关于spring-security-oauth2:Spring-Security-Oauth2协议扩展授权模式之通过自定义字段刷新accesstoken

30次阅读

共计 8803 个字符,预计需要花费 23 分钟才能阅读完成。

1、Spring Security 如何优雅的减少 OAuth2 协定受权模式?

以后教程是对于如何通过自定义字段刷新 access_token 的,要扩大受权模式请参考这位博主的教程:https://www.cnblogs.com/zlt20…

2、为什么要自定义刷新 access_token 的关键字段

Oauth2 协定默认的刷新 access_token 流程就是仅通过惟一 username 进行刷新 access_token 的。当咱们模拟 password 受权模式扩大出比方手机号 / 邮箱 + 明码登录的受权模式且前端不应用 username 字段或 username 字段容许反复时,此时咱们就不能通过 username 字段进行刷新 access_token,须要在 access_token 中携带一个惟一的字段比方 userId 或 mobile 提供给受权服务器刷新 token 应用。因为刷新 token 与生成 token 的流程仅有小局部不同。
对于 Spring Security Oauth2 认证(获取 token/ 刷新 token)流程(password 模式)剖析,请移步:https://blog.csdn.net/bluuuse…

3、实现过程

3.1 整个拷贝 UserDetailsByNameServiceWrapper 这个类的内容做如下扩大,次要批改 loadUserDetails()办法。

package com.nowenti.auth.security.service;

import cn.hutool.core.convert.Convert;
import com.nowenti.auth.security.exception.UserIdNotFoundException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.util.Assert;

/**
 * @Description: 自定义扩大的受权模式专用 ServiceWrapper
 * 通过用户 id 加载用户 details -> 用于通过 user_id 刷新 token
 * 自定义以后 ServiceWrapper 的目标是让刷新 token 时能够抉择通过用户名或用户 id 去加载 UserDetails
 * @version 1.0
 * @author owen
 * @email 975706304@qq.com
 * @date 2021/8/16 23:04
 */
public class UserDetailsByNameOrIdServiceWrapper<T extends Authentication> implements AuthenticationUserDetailsService<T> {

    // 结构器注入
    private ICustomUserDetailsService userDetailsService;

    public UserDetailsByNameOrIdServiceWrapper() {}

    public UserDetailsByNameOrIdServiceWrapper(ICustomUserDetailsService userDetailsService) {Assert.notNull(userDetailsService, "userDetailsService cannot be null.");
        this.userDetailsService = userDetailsService;
    }

    /**
     * 加载用户详情对象
     * authentication.getName()的值有两种状况,须要手动辨别
     *  1、user_name
     *  2、user_id
     *  3、任意自定义字段
     * @param authentication
     * @return
     * @throws UserIdNotFoundException
     */
    @Override
    public UserDetails loadUserDetails(T authentication) {
        // 从 PreAuthenticatedAuthenticationToken 获取 Principle
        // Principle 是 -> UsernamePasswordAuthenticationToken 对象
        // UsernamePasswordAuthenticationToken 对象的 Principle 就是 nameOrId
        String usernameOrUserId = authentication.getName();
        try {
            // 能正确转换成 Long 型用户 id -> 会员用户
            Long userId = Convert.toLong(usernameOrUserId);
            return this.userDetailsService.loadMemberUserById(userId);
        } catch (Exception e) {
            // 转换异样,usernameOrUserId 为用户名 -> 零碎用户
            return this.userDetailsService.loadUserByUsername(usernameOrUserId);
        }

    }

    public void setUserDetailsService(ICustomUserDetailsService aUserDetailsService) {this.userDetailsService = aUserDetailsService;}
}

3.2 整个拷贝 DefaultUserAuthenticationConverter 这个类的内容做如下扩大,次要批改 extractAuthentication()办法

//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//

package com.nowenti.auth.security.converter;

import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.Map;

import com.nowenti.auth.security.service.ICustomUserDetailsService;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.oauth2.provider.token.UserAuthenticationConverter;
import org.springframework.util.StringUtils;

/**
 * @Description: 自定义的用户认证转换器
 * 自定义以后转换器的目标是为了让自定义的受权模式反对通过 user_id 刷新 token
 * @version 1.0
 * @author owen
 * @email 975706304@qq.com
 * @date 2021/8/19 10:06
 */
public class CustomUserAuthenticationConverter implements UserAuthenticationConverter {
    private Collection<? extends GrantedAuthority> defaultAuthorities;
    private ICustomUserDetailsService userDetailsService;

    public CustomUserAuthenticationConverter() {}

    /**
     * 结构器注入 userDetailsService
     * @param userDetailsService
     */
    public void setUserDetailsService(ICustomUserDetailsService userDetailsService) {this.userDetailsService = userDetailsService;}

    public void setDefaultAuthorities(String[] defaultAuthorities) {this.defaultAuthorities = AuthorityUtils.commaSeparatedStringToAuthorityList(StringUtils.arrayToCommaDelimitedString(defaultAuthorities));
    }

    /**
     * 将 UsernamePasswordAuthenticationToken 对象转换成一般 map
     * 该 map 的内容将被增加进 access_token 和 refresh_token
     * 该办法后于 extractAuthentication()执行
     * 该办法登录和刷新 token 都会执行
     * @param authentication
     * @return
     */
    @Override
    public Map<String, ?> convertUserAuthentication(Authentication authentication) {Map<String, Object> response = new LinkedHashMap<>();
        response.put("user_name", authentication.getName());
        if (authentication.getAuthorities() != null && !authentication.getAuthorities().isEmpty()) {response.put("authorities", AuthorityUtils.authorityListToSet(authentication.getAuthorities()));
        }

        return response;
    }

    /**
     * 将 token map 提取成 UsernamePasswordAuthenticationToken 对象
     * 该办法先于 convertUserAuthentication()执行
     * 该办法仅刷新 token 执行
     * @param map
     * @return
     */
    @Override
    public Authentication extractAuthentication(Map<String, ?> map) {
        // 先判断 token map 中是否蕴含 user_name 字段,蕴含示意是零碎用户刷新 token
        // 因为两种用户 token 中都有 user_id 字段,所以先判断用户名
        if (map.get("user_name") != null) {Object principal = map.get("user_name");
            Collection<? extends GrantedAuthority> authorities = this.getAuthorities(map);
            if (this.userDetailsService != null) {UserDetails user = this.userDetailsService.loadUserByUsername((String) map.get("user_name"));
                authorities = user.getAuthorities();
                principal = user;
            }
            return new UsernamePasswordAuthenticationToken(principal, "N/A", authorities);
        } else if (map.get("user_id") != null) {
            // token map 中蕴含不蕴含 user_name 字段,示意是会员用户刷新 token
            Object principal = map.get("user_id");
            Collection<? extends GrantedAuthority> authorities = this.getAuthorities(map);
            if (this.userDetailsService != null) {UserDetails user = this.userDetailsService.loadMemberUserById((Long) map.get("user_id"));
                authorities = user.getAuthorities();
                principal = user;
            }
            return new UsernamePasswordAuthenticationToken(principal, "N/A", authorities);
        } else {return null;}
    }

    private Collection<? extends GrantedAuthority> getAuthorities(Map<String, ?> map) {if (!map.containsKey("authorities")) {return this.defaultAuthorities;} else {Object authorities = map.get("authorities");
            if (authorities instanceof String) {return AuthorityUtils.commaSeparatedStringToAuthorityList((String) authorities);
            } else if (authorities instanceof Collection) {return AuthorityUtils.commaSeparatedStringToAuthorityList(StringUtils.collectionToCommaDelimitedString((Collection) authorities));
            } else {throw new IllegalArgumentException("Authorities must be either a String or a Collection");
            }
        }
    }
}

4、受权服务器 AuthorizationServerConfig 配置

4.1 注入自定义的 DefaultTokenServices 实现类 bean

/**
     * 注入自定义的 DefaultTokenServices 实现类对象
     * @param endpoints
     * @return
     */
    @Bean
    public DefaultTokenServices customTokenServices(AuthorizationServerEndpointsConfigurer endpoints) {DefaultTokenServices tokenServices = new DefaultTokenServices();
        tokenServices.setTokenStore(endpoints.getTokenStore());
        tokenServices.setSupportRefreshToken(true);
        tokenServices.setReuseRefreshToken(true);
        tokenServices.setClientDetailsService(clientDetailsService);
        tokenServices.setTokenEnhancer(endpoints.getTokenEnhancer());
        // access_token 有效期:2 个小时 -> 60*60*2
        tokenServices.setAccessTokenValiditySeconds(60 * 60 * 2);
        // refresh_token 有效期:12 个小时 -> 60*60*12
        tokenServices.setRefreshTokenValiditySeconds(60 * 60 * 12);
        // 设置自定义的 UserDetailsByNameOrIdServiceWrapper
        if (userDetailsService != null) {PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
            provider.setPreAuthenticatedUserDetailsService(new UserDetailsByNameOrIdServiceWrapper<>(userDetailsService));
            tokenServices.setAuthenticationManager(new ProviderManager(Collections.singletonList(provider)));
        }
        return tokenServices;
    }

4.2 注入自定义的 CustomUserAuthenticationConverter

/**
     * 注入自定义的 CustomUserAuthenticationConverter
     * @return
     */
    @Bean
    public DefaultAccessTokenConverter defaultAccessTokenConverter() {DefaultAccessTokenConverter defaultAccessTokenConverter = new DefaultAccessTokenConverter();
        defaultAccessTokenConverter.setUserTokenConverter(new CustomUserAuthenticationConverter());
        return defaultAccessTokenConverter;
    }

4.3 将所有批改配置进 configure(AuthorizationServerEndpointsConfigurer endpoints)

/**
     * 配置受权(authorization)以及令牌(token)的拜访端点和令牌服务(token services)
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
        List<TokenEnhancer> tokenEnhancers = new ArrayList<>();
        tokenEnhancers.add(tokenEnhancer());
        tokenEnhancers.add(jwtAccessTokenConverter());
        tokenEnhancerChain.setTokenEnhancers(tokenEnhancers);
        endpoints
                .authenticationManager(authenticationManager)
                .accessTokenConverter(jwtAccessTokenConverter())
                .tokenEnhancer(tokenEnhancerChain)
                .userDetailsService(userDetailsService)
                // refresh token 有两种应用形式:重复使用(true)、非重复使用(false),默认为 true
                //   1、重复使用:access token 过期刷新时,refresh token 过期工夫未扭转,仍以首次生成的工夫为准
                //   2、非重复使用:access token 过期刷新时,refresh token 过期工夫连续,在 refresh token 有效期内刷新便永不生效达到无需再次登录的目标
                .reuseRefreshTokens(true)
                // 将所有受权模式增加到配置中
                .tokenGranter(createTokenGranter(endpoints))
                // 配置自定义的 CustomTokenServices 实现类
                .tokenServices(customTokenServices(endpoints))
                // 配置自定义的用户认证转换器
                .accessTokenConverter(defaultAccessTokenConverter());
    }

5、刷新 token 的相干办法调用链

5.1 loadUserDetails()调用链

5.1 extractAuthentication() 调用链

6、打完出工

6.1 @author
wx : owen2505
email : 975706304@qq.com

正文完
 0