Personalized Token background

As mentioned in the previous article "Spring Security OAuth Personalized Token (1)", the OAuth 2.0 token endpoint (/oauth/token) returns the following message format by default:

{
    "access_token": "e6669cdf-b6cd-43fe-af5c-f91a65041382",
    "token_type": "bearer",
    "refresh_token": "da91294d-446c-4a89-bdcf-88aee15a75e8",
    "expires_in": 43199,
    "scope": "server"
}

In the previous article we extended this by adding some business fields to the token response:

{
    "access_token": "a6f3b6d6-93e6-4eb8-a97d-3ae72240a7b0",
    "token_type": "bearer",
    "refresh_token": "710ab162-a482-41cd-8bad-26456af38e4f",
    "expires_in": 42396,
    "scope": "server",
    "tenant_id": 1,
    "license": "made by pigx",
    "dept_id": 1,
    "user_id": 1,
    "username": "admin"
}

There are some scenarios where we need to customize the format of the returned message. For example, pig returns an R object that carries the business code (code/msg) and puts the token data under data:

{
    "code": 1,
    "msg": "",
    "data": {
        "access_token": "e6669cdf-b6cd-43fe-af5c-f91a65041382",
        "token_type": "bearer",
        "refresh_token": "da91294d-446c-4a89-bdcf-88aee15a75e8",
        "expires_in": 43199,
        "scope": "server"
    }
}

Method one: HandlerMethodReturnValueHandler

  • As the name implies, this is the Spring MVC interface for handling a controller method's return value; implementing it lets us intercept and rewrite what the token endpoint returns.
import java.lang.reflect.Method;
import java.util.Objects;

import javax.servlet.http.HttpServletResponse;

import org.springframework.core.MethodParameter;
import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.endpoint.TokenEndpoint;
import org.springframework.web.context.request.NativeWebRequest;
import org.springframework.web.method.support.HandlerMethodReturnValueHandler;
import org.springframework.web.method.support.ModelAndViewContainer;

// R (the response envelope) and WebUtils (JSON writer) are the project's own
// helpers; import them from your common module.
public class FormatterToken implements HandlerMethodReturnValueHandler {

    private static final String POST_ACCESS_TOKEN = "postAccessToken";

    @Override
    public boolean supportsReturnType(MethodParameter returnType) {
        // Only claim the OAuth2 token endpoint. Matching on the method name alone would
        // also catch any other controller method called postAccessToken, so check the
        // declaring class too.
        Method method = Objects.requireNonNull(returnType.getMethod());
        return TokenEndpoint.class.equals(method.getDeclaringClass())
                && POST_ACCESS_TOKEN.equals(method.getName());
    }

    // Take the ResponseEntity<OAuth2AccessToken> returned by TokenEndpoint, wrap its
    // body in R and write the JSON to the response ourselves.
    @Override
    @SuppressWarnings("unchecked")
    public void handleReturnValue(Object returnValue, MethodParameter returnType,
            ModelAndViewContainer container, NativeWebRequest request) throws Exception {
        ResponseEntity<OAuth2AccessToken> responseEntity = (ResponseEntity<OAuth2AccessToken>) returnValue;
        OAuth2AccessToken body = responseEntity.getBody();

        // Java assertions are off unless -ea is set, so use an explicit null check.
        HttpServletResponse response = Objects.requireNonNull(
                request.getNativeResponse(HttpServletResponse.class));
        // RFC 6749 section 5.1 requires these headers on a token response so that no
        // proxy or browser caches the token; writing the body directly bypasses the
        // headers carried on the ResponseEntity, so set them here.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");
        WebUtils.renderJson(response, R.ok(body));
        // Tell Spring MVC the response is complete, so it does not try to resolve a view.
        container.setRequestHandled(true);
    }
}
  • Register FormatterToken by prepending it to the RequestMappingHandlerAdapter's handler list rather than through WebMvcConfigurer#addReturnValueHandlers: handlers added via the MVC config are placed after the built-in ones, and the built-in HttpEntityMethodProcessor would claim the ResponseEntity first. The first handler whose supportsReturnType() returns true wins, so ours must run before the Spring MVC defaults.
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

import org.springframework.beans.BeansException;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.method.support.HandlerMethodReturnValueHandler;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;

@Configuration
public class FormatterTokenAutoConfiguration implements ApplicationContextAware, InitializingBean {

    private ApplicationContext applicationContext;

    @Override
    public void afterPropertiesSet() {
        RequestMappingHandlerAdapter handlerAdapter = applicationContext.getBean(RequestMappingHandlerAdapter.class);
        // getBean() has already initialised the adapter, so its handler list is populated
        // (it is null until the adapter's own afterPropertiesSet has run).
        List<HandlerMethodReturnValueHandler> returnValueHandlers =
                Objects.requireNonNull(handlerAdapter.getReturnValueHandlers());

        // Put FormatterToken first so it sees the token endpoint's ResponseEntity before
        // the built-in HttpEntityMethodProcessor does.
        List<HandlerMethodReturnValueHandler> newHandlers = new ArrayList<>();
        newHandlers.add(new FormatterToken());
        newHandlers.addAll(returnValueHandlers);
        handlerAdapter.setReturnValueHandlers(newHandlers);
    }

    @Override
    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
        this.applicationContext = applicationContext;
    }
}

Method two: AOP around-advice on the /oauth/token endpoint (TokenEndpoint.postAccessToken)

import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.stereotype.Component;

// The class name is illustrative; the original snippet showed only the advice method.
// R is the project's own response envelope.
@Aspect
@Component
public class TokenEndpointAspect {

    @Around("execution(* org.springframework.security.oauth2.provider.endpoint.TokenEndpoint.postAccessToken(..))")
    @SuppressWarnings("unchecked")
    public Object handlePostAccessTokenMethod(ProceedingJoinPoint joinPoint) throws Throwable {
        // Let TokenEndpoint issue the token. On failure it throws, the advice simply
        // propagates the exception, and the standard OAuth2 error response is unchanged.
        Object proceed = joinPoint.proceed();

        // Wrap the original body in R and return it.
        ResponseEntity<OAuth2AccessToken> responseEntity = (ResponseEntity<OAuth2AccessToken>) proceed;
        OAuth2AccessToken body = responseEntity.getBody();
        // Keep the original status and headers (Cache-Control: no-store, Pragma: no-cache);
        // a bare ResponseEntity.status(HttpStatus.OK) would silently drop them.
        return ResponseEntity
                .status(responseEntity.getStatusCode())
                .headers(responseEntity.getHeaders())
                .body(R.ok(body));
    }
}

Conclusion

In real projects, changing the response format of this endpoint is not recommended. The wrapped response no longer matches the OAuth 2.0 token response defined in RFC 6749 section 5.1 (access_token and token_type at the top level of the JSON object), so any component that speaks standard OAuth 2.0 against this server stops working, for example:

  • Swagger's built-in OAuth2 authentication and authorization flow

  • Gateway components with built-in OAuth2 support, e.g. Kong's OAuth2 plugin:

https://docs.konghq.com/hub/kong-inc/oauth2/

  • The SSO support that ships with Spring Security OAuth2 (its OAuth2 client side consumes the token response)

The customization costs far more than it gains.
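To make the incompatibility concrete, the following Python example (added here; it is not code from the article, from pig/pigx, or from Spring Security OAuth) parses a token response the way a standards-based client does and runs it over the three formats shown above. The sample bodies and headers are constructed for the example; the checks follow RFC 6749 section 5.1, and the assumption that an R envelope with code 1 means success is taken from the sample envelope above.

```python
"""Added example: how an RFC 6749 client reads the token response, and why
the R-wrapped format breaks it. Not part of pig/pigx or Spring Security OAuth."""
import json


class TokenResponseError(ValueError):
    """Raised when a token response does not satisfy RFC 6749 section 5.1."""


def parse_token_response(body: str, headers: dict) -> dict:
    """Parse a token endpoint response the way a standard OAuth 2.0 client does.

    Returns the parsed object, mandatory fields plus any extension fields
    (a client must ignore parameters it does not know, so business fields
    such as tenant_id are harmless). Raises TokenResponseError when the
    mandatory fields are missing or the no-store directive is absent.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise TokenResponseError(f"token response is not JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise TokenResponseError("token response must be a JSON object")

    # RFC 6749 5.1: access_token and token_type are REQUIRED at the top level.
    for field in ("access_token", "token_type"):
        if not isinstance(data.get(field), str) or not data[field]:
            raise TokenResponseError(f"missing required field {field!r}")
    # expires_in is RECOMMENDED and, when present, a lifetime in seconds.
    if "expires_in" in data and not isinstance(data["expires_in"], int):
        raise TokenResponseError("expires_in must be an integer")

    # RFC 6749 5.1: the server MUST send Cache-Control: no-store so that no proxy
    # or browser caches the token. A handler that writes a fresh response without
    # carrying over the headers from TokenEndpoint's ResponseEntity drops it.
    cache_control = {h.lower(): v for h, v in headers.items()}.get("cache-control", "")
    if "no-store" not in cache_control.lower():
        raise TokenResponseError("token response lacks Cache-Control: no-store")
    return data


def unwrap_r_envelope(body: str) -> str:
    """Adapter for a client that must talk to the pig-style wrapped endpoint.

    Assumption (from the sample above): code 1 means success and the token
    response sits under "data". Anything else is treated as an error.
    """
    envelope = json.loads(body)
    if envelope.get("code") != 1 or "data" not in envelope:
        raise TokenResponseError(f"wrapped token request failed: {envelope.get('msg')!r}")
    return json.dumps(envelope["data"])


def classify(body: str, headers: dict) -> str:
    """Return 'ok' if a standard client could use the response, else the reason."""
    try:
        parse_token_response(body, headers)
        return "ok"
    except TokenResponseError as exc:
        return str(exc)


# Constructed sample responses mirroring the article's three formats.
STANDARD_HEADERS = {"Cache-Control": "no-store", "Pragma": "no-cache",
                    "Content-Type": "application/json;charset=UTF-8"}
NO_CACHE_HEADERS = {"Content-Type": "application/json;charset=UTF-8"}

DEFAULT_BODY = json.dumps({
    "access_token": "e6669cdf-b6cd-43fe-af5c-f91a65041382",
    "token_type": "bearer",
    "refresh_token": "da91294d-446c-4a89-bdcf-88aee15a75e8",
    "expires_in": 43199,
    "scope": "server",
})
EXTENDED_BODY = json.dumps({**json.loads(DEFAULT_BODY), "tenant_id": 1,
                            "dept_id": 1, "user_id": 1, "username": "admin"})
WRAPPED_BODY = json.dumps({"code": 1, "msg": "", "data": json.loads(DEFAULT_BODY)})


if __name__ == "__main__":
    print("default  :", classify(DEFAULT_BODY, STANDARD_HEADERS))
    print("extended :", classify(EXTENDED_BODY, STANDARD_HEADERS))
    print("wrapped  :", classify(WRAPPED_BODY, NO_CACHE_HEADERS))
    print("unwrapped:", classify(unwrap_r_envelope(WRAPPED_BODY), STANDARD_HEADERS))
    print("no-store missing:", classify(DEFAULT_BODY, NO_CACHE_HEADERS))
```

The extended response from the previous article passes because the extra fields are ignored, while the R-wrapped one fails on the very first mandatory field; only a client that knows about the envelope (unwrap_r_envelope) can use it, which is exactly why off-the-shelf OAuth2 clients, gateways and Swagger stop working. The last case shows the separate header problem: a wrapper that rebuilds the response must carry over Cache-Control: no-store, or the token becomes cacheable.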