Spring Security OAuth 个性化token的使用

时间:2022-02-20 11:21:24

个性化token 目的

默认通过调用 /oauth/token 返回的报文格式包含以下参数

?
1
2
3
4
5
6
7
{
 "access_token": "e6669cdf-b6cd-43fe-af5c-f91a65041382",
 "token_type": "bearer",
 "refresh_token": "da91294d-446c-4a89-bdcf-88aee15a75e8",
 "expires_in": 43199,
 "scope": "server"
}

并没包含用户的业务信息比如用户信息、租户信息等。

扩展生成包含业务信息(如下),避免系统多次调用,直接可以通过认证接口获取到用户信息等,大大提高系统性能

?
1
2
3
4
5
6
7
8
9
10
11
12
{
 "access_token":"a6f3b6d6-93e6-4eb8-a97d-3ae72240a7b0",
 "token_type":"bearer",
 "refresh_token":"710ab162-a482-41cd-8bad-26456af38e4f",
 "expires_in":42396,
 "scope":"server",
 "tenant_id":1,
 "license":"made by pigx",
 "dept_id":1,
 "user_id":1,
 "username":"admin"
}

密码模式生成token 源码解析

Spring Security OAuth 个性化token的使用

​ 主页参考红框部分

resourceownerpasswordtokengranter (密码模式)根据用户的请求信息,进行认证得到当前用户上下文信息

?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
protected oauth2authentication getoauth2authentication(clientdetails client, tokenrequest tokenrequest) {
 map<string, string> parameters = new linkedhashmap<string, string>(tokenrequest.getrequestparameters());
 string username = parameters.get("username");
 string password = parameters.get("password");
 // protect from downstream leaks of password
 parameters.remove("password");
 authentication userauth = new usernamepasswordauthenticationtoken(username, password);
 ((abstractauthenticationtoken) userauth).setdetails(parameters);
  
 userauth = authenticationmanager.authenticate(userauth);
 
 oauth2request storedoauth2request = getrequestfactory().createoauth2request(client, tokenrequest); 
  return new oauth2authentication(storedoauth2request, userauth);
}

然后调用abstracttokengranter.getaccesstoken() 获取oauth2accesstoken

?
1
2
3
protected oauth2accesstoken getaccesstoken(clientdetails client, tokenrequest tokenrequest) {
 return tokenservices.createaccesstoken(getoauth2authentication(client, tokenrequest));
}

默认使用defaulttokenservices来获取token

?
1
2
3
4
5
6
7
8
9
10
11
12
public oauth2accesstoken createaccesstoken(oauth2authentication authentication) throws authenticationexception {
 
 ... 一系列判断 ,合法性、是否过期等判断
 oauth2accesstoken accesstoken = createaccesstoken(authentication, refreshtoken);
  tokenstore.storeaccesstoken(accesstoken, authentication);
  // in case it was modified
  refreshtoken = accesstoken.getrefreshtoken();
  if (refreshtoken != null) {
   tokenstore.storerefreshtoken(refreshtoken, authentication);
  }
  return accesstoken;
}

createaccesstoken 核心逻辑

?
1
2
3
4
5
6
7
8
9
10
11
12
// 默认刷新token 的有效期
private int refreshtokenvalidityseconds = 60 * 60 * 24 * 30; // default 30 days.
// 默认token 的有效期
private int accesstokenvalidityseconds = 60 * 60 * 12; // default 12 hours.
 
private oauth2accesstoken createaccesstoken(oauth2authentication authentication, oauth2refreshtoken refreshtoken) {
 defaultoauth2accesstoken token = new defaultoauth2accesstoken(uuid);
 token.setexpiration(date)
 token.setrefreshtoken(refreshtoken);
 token.setscope(authentication.getoauth2request().getscope());
 return accesstokenenhancer != null ? accesstokenenhancer.enhance(token, authentication) : token;
}

如上代码,在拼装好token对象后会调用认证服务器配置tokenenhancer( 增强器) 来对默认的token进行增强。

tokenenhancer.enhance 通过上下文中的用户信息来个性化token

?
1
2
3
4
5
6
7
8
9
10
11
public oauth2accesstoken enhance(oauth2accesstoken accesstoken, oauth2authentication authentication) {
 final map<string, object> additionalinfo = new hashmap<>(8);
 pigxuser pigxuser = (pigxuser) authentication.getuserauthentication().getprincipal();
 additionalinfo.put("user_id", pigxuser.getid());
 additionalinfo.put("username", pigxuser.getusername());
 additionalinfo.put("dept_id", pigxuser.getdeptid());
 additionalinfo.put("tenant_id", pigxuser.gettenantid());
 additionalinfo.put("license", securityconstants.pigx_license);
 ((defaultoauth2accesstoken) accesstoken).setadditionalinformation(additionalinfo);
 return accesstoken;
}

基于pig 看下最终的实现效果

pig 基于spring cloud、oauth2.0开发基于vue前后分离的开发平台,支持账号、短信、sso等多种登录,提供配套视频开发教程。

https://gitee.com/log4j/pig

Spring Security OAuth 个性化token的使用

以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持服务器之家。

原文链接:https://segmentfault.com/a/1190000018187384