OAuth 协议
OAuth协议要解决的问题
解决传统模式的授权(授权协议),认证资源访问问题
OAuth协议中的各种角色
Privider 服务提供商(提供令牌) (如微信)
Authorization Server 认证服务器
ResourceServer 资源服务器
Resource Owner 资源所有者 (用户)
Client 第三方应用
OAuth协议运行流程
0访问Client
1将用户导向认证服务器
2用户同意授权
3返回Client并携带授权码
4申请令牌
5发放令牌 (1-5是OAuth标准流程)
6获取用户信息 (每个服务商提供返回的字段不一样)
7根据用户信息构建Authentictioin并放入SecurityContext
OAuth协议授权模式
授权码模式 (authorization code)
认证授权在服务器提供商认证服务器完成,更安全
密码模式(Resource owner password credentials)
客户端模式(client credentials)
简化模式(implicit)
SpringSocial 基本原理 (就是封装了OAuth2的基本流程 SocialAuthenticationFilter加入到过滤器链中)
ServiceProvider (AbstractOAuth2ServiceProvider服务提供商的抽象实现)
OAuth2Operations (OAuth2Template 封装1-5 会帮你去完成OAuth的认证流程)
Api(AbstractOAuth2ApiBinding获取用户信息抽象实现 6)
第7步是在第三方应用上操作
Connection(OAuth2Connection服务提供商的信息) 是由 ConnectionFactory(OAuth2ConnectionFactory) 创建的
ConnectionFactory 中是包含(ServiceProvider 的)
ApiAdapter (在Aip 和 Connection之间做一个适配,因为Connection字段是固定的,服务商是个性化的)
用户和第三方用户有个关联表,UserConnection
UserConnection 表是由 JdbcUsersConnectionRepository(UsersConnectionRepository) 这个类进行操作CRUD
第一步: 根据图2 先 构建ServiceProvider
(6获取用户信息): 根据OAuth2Operations (OAuth2Template),Api(AbstractOAuth2ApiBinding) 构建 ServiceProvider
创建API 获取用户信息接口
package com.imooc.security.core.social.qq.api;
/**
* @Title: QQ
* @ProjectName spring-security-main
* @date 2020/12/710:21
*/
public interface QQ {
QQUserInfo getUserInfo();
}
实现
package com.imooc.security.core.social.qq.api;
import com.fasterxml.jackson.databind.ObjectMapper;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang.StringUtils;
import org.springframework.social.oauth2.AbstractOAuth2ApiBinding;
import org.springframework.social.oauth2.TokenStrategy;
/**
* @Title: QQImpl
* @ProjectName spring-security-main
* @date 2020/12/710:22
*/
@Slf4j
public class QQImpl extends AbstractOAuth2ApiBinding implements QQ {
// 获取openId
private static final String URL_GET_OPENID = "https://graph.qq.com/oauth2.0/me?access_token=%s";
// 获取用户信息 accessToken 父类会处理,这里不用拼接参数了
private static final String URL_GET_USERINFO = "https://graph.qq.com/user/get_user_info?oauth_consumer_key=%s&openid=%s";
private String appId;
private String openId;
private ObjectMapper objectMapper = new ObjectMapper();
public QQImpl(String accessToken, String appId) {
super(accessToken,TokenStrategy.ACCESS_TOKEN_PARAMETER); // 默认父类是放在header中,这里要放在参数里
this.appId = appId;
// 获取openId
String url = String.format(URL_GET_OPENID, accessToken);
String result = getRestTemplate().getForObject(url, String.class);
log.info(result);
// 截取一下openId
this.openId = StringUtils.substringBetween(result, ""openid":"", ""}");
}
@Override
public QQUserInfo getUserInfo() {
String url = String.format(URL_GET_USERINFO, appId, openId);
String result = getRestTemplate().getForObject(url, String.class);
log.info(result);
QQUserInfo userInfo = null;
try {
userInfo = objectMapper.readValue(result, QQUserInfo.class);
userInfo.setOpenId(openId);
return userInfo;
} catch (Exception e) {
throw new RuntimeException("获取用户信息失败", e);
}
}
}
QQUserInfo 实体类
package com.imooc.security.core.social.qq.api;
import lombok.Data;
@Data
public class QQUserInfo {
/**
* 返回码
*/
private String ret;
/**
* 如果ret<0,会有相应的错误信息提示,返回数据全部用UTF-8编码。
*/
private String msg;
/**
*
*/
private String openId;
/**
* 不知道什么东西,文档上没写,但是实际api返回里有。
*/
private String is_lost;
/**
* 省(直辖市)
*/
private String province;
/**
* 市(直辖市区)
*/
private String city;
/**
* 出生年月
*/
private String year;
/**
* 用户在QQ空间的昵称。
*/
private String nickname;
/**
* 大小为30×30像素的QQ空间头像URL。
*/
private String figureurl;
/**
* 大小为50×50像素的QQ空间头像URL。
*/
private String figureurl_1;
/**
* 大小为100×100像素的QQ空间头像URL。
*/
private String figureurl_2;
/**
* 大小为40×40像素的QQ头像URL。
*/
private String figureurl_qq_1;
/**
* 大小为100×100像素的QQ头像URL。需要注意,不是所有的用户都拥有QQ的100×100的头像,但40×40像素则是一定会有。
*/
private String figureurl_qq_2;
/**
* 性别。 如果获取不到则默认返回”男”
*/
private String gender;
private String gender_type;
private String constellation;
/**
* 标识用户是否为黄钻用户(0:不是;1:是)。
*/
private String is_yellow_vip;
/**
* 标识用户是否为黄钻用户(0:不是;1:是)
*/
private String vip;
/**
* 黄钻等级
*/
private String yellow_vip_level;
/**
* 黄钻等级
*/
private String level;
/**
* 标识是否为年费黄钻用户(0:不是; 1:是)
*/
private String is_yellow_year_vip;
private String figureurl_qq;
private String figureurl_type;
}
创建QQOAuth2Template
package com.imooc.security.core.social.qq.connet;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang.StringUtils;
import org.springframework.http.converter.StringHttpMessageConverter;
import org.springframework.social.oauth2.AccessGrant;
import org.springframework.social.oauth2.OAuth2Template;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;
import java.nio.charset.Charset;
@Slf4j
public class QQOAuth2Template extends OAuth2Template {
public QQOAuth2Template(String clientId, String clientSecret, String authorizeUrl, String accessTokenUrl) {
super(clientId, clientSecret, authorizeUrl, accessTokenUrl);
setUseParametersForClientAuthentication(true); // 设置true client_secret client_id才会带上这两个参数
}
@Override
protected AccessGrant postForAccessGrant(String accessTokenUrl, MultiValueMap<String, String> parameters) {
String responseStr = getRestTemplate().postForObject(accessTokenUrl, parameters, String.class);
// 因为qq返回的是 用&拼接的字符串 需要自己处理一下
log.info("获取accessToke的响应:"+responseStr);
String[] items = StringUtils.splitByWholeSeparatorPreserveAllTokens(responseStr, "&");
String accessToken = StringUtils.substringAfterLast(items[0], "=");
Long expiresIn = new Long(StringUtils.substringAfterLast(items[1], "="));
String refreshToken = StringUtils.substringAfterLast(items[2], "=");
return new AccessGrant(accessToken, null, refreshToken, expiresIn);
}
@Override
protected RestTemplate createRestTemplate() {
RestTemplate restTemplate = super.createRestTemplate();
// qq返回的是text/html 默认的template没有添加处理这样的类型,自己添加一个
restTemplate.getMessageConverters().add(new StringHttpMessageConverter(Charset.forName("UTF-8")));
return restTemplate;
}
}
根据 QQOAuth2Template ,QQImpl 创建 QQServiceProvider
package com.imooc.security.core.social.qq.connet;
import com.imooc.security.core.social.qq.api.QQ;
import com.imooc.security.core.social.qq.api.QQImpl;
import org.springframework.social.oauth2.AbstractOAuth2ServiceProvider;
import org.springframework.social.oauth2.OAuth2Template;
/**
* @Title: QQServiceProvider
* @ProjectName spring-security-main
* @date 2020/12/711:01
*/
public class QQServiceProvider extends AbstractOAuth2ServiceProvider<QQ> {
private String appId;
// 1.导向认证服务器rul
private static final String URL_AUTHORIZE = "https://graph.qq.com/oauth2.0/authorize";
// 4.用户同意授权,返回授权码去申请令牌的url
private static final String URL_ACCESS_TOKEN = "https://graph.qq.com/oauth2.0/token";
public QQServiceProvider(String appId, String appSecret) {
// super(oauth2Operations);
// OAuth2Template 用系统默认的
// super(new OAuth2Template(appId, appSecret, URL_AUTHORIZE, URL_ACCESS_TOKEN));
// 默认Template不能满足使用
super(new QQOAuth2Template(appId, appSecret, URL_AUTHORIZE, URL_ACCESS_TOKEN));
this.appId = appId;
}
@Override
public QQ getApi(String accessToken) {
return new QQImpl(accessToken, appId);
}
}
图2右边的代码已经完成
图2 左边开发
创建QQAdapter
package com.imooc.security.core.social.qq.connet;
import com.imooc.security.core.social.qq.api.QQ;
import com.imooc.security.core.social.qq.api.QQUserInfo;
import org.springframework.social.connect.ApiAdapter;
import org.springframework.social.connect.ConnectionValues;
import org.springframework.social.connect.UserProfile;
/**
* 服务商和第三方应用之间做适配的,适配的类型就是QQ
*/
public class QQAdapter implements ApiAdapter<QQ> {
/**
* 测试方法
* @param api
* @return
*/
@Override
public boolean test(QQ api) {
return true;
}
/**
* 主要方法, qq api的信息设置到connectionValues
* @param api
* @param values
*/
@Override
public void setConnectionValues(QQ api, ConnectionValues values) {
QQUserInfo userInfo = api.getUserInfo();
values.setDisplayName(userInfo.getNickname());
// 头像
values.setImageUrl(userInfo.getFigureurl_qq_1());
// 个人主页
values.setProfileUrl(null);
values.setProviderUserId(userInfo.getOpenId());
}
@Override
public UserProfile fetchUserProfile(QQ api) {
return null;
}
@Override
public void updateStatus(QQ api, String message) {
}
}
根据 QQAdapter 和 QQServiceProvider 可以构建QQConnectionFactory
package com.imooc.security.core.social.qq.connet;
import com.imooc.security.core.social.qq.api.QQ;
import org.springframework.social.connect.support.OAuth2ConnectionFactory;
public class QQConnectionFactory extends OAuth2ConnectionFactory<QQ> {
/**
* 根据 QQAdapter 和 QQServiceProvider 可以构建QQConnectionFactory
* @param providerId 服务商Id
* @param appId
* @param appSecret
*/
public QQConnectionFactory(String providerId, String appId, String appSecret) {
super(providerId, new QQServiceProvider(appId, appSecret), new QQAdapter());
}
}
建表 查找 JdbcUsersConnectionRepository.sql
创建 SocialConfig 配置类,启用Social
package com.imooc.security.core.social;
import com.imooc.security.core.properties.SecurityProperties;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.social.config.annotation.EnableSocial;
import org.springframework.social.config.annotation.SocialConfigurerAdapter;
import org.springframework.social.connect.ConnectionFactoryLocator;
import org.springframework.social.connect.ConnectionSignUp;
import org.springframework.social.connect.UsersConnectionRepository;
import org.springframework.social.connect.jdbc.JdbcUsersConnectionRepository;
import org.springframework.social.connect.web.ProviderSignInUtils;
import org.springframework.social.security.SpringSocialConfigurer;
import javax.sql.DataSource;
/**
* @Title: SocialConfig
* @ProjectName spring-security-main
* @date 2020/12/713:57
*/
@Configuration
@EnableSocial
@Slf4j
public class SocialConfig extends SocialConfigurerAdapter {
@Autowired
private SecurityProperties securityProperties;
// 数据源
@Autowired
private DataSource dataSource;
@Autowired(required = false)
private ConnectionSignUp connectionSignUp;
/**
* 默认使用InMemoryUsersConnectionRepository类 , Primary 候选bean中优先使用,Bean 添加这两个注解
* @param connectionFactoryLocator 作用就是查找ConnectionFactory
* @return
*/
@Primary
@Bean
@Override
public UsersConnectionRepository getUsersConnectionRepository(ConnectionFactoryLocator connectionFactoryLocator) {
JdbcUsersConnectionRepository repository = new JdbcUsersConnectionRepository(dataSource,
connectionFactoryLocator, Encryptors.noOpText());
// 配置数据库前缀
// repository.setTablePrefix("imooc_");
if(connectionSignUp != null) {
repository.setConnectionSignUp(connectionSignUp);
}
return repository;
}
/**
* 配置自定义路径 默认是auth
*需要 把SpringSocialConfigure 加入到过滤器链上
* @return
*/
@Bean
public SpringSocialConfigurer imoocSocialSecurityConfig() {
String filterProcessesUrl = securityProperties.getSocial().getFilterProcessesUrl();
log.info(filterProcessesUrl);
ImoocSpringSocialConfigurer imoocSpringSocialConfigurer = new ImoocSpringSocialConfigurer(filterProcessesUrl);
// 登录成功 回调的url
imoocSpringSocialConfigurer.signupUrl(securityProperties.getBrowser().getSignUpUrl());
return imoocSpringSocialConfigurer;
// return new SpringSocialConfigurer();
}
@Bean
public ProviderSignInUtils providerSignInUtils(ConnectionFactoryLocator connectionFactoryLocator) {
return new ProviderSignInUtils(connectionFactoryLocator,
getUsersConnectionRepository(connectionFactoryLocator)) {
};
}
}
创建 ImoocSpringSocialConfigurer
package com.imooc.security.core.social;
import org.springframework.social.security.SocialAuthenticationFilter;
import org.springframework.social.security.SpringSocialConfigurer;
public class ImoocSpringSocialConfigurer extends SpringSocialConfigurer {
/**
* 修改默认的路由auth 可配置,默认是auth,自定义回调地址, 要和备案的一致
*/
private String filterProcessesUrl;
public ImoocSpringSocialConfigurer(String filterProcessesUrl) {
this.filterProcessesUrl = filterProcessesUrl;
}
@Override
protected <T> T postProcess(T object) {
SocialAuthenticationFilter filter = (SocialAuthenticationFilter) super.postProcess(object);
filter.setFilterProcessesUrl(filterProcessesUrl);
return (T) filter;
}
}
创建 QQAutoConfig
package com.imooc.security.core.social.qq.config;
import com.imooc.security.core.properties.QQProperties;
import com.imooc.security.core.properties.SecurityProperties;
import com.imooc.security.core.social.qq.connet.QQConnectionFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.social.SocialAutoConfigurerAdapter;
import org.springframework.context.annotation.Configuration;
import org.springframework.social.connect.ConnectionFactory;
@Configuration
@ConditionalOnProperty(prefix = "imooc.security.social.qq", name = "app-id") // 当配置文件中,有配置属性才会生效
public class QQAutoConfig extends SocialAutoConfigurerAdapter {
@Autowired
private SecurityProperties securityProperties;
@Override
protected ConnectionFactory<?> createConnectionFactory() {
QQProperties qqConfig = securityProperties.getSocial().getQq();
return new QQConnectionFactory(qqConfig.getProviderId(), qqConfig.getAppId(), qqConfig.getAppSecret());
}
}
把SpringSocialConfigurer 加入到过滤器链上
@Autowired private SpringSocialConfigurer imoocSocialSecurityConfig; .apply(imoocSocialSecurityConfig)
imooc-signIn.html
<!DOCTYPE html> <html> <head> <meta charset="UTF-8"> <title>登录</title> </head> <body> <h2>标准登录页面</h2> <h3>表单登录</h3> <form action="/authentication/form" method="post"> <table> <tr> <td>用户名:</td> <td><input type="text" name="username"></td> </tr> <tr> <td>密码:</td> <td><input type="password" name="password"></td> </tr> <tr> <td>图形验证码:</td> <td> <input type="text" name="imageCode"> <img src="/code/image?width=200"> </td> </tr> <tr> <td colspan='2'><input name="remember-me" type="checkbox" value="true" />记住我</td> </tr> <tr> <td colspan="2"><button type="submit">登录</button></td> </tr> </table> </form> <h3>短信登录</h3> <form action="/authentication/mobile" method="post"> <table> <tr> <td>手机号:</td> <td><input type="text" name="mobile" value="13012345678"></td> </tr> <tr> <td>短信验证码:</td> <td> <input type="text" name="smsCode"> <a href="/code/sms?mobile=13012345678">发送验证码</a> </td> </tr> <tr> <td colspan="2"><button type="submit">登录</button></td> </tr> </table> </form> <br> <h3>社交登录</h3> <a href="/qqLogin/callback.do">QQ登录2</a> <a href="/auth/qq">QQ登录1</a> <a href="/qqLogin/weixin">微信登录</a> </body> </html>
注册问题 SocialConfig
首次登录自动注册
DemoConnectionSignUp
package com.imooc.security;
import org.springframework.social.connect.Connection;
import org.springframework.social.connect.ConnectionSignUp;
import org.springframework.stereotype.Component;
@Component
public class DemoConnectionSignUp implements ConnectionSignUp {
@Override
public String execute(Connection<?> connection) {
//根据社交用户信息默认创建用户并返回用户唯一标识
return connection.getDisplayName();
}
}
点击按钮进行手动注册
@Autowired
private ProviderSignInUtils providerSignInUtils;
@PostMapping("/regist")
public void regist(User user, HttpServletRequest request) {
//不管是注册用户还是绑定用户,都会拿到一个用户唯一标识。
String userId = user.getUsername();
providerSignInUtils.doPostSignUp(userId, new ServletWebRequest(request));
}
获取当前用户信息
/**
* 前端可以显示 当前登录的用户信息
* @param request
* @return
*/
@GetMapping("/social/user")
public SocialUserInfo getSocialUserInfo(HttpServletRequest request) {
SocialUserInfo userInfo = new SocialUserInfo();
// 在session中取出用户信息
Connection<?> connection = providerSignInUtils.getConnectionFromSession(new ServletWebRequest(request));
userInfo.setProviderId(connection.getKey().getProviderId());
userInfo.setProviderUserId(connection.getKey().getProviderUserId());
userInfo.setNickname(connection.getDisplayName());
userInfo.setHeadimg(connection.getImageUrl());
return userInfo;
}