
What does a simple OAuth2.0 example look like in SpringBootSecurity

2025-02-23 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

How do you build a simple OAuth2.0 example with SpringBootSecurity? Many people without experience are at a loss here. This article summarizes the causes of the problem and the solutions, and I hope it helps you solve it.

OAuth2.0

OAuth introduces an authorization layer that separates two distinct roles: client and resource owner. After the client requests the resource and the resource owner agrees, the resource server can issue a token to the client. The client uses the token to request data. In other words, the core of OAuth is to issue tokens to third-party applications. Furthermore, OAuth 2.0 specifies four processes for obtaining tokens. You can choose the one that works best for you and issue tokens to third-party apps.

Below we use two components, spring cloud security and spring cloud oauth2, to implement a simple version of the authorization process.

Authorization service

Let's implement an authorization service using spring cloud security, first introducing dependencies:

In addition to a web component, only spring-cloud-starter-oauth2 is introduced, because the oauth2 component under spring cloud already contains security:

First write a normal login function. The application configuration file and the startup class need no special configuration; the main work is the security configuration class:

There is basically nothing special here; these are all familiar settings covered earlier. With this configuration class, the basic login function is in place. To add authorization, you also need an authorization configuration class. It must inherit the AuthorizationServerConfigurerAdapter class and carry the @EnableAuthorizationServer annotation:

First configure a client:

Then configure the storage and management of tokens. Here, secret is used as the secret key. The way to use asymmetric encryption will be described later:

The token above is stored in memory; tokens can also be stored in a database or redis. Finally, configure access control for the authorization endpoints:

That completes a simple authorization service.
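The listings for this section did not survive on this page, so the following is an added sketch of an authorization configuration class matching the three steps above, not the article's own code. It assumes the spring-security-oauth2 API pulled in by spring-cloud-starter-oauth2, a PasswordEncoder bean declared in the security configuration class, an in-memory token store with opaque tokens, and a scope named "all"; the class name is hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationConfig extends AuthorizationServerConfigurerAdapter {
    // Assumption: a PasswordEncoder bean is declared in the security configuration class.
    private final PasswordEncoder passwordEncoder;

    public AuthorizationConfig(PasswordEncoder passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("clientId")
            .secret(passwordEncoder.encode("secret"))      // kept hashed, compared via the encoder
            .authorizedGrantTypes("authorization_code", "refresh_token")
            .scopes("all")                                 // assumed scope name
            .redirectUris("http://localhost:8015/");       // only this exact callback is accepted
    }

    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();                   // tokens are lost on restart
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(tokenStore());
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security.checkTokenAccess("isAuthenticated()")     // /oauth/check_token needs client credentials
                .allowFormAuthenticationForClients();      // accept client_id/client_secret as parameters
    }
}
```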

Resource service

Next, set up a resource service. The authorization service and the resource service can in fact be combined into one; they are separated here for clarity. The dependencies introduced in the pom are the same as for the authorization service, and the configuration file and startup class need no special configuration. Let's start by writing two simple interfaces, one protected and the other unprotected:

Then define a resource service configuration class that inherits the ResourceServerConfigurerAdapter class and introduces the @EnableResourceServer annotation:

First let's look at the configuration of token authentication:

Then look at the interception rules for interface resources:

The save interface can be accessed directly and is not intercepted, while the /user/save interface is verified.

Note that the clientId and secret configured above are hard-coded for a single client. If you need to authenticate multiple clients dynamically, this has to be rewritten. The access token is parsed through an HTTP call (mainly by accessing /oauth/check_token on the authorization service).
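As an added illustration (not the article's own listing), a resource configuration class that verifies tokens by calling /oauth/check_token with the hard-coded clientId and secret, as the note above describes. The class name and the /save path of the unprotected interface are assumptions; the authorization service address is the one used in the test section.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

@Configuration
@EnableResourceServer
public class ResourceConfig extends ResourceServerConfigurerAdapter {

    // Each incoming bearer token is checked with an HTTP call to the authorization
    // service; the call itself authenticates with the client's id and secret.
    @Bean
    public ResourceServerTokenServices tokenServices() {
        RemoteTokenServices services = new RemoteTokenServices();
        services.setCheckTokenEndpointUrl("http://localhost:8015/oauth/check_token");
        services.setClientId("clientId");
        services.setClientSecret("secret");
        return services;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // stateless(true): only token authentication counts, no session fallback
        resources.tokenServices(tokenServices()).stateless(true);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/save").permitAll()   // assumed path of the unprotected interface
            .anyRequest().authenticated();      // everything else, including /user/save, needs a token
    }
}
```

Listing the open path and requiring authentication for everything else means an interface added later is protected unless it is explicitly opened.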

Test

Let's test according to the process mentioned above. First, we apply for an authorization code from the authorization service:

http://localhost:8015/oauth/authorize?client_id=clientId&response_type=code&redirect_uri=http://localhost:8015/

Visiting it first redirects to the login page:

Enter the default username and password in the configuration to log in, and then go to the next page:

This page is the actual authorization page. Select Approve and click the button to approve the authorization. The authorization code is returned via the callback address, as shown below:

Then apply for an access token with the authorization code by visiting the following address (a POST request is required):

http://localhost:8015/oauth/token?grant_type=authorization_code&code={authorization code}&redirect_uri=http://localhost:8015/&client_id=clientId&client_secret=secret

Replace {authorization code} in the address above with the authorization code you obtained, and then send the request in postman:

The returned result contains the access_token parameter, which is the access token we need. The token_type parameter describes the type of token; the general type is bearer. With refresh_token you can apply for a new token from the authorization service after the access token expires. The expires_in parameter is the validity time of the token, in seconds. The default is 12 hours as shown in the figure. Now that the token has been obtained, let's access the resource interfaces, first trying the unprotected resource:

You can see that it is directly accessible. Next, access the protected resource interface:

Getting this result means that the interface requires authentication. Let's use the token we got earlier to access it. First, choose the correct authentication protocol:

Then fill in the access_token obtained earlier on the right:

Then access the interface and you'll see the protected resources accessed via tokens:
