8

本文就来讲述一下spring security oauth2使用redis来存储token的配置及在redis中的存储结构

maven

    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.security.oauth</groupId>
      <artifactId>spring-security-oauth2</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-data-redis</artifactId>
    </dependency>

配置

@Configuration
@EnableAuthorizationServer
public class OAuth2ServerConfig extends
        AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private RedisConnectionFactory connectionFactory;

    @Override
    public void configure(
        AuthorizationServerEndpointsConfigurer endpoints)
        throws Exception {
        endpoints
            .authenticationManager(authenticationManager)
            .tokenStore(tokenStore());
    }

    @Bean
    public TokenStore tokenStore() {
        RedisTokenStore redis = new RedisTokenStore(connectionFactory);
        return redis;
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients)
            throws Exception {
        clients.inMemory()
            .withClient("demoApp")
            .secret("123456")
            .authorizedGrantTypes("password", "authorization_code");
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.allowFormAuthenticationForClients();
    }

}

这里配置了redis token store

当然配置文件需要指定redis地址

spring.redis.url=redis://localhost:6379

redis中存储结构

keys *

root@d8bfc99e9e07:/data# redis-cli --raw
127.0.0.1:6379> keys *
auth_to_access:0ec8e677177b8eff1dc1c5f97a56836f
uname_to_access:demoApp:demoUser1
auth:8c1441db-6fac-4c57-9cc9-7c5adaafc18a
client_id_to_access:demoApp
access:8c1441db-6fac-4c57-9cc9-7c5adaafc18a

可以看到这里存了5个key

auth_to_access:0ec8e677177b8eff1dc1c5f97a56836f

127.0.0.1:6379> type auth_to_access:0ec8e677177b8eff1dc1c5f97a56836f
string
127.0.0.1:6379> get auth_to_access:0ec8e677177b8eff1dc1c5f97a56836f
��srCorg.springframework.security.oauth2.common.DefaultOAuth2AccessToken
                                                                        ��6��LadditionalInformationtLjava/util/Map;L
expirationtLjava/util/Date;L
                            refreshTokent?Lorg/springframework/security/oauth2/common/OAuth2RefreshToken;LscopetLjava/util/Set;L    tokenTypetLjava/lang/String;Lvalueq~xpsrjava.util.Collections$EmptyMapY6�Z���xpsrjava.util.Datehj�KYtx`3�}xpsr%java.util.Collections$UnmodifiableSet��я��Uxr,java.util.Collections$UnmodifiableCollectionB��^�LctLjava/util/Collection;xpsrjava.util.LinkedHashSet�l�Z��*xrjava.util.HashSet�D�����4xpw
                               ?@t
read_contactsxtbearert$8c1441db-6fac-4c57-9cc9-7c5adaafc18a

这个key的命名结构是auth_to_access:OAuth2Authentication相关信息的加密值,默认是md5加密
具体存储的是OAuth2AccessToken的序列化的值

uname_to_access:demoApp:demoUser1

127.0.0.1:6379> type uname_to_access:demoApp:demoUser1
list
127.0.0.1:6379> lrange uname_to_access:demoApp:demoUser1 0 -1
��srCorg.springframework.security.oauth2.common.DefaultOAuth2AccessToken
                                                                        ��6��LadditionalInformationtLjava/util/Map;L
expirationtLjava/util/Date;L
                            refreshTokent?Lorg/springframework/security/oauth2/common/OAuth2RefreshToken;LscopetLjava/util/Set;L    tokenTypetLjava/lang/String;Lvalueq~xpsrjava.util.Collections$EmptyMapY6�Z���xpsrjava.util.Datehj�KYtx`3�}xpsr%java.util.Collections$UnmodifiableSet��я��Uxr,java.util.Collections$UnmodifiableCollectionB��^�LctLjava/util/Collection;xpsrjava.util.LinkedHashSet�l�Z��*xrjava.util.HashSet�D�����4xpw
                               ?@t
read_contactsxtbearert$8c1441db-6fac-4c57-9cc9-7c5adaafc18a

这个key的命名是uname_to_access:clientId:userId
value的结构是list,存储token的序列化值

auth:8c1441db-6fac-4c57-9cc9-7c5adaafc18a

127.0.0.1:6379> type auth:8c1441db-6fac-4c57-9cc9-7c5adaafc18a
string
127.0.0.1:6379> get auth:8c1441db-6fac-4c57-9cc9-7c5adaafc18a
��srAorg.springframework.security.oauth2.provider.OAuth2Authentication�@
storedRequestt<Lorg/springframework/security/oauth2/provider/OAuth2Request;LuserAuthenticationt2Lorg/springframework/security/core/Authentication;xrGorg.springfauthenticatedLity.authentication.AbstractAuthenticationTokenӪ(~nGdZ
              authoritiestLjava/util/Collection;LdetailstLjava/lang/Object;xpsr&java.util.Collections$UnmodifiableList�%1��LlisttLjava/util/List;xr,java.util.Collections$UnmodifiableCollectionB��^�Lcq~xpsrjava.util.ArrayListx����a�IsizexpwsrBorg.springframework.security.core.authority.SimpleGrantedAuthority�LroletLjava/lang/String;xptUSERxq~
                       psr:org.springframework.security.oauth2.provider.OAuth2RequestapprovedL
              authoritiesq~L
extensionstLjava/util/Map;L
                           redirectUriq~Lrefresht;Lorg/springframework/security/oauth2/provider/TokenRequest;L
responseTypesq~xr8org.springframework.security.oauth2.provider.BaseRequest6(z>�qi�clientIdq~LrequestParametersq~Lscopeq~xptdemoAppsr%java.util.Collections$UnmodifiableMap��t�BLmq~xpsrjava.util.HashMap���`�F
loadFactorI    thresholdxp?@
                             tcodetbt4UxDt
response_typetcodetation_codet
client_secrett123456tdirclient_idtdemoAppxsr%java.util.Collections$UnmodifiableSet��я��Uxq~    srjava.util.LinkedHashSet�l�Z��*xrjava.util.HashSet�D�����4xpw
                                                                              ?@t
read_contactsxsq~+w
                   ?@xsq~?@xthttp://localhost:8081/callbackpsq~+w
                                                                 ?@xsq~+w
                                                                         ?@q~!xsrOorg.springframework.security.authentication.UsernamePasswordAuthenticationToken�L
   credentialsq~L    principalq~xq~sq~sq~
                                            wq~xq~7srHorg.springframework.securiremoteAddressq~Lation.WesessionIdq~xpt0:0:0:0:0:0:0:1t 1C57DE920EFB42EEC0387D162D91B30Apsr2org.springframework.security.core.userdetails.User�ZaccountNonExpiredZaccountNonLockedZcredentialsNonExpiredZenabledL
                                                authoritiesq~passwordq~usernameq~xpsq~(srjava.util.TreeSetݘP���[xpsrForg.springframework.security.core.userdetails.User$AuthorityComparator�xpwq~xpt    demoUser1

这个key的命名结构是auth:token值
value的结构是string,存储的是OAuth2Authentication的序列化值

client_id_to_access:demoApp

127.0.0.1:6379> type client_id_to_access:demoApp
list
127.0.0.1:6379> lrange client_id_to_access:demoApp 0 -1
��srCorg.springframework.security.oauth2.common.DefaultOAuth2AccessToken
                                                                        ��6��LadditionalInformationtLjava/util/Map;L
expirationtLjava/util/Date;L
                            refreshTokent?Lorg/springframework/security/oauth2/common/OAuth2RefreshToken;LscopetLjava/util/Set;L    tokenTypetLjava/lang/String;Lvalueq~xpsrjava.util.Collections$EmptyMapY6�Z���xpsrjava.util.Datehj�KYtx`3�}xpsr%java.util.Collections$UnmodifiableSet��я��Uxr,java.util.Collections$UnmodifiableCollectionB��^�LctLjava/util/Collection;xpsrjava.util.LinkedHashSet�l�Z��*xrjava.util.HashSet�D�����4xpw
                               ?@t
read_contactsxtbearert$8c1441db-6fac-4c57-9cc9-7c5adaafc18a

这个key命名结构是client_id_to_access:clientId
value结构是list,存储OAuth2AccessToken的序列化值

access:8c1441db-6fac-4c57-9cc9-7c5adaafc18a

127.0.0.1:6379> type access:8c1441db-6fac-4c57-9cc9-7c5adaafc18a
string
127.0.0.1:6379> get access:8c1441db-6fac-4c57-9cc9-7c5adaafc18a
��srCorg.springframework.security.oauth2.common.DefaultOAuth2AccessToken
                                                                        ��6��LadditionalInformationtLjava/util/Map;L
expirationtLjava/util/Date;L
                            refreshTokent?Lorg/springframework/security/oauth2/common/OAuth2RefreshToken;LscopetLjava/util/Set;L    tokenTypetLjava/lang/String;Lvalueq~xpsrjava.util.Collections$EmptyMapY6�Z���xpsrjava.util.Datehj�KYtx`3�}xpsr%java.util.Collections$UnmodifiableSet��я��Uxr,java.util.Collections$UnmodifiableCollectionB��^�LctLjava/util/Collection;xpsrjava.util.LinkedHashSet�l�Z��*xrjava.util.HashSet�D�����4xpw
                               ?@t
read_contactsxtbearert$8c1441db-6fac-4c57-9cc9-7c5adaafc18a

这个key的命名结构是access:token
value的结构是string,存储的是OAuth2AccessToken的序列化值

源码

spring-security-oauth2-2.0.14.RELEASE-sources.jar!/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStore.java

public class RedisTokenStore implements TokenStore {

    private static final String ACCESS = "access:";
    private static final String AUTH_TO_ACCESS = "auth_to_access:";
    private static final String AUTH = "auth:";
    private static final String REFRESH_AUTH = "refresh_auth:";
    private static final String ACCESS_TO_REFRESH = "access_to_refresh:";
    private static final String REFRESH = "refresh:";
    private static final String REFRESH_TO_ACCESS = "refresh_to_access:";
    private static final String CLIENT_ID_TO_ACCESS = "client_id_to_access:";
    private static final String UNAME_TO_ACCESS = "uname_to_access:";

    @Override
    public void storeAccessToken(OAuth2AccessToken token, OAuth2Authentication authentication) {
        byte[] serializedAccessToken = serialize(token);
        byte[] serializedAuth = serialize(authentication);
        byte[] accessKey = serializeKey(ACCESS + token.getValue());
        byte[] authKey = serializeKey(AUTH + token.getValue());
        byte[] authToAccessKey = serializeKey(AUTH_TO_ACCESS + authenticationKeyGenerator.extractKey(authentication));
        byte[] approvalKey = serializeKey(UNAME_TO_ACCESS + getApprovalKey(authentication));
        byte[] clientId = serializeKey(CLIENT_ID_TO_ACCESS + authentication.getOAuth2Request().getClientId());

        RedisConnection conn = getConnection();
        try {
            conn.openPipeline();
            conn.set(accessKey, serializedAccessToken);
            conn.set(authKey, serializedAuth);
            conn.set(authToAccessKey, serializedAccessToken);
            if (!authentication.isClientOnly()) {
                conn.rPush(approvalKey, serializedAccessToken);
            }
            conn.rPush(clientId, serializedAccessToken);
            if (token.getExpiration() != null) {
                int seconds = token.getExpiresIn();
                conn.expire(accessKey, seconds);
                conn.expire(authKey, seconds);
                conn.expire(authToAccessKey, seconds);
                conn.expire(clientId, seconds);
                conn.expire(approvalKey, seconds);
            }
            OAuth2RefreshToken refreshToken = token.getRefreshToken();
            if (refreshToken != null && refreshToken.getValue() != null) {
                byte[] refresh = serialize(token.getRefreshToken().getValue());
                byte[] auth = serialize(token.getValue());
                byte[] refreshToAccessKey = serializeKey(REFRESH_TO_ACCESS + token.getRefreshToken().getValue());
                conn.set(refreshToAccessKey, auth);
                byte[] accessToRefreshKey = serializeKey(ACCESS_TO_REFRESH + token.getValue());
                conn.set(accessToRefreshKey, refresh);
                if (refreshToken instanceof ExpiringOAuth2RefreshToken) {
                    ExpiringOAuth2RefreshToken expiringRefreshToken = (ExpiringOAuth2RefreshToken) refreshToken;
                    Date expiration = expiringRefreshToken.getExpiration();
                    if (expiration != null) {
                        int seconds = Long.valueOf((expiration.getTime() - System.currentTimeMillis()) / 1000L)
                                .intValue();
                        conn.expire(refreshToAccessKey, seconds);
                        conn.expire(accessToRefreshKey, seconds);
                    }
                }
            }
            conn.closePipeline();
        } finally {
            conn.close();
        }
    }

    //......
}    

spring-security-oauth2-2.0.14.RELEASE-sources.jar!/org/springframework/security/oauth2/provider/token/DefaultAuthenticationKeyGenerator.java

    public String extractKey(OAuth2Authentication authentication) {
        Map<String, String> values = new LinkedHashMap<String, String>();
        OAuth2Request authorizationRequest = authentication.getOAuth2Request();
        if (!authentication.isClientOnly()) {
            values.put(USERNAME, authentication.getName());
        }
        values.put(CLIENT_ID, authorizationRequest.getClientId());
        if (authorizationRequest.getScope() != null) {
            values.put(SCOPE, OAuth2Utils.formatParameterList(new TreeSet<String>(authorizationRequest.getScope())));
        }
        return generateKey(values);
    }

    protected String generateKey(Map<String, String> values) {
        MessageDigest digest;
        try {
            digest = MessageDigest.getInstance("MD5");
            byte[] bytes = digest.digest(values.toString().getBytes("UTF-8"));
            return String.format("%032x", new BigInteger(1, bytes));
        } catch (NoSuchAlgorithmException nsae) {
            throw new IllegalStateException("MD5 algorithm not available.  Fatal (should be in the JDK).", nsae);
        } catch (UnsupportedEncodingException uee) {
            throw new IllegalStateException("UTF-8 encoding not available.  Fatal (should be in the JDK).", uee);
        }
    }

小结

好处

使用redis存储token可以利用redis的过期时间来自动处理token的过期时间,而使用数据库来存储的话,则需要根据expired date来判断。

缺点

但是redis不能像关系数据库那样直接关联查询,因此需要自己额外构造需要关联的key来处理,具体使用需要多次查询。

排除refresh_token,主要key如下:

  • auth_to_access:OAuth2Authentication相关信息加密后的值,value为string结构

这个主要是通过OAuth2Authentication来获取OAuth2AccessToken

  • auth:token值,value为string结构

这个主要用来获取token的OAuth2Authentication,用来获取相应的权限信息

  • client_id_to_access:clientId,value为list结构

这个主要是存储了每个clientId申请的OAuth2AccessToken的集合
方便用来审计和应急处理跟clientId相关的token

  • access:token值,value为string

这个主要是通过token值来获取OAuth2AccessToken

  • uname_to_access:clientId:userId,value的结构是list

存储OAuth2AccessToken的集合
主要是为了通过clientId,userId来获取OAuth2AccessToken集合,方便用来获取及revoke approval


codecraft
11.9k 声望2k 粉丝

当一个代码的工匠回首往事时,不因虚度年华而悔恨,也不因碌碌无为而羞愧,这样,当他老的时候,可以很自豪告诉世人,我曾经将代码注入生命去打造互联网的浪潮之巅,那是个很疯狂的时代,我在一波波的浪潮上留下...


引用和评论

0 条评论