2.0 is a very good choice for implementing it.
OAuth2.0 introduction
OAuth 2.0 is the most popular authorization mechanism at present, which is used to authorize third-party applications and obtain user data. The most classic scenario is that when we use QQ for third-party login, we choose which information of the user can be accessed. For an introduction to OAuth 2.0, it is recommended to read three articles by Ruan Yifeng at:
A simple explanation of OAuth 2.0
Four ways of OAuth 2.0
GitHub OAuth third Party Login sample tutorial
These three articles are a very good and detailed introduction to OAuth2.0.
OAuth2.0 is used to authorize third-party applications. The reason I failed to understand it for a long time is that I did not analyze it from the different points of view involved. For example, when using QQ for third-party login, the software we are logging in to needs to obtain part of the user information of our QQ account, so it needs authentication and authorization from Tencent. When we log in (authorize), we log in to QQ and click "agree".
If instead we, as developers, design an OAuth2.0 authorization function, we need to think about which part of the function we are building from the developer's point of view. Take the QQ third-party login above: the QQ software is developed by us, the third-party application has a QQ account in our software, and the third-party developer wants to display part of that QQ account's user information in their own software. They must come to our authorization service and the user must agree to let them query the user information held in the software we developed. So what we develop is a basic QQ service (the resource service), an authorization service, and a way for a third party to register an account with us or be assigned one.
A third-party application can be another company's system or another service within our own company's framework. Ruan Yifeng's article explains which tasks belong to which role, and with that distinction in mind, developing OAuth2.0 and using OAuth2.0 become clearly separate concerns.
SSO single sign-on
Single sign-on (SSO) means the user authenticates once. After logging in once on the identity authentication server, the user gains access to the other related systems and applications in the single sign-on domain, and this implementation does not require an administrator to modify the user's login status or other information. In other words, across multiple application systems, users can access all trusted applications with a single login. This reduces the time spent logging in and simplifies user management, which is why it is popular.
When the user visits application system A for the first time, the user is directed to the authentication system to log in, because no login has happened yet. The authentication system verifies the identity based on the login information the user provides. If the verification passes, the user is returned an authentication credential, a ticket. When the user visits other applications, the ticket is carried along as the user's authentication credential. After receiving the request, the application system sends the ticket to the authentication system to check its validity. If the check passes, the user can access application system B and application system C without logging in again.
From the above, single sign-on needs a shared authorization and authentication system, which means SSO can be designed and implemented using the OAuth2.0 mechanism. There is, however, a difference between SSO and OAuth2.0 in their application scenarios. The systems (sub-modules) using SSO trust each other; they are usually the software products of one vendor, or different module systems of one product. Most applications using OAuth2.0 do not trust each other; they usually share accounts between different vendors. OAuth2.0 solves the problem of a service provider (WeChat, etc.) authorizing third-party applications, while SSO solves the problem of how the subsystems of a large system share their login state (for example, after logging in to the Baidu home page you do not need to log in again when you open Baidu Baike, Baidu Tieba, Baidu Music and other services).
Spring Cloud Security
The Spring Cloud Security component can be understood as the integration of Spring Boot Security and OAuth2.0; it can implement both SSO single sign-on and third-party authorization in a microservice system. The official documentation for the Spring Cloud Security component used with Spring Boot 2.1.x is at:
Https://cloud.spring.io/spring-cloud-static/spring-cloud-security/2.1.4.RELEASE/single/spring-cloud-security.html
The directory of the document is as follows:
Judging from the table of contents, the main functions of the Spring Cloud Security component are also SSO and resource authentication and authorization, and the following content is mainly about learning Spring Cloud Security.