On November 8th, the Spring team strongly recommended Spring Authorization Server as the replacement for the outdated Spring Security OAuth2.0. Spring Security OAuth2.0 reaches the end of its life cycle in half a year, so it is time to make the change. Spring Authorization Server has now entered the production-ready stage. Today we follow that rhythm and get hands-on with the Spring Authorization Server authorization server framework.
Current Spring Security system
In the current Spring Security 5.x, the OAuth2.0 Client and OAuth2.0 Resource Server are separate modules.
Spring Security itself must be introduced first:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
If you want to add OAuth2.0 Client support, you can introduce:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
If you need OAuth2.0 Resource Server support, you can introduce:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
Now, if you want to add an OAuth2.0 Authorization Server, you can add the following dependency:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-authorization-server</artifactId>
<!-- version as of the time of writing -->
<version>0.2.0</version>
</dependency>
With that, all three major OAuth2.0 modules are available.
Spring Authorization Server
Our focus returns to Spring Authorization Server. At present the project has production-ready capabilities. After studying it for a few days, I put together a simple DEMO to help readers who want to learn the framework understand it.
DEMO process
This demo demonstrates the authorization code grant (authorization_code) of OAuth 2.0. There are two projects:
- oauth2-client: as its name implies, an OAuth2.0 Client, which initiates the authorization request to the authorization server.
- oauth2-server: the authorization server, built on Spring Authorization Server.
The user first sends a request to oauth2-client at /oauth2/authorization/{registrationId}:
GET /oauth2/authorization/felord HTTP/1.1
Host: 127.0.0.1:8080
After passing through OAuth2AuthorizationRequestRedirectFilter, it is assembled into the following request, which initiates the authorization code request to oauth2-server:
GET /oauth2/authorize?response_type=code&client_id=felord-client&scope=message.read%20message.write&state=0CI0ziUDEnqMgqW0nzRNRCzLrs-9IMbqJzGZ47Zb0gY%3D&redirect_uri=http://127.0.0.1:8080/foo/bar HTTP/1.1
Host: localhost:9000
When the authorization server oauth2-server intercepts the request, it first checks whether the user who initiated the request is authenticated. If not, it responds with a 401 and redirects to the authorization server's login page, where the user logs in:
POST /login HTTP/1.1
Host: localhost:9000
Content-Type: application/x-www-form-urlencoded
username=felord&password=password&_csrf=301a7baf-9e9a-4b17-acd4-613c809bf7f5
After a successful login, a 302 redirect continues the /oauth2/authorize authorization request. At this point the server decides whether the authorization request requires the user's consent. In this DEMO, the user must confirm the authorization a second time, so the server redirects to the consent page.
After the user consents, the authorization server redirects to redirect_uri, carrying a code and the state, which sends the following request to oauth2-client:
GET /foo/bar?code=MCSJnvhXNyjilBaCyw1sCrrArWk1bzsEdxe5Z3EFbkdLwp8ASmum62n4M7Tz45VNpp_16IWboBnXlgG3LEfgN7MQqkf0-vVZufGrQpvRioRcBbesAiawMt4cspTk06ca&state=-fRunxjpG0aziPXnfcW1Iw1Fy_5_NwlUAgxABPOfAb8= HTTP/1.1
Host: 127.0.0.1:8080
oauth2-client's OAuth2AuthorizationCodeGrantFilter intercepts the redirect_uri callback and sends a /oauth2/token request to the authorization server:
POST /oauth2/token?grant_type=authorization_code&code=MCSJnvhXNyjilBaCyw1sCrrArWk1bzsEdxe5Z3EFbkdLwp8ASmum62n4M7Tz45VNpp_16IWboBnXlgG3LEfgN7MQqkf0-vVZufGrQpvRioRcBbesAiawMt4cspTk06ca&redirect_uri=https://127.0.0.1:8080/foo/bar HTTP/1.1
Host: localhost:9000
Authorization: Basic bWVzc2FnaW5nLWNsaWVudDpzZWNyZXQ=
The client authentication method used here is client-authentication-method: client_secret_basic; see the OAuth2.0 specification for details.
The authorization server returns the Token to the client, the request completes, and the authenticated client information is as follows:
The entire authorization code flow based on Spring Authorization Server is now complete. For the complete DEMO, follow the official account (GZH) "Code Farmer Little" and reply oauthserver to get it. Original content is not easy to produce; please like, repost, and read again. More details will follow later.
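The server-side configuration behind the flow walked through above, as an added example that is not the article's DEMO code: a Spring Authorization Server 0.2.0 setup registering the client seen in the captured requests (client_id felord-client, scopes message.read and message.write, redirect_uri http://127.0.0.1:8080/foo/bar, client_secret_basic) with consent required. The client secret and user password are placeholders, and a JWKSource bean for signing tokens is assumed to be configured elsewhere.

```java
import java.util.UUID;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.ClientSettings;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
// Added example, not the article's DEMO code; the secret and password below are placeholders.
@Configuration
public class AuthorizationServerConfig {
    // Registers /oauth2/authorize and /oauth2/token and sends unauthenticated users
    // to the form login page (the 401 -> /login step described above).
    @Bean
    public SecurityFilterChain authorizationServerFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        return http.formLogin(Customizer.withDefaults()).build();
    }
    @Bean
    public RegisteredClientRepository registeredClientRepository() {
        RegisteredClient client = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("felord-client")
                .clientSecret("{noop}secret") // placeholder; store an encoded secret in practice
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                // must match the redirect_uri of the /oauth2/authorize request exactly
                .redirectUri("http://127.0.0.1:8080/foo/bar")
                .scope("message.read")
                .scope("message.write")
                // forces the consent page shown between login and the redirect back
                .clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
                .build();
        return new InMemoryRegisteredClientRepository(client);
    }
    // Resource-owner account used in the /login step (placeholder password).
    @Bean
    public UserDetailsService users() {
        return new InMemoryUserDetailsManager(User.withDefaultPasswordEncoder()
                .username("felord").password("password").roles("USER").build());
    }
}
```

Because the registered redirect URI is compared exactly, a client that later uses https://127.0.0.1:8080/foo/bar (as in the token request captured above) must have that URI registered as well, or the authorization request is rejected.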
Follow the public account: Felordcn for more information