In the previous post of this Spring Security series, "The entry point of the client OAuth2 authorization request", we found the filter that intercepts the OAuth2 authorization request, OAuth2AuthorizationRequestRedirectFilter, and the method that actually launches the OAuth2 authorization request, sendRedirectForAuthorization. That method was not explained in detail, so today we continue from the last post and fill in the gap.

2. sendRedirectForAuthorization

The sendRedirectForAuthorization method does not contain much code; its main job is to redirect the browser to the third-party platform. All of its logic revolves around OAuth2AuthorizationRequest, so we cannot gloss over OAuth2AuthorizationRequest; we must understand how it is built, and from what.

OAuth2AuthorizationRequestResolver

That requires analysing the parsing class OAuth2AuthorizationRequestResolver. Its core method, resolve, has two overloads; analysing one of them is enough.

@Override
public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
    // registrationId is taken from the URI path variable /oauth2/authorization/{registrationId}
    String registrationId = this.resolveRegistrationId(request);
    // Read the action parameter from the request; the default value is "login"
    String redirectUriAction = getAction(request, "login");
    // Then delegate to the underlying resolve method
    return resolve(request, registrationId, redirectUriAction);
}

The inner resolve(request, registrationId, redirectUriAction) method called above is the one that ultimately builds the OAuth2AuthorizationRequest from the /oauth2/authorization request. There is a lot of code in it, but I'll keep it as simple as possible: the resolve method assembles a different OAuth2AuthorizationRequest depending on the grant type (AuthorizationGrantType).

3. OAuth2AuthorizationRequest

Next comes the core of the OAuth 2.0 protocol. If you later need to customize the client, this is where you will start, so it is the key knowledge point. I'll give a complete summary of the OAuth2AuthorizationRequest objects that OAuth2AuthorizationRequestResolver produces under the various grant types. It can be roughly divided into two parts:

3.1 Determined by AuthorizationGrantType

How OAuth2AuthorizationRequest differs under each AuthorizationGrantType. The member variables involved are:

  • authorizationGrantType, from the configuration spring.security.client.registration.{registrationId}.authorizationGrantType.
  • responseType, determined by authorizationGrantType; see the JSON below.
  • additionalParameters: when authorizationGrantType is authorization_code, additional parameters are required, as shown in the JSON below.
  • attributes: different authorizationGrantType values carry different attributes.

Forms like {registrationId} indicate that {registrationId} is a variable, for example registrationId=gitee.

Under the OAuth2 client configuration prefix spring.security.client.registration.{registrationId}, there are the following five cases.

Scope does not contain openid and client-authentication-method is not none

{
  "authorizationGrantType": "authorization_code",
  "responseType": "code",
  "additionalParameters": {},
  "attributes": {
    "registration_id": "{registrationId}"
  }
}

Scope contains openid and client-authentication-method is not none

{
  "authorizationGrantType": "authorization_code",
  "responseType": "code",
  "additionalParameters": {
    "nonce": "{nonce} hash value"
  },
  "attributes": {
    "registration_id": "{registrationId}",
    "nonce": "{nonce}"
  }
}

Scope does not contain openid and client-authentication-method is none

{
  "authorizationGrantType": "authorization_code",
  "responseType": "code",
  "additionalParameters": {
    "code_challenge": "{codeVerifier} hash value",
    // code_challenge_method: this key is absent if the hash is not SHA-256
    "code_challenge_method": "S256 (if it is SHA-256)"
  },
  "attributes": {
    "registration_id": "{registrationId}",
    "code_verifier": "securely generated Base64 {codeVerifier}"
  }
}

Scope contains openid and client-authentication-method is none

{
  "authorizationGrantType": "authorization_code",
  "responseType": "code",
  "additionalParameters": {
    "code_challenge": "{codeVerifier} hash value",
    // code_challenge_method: this key is absent if the hash is not SHA-256
    "code_challenge_method": "S256 (if it is SHA-256)",
    "nonce": "{nonce} hash value"
  },
  "attributes": {
    "registration_id": "{registrationId}",
    "code_verifier": "securely generated Base64 {codeVerifier}",
    "nonce": "{nonce}"
  }
}

Implicit is much simpler:

{
  "authorizationGrantType": "implicit",
  "responseType": "token",
  "attributes": {}
}
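To make the four authorization_code cases concrete, here is an added, self-contained Java illustration of how additionalParameters and attributes are filled in from the two configuration switches (scope contains openid, client-authentication-method is none). It is not Spring Security's own code; it assumes, as the JSON above describes, that the code verifier and nonce are securely generated Base64url strings (96 random bytes here), that the "hash value" is Base64url(SHA-256(value)) without padding, and that when SHA-256 is unavailable the plain verifier is sent as code_challenge and code_challenge_method is omitted.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added illustration (not Spring Security's code) of the additionalParameters
 * and attributes of an authorization_code OAuth2AuthorizationRequest for the
 * four cases above. Assumptions: verifier and nonce are 96 random bytes,
 * Base64url-encoded without padding; "hash value" is Base64url(SHA-256(...)).
 */
public class AuthorizationCodeParameters {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Base64.Encoder URL_ENCODER = Base64.getUrlEncoder().withoutPadding();

    public final Map<String, Object> additionalParameters = new LinkedHashMap<>();
    public final Map<String, Object> attributes = new LinkedHashMap<>();

    /**
     * @param registrationId         the {registrationId} path variable, e.g. "gitee"
     * @param scopeContainsOpenId    true if the configured scope contains "openid"
     * @param clientAuthMethodIsNone true if client-authentication-method is "none"
     */
    public AuthorizationCodeParameters(String registrationId,
                                       boolean scopeContainsOpenId,
                                       boolean clientAuthMethodIsNone) {
        attributes.put("registration_id", registrationId);

        // Public client (client-authentication-method = none): add PKCE parameters.
        // The verifier stays in attributes (client side); only the challenge is sent.
        if (clientAuthMethodIsNone) {
            String codeVerifier = randomToken();
            attributes.put("code_verifier", codeVerifier);
            try {
                additionalParameters.put("code_challenge", sha256Base64Url(codeVerifier));
                additionalParameters.put("code_challenge_method", "S256");
            } catch (NoSuchAlgorithmException e) {
                // No SHA-256: send the verifier itself and omit code_challenge_method,
                // matching the comment in the JSON above.
                additionalParameters.put("code_challenge", codeVerifier);
            }
        }

        // OpenID Connect (scope contains openid): add the nonce.
        // The raw nonce stays in attributes; its hash is sent to the provider.
        if (scopeContainsOpenId) {
            String nonce = randomToken();
            attributes.put("nonce", nonce);
            try {
                additionalParameters.put("nonce", sha256Base64Url(nonce));
            } catch (NoSuchAlgorithmException e) {
                // Without a hash the nonce parameter is not sent (assumption).
            }
        }
    }

    /** Securely generated, Base64url-encoded random token. */
    static String randomToken() {
        byte[] bytes = new byte[96];
        RANDOM.nextBytes(bytes);
        return URL_ENCODER.encodeToString(bytes);
    }

    /** Base64url(SHA-256(value)) without padding, i.e. the S256 transform. */
    static String sha256Base64Url(String value) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        return URL_ENCODER.encodeToString(md.digest(value.getBytes(StandardCharsets.US_ASCII)));
    }

    public static void main(String[] args) {
        // Case 4: scope contains openid and client-authentication-method is none
        AuthorizationCodeParameters p = new AuthorizationCodeParameters("gitee", true, true);
        System.out.println("additionalParameters = " + p.additionalParameters);
        System.out.println("attributes           = " + p.attributes);
    }
}
```

Running main with the other three flag combinations reproduces the other three JSON shapes: (false, false) yields an empty additionalParameters map, (true, false) only the nonce, and (false, true) only the PKCE pair. The split between the two maps is the security-relevant point: the secrets (code_verifier, raw nonce) never leave the client in the authorization request; only their hashes do.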

3.2 Fixed rules

Above are the per-AuthorizationGrantType strategies for the OAuth2AuthorizationRequest member variables. The values and rules of several other parameters are fixed:

  • clientId: comes from configuration; it is the unique identifier the third-party platform assigned to us.
  • authorizationUri: from configuration; used to construct the request URL to the third party.
  • scopes: from configuration; the authorization scope the third-party platform grants us, which can be understood as a role.
  • state: generated automatically to prevent CSRF attacks.
  • authorizationRequestUri: the URI to which the authorization request to the third-party platform is sent. It can be set directly on OAuth2AuthorizationRequest, or generated from authorizationUri and the other parameters above; the construction mechanism is analysed below.
  • redirectUri: once the third-party platform receives the OAuth2AuthorizationRequest, it calls back this URI to respond to the authorization request; the mechanism is analysed below.

The build mechanism for authorizationRequestUri

If you do not explicitly provide authorizationRequestUri, the following members of OAuth2AuthorizationRequest

  • responseType
  • clientId
  • scopes
  • state
  • redirectUri
  • additionalParameters

are concatenated onto authorizationUri as the parameter string below, with each key and value URI-encoded.

authorizationUri?response_type={responseType.getValue()}&client_id={clientId}&scope={scopes elements separated by a space}&state={state}&redirect_uri={redirectUri}&{additionalParameters expanded into key=value pairs by the same rule}

Then OAuth2AuthorizationRequestRedirectFilter redirects to authorizationRequestUri to request authorization from the third party.

redirectUri

The third party calls redirectUri when it responds. The callback has a default rule, which follows the path pattern {baseUrl}/{action}/oauth2/code/{registrationId}.

  • baseUrl: the base URL extracted from our /oauth2/authorization request.
  • action: there are two default values, login and authorize; when the /oauth2/authorization request contains an action parameter, it is populated from the value of action.
  • registrationId: needs no further explanation.
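The two fixed rules above (the default redirectUri pattern and the concatenation of the parameters onto authorizationUri) can be walked through end to end with plain JDK code. The following is an added example, not Spring Security's code: it simulates an incoming /oauth2/authorization/gitee?action=authorize request, extracts registrationId and action, derives the default redirectUri, and assembles authorizationRequestUri. The client id, authorization URI, scopes, state and PKCE values are constructed placeholders standing in for the spring.security.client.registration.gitee.* configuration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.StringJoiner;

/**
 * Added illustration (not Spring Security's code) of the fixed rules:
 * default redirectUri = {baseUrl}/{action}/oauth2/code/{registrationId}
 * and authorizationRequestUri = authorizationUri?key=value&... (URL-encoded).
 * All configuration values in main() are constructed for the example.
 */
public class AuthorizationRequestUriBuilder {

    static final String AUTHORIZATION_BASE_PATH = "/oauth2/authorization/";

    /** Extracts {registrationId} from a path like /oauth2/authorization/gitee. */
    static String resolveRegistrationId(String requestPath) {
        if (!requestPath.startsWith(AUTHORIZATION_BASE_PATH)) {
            return null; // not an authorization request; the filter lets it pass through
        }
        return requestPath.substring(AUTHORIZATION_BASE_PATH.length());
    }

    /** Returns the action query parameter if present, otherwise the default ("login"). */
    static String resolveAction(Map<String, String> queryParams, String defaultAction) {
        String action = queryParams.get("action");
        return action == null ? defaultAction : action;
    }

    /** Default callback rule: {baseUrl}/{action}/oauth2/code/{registrationId}. */
    static String defaultRedirectUri(String baseUrl, String action, String registrationId) {
        return baseUrl + "/" + action + "/oauth2/code/" + registrationId;
    }

    /** Concatenates the parameters onto authorizationUri, URL-encoding keys and values. */
    static String buildAuthorizationRequestUri(String authorizationUri,
                                               String responseType,
                                               String clientId,
                                               List<String> scopes,
                                               String state,
                                               String redirectUri,
                                               Map<String, String> additionalParameters) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("response_type", responseType);
        params.put("client_id", clientId);
        params.put("scope", String.join(" ", scopes)); // scope elements separated by a space
        params.put("state", state);
        params.put("redirect_uri", redirectUri);
        params.putAll(additionalParameters);            // expanded with the same key=value rule

        StringJoiner query = new StringJoiner("&");
        params.forEach((k, v) -> query.add(encode(k) + "=" + encode(v)));
        return authorizationUri + "?" + query;
    }

    private static String encode(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed incoming request: GET http://localhost:8080/oauth2/authorization/gitee?action=authorize
        String baseUrl = "http://localhost:8080";
        String registrationId = resolveRegistrationId("/oauth2/authorization/gitee");
        String action = resolveAction(Map.of("action", "authorize"), "login");
        String redirectUri = defaultRedirectUri(baseUrl, action, registrationId);
        // -> http://localhost:8080/authorize/oauth2/code/gitee

        // Constructed placeholders for spring.security.client.registration.gitee.* values
        String uri = buildAuthorizationRequestUri(
                "https://gitee.com/oauth/authorize",
                "code",
                "example-client-id",
                List.of("user_info", "emails"),
                "example-state-value",
                redirectUri,
                Map.of("code_challenge", "example-code-challenge", "code_challenge_method", "S256"));
        System.out.println(uri);
    }
}
```

Two details worth noticing when comparing the output with a real redirect: URLEncoder performs form encoding, so the space between scopes becomes "+" rather than "%20" (both decode to a space in a query string), and the redirect_uri is itself encoded as a single value, so the authorization server cannot be confused by the "?" and "&" characters the callback path may contain.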

4. To summarize

Having analysed in detail the rules that the OAuth2AuthorizationRequest request object follows, we can now describe the process of the OAuth2AuthorizationRequestRedirectFilter roughly:

  1. Build ClientRegistration from the client configuration; it can be persisted later.
  2. Intercept the /oauth2/authorization request, construct OAuth2AuthorizationRequest, then redirect to authorizationRequestUri to request authorization.
  3. The third party approves and responds via redirect_uri.

How does Spring Security OAuth2 handle the third-party callback? Stay tuned: code farmer Xiao Pang will reveal the answer for you.

Follow our official account: Felordcn for more information

Personal blog: https://felord.cn