上一篇文章我们讲了通过在Spring Security 添加过滤器实现自定义登录认证,可以实现比如手机验证码登录等其它方式登录,但是有时候我们想更灵活一点。比如对于小程序我们已经在微信认证过了,只需要到Spring Security直接生成token就可以了。
针对这类需求,虽然通过上一篇文章自定义登录方式也可以实现,但是我们希望把这件事做的简单点,只有傻子才把简单的事情复杂化。因此,我们在Spring Security实现了一个简单粗暴的API,即直接通过API获取JWT Tokn
上代码
代码很简单
@RequestMapping(value = "token", method = RequestMethod.POST)
public ResponseEntity<OAuth2AccessToken> getUserToken(Principal principal, @RequestBody Map<String, String> parameters) {
// 调用端需要被提供client_credentials
if (!(principal instanceof Authentication)) {
throw new InsufficientAuthenticationException("There is no client authentication. Try adding an appropriate authentication filter.");
}
// 保存请求参数
String clientId = this.getClientId(principal);
ClientDetails authenticatedClient = this.clientDetailsService.loadClientByClientId(clientId);
TokenRequest tokenRequest = this.oAuth2RequestFactory.createTokenRequest(parameters, authenticatedClient);
CustomAuthenticationToken authentication = customAuthenticationTokeService.createAuthenticationToken(clientId, parameters);
// 生成token
CustomTokenGranter tokenGranter = new CustomTokenGranter(
tokenServiceFactory.customJwtTokenService(), clientDetailsService, authentication);
OAuth2AccessToken token = tokenGranter.grant(tokenRequest.getGrantType(), tokenRequest);
if (token == null) {
throw new UnsupportedGrantTypeException("Unsupported grant type: " + tokenRequest.getGrantType());
} else {
return this.getResponse(token);
}
}
- 首先检查principal是否存在,调用端需要提供client_credentials,否则不可以调用
- 生成
CustomAuthenticationToken,CustomAuthenticationToken为我们自定义的数据类,用于保存请求参数 - 重点是通过
CustomTokenGranter生成token
CustomAuthenticationToken可以自行定义,只要能保存请求参数即可。本文我们沿用以前的CustomAuthenticationToken
public class CustomAuthenticationToken extends AbstractAuthenticationToken {
private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
private String authType;
private Map<String,String[]> authParams;
private Object principal;
private Object credentials;
}
不过我们在createAuthenticationToken中会做一些参数检查,如要求必须有principal和auth_type参数且要求auth_type=auth_finished"。如果有需要的话,还可以加一些自定义的内容到CustomAuthenticationToken中。
@Service
public class CustomAuthenticationTokenServiceImpl implements CustomAuthenticationTokeService {
@Override
public CustomAuthenticationToken createAuthenticationToken(String clientId, Map<String, String> params) {
if (!params.containsKey("principal") || !params.containsKey("auth_type")) {
return null;
}
if (params.get("auth_type").equals("auth_finished")) {
List<GrantedAuthority> authorities = new ArrayList<>();
authorities.add(new SimpleGrantedAuthority("user"));
Map<String, Object> detail = new HashMap<>(1);
detail.put("principal", params.get("principal"));
CustomAuthenticationToken token = new CustomAuthenticationToken(
params.get("auth_type"), params.get("username"), null, null, authorities);
token.setDetails(detail);
return token;
}
return null;
}
}
CustomTokenGranter用来生成token,最重要的不是grant方法,而是构造函数我们传递的用于生成token的 AuthorizationServerTokenServices类
public class CustomTokenGranter extends AbstractTokenGranter {
private static final String GRANT_TYPE = "mini_app";
private boolean allowRefresh;
private Authentication authentication;
public CustomTokenGranter(
AuthorizationServerTokenServices tokenServices,
ClientDetailsService clientDetailsService,
Authentication authentication) {
super(tokenServices, clientDetailsService, new DefaultOAuth2RequestFactory(clientDetailsService), GRANT_TYPE);
this.authentication = authentication;
}
@Override
public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
OAuth2AccessToken token = super.grant(grantType, tokenRequest);
if (token != null) {
DefaultOAuth2AccessToken noRefresh = new DefaultOAuth2AccessToken(token);
if (!this.allowRefresh) {
noRefresh.setRefreshToken((null));
}
token = noRefresh;
}
return token;
}
@Override
protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
OAuth2Request storedOAuth2Request = this.getRequestFactory().createOAuth2Request(client, tokenRequest);
return new OAuth2Authentication(storedOAuth2Request, authentication);
}
public void setAuthentication(Authentication authentication) {
this.authentication = authentication;
}
public void setAllowRefresh(boolean allowRefresh) {
this.allowRefresh = allowRefresh;
}
}
AuthorizationServerTokenServices我们在上一篇文章有介绍过,不过在讲一遍加深印象。
- 首先要配置 Token
- 定义你需要定义的内容加入你的配置中
配置Token
token核心的生成逻辑defaultTokenService还是有Spring Security提供,但是我们其中加入了CustomTokenEnhancer用于在token内容中加入我们需要的内容,accessTokenConverter设置了我们token的密钥和公钥(密钥生成参考:https://www.jianshu.com/p/c9d5a2aa8648)
@Service
public class TokenServiceFactory {
private TokenKeyConfig tokenKeyConfig;
private ClientDetailsService clientDetailsService;
@Autowired
public TokenServiceFactory(
TokenKeyConfig tokenKeyConfig,
ClientDetailsService clientDetailsService) {
this.tokenKeyConfig = tokenKeyConfig;
this.clientDetailsService = clientDetailsService;
}
@Bean
public AuthorizationServerTokenServices customJwtTokenService() {
final TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
tokenEnhancerChain.setTokenEnhancers(Arrays.asList(new CustomTokenEnhancer(), accessTokenConverter()));
return defaultTokenService(tokenEnhancerChain);
}
@Bean
public JwtAccessTokenConverter accessTokenConverter() {
final JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setAccessTokenConverter(new CustomAccessTokenConverter());
final KeyStoreKeyFactory keyStoreKeyFactory = new KeyStoreKeyFactory(
new ClassPathResource(tokenKeyConfig.getPath()), tokenKeyConfig.getPassword().toCharArray());
converter.setKeyPair(keyStoreKeyFactory.getKeyPair(tokenKeyConfig.getAlias()));
return converter;
}
@Bean
public TokenStore tokenStore() {
return new JwtTokenStore(accessTokenConverter());
}
@Bean
public org.springframework.security.oauth2.provider.token.TokenEnhancer tokenEnhancer() {
return new TokenEnhancer();
}
private AuthorizationServerTokenServices defaultTokenService(TokenEnhancerChain tokenEnhancerChain) {
final DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setTokenStore(tokenStore());
defaultTokenServices.setSupportRefreshToken(true);
defaultTokenServices.setTokenEnhancer(tokenEnhancerChain);
defaultTokenServices.setClientDetailsService(clientDetailsService);
return defaultTokenServices;
}
}
加入自定义内容
需要我们关心的内容在于CustomTokenEnhancer, 因为我们需要在token中加入我们自定义的内容,同时是加角色和用户信息
public class CustomTokenEnhancer implements TokenEnhancer {
@Override
public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
final Map<String, Object> additionalInfo = new HashMap<>();
Set<GrantedAuthority> rolesInfo = new HashSet<>();
Authentication userAuthentication = authentication.getUserAuthentication();
// client credential认证,加入管理员角色
if (authentication.isClientOnly()) {
rolesInfo.add(new SimpleGrantedAuthority("admin"));
}
// 自定义认证,增加detail
if (CustomAuthenticationToken.class.isAssignableFrom(userAuthentication.getClass())) {
rolesInfo.addAll(userAuthentication.getAuthorities());
additionalInfo.put("userInfo", userAuthentication.getDetails());
}
// 加入角色
additionalInfo.put("authorities", rolesInfo.stream().map(auth -> auth.getAuthority()).toArray());
((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo);
return accessToken;
}
}
CustomAccessTokenConverter通常是把所有claims放到token 中
@Component
public class CustomAccessTokenConverter extends DefaultAccessTokenConverter {
@Override
public OAuth2Authentication extractAuthentication(Map<String, ?> claims) {
OAuth2Authentication authentication = super.extractAuthentication(claims);
authentication.setDetails(claims);
return authentication;
}
}
看效果
-
首先获取client_credential token
-
使用上述token作为header(不要忘记加bearer )获取用户的token
使用示例
我们有个后端服务,想帮助小程序获取token,在 Spring Cloud中那么它只要使用getUserToken方法即可获取token
@FeignClient(name = "auth", configuration = AuthFeignConfigInterceptor.class)
@Service
public interface AuthClient {
/**
* get user token
* @param parameters parameters
* @return token
*/
@RequestMapping(method = RequestMethod.POST, value = "/oauth/api/external/token")
ResponseEntity<OAuth2AccessToken> getUserToken(@RequestBody Map<String, String> parameters);
}
AuthFeignConfigInterceptor用户在getUserToken请求中加入client_credential的token
public class AuthFeignConfigInterceptor implements RequestInterceptor {
private static String TokenHeader = "authorization";
private static String AccessTokenPrefix = "bearer ";
private static Logger logger = LoggerFactory.getLogger(AuthFeignConfigInterceptor.class);
@Autowired
private ClientCredentialsResourceDetails clientCredentialsResourceDetails;
@Override
public void apply(RequestTemplate requestTemplate) {
requestTemplate.header(TokenHeader, AccessTokenPrefix + getAccessTokenValue());
}
private String getAccessTokenValue() {
try {
logger.info("auth服务中获取basic access token");
OAuth2AccessToken accessToken = this.getAccessTokenFromAuth();
return accessToken.getValue();
} catch (Exception e) {
logger.error(e.getMessage(), e);
return this.getAccessTokenFromAuth().getValue();
}
}
private OAuth2AccessToken getAccessTokenFromAuth() {
ClientCredentialsAccessTokenProvider provider = new ClientCredentialsAccessTokenProvider();
return provider.obtainAccessToken(clientCredentialsResourceDetails, new DefaultAccessTokenRequest());
}
}
application.yml中需配置
security:
oauth2:
client:
clientId: app
clientSecret: testpassword
accessTokenUri: http://localhost:5000/oauth/oauth/token
grant-type: client_credentials
scope: all
面向Copy&Paste编程
- awesome-admin源码
https://gitee.com/awesome-engineer/awesome-admin
