Spring AuthorizationServer (new version)

  • Post category: Other




Introduction to Spring OAuth2-Authorization-Server


Based on spring-security-oauth2-authorization-server 0.2.3



Preface

Because the spring-security-oauth project has been deprecated, its oauth-client and oauth-resource parts were moved into the spring-security project. At the community's strong request, spring-security-oauth2-authorization-server was then developed, led by Spring and driven by the Spring community.

spring-security-oauth2-authorization-server differs considerably from the earlier spring-security-oauth. Project address:

spring-projects/spring-authorization-server



Common components



OAuth tables
  • oauth2-registered-client-schema.sql

    • mysql> select * from oauth2_registered_client\G;
      *************************** 1. row ***************************
                                 id: c10f37cb-ae08-4fb7-9f4f-27b3c3298158
                          client_id: apple
                client_id_issued_at: 2022-05-02 09:31:47
                      client_secret: $2a$10$Nlq7EjfwjiS6bAOsxF8fY.gBmSkJLDNJTOwxgQwwKKKRuFvalZQUK
           client_secret_expires_at: NULL
                        client_name: c10f37cb-ae08-4fb7-9f4f-27b3c3298158
      client_authentication_methods: basic
          authorization_grant_types: refresh_token,client_credentials,password,authorization_code
                      redirect_uris: https://www.baidu.com
                             scopes: user.photos,user.userInfo
                    client_settings: {"@class":"java.util.Collections$UnmodifiableMap","settings.client.require-proof-key":false,"settings.client.require-authorization-consent":true}
                     token_settings: {"@class":"java.util.Collections$UnmodifiableMap","settings.token.reuse-refresh-tokens":true,"settings.token.id-token-signature-algorithm":["org.springframework.security.oauth2.jose.jws.SignatureAlgorithm","RS256"],"settings.token.access-token-time-to-live":["java.time.Duration",3600.000000000],"settings.token.access-token-format":{"@class":"org.springframework.security.oauth2.core.OAuth2TokenFormat","value":"refrence"},"settings.token.refresh-token-time-to-live":["java.time.Duration",259200.000000000]}
      1 row in set (0.00 sec)
      
      
  • oauth2-authorization-consent-schema.sql

    • mysql> desc oauth2_authorization_consent;
      +----------------------+---------------+------+-----+---------+-------+
      | Field                | Type          | Null | Key | Default | Extra |
      +----------------------+---------------+------+-----+---------+-------+
      | registered_client_id | varchar(100)  | NO   | PRI | NULL    |       |
      | principal_name       | varchar(200)  | NO   | PRI | NULL    |       |
      | authorities          | varchar(1000) | NO   |     | NULL    |       |
      +----------------------+---------------+------+-----+---------+-------+
      3 rows in set (0.00 sec)
      
  • oauth2-authorization-schema.sql

    • mysql> desc oauth2_authorization;
      +-------------------------------+---------------+------+-----+---------+-------+
      | Field                         | Type          | Null | Key | Default | Extra |
      +-------------------------------+---------------+------+-----+---------+-------+
      | id                            | varchar(100)  | NO   | PRI | NULL    |       |
      | registered_client_id          | varchar(100)  | NO   |     | NULL    |       |
      | principal_name                | varchar(200)  | NO   |     | NULL    |       |
      | authorization_grant_type      | varchar(100)  | NO   |     | NULL    |       |
      | attributes                    | varchar(4000) | YES  |     | NULL    |       |
      | state                         | varchar(500)  | YES  |     | NULL    |       |
      | authorization_code_value      | blob          | YES  |     | NULL    |       |
      | authorization_code_issued_at  | timestamp     | YES  |     | NULL    |       |
      | authorization_code_expires_at | timestamp     | YES  |     | NULL    |       |
      | authorization_code_metadata   | varchar(2000) | YES  |     | NULL    |       |
      | access_token_value            | blob          | YES  |     | NULL    |       |
      | access_token_issued_at        | timestamp     | YES  |     | NULL    |       |
      | access_token_expires_at       | timestamp     | YES  |     | NULL    |       |
      | access_token_metadata         | varchar(2000) | YES  |     | NULL    |       |
      | access_token_type             | varchar(100)  | YES  |     | NULL    |       |
      | access_token_scopes           | varchar(1000) | YES  |     | NULL    |       |
      | oidc_id_token_value           | blob          | YES  |     | NULL    |       |
      | oidc_id_token_issued_at       | timestamp     | YES  |     | NULL    |       |
      | oidc_id_token_expires_at      | timestamp     | YES  |     | NULL    |       |
      | oidc_id_token_metadata        | varchar(2000) | YES  |     | NULL    |       |
      | refresh_token_value           | blob          | YES  |     | NULL    |       |
      | refresh_token_issued_at       | timestamp     | YES  |     | NULL    |       |
      | refresh_token_expires_at      | timestamp     | YES  |     | NULL    |       |
      | refresh_token_metadata        | varchar(2000) | YES  |     | NULL    |       |
      +-------------------------------+---------------+------+-----+---------+-------+
      


DAO layer for the OAuth tables
  • RegisteredClientRepository: operates on registered clients
  • OAuth2AuthorizationService

    • save
    • remove
    • findById
    • findByToken
  • OAuth2AuthorizationConsentService: operates on OAuth2AuthorizationConsent

    • save
    • remove
    • findById
  • OAuth2AuthorizationServerConfigurer: configuration class
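As an added example (not code from the original post or from the project), the configuration below wires the JDBC implementations of the three stores listed above and seeds a RegisteredClient that reproduces the captured oauth2_registered_client row; the class name and the plaintext secret "apple-secret" are assumed, and the schema files from the post are assumed to be applied already.

```java
import java.time.Duration;
import java.util.UUID;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.core.*;
import org.springframework.security.oauth2.server.authorization.*;
import org.springframework.security.oauth2.server.authorization.client.*;
import org.springframework.security.oauth2.server.authorization.config.*;

@Configuration
public class OAuth2StoreConfig {
    // JDBC-backed RegisteredClientRepository over oauth2_registered_client; seeds
    // the "apple" client from the captured row the first time the server starts.
    @Bean
    public RegisteredClientRepository registeredClientRepository(JdbcTemplate jdbc) {
        JdbcRegisteredClientRepository repo = new JdbcRegisteredClientRepository(jdbc);
        if (repo.findByClientId("apple") == null) {
            repo.save(RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("apple")
                // only the BCrypt hash ($2a$...) is stored in client_secret; "apple-secret" is assumed
                .clientSecret(new BCryptPasswordEncoder().encode("apple-secret"))
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC) // row shows the legacy "basic"
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .redirectUri("https://www.baidu.com")   // exact-match list, no wildcards
                .scope("user.photos").scope("user.userInfo")
                .clientSettings(ClientSettings.builder()
                    .requireAuthorizationConsent(true)  // consent rows -> oauth2_authorization_consent
                    .requireProofKey(false)             // as in the row; true forces PKCE for public clients
                    .build())
                .tokenSettings(TokenSettings.builder()
                    .accessTokenFormat(OAuth2TokenFormat.REFERENCE) // opaque; RPs validate via /oauth2/introspect
                    .accessTokenTimeToLive(Duration.ofSeconds(3600))
                    .refreshTokenTimeToLive(Duration.ofSeconds(259200))
                    .reuseRefreshTokens(true)
                    .build())
                .build());
        }
        return repo;
    }
    @Bean  // backs oauth2_authorization: codes, access/refresh/ID tokens and their metadata
    public OAuth2AuthorizationService authorizationService(JdbcTemplate jdbc, RegisteredClientRepository r) {
        return new JdbcOAuth2AuthorizationService(jdbc, r);
    }
    @Bean  // backs oauth2_authorization_consent: scopes a principal has approved per client
    public OAuth2AuthorizationConsentService consentService(JdbcTemplate jdbc, RegisteredClientRepository r) {
        return new JdbcOAuth2AuthorizationConsentService(jdbc, r);
    }
}
```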


Filters

Filter name                             | Endpoint                                | Description
----------------------------------------+-----------------------------------------+------------------------------------------------------------
OAuth2AuthorizationEndpointFilter       | GET/POST /oauth2/authorize              | Authorization endpoint: the entry point the RP redirects to on the OP for authentication; once the EU has authenticated, the OP redirects back to the RP with a code parameter appended
OAuth2ClientAuthenticationFilter        | POST /oauth2/token, /oauth2/introspect  | Client authentication logic on the OP side when the RP requests a token, introspects a token, or revokes a token
OAuth2TokenEndpointFilter               | POST /oauth2/token                      | Token endpoint: the RP requests a token from the OP (exchanging a code for a token, running the refresh_token flow)
OAuth2TokenIntrospectionEndpointFilter  | POST /oauth2/introspect                 | Token introspection endpoint: the RP asks the OP to check whether a token is valid
OAuth2TokenRevocationEndpointFilter     | POST /oauth2/revoke                     | Token revocation endpoint: the RP asks the OP to revoke a token
OidcProviderConfigurationEndpointFilter | GET /.well-known/openid-configuration   | OIDC discovery endpoint
OidcUserInfoEndpointFilter              | GET /userinfo                           | UserInfo endpoint, serves user information queries
OidcClientRegistrationEndpointFilter    | POST /connect/register                  | Client registration endpoint
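The filters in the table are installed by OAuth2AuthorizationServerConfigurer. The following configuration, an added example written against the 0.2.3 API rather than code from the original post or the project, shows the security filter chain that installs them on their own endpoints, plus the issuer advertised by the discovery endpoint and the signing key the token endpoints need; the class name and the issuer URL are assumed.

```java
import java.security.*;
import java.security.interfaces.*;
import java.util.UUID;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

@Configuration
public class AuthorizationServerChainConfig {
    // One chain, ordered first, that installs every filter in the table above and
    // matches only the authorization-server endpoints; the app's own login chain comes after.
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public SecurityFilterChain authServerChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        // An EU hitting /oauth2/authorize without a session is sent to the login page;
        // once authenticated, the OP redirects back to the RP's redirect_uri with ?code=.
        http.exceptionHandling(e -> e.authenticationEntryPoint(
                new LoginUrlAuthenticationEntryPoint("/login")));
        return http.build();
    }
    // Advertised by /.well-known/openid-configuration and placed in the iss claim;
    // RPs and resource servers compare it, so it must be the public URL (assumed value).
    @Bean
    public ProviderSettings providerSettings() {
        return ProviderSettings.builder().issuer("https://auth.example.com").build();
    }
    // Signing key for JWT access tokens and ID tokens, published at /oauth2/jwks.
    // Generated on each start here for brevity; load it from a keystore in production.
    @Bean
    public JWKSource<SecurityContext> jwkSource() throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        RSAKey key = new RSAKey.Builder((RSAPublicKey) kp.getPublic())
                .privateKey((RSAPrivateKey) kp.getPrivate()).keyID(UUID.randomUUID().toString()).build();
        JWKSet set = new JWKSet(key);
        return (selector, ctx) -> selector.select(set);
    }
}
```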



Supported grant_type values

As of the current implementation, spring-security-oauth2-authorization-server 0.2.3 supports:

  • authorization_code
  • refresh_token
  • client_credentials
  • password (not yet implemented)



Appendix


OAuth2 website