一、场景
三个角色:用户(user),web应用(client),资源服务器和授权服务器合为服务器(server)
用户登录登录后可查看自己的信息
二、准备
2.1 数据库
schema
drop table if exists oauth2_client;
drop table if exists oauth2_user;
create table oauth2_user (
id bigint auto_increment,
username varchar(100),
password varchar(100),
salt varchar(100),
constraint pk_oauth2_user primary key(id)
) charset=utf8 ENGINE=InnoDB;
create unique index idx_oauth2_user_username on oauth2_user(username);
create table oauth2_client (
id bigint auto_increment,
client_name varchar(100),
client_id varchar(100),
client_secret varchar(100),
constraint pk_oauth2_client primary key(id)
) charset=utf8 ENGINE=InnoDB;
create index idx_oauth2_client_client_id on oauth2_client(client_id);
data
DELIMITER ;
delete from oauth2_user;
delete from oauth2_client;
insert into oauth2_user values(1,'admin','d3c59d25033dbf980d29554025c23a75','8d78869f470951332959580424d4bf4f');
insert into oauth2_client values(1,'chapter17-client','c1ebe466-1cdc-4bd3-ab69-77c3561b9dee','d8346ea2-6017-43ed-ad68-19c0f971738b');
2.2 Server
修改数据库链接 resources.properties
#dataSource configure
connection.url=jdbc:mysql://mysql-server:3306/shiro
connection.username=r00t
connection.password=r00t
2.3 Client
三、过程分析
1)2)用户访问client首页,检测到用户未登录,重定向到login
3)4)点击授权登录,输入admin/123456后点击登录并授权按钮
// 3)授权请求 http://localhost:8080/zetark-oauth2-server/oauth2login
if (!isLogin && servletPath.startsWith("/login_authorize")) {
String authorizeUrl = ClientParams.OAUTH_SERVER_AUTHORIZE_URL;
authorizeUrl += "?client_id=c1ebe466-1cdc-4bd3-ab69-77c3561b9dee";
authorizeUrl += "&response_type=code";
authorizeUrl += "&&redirect_uri=" + ClientParams.OAUTH_SERVER_REDIRECT_URI;
response.sendRedirect(authorizeUrl);
return;
}
// 4)授权响应
if (!isLogin && servletPath.startsWith("/login_response")) {
String code = request.getParameter("code");
if (code != null) {
// 6)7)令牌请求及响应 http://localhost:8080/zetark-oauth2-server/accessToken
OAuthAccessTokenResponse tokenResponse = null;
try {
tokenResponse = OauthClient.makeTokenRequestWithAuthCode(code);
} catch (OAuthProblemException e) {
e.printStackTrace();
} catch (OAuthSystemException e) {
e.printStackTrace();
}
if (tokenResponse != null) {
session.setAttribute("isLogin", true);
session.setAttribute("token", tokenResponse.getAccessToken());
session.setMaxInactiveInterval(tokenResponse.getExpiresIn().intValue());
// 10)11) 根据token调用api
String userInfoJson = OauthClient.getAuthedService(tokenResponse.getAccessToken());
Map<String, Object> userInfo = new Gson().fromJson(userInfoJson, Map.class);
System.out.println(userInfo);
session.setAttribute("user", userInfo);
response.sendRedirect("index");
return;
}
} else {
String errorDesc = request.getParameter("error_description");
System.out.println("登录失败:" + errorDesc);
}
}
访问过程
client_uri:/
client_uri:/login
# 用户访问client首页/,由于未登录被重定向到/login页面
client_uri:/login_authorize
server_uri:/oauth2login
# 用户在/login页面点击授权登录后,向server发起授权请求,server返回登录页面/oauth2login
server_uri:/authorize
client_uri:/login_response
# 用户在/oauth2login填写用户名密码后点击授权登录后,server验证后重定向到/login_resposne
server_uri:/accessToken
server_uri:/checkAccessToken
# client在处理/login_response时接收code并再发起令牌请求,server返回令牌
server_uri:/v1/openapi/userInfo
# client根据令牌信息请求api服务
client_uri:/index
# 向用户返回/index页面