Throughout this article, Spring Authorization Server is abbreviated as SAS.

Background

  • The Spring team has officially announced that Spring Security OAuth is no longer maintained, and the project will not be iterated any further

  • The OAuth2 authorization server of the Spring ecosystem is now Spring Authorization Server, which is officially ready for production use.
  • Spring Boot 2.7.0, as the transitional release toward Spring Boot 3.0, deprecates many Spring Security configuration classes, so code written against the old, now-deprecated configuration style cannot simply be carried over on upgrade.

Migration process

This article uses the PIG microservice development platform as the demonstration; the process applies to migrating an authentication center built on Spring Security OAuth 2.3 <-> 2.5

① Java 1.8 support

The latest SAS release, 0.3, is built on Java 11 and cannot be used with lower Java versions

After communication with the official Spring Security team, 0.3.1 will remain compatible with Java 1.8

In cooperation with the Spring Boot Chinese community, we built a version suitable for Java 1.8; its coordinates are as follows

<dependency>
    <groupId>io.springboot.security</groupId>
    <artifactId>spring-security-oauth2-authorization-server</artifactId>
    <version>0.3.0</version>
</dependency>

② Extension of authorization mode

  • Extended support for the password grant: SAS follows the OAuth 2.1 protocol and therefore does not support the password grant out of the box
  • Extended support for SMS login

③ Redis token storage

Redis token storage support

  • The official project currently provides no Redis-based token persistence scheme
  • PIG adds PigRedisOAuth2AuthorizationService to provide it
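As an added illustration of what such a Redis-backed store has to do (this is example code written for this article, not PIG's PigRedisOAuth2AuthorizationService), the class below implements SAS's OAuth2AuthorizationService on top of a Spring Data RedisTemplate. It assumes the template is configured with a value serializer that can round-trip OAuth2Authorization (the class is java.io.Serializable, so JdkSerializationRedisSerializer works); the key prefixes and the five-minute lifetime for a pending, state-only authorization are assumptions of the example.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.lang.Nullable;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.util.Assert;

/**
 * Hypothetical Redis-backed OAuth2AuthorizationService (example, not PIG's class).
 * The authorization is stored under its id; every token value it carries (state,
 * code, access, refresh) gets an index entry pointing back to that id, so
 * findByToken() is a single GET. All keys expire with the longest-lived token,
 * so expired grants do not pile up in Redis.
 */
public class RedisOAuth2AuthorizationService implements OAuth2AuthorizationService {

    private static final String AUTHORIZATION_KEY = "oauth2:authorization:";   // assumed prefix
    private static final String TOKEN_INDEX_KEY = "oauth2:token:";             // assumed prefix
    private static final Duration PENDING_TTL = Duration.ofMinutes(5);         // assumed lifetime of a state-only grant
    private static final List<String> ALL_TOKEN_TYPES = Arrays.asList(
            OAuth2ParameterNames.STATE, OAuth2ParameterNames.CODE,
            OAuth2ParameterNames.ACCESS_TOKEN, OAuth2ParameterNames.REFRESH_TOKEN);

    private final RedisTemplate<String, Object> redis;

    public RedisOAuth2AuthorizationService(RedisTemplate<String, Object> redis) {
        this.redis = redis;
    }

    @Override
    public void save(OAuth2Authorization authorization) {
        Assert.notNull(authorization, "authorization cannot be null");
        Duration ttl = timeToLive(authorization);
        redis.opsForValue().set(AUTHORIZATION_KEY + authorization.getId(), authorization, ttl);
        for (String key : indexKeys(authorization)) {
            redis.opsForValue().set(key, authorization.getId(), ttl);
        }
    }

    @Override
    public void remove(OAuth2Authorization authorization) {
        Assert.notNull(authorization, "authorization cannot be null");
        List<String> keys = new ArrayList<>(indexKeys(authorization));
        keys.add(AUTHORIZATION_KEY + authorization.getId());
        redis.delete(keys);
    }

    @Nullable
    @Override
    public OAuth2Authorization findById(String id) {
        return (OAuth2Authorization) redis.opsForValue().get(AUTHORIZATION_KEY + id);
    }

    @Nullable
    @Override
    public OAuth2Authorization findByToken(String token, @Nullable OAuth2TokenType tokenType) {
        // A null tokenType means "any kind of token": consult each index in turn
        List<String> types = tokenType == null ? ALL_TOKEN_TYPES : Collections.singletonList(tokenType.getValue());
        for (String type : types) {
            Object id = redis.opsForValue().get(indexKey(type, token));
            if (id != null) {
                return findById(id.toString());
            }
        }
        return null;
    }

    private static String indexKey(String type, String tokenValue) {
        return TOKEN_INDEX_KEY + type + ":" + tokenValue;
    }

    private static List<String> indexKeys(OAuth2Authorization authorization) {
        List<String> keys = new ArrayList<>();
        String state = authorization.getAttribute(OAuth2ParameterNames.STATE);
        if (state != null) {
            keys.add(indexKey(OAuth2ParameterNames.STATE, state));
        }
        addIndexKey(keys, OAuth2ParameterNames.CODE, authorization.getToken(OAuth2AuthorizationCode.class));
        addIndexKey(keys, OAuth2ParameterNames.ACCESS_TOKEN, authorization.getToken(OAuth2AccessToken.class));
        addIndexKey(keys, OAuth2ParameterNames.REFRESH_TOKEN, authorization.getToken(OAuth2RefreshToken.class));
        return keys;
    }

    private static void addIndexKey(List<String> keys, String type,
                                    @Nullable OAuth2Authorization.Token<? extends OAuth2Token> token) {
        if (token != null) {
            keys.add(indexKey(type, token.getToken().getTokenValue()));
        }
    }

    // TTL runs until the latest expiry among code, access and refresh token; a pending grant gets PENDING_TTL
    private static Duration timeToLive(OAuth2Authorization authorization) {
        Instant latest = later(null, authorization.getToken(OAuth2AuthorizationCode.class));
        latest = later(latest, authorization.getToken(OAuth2AccessToken.class));
        latest = later(latest, authorization.getToken(OAuth2RefreshToken.class));
        if (latest == null) {
            return PENDING_TTL;
        }
        Duration ttl = Duration.between(Instant.now(), latest);
        return ttl.isNegative() || ttl.isZero() ? Duration.ofSeconds(1) : ttl;
    }

    @Nullable
    private static Instant later(@Nullable Instant current,
                                 @Nullable OAuth2Authorization.Token<? extends OAuth2Token> token) {
        if (token == null || token.getToken().getExpiresAt() == null) {
            return current;
        }
        Instant expiresAt = token.getToken().getExpiresAt();
        return current == null || expiresAt.isAfter(current) ? expiresAt : current;
    }
}
```

Expose it as the OAuth2AuthorizationService bean of the authorization server. Because the store now holds every live access and refresh token in plaintext, the Redis instance deserves the same protection as the token database it replaces: network isolation, authentication and ACLs limited to the services that need it.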

④ Token output format

  • With introspection (opaque) tokens, the default implementation produces token values such as
    ku4R4n7YD1f584KXj4k_3GP9o-HbdY-PDIIh-twPVJTmvHa5mLIoifaNhbBvFNBbse6_wAMcRoOWuVs9qeBWpxQ5zIFrF1A4g1Q7LhVAfH1vo9Uc7WL3SP3u82j0XU5x

Default implementation

  • To make token retrieval through Redis efficient, and to make tokens easier to inspect graphically with RDM key grouping, the token value follows this layout
    <common prefix>::<token type>::<client ID>::<username>::<uuid>

import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.server.authorization.token.DelegatingOAuth2TokenGenerator;
import org.springframework.security.oauth2.server.authorization.token.OAuth2RefreshTokenGenerator;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;

@Bean
public OAuth2TokenGenerator<?> oAuth2TokenGenerator() {
    CustomeOAuth2AccessTokenGenerator accessTokenGenerator = new CustomeOAuth2AccessTokenGenerator();
    // Customize the issued token so it carries the associated user information
    accessTokenGenerator.setAccessTokenCustomizer(new CustomeOAuth2TokenCustomizer());
    return new DelegatingOAuth2TokenGenerator(accessTokenGenerator, new OAuth2RefreshTokenGenerator());
}
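To show how a generator produces values in that layout, here is an added example written for this article (it is not PIG's CustomeOAuth2AccessTokenGenerator and attaches no claims, only value, lifetime and scopes). It assumes SAS 0.3's OAuth2TokenGenerator and OAuth2TokenContext API, and the class name, constructor prefix argument and the escaping of the separator are the example's own choices.

```java
import java.time.Instant;
import java.util.UUID;

import org.springframework.lang.Nullable;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;

/**
 * Hypothetical access-token generator (example, not PIG's class) emitting opaque
 * token values laid out as  <prefix>::<token type>::<client id>::<username>::<uuid>.
 * The readable segments exist only so keys group nicely in Redis/RDM; the random
 * UUID at the end is what makes the token unguessable and must never be dropped.
 */
public class PrefixedAccessTokenGenerator implements OAuth2TokenGenerator<OAuth2AccessToken> {

    private static final String SEPARATOR = "::";
    private final String prefix;

    public PrefixedAccessTokenGenerator(String prefix) {
        this.prefix = prefix;
    }

    @Nullable
    @Override
    public OAuth2AccessToken generate(OAuth2TokenContext context) {
        // Returning null for other token types lets DelegatingOAuth2TokenGenerator
        // fall through to the next generator (e.g. OAuth2RefreshTokenGenerator)
        if (!OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
            return null;
        }
        RegisteredClient client = context.getRegisteredClient();
        Authentication principal = context.getPrincipal();
        // For client_credentials the principal is the client itself, so getName() is the client id
        String username = principal != null ? principal.getName() : "anonymous";
        String tokenValue = buildTokenValue(prefix, context.getTokenType().getValue(),
                client.getClientId(), username, UUID.randomUUID().toString());
        Instant issuedAt = Instant.now();
        Instant expiresAt = issuedAt.plus(client.getTokenSettings().getAccessTokenTimeToLive());
        return new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, tokenValue,
                issuedAt, expiresAt, context.getAuthorizedScopes());
    }

    // Segments that an administrator controls (client id, username) are escaped so a
    // value containing the separator cannot shift the columns of the key layout
    static String buildTokenValue(String prefix, String type, String clientId, String username, String uuid) {
        return String.join(SEPARATOR, prefix, type, escape(clientId), escape(username), uuid);
    }

    private static String escape(String segment) {
        return segment.replace(":", "_");
    }
}
```

Wire it in place of the access-token generator inside the DelegatingOAuth2TokenGenerator shown above. Note that such a token reveals the client id and username to anyone who sees the token string, so it is only appropriate where tokens stay inside trusted channels; the security of the token still rests entirely on the UUID segment.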

⑤ Token output enhancement

  • With introspection (opaque) tokens, the default token response format is
    {
        "access_token": "xx",
        "refresh_token": "xx",
        "scope": "server",
        "token_type": "Bearer",
        "expires_in": 43199
    }
  • The enhanced token response adds the associated user information
    {
        "sub": "admin",
        "clientId": "test",
        "access_token": "xx",
        "refresh_token": "xx",
        "license": "https://pig4cloud.com",
        "user_info": {
            "username": "admin",
            "accountNonExpired": true,
            "accountNonLocked": true,
            "credentialsNonExpired": true,
            "enabled": true,
            "id": 1,
            "deptId": 1,
            "phone": "17034642999",
            "name": "admin",
            "attributes": {}
        }
    }
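The enhanced response is produced by replacing the token endpoint's success handler. The following is an added example written for this article, not PIG's own handler: it writes the standard response and adds "sub", "client_id" and a "user_info" object, taking the user from the stored authorization. It assumes Spring Boot 2.7 (javax.servlet), SAS 0.3's OAuth2AccessTokenAuthenticationToken, and an OAuth2AuthorizationService bean; the field names beyond those shown on the page are the example's own.

```java
import java.io.IOException;
import java.security.Principal;
import java.time.temporal.ChronoUnit;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.server.ServletServerHttpResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

/**
 * Hypothetical token-endpoint success handler (example, not PIG's class).
 * Only account status flags go into user_info: the token response is delivered
 * to the OAuth client, so anything added here is visible to every client that
 * can obtain a token. Keep personal data (phone, e-mail) out unless required.
 */
public class EnrichedTokenResponseHandler implements AuthenticationSuccessHandler {

    private final HttpMessageConverter<OAuth2AccessTokenResponse> converter =
            new OAuth2AccessTokenResponseHttpMessageConverter();
    private final OAuth2AuthorizationService authorizationService;

    public EnrichedTokenResponseHandler(OAuth2AuthorizationService authorizationService) {
        this.authorizationService = authorizationService;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws IOException {
        OAuth2AccessTokenAuthenticationToken tokenAuthentication = (OAuth2AccessTokenAuthenticationToken) authentication;
        OAuth2AccessToken accessToken = tokenAuthentication.getAccessToken();
        OAuth2RefreshToken refreshToken = tokenAuthentication.getRefreshToken();

        // Standard fields first, exactly as the default handler would write them
        OAuth2AccessTokenResponse.Builder builder = OAuth2AccessTokenResponse.withToken(accessToken.getTokenValue())
                .tokenType(accessToken.getTokenType())
                .scopes(accessToken.getScopes());
        if (accessToken.getIssuedAt() != null && accessToken.getExpiresAt() != null) {
            builder.expiresIn(ChronoUnit.SECONDS.between(accessToken.getIssuedAt(), accessToken.getExpiresAt()));
        }
        if (refreshToken != null) {
            builder.refreshToken(refreshToken.getTokenValue());
        }
        builder.additionalParameters(extraParameters(tokenAuthentication, accessToken));
        converter.write(builder.build(), null, new ServletServerHttpResponse(response));
    }

    // The stored authorization holds the end-user Authentication for user-facing grants;
    // for client_credentials there is no user and user_info is simply omitted
    Map<String, Object> extraParameters(OAuth2AccessTokenAuthenticationToken tokenAuthentication,
                                        OAuth2AccessToken accessToken) {
        Map<String, Object> extra = new HashMap<>(tokenAuthentication.getAdditionalParameters());
        extra.put("client_id", tokenAuthentication.getRegisteredClient().getClientId());
        OAuth2Authorization authorization =
                authorizationService.findByToken(accessToken.getTokenValue(), OAuth2TokenType.ACCESS_TOKEN);
        if (authorization == null) {
            return extra;
        }
        extra.put("sub", authorization.getPrincipalName());
        Authentication user = authorization.getAttribute(Principal.class.getName());
        if (user != null && user.getPrincipal() instanceof UserDetails) {
            UserDetails details = (UserDetails) user.getPrincipal();
            Map<String, Object> userInfo = new HashMap<>();
            userInfo.put("username", details.getUsername());
            userInfo.put("enabled", details.isEnabled());
            userInfo.put("accountNonLocked", details.isAccountNonLocked());
            userInfo.put("accountNonExpired", details.isAccountNonExpired());
            userInfo.put("credentialsNonExpired", details.isCredentialsNonExpired());
            extra.put("user_info", userInfo);
        }
        return extra;
    }
}
```

Register it through the authorization server configurer's token endpoint customizer (OAuth2TokenEndpointConfigurer.accessTokenResponseHandler). Nested objects such as user_info rely on the message converter keeping additional parameters as objects rather than flattening them to strings, which Spring Security 5.6 and later do.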

⑥ Personalization of authorization code mode

Inject a custom confirm (consent) page

An open platform based on the authorization code grant

⑦ Resource Server

  • The introspection scheme is extended so that the resource server can look tokens up locally

Default resource server introspection mode

  • Extended resource server local introspection


  • Advantages: 1. user status changes take effect in real time; 2. fewer network calls, so better performance
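What "local introspection" looks like in code, as an added example written for this article (not PIG's implementation): an OpaqueTokenIntrospector that, instead of POSTing to the introspection endpoint, looks the token up in the shared OAuth2AuthorizationService (for example the Redis-backed one) and re-reads the user's account on every request, which is exactly what yields the two advantages listed. It assumes the resource server has the SAS classes and the authorization service on its classpath and a UserDetailsService for the user store; the class name and the claim names placed in the attributes map are the example's own.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.resource.introspection.BadOpaqueTokenException;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;

/**
 * Hypothetical local introspector (example, not PIG's class). Rejecting a token
 * whose user has since been disabled or locked happens immediately, not when the
 * token expires, because the account is re-read on every request.
 */
public class LocalOpaqueTokenIntrospector implements OpaqueTokenIntrospector {

    private final OAuth2AuthorizationService authorizationService;
    private final UserDetailsService userDetailsService;

    public LocalOpaqueTokenIntrospector(OAuth2AuthorizationService authorizationService,
                                        UserDetailsService userDetailsService) {
        this.authorizationService = authorizationService;
        this.userDetailsService = userDetailsService;
    }

    @Override
    public OAuth2AuthenticatedPrincipal introspect(String token) {
        OAuth2Authorization authorization = authorizationService.findByToken(token, OAuth2TokenType.ACCESS_TOKEN);
        if (authorization == null) {
            throw new BadOpaqueTokenException("Invalid access token");
        }
        OAuth2Authorization.Token<OAuth2AccessToken> accessToken = authorization.getAccessToken();
        // isActive() covers expiry, not-before and explicit invalidation (e.g. after refresh or logout)
        if (accessToken == null || !accessToken.isActive()) {
            throw new BadOpaqueTokenException("Invalid access token");
        }

        // Real-time user status: load the account now rather than trusting the state at issue time
        UserDetails user;
        try {
            user = userDetailsService.loadUserByUsername(authorization.getPrincipalName());
        } catch (UsernameNotFoundException e) {
            throw new BadOpaqueTokenException("Invalid access token");
        }
        if (!user.isEnabled() || !user.isAccountNonLocked() || !user.isAccountNonExpired()) {
            throw new BadOpaqueTokenException("Invalid access token");
        }

        // Same authority mapping as Spring's default introspector: SCOPE_<scope>, plus the user's roles
        Collection<GrantedAuthority> authorities = new ArrayList<>();
        for (String scope : accessToken.getToken().getScopes()) {
            authorities.add(new SimpleGrantedAuthority("SCOPE_" + scope));
        }
        authorities.addAll(user.getAuthorities());

        Map<String, Object> attributes = new HashMap<>();
        attributes.put("sub", user.getUsername());
        attributes.put("registered_client_id", authorization.getRegisteredClientId());
        attributes.put("scope", accessToken.getToken().getScopes());
        return new DefaultOAuth2AuthenticatedPrincipal(user.getUsername(), attributes, authorities);
    }
}
```

Plug it in with http.oauth2ResourceServer(rs -> rs.opaqueToken(t -> t.introspector(introspector))). The error messages are deliberately identical so a caller cannot tell an unknown token from a revoked one or a disabled user. The trade-off to keep in mind: every resource server now needs read access to the token store, so a compromised resource server exposes all live tokens; restrict that store's credentials to the services that genuinely need them.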


Author: 冷冷