1. Introduction

The previous article covered how a user's request for third-party authorization is turned into an OAuth2AuthorizationRequest object and how a filter redirects that request to the third party. Today we continue the flow and look at what happens when the third party's callback reaches our server.

2. OAuth2 login authentication

After the third party has processed our OAuth2 authorization request, it delivers the result by redirecting the user's browser to the redirect_uri we supplied. Since the default callback path is /login/oauth2/code/*, we can see how Spring Security handles the callback simply by locating the filter that intercepts that path. A search confirms that OAuth2LoginAuthenticationFilter is the filter handling the callback.

OAuth2LoginAuthenticationFilter

The third-party authorization server calls our redirect_uri with the code and state parameters appended. The filter intercepts the call, matches it against the OAuth2AuthorizationRequest saved before the redirect (the stored request is looked up by the state parameter, so a callback whose state does not match the one we issued is rejected), wraps the stored request and the incoming response in an OAuth2LoginAuthenticationToken, and delegates that token to the AuthenticationManager for authentication.

Once authentication succeeds, the filter converts the result into an OAuth2AuthenticationToken (the authenticated credential) and an OAuth2AuthorizedClient (the authorized client object holding the tokens that were obtained). The OAuth2AuthenticationToken is returned and eventually stored through the SecurityContextRepository, which completes the authentication, while the OAuth2AuthorizedClient is saved to the OAuth2AuthorizedClientRepository. The flow chart is as follows:

Like UsernamePasswordAuthenticationFilter, this filter extends AbstractAuthenticationProcessingFilter, so the two share much of the same processing flow.
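To make the binding between the stored OAuth2AuthorizationRequest and the callback concrete, here is an added example (not code from Spring Security or from this series) that reproduces the first half of attemptAuthentication with an in-memory session: store the authorization request, then feed it three callbacks. It assumes Spring Security 5.4 or later (for ClientRegistration.Builder.redirectUri) and spring-test on the classpath for the mock request and session; the registration id github, the state values and the code value are constructed sample data, and the ClientRegistration is built locally in place of the filter's ClientRegistrationRepository lookup. The token-endpoint exchange and user-info lookup performed by the AuthenticationManager are not reproduced.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizationRequestRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;

/**
 * Added example, not Spring Security's own code. Walks through what
 * OAuth2LoginAuthenticationFilter.attemptAuthentication does up to the point
 * where it hands an OAuth2LoginAuthenticationToken to the AuthenticationManager.
 * Registration id, state and code values are constructed sample data.
 */
public class CallbackBindingDemo {

    static final String REDIRECT_URI = "http://localhost:8080/login/oauth2/code/github";

    /** Stands in for clientRegistrationRepository.findByRegistrationId("github"). */
    static ClientRegistration registration() {
        return ClientRegistration.withRegistrationId("github")
                .clientId("client-id")
                .clientSecret("client-secret")
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri(REDIRECT_URI)
                .authorizationUri("https://github.com/login/oauth/authorize")
                .tokenUri("https://github.com/login/oauth/access_token")
                .userInfoUri("https://api.github.com/user")
                .userNameAttributeName("id")
                .build();
    }

    /** Step from the previous article: the request saved before the browser is redirected. */
    static void storeAuthorizationRequest(HttpSessionOAuth2AuthorizationRequestRepository repo,
                                          MockHttpSession session, String state) {
        OAuth2AuthorizationRequest authRequest = OAuth2AuthorizationRequest.authorizationCode()
                .clientId("client-id")
                .authorizationUri("https://github.com/login/oauth/authorize")
                .redirectUri(REDIRECT_URI)
                .state(state)
                .attributes(attrs -> attrs.put(OAuth2ParameterNames.REGISTRATION_ID, "github"))
                .build();
        MockHttpServletRequest req = new MockHttpServletRequest("GET", "/oauth2/authorization/github");
        req.setSession(session);
        repo.saveAuthorizationRequest(authRequest, req, new MockHttpServletResponse());
    }

    /**
     * Step from this article: the callback. Returns the unauthenticated token the filter
     * would pass to the AuthenticationManager, or null when the callback cannot be matched
     * to a stored request (the real filter throws OAuth2AuthenticationException there).
     */
    static OAuth2LoginAuthenticationToken handleCallback(HttpSessionOAuth2AuthorizationRequestRepository repo,
                                                         MockHttpSession session, String code, String state) {
        MockHttpServletRequest callback = new MockHttpServletRequest("GET", "/login/oauth2/code/github");
        callback.setSession(session);
        callback.addParameter(OAuth2ParameterNames.CODE, code);
        callback.addParameter(OAuth2ParameterNames.STATE, state);

        // The repository finds the stored request by the state parameter and removes it (one-shot).
        OAuth2AuthorizationRequest stored = repo.removeAuthorizationRequest(callback, new MockHttpServletResponse());
        if (stored == null) {
            return null; // filter: error code authorization_request_not_found
        }
        OAuth2AuthorizationResponse authResponse = OAuth2AuthorizationResponse.success(code)
                .redirectUri(REDIRECT_URI)
                .state(state)
                .build();
        return new OAuth2LoginAuthenticationToken(registration(),
                new OAuth2AuthorizationExchange(stored, authResponse));
    }

    public static void main(String[] args) {
        HttpSessionOAuth2AuthorizationRequestRepository repo = new HttpSessionOAuth2AuthorizationRequestRepository();
        MockHttpSession session = new MockHttpSession();
        storeAuthorizationRequest(repo, session, "state-123");

        // A state value this session never issued: nothing matches, login is refused.
        System.out.println("forged state -> " + handleCallback(repo, session, "code-abc", "state-FORGED"));

        // The genuine callback: a token is built and would now go to the AuthenticationManager.
        OAuth2LoginAuthenticationToken token = handleCallback(repo, session, "code-abc", "state-123");
        System.out.println("valid state  -> authenticated=" + token.isAuthenticated()
                + ", code=" + token.getAuthorizationExchange().getAuthorizationResponse().getCode());

        // Replaying the same callback: the stored request was consumed, so it fails again.
        System.out.println("replay       -> " + handleCallback(repo, session, "code-abc", "state-123"));
    }
}
```

Running main() shows the three outcomes the filter distinguishes: the forged state yields null because no stored request carries that state, the genuine callback yields an OAuth2LoginAuthenticationToken that is still unauthenticated (isAuthenticated() is false) and carries the code for the token exchange, and the replay yields null because the repository removed the stored request when it was first matched.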

3. Summary

After authorization, the third party notifies the client through the callback, and on receiving it the client authenticates the authorization result to confirm that the flow is legitimate. This process is driven by OAuth2LoginAuthenticationFilter. This article covered the overall flow; the detailed authentication process will be covered in the next part of the series by Code Farmer Xiao Pang.

Follow our WeChat official account Felordcn for more.

Personal blog: https://felord.cn