Embrace Spring's new OAuth2 solution

The following full text Spring Authorization Server is referred to as: SAS

background

• The Spring team officially announced that Spring Security OAuth is no longer maintained , and the project will not undergo any further iterations

• At present, the OAuth2 authorization server in the Spring ecosystem is the Spring Authorization Server , which can be officially used in production.
• As a transitional version of SpringBoot 3.0, SpringBoot 2.7.0 has expired a lot of configuration classes about Spring Security, such as the old version of expired configuration cannot be upgraded.

Migration process

This article uses the PIG microservice development platform as a demonstration, which is suitable for the authentication center migration of Spring Security OAuth 2.3 <-> 2.5

① Java 1.8 support

The latest SAS 0.3 is based on Java 11, and the lower version of Java cannot be used

After communication with the official Spring Security team, 0.3.1 will continue to be compatible with Java 1.8

We cooperated with the springboot Chinese community to compile the version coordinates suitable for java 1.8 as follows

 <dependency>
      <groupId>io.springboot.security</groupId>
      <artifactId>spring-security-oauth2-authorization-server</artifactId>
      <version>0.3.0</version>
  </dependency>

② Extension of authorization mode

• Extended support for password mode, SAS does not support password mode based on oauth 2.1 protocol
• Extended support for SMS login

③ Redis token storage

• The official currently does not provide a Redis-based token persistence scheme
• PIG extends PigRedisOAuth2AuthorizationService support

④ Token output format

• The default implementation when using the introspection token is

 ku4R4n7YD1f584KXj4k_3GP9o-HbdY-PDIIh-twPVJTmvHa5mLIoifaNhbBvFNBbse6_wAMcRoOWuVs9qeBWpxQ5zIFrF1A4g1Q7LhVAfH1vo9Uc7WL3SP3u82j0XU5x

• In order to facilitate efficient token retrieval combined with redis, combined with RDM grouping can also be more convenient for graphical observation

 统一前缀::令牌类型::客户端ID::用户名::uuid

 @Bean
public OAuth2TokenGenerator oAuth2TokenGenerator() {
  CustomeOAuth2AccessTokenGenerator accessTokenGenerator = new CustomeOAuth2AccessTokenGenerator();
  // 注入Token 增加关联用户信息
  accessTokenGenerator.setAccessTokenCustomizer(new CustomeOAuth2TokenCustomizer());
  return new DelegatingOAuth2TokenGenerator(accessTokenGenerator, new OAuth2RefreshTokenGenerator());
}

⑤ Token output enhancement

• Use introspection tokens, the default output Token format

 {
    "access_token": "xx",
    "refresh_token": "xx",
    "scope": "server",
    "token_type": "Bearer",
    "expires_in": 43199
}

• Token enhanced output associated user information

 {
    "sub": "admin",
    "clientId": "test",
    "access_token": "xx",
    "refresh_token": "xx",
    "license": "https://pig4cloud.com",
    "user_info": {
        "username": "admin",
        "accountNonExpired": true,
        "accountNonLocked": true,
        "credentialsNonExpired": true,
        "enabled": true,
        "id": 1,
        "deptId": 1,
        "phone": "17034642999",
        "name": "admin",
        "attributes": {}
    }
}

⑥ Personalization of authorization code mode

⑦ Resource Server

• Introspection scheme extension supports resource resource server local query

• Extended resource server local introspection

- Advantages: 1. Real-time update of user status 2. Reduce network calls and improve performance

• Source code: https://github.com/pig-mesh/pig