E-commerce platform source code please add penguin beg: 1038 7746 2626. I’ve written a lot about Spring Cloud, so today we’re going to take notes on how to integrate OAuth2.0. First of all, I found some basic knowledge about OAuth2.0 on the Internet to help you review the knowledge:
The role of oauth
Client: an application that invokes the resource server API
Oauth 2.0 Provider: includes Authorization Server and Resource Server
(1) Authorization Server: the Authorization Server for authentication and Authorization
(2) Resource Server: protects protected resources
User: indicates the owner of the resource
The Oauth 2.0 Provider will be introduced in detail
Authorization Server:
(1) AuthorizationEndpoint: Specifies the authorization service. Default URL: /oauth/authorize
(2) TokenEndpoint: obtains the token service. Default URL: /oauth/token
Resource Server:
OAuth2AuthenticationProcessingFilter: to request certification with the access token
Iii. Let’s introduce the Authorization Server in detail:
In general, create two configuration class, a AuthorizationServerConfigurerAdapter inheritance, an inheritance WebSecurityConfigurerAdapter, copy to the inside of the method.
Two main types of notes appear:
1, @ EnableAuthorizationServer: declare an authentication server, when using this annotation, apply after start-up will automatically generate a few Endpoint: (note: In fact, the implementation of a authentication server is so simple, add a note to fix, of course, the real use of the production environment or some configuration and copy work.
/ request/the authorize: validation
/oauth/token: Obtains the token
/oauth/confirm_access: user authorization
/oauth/error: authentication failed
/oauth/check_token: the resource server verifies the token
/oauth/token_key: This can be used to obtain the public key from the authentication server if JWT mode is used
These endpoints are in the source code of the endpoint package.
2, @ Beans: the need to implement AuthorizationServerConfigurer
AuthorizationServerConfigurer contains three configurations:
ClientDetailsServiceConfigurer: client configuration information for the client, client information, including: clientId, secret, scope, authorizedGrantTypes, authorities
(1) Scope: indicates the scope of permission, which can be selected when the user authorizes the page
(2) authorizedGrantTypes: There are four authorization types
Authorization Code: Use authentication to obtain Code, and then use Code to obtain token (the most used way, but also the most secure way)
Implicit: indicates the Implicit authorization mode
The Client Credentials (used to obtain App Access tokens)
Resource Owner Password Credentials
(3) Authorities
There are many specific implementations here, such as In-memory, JdbcClientDetailsService, JWT, etc.
AuthorizationServerSecurityConfigurer: declare security constraints, which allow access to, which are not allowed to access
AuthorizationServerEndpointsConfigurer: declaration authorization and some of the endpoint of token and token service configuration information, such as the storage model and the validity of the token
Read information from the client: configure in ClientDetailsServiceConfigurer class, can be in the memory, JDBC to read a variety of ways.
JDBC calls the JdbcClientDetailsService class, which passes in the corresponding DataSource.
Here’s how to manage tokens:
AuthorizationServerTokenServices interface: statement necessary about the operation of the token
(1) When a token is created, it is saved so that subsequent resources that receive the token can reference it.
(2) The access token is used to load authentication
DefaultTokenServices is the default implementation. It uses the default InMemoryTokenStore and does not persist tokens.
There are three storage modes for tokens: (1) InMemoryTokenStore: The token is stored in the memory and will not be persisted
(2) JdbcTokenStore: Store in the database
(3) Jwt: JSON Web token
Authorization Type:
Can be configured through AuthorizationServerEndpointsConfigurer, by default, support all except password authentication type. Some classes for related authorization types:
(1) authenticationManager: Directly inject an authenticationManager and automatically enable the password authorization type
(2) userDetailsService: If the userDetailsService is injected, the token authorization type will be refreshed to determine whether the user is still alive
(3) authorizationCodeServices: authorizationCodeServices instance, auth code authorization type of service
(4) implicitGrantService: IMlpicit Grant
(5) tokenGranter:
Endpoint URL configuration:
(1) AuthorizationServerEndpointsConfigurer pathMapping () method, which has two parameters, the first is the default URL path, the second is the path of the custom
(2) An instance of WebSecurityConfigurer that configures which paths do not need to be protected and which do. All protected by default.
Custom UI:
(1) Sometimes, we may need to customize the login page and authentication page. For the login page, just create a web page with the prefix login. In the code, set it to allow access, so that the system will automatically execute your login page. The action on this landing page must be the address to jump to for authentication.
(2) The other is the authorization page, which lets you check the options. This page can refer to the implementation of the source code, their own generation of a controller class, and then create a corresponding Web page to achieve custom functions.
The following is the process of obtaining tokens through authorization:
(1) Change the port number to your own authentication server, change the client_id to your own, and set response_type type to code.
localhost:8080/uaa/oauth/authorize? Client_id = client&Response _type=code&redirect_uri=http://www.baidu.com (2) At this point you will get a code value: www.baidu.com/?code=G0C20…
(3) Use this code value to obtain the final token:
Curl-x post-H “Cant-Type: Application/x – WWW – form – urlencoded “- d ‘grant_type=authorization_code&code=G0C20Z&redirect_uri=http://www.baidu.com’ “Http://client:secret@localhost:8080/uaa/oauth/token”
The return value:
{” access_token “:” b251b453 – cc08-4520-9 dd0-9 aedf58e6ca3 “, “token_type” : “bearer”, “expires_in:” 2591324, “scope” : “app”}
If the resource server and the authentication server are in the same application, then the resource server will resolve the token value by itself. If the authentication server is not in the same application, then you need to handle it yourself.
Curl-h “Authorization: Bearer of B251B453-CC08-4520-9DD0-9AEDF58E6CA3” “Localhost :8081/service2 (change your URL here)”
Resource Server: protects resources and requires a token to access them
Start by annotating @enableresourceserver on the configuration class. Use ResourceServerConfigurer to configure:
(1) tokenServices: ResourceServerTokenServices instance, declared the token service
(2) resourceId: indicates the resourceId, verified by the auth Server.
(3) Other extension points, such as tokenExtractor, which can extract tokens from requests
(4) Some custom resource protection configurations, set by HttpSecurity
There are also two ways to use tokens:
(1) Bearer Token: mainstream
(2) Mac (HTTP +sign)
How do I access the API in the resource server?
If the resource server and authorization server are in the same application, and you use DefaultTokenServices, you don’t have to worry too much about this because it implements all the necessary interfaces, so it’s automatically consistent. If your resource is a single application server, you must make sure that you match the function of the license server, and provide the know how to decode the token correctly ResourceServerTokenServices. As with licensing servers, you can often use DefaultTokenServices, and the options are mostly expressed through TokenStore (back-end storage or native encoding).
(1) When verifying the token in request, use RemoteTokenServices to call/Auth /check_token in AuthServer.
(2) Share the database and use Jdbc to store and verify tokens to avoid accessing the AuthServer.
(3) By using JWT signature, the resource server directly performs verification without any intermediary.
Five, the request of client
After the client obtains the token and wants to call the downstream service API, the RestTemplate can be used to pass the token. The restTemplate is then used to call the Api.
Note:
Scopes and authorities:
Scopes are client permissions. At least one scope permission is granted, otherwise an error will be reported.
Authorities is user authority.
The above is a good blog I found from the Internet, I hope to help you quickly understand OAuth2.0, the next article we formally introduce OAuth2.0 in the current framework of the use.
From now on, I will record the construction process and essence of spring Cloud micro-service cloud architecture recently developed, so as to help more friends who are interested in developing Spring Cloud framework to discuss the construction process of Spring Cloud architecture and how to apply it to enterprise projects.