
Token Generation: The Full Flow

POST /auth/oauth2/token?grant_type=password&scope=server HTTP/1.1
Host: pig-gateway:9999
Authorization: Basic dGVzdDp0ZXN0
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
username=admin&password=YehdBPev

⓪ Gateway preprocessing

Captcha verification: ValidateCodeGatewayFilter.java

Reference: captcha configuration switch

Decrypting the front-end encrypted password: PasswordDecoderFilter.java. Its job is to turn the password ciphertext sent by the front end (shown in the figure below) back into plaintext so that Spring Security can process it.

Reference: front-end login request encryption process

① Client authentication processing

  • As shown in the figure above, the login request carries Basic base64(clientId:clientSecret). OAuth2ClientAuthenticationFilter first calls RegisteredClientRepository (database-backed) to determine whether the presented client is valid.
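The client check in step ① works on the Authorization header shown in the request above (dGVzdDp0ZXN0 is base64 of test:test). The following is an added example, not PIG's or Spring Authorization Server's own code: it decodes the Basic header, looks the client up in a RegisteredClientRepository and verifies the secret with a PasswordEncoder. The in-memory repository, the client id "demo-client-id" and the secret "test" are constructed for the example; PIG stores registered clients in the database.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;

public class ClientBasicAuthCheck {

    // Constructed registration that matches the header in the request above (test:test).
    // The secret is stored hashed ({bcrypt}...), never as plaintext.
    static RegisteredClientRepository repository(PasswordEncoder encoder) {
        RegisteredClient client = RegisteredClient.withId("demo-client-id")
                .clientId("test")
                .clientSecret(encoder.encode("test"))
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(new AuthorizationGrantType("password"))
                .scope("server")
                .build();
        return new InMemoryRegisteredClientRepository(client);
    }

    /** Returns the matched RegisteredClient, or null when the client must be rejected. */
    static RegisteredClient authenticate(String authorizationHeader, RegisteredClientRepository repository,
            PasswordEncoder encoder) {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Basic ")) {
            return null;
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(authorizationHeader.substring(6).trim()),
                    StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // malformed base64
        }
        int sep = decoded.indexOf(':');
        if (sep < 0) {
            return null; // no clientId:clientSecret separator
        }
        String clientId = decoded.substring(0, sep);
        String clientSecret = decoded.substring(sep + 1);

        RegisteredClient client = repository.findByClientId(clientId);
        // Unknown client, wrong authentication method and wrong secret are all rejected the same way,
        // so the response does not reveal which of the three failed.
        if (client == null
                || !client.getClientAuthenticationMethods().contains(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                || !encoder.matches(clientSecret, client.getClientSecret())) {
            return null;
        }
        return client;
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        RegisteredClientRepository repo = repository(encoder);
        System.out.println(authenticate("Basic dGVzdDp0ZXN0", repo, encoder) != null);
        System.out.println(authenticate("Basic dGVzdDp3cm9uZw==", repo, encoder) != null);
        System.out.println(authenticate("Bearer dGVzdDp0ZXN0", repo, encoder) != null);
    }
}
```

Running it prints true for the header from the request, then false for a wrong secret (dGVzdDp3cm9uZw== is test:wrong) and false for a non-Basic scheme. Note that base64 here is only an encoding: anyone who can read the header can recover the client secret, which is why the gateway should only accept it over TLS.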

③ Receiving the login request

OAuth2TokenEndpointFilter receives the request once the client has been authenticated by the OAuth2ClientAuthenticationFilter described above.

④ Assembling the authentication object

The AuthenticationConverter assembles the matching authorization-grant authentication object from the request parameters and the grant type.

⑤ The login authentication object

// Template for a custom grant type's authentication token: extend PIG's base class so the
// converter (④) and the provider (⑥) share the client principal, scopes and extra parameters.
public class XXXAuthenticationToken extends OAuth2ResourceOwnerBaseAuthenticationToken {

}

⑥ Authorization and authentication call

⑦ Core authentication logic

Matching the UserDetailsService for a multi-user system

Password match check

User status check

⑧ User query logic

User query logic can take several forms:

  • Decoupled: query other systems through Feign, then assemble the result into UserDetails
  • Simple: the authentication center queries the DB directly and assembles UserDetails itself

⑨ Password verification logic

The password formats supported by default are:
{noop} plaintext password
{encoder id} password hash for that encoder (for example {bcrypt})
PasswordEncoder selects the matching algorithm from this id prefix, so when step ⑧ assembles the queried user into UserDetails the stored hash must be prefixed accordingly:
// the DB stores the bare hash; prepend the encoder id before building UserDetails (authorities = the user's roles)
return new User(user.getUsername(), "{bcrypt}" + user.getPassword(), authorities);
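To make the prefix rule from ⑨ and the status check from ⑦ concrete, here is an added example (not code from PIG or Spring Security). It assembles UserDetails from a constructed DB row whose bcrypt hash has no prefix, verifies the password through Spring's DelegatingPasswordEncoder, and runs AccountStatusUserDetailsChecker for the locked/disabled/expired checks. The SysUser record, the role "USER" and the sample password (the one from the request above) are constructed for the example.

```java
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PrefixedPasswordCheck {

    // Constructed stand-in for the DB row: the stored value is a bcrypt hash WITHOUT a prefix,
    // which is why step ⑧ has to prepend "{bcrypt}" when it assembles UserDetails.
    record SysUser(String username, String passwordHash, boolean lockFlag) {}

    // Spring's default delegating encoder: picks the algorithm from the {id} prefix
    static final PasswordEncoder DELEGATING = PasswordEncoderFactories.createDelegatingPasswordEncoder();

    static UserDetails toUserDetails(SysUser row) {
        return User.withUsername(row.username())
                .password("{bcrypt}" + row.passwordHash())
                .roles("USER")
                .accountLocked(row.lockFlag())
                .build();
    }

    /** True only when the password matches AND the account passes the status checks. */
    static boolean authenticate(SysUser row, String rawPassword) {
        UserDetails details = toUserDetails(row);
        if (!DELEGATING.matches(rawPassword, details.getPassword())) {
            return false;
        }
        try {
            // throws LockedException, DisabledException, AccountExpiredException, ...
            new AccountStatusUserDetailsChecker().check(details);
        } catch (AuthenticationException e) {
            return false;
        }
        return true;
    }

    public static void main(String[] args) {
        String hash = new BCryptPasswordEncoder().encode("YehdBPev"); // what the DB row holds
        SysUser admin = new SysUser("admin", hash, false);
        SysUser locked = new SysUser("locked", hash, true);

        System.out.println(authenticate(admin, "YehdBPev"));
        System.out.println(authenticate(admin, "wrong"));
        System.out.println(authenticate(locked, "YehdBPev"));

        // Forgetting the prefix does not silently fail: the delegating encoder rejects the hash
        try {
            DELEGATING.matches("YehdBPev", hash);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(DELEGATING.matches("plain", "{noop}plain"));
    }
}
```

The run prints true, false, false, then the "no PasswordEncoder mapped" rejection for the unprefixed hash, and finally true for the {noop} form. The order of the checks matters: the password is verified first so that a locked account does not leak whether the supplied password was right.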

⑩ Generate OAuth2AccessToken

⑪ Token storage persistence

Currently SAS only supports JDBC and in-memory storage; PIG adds a Redis implementation.

⑫ Login successful event processing

This is built on Spring events; further logic such as log handling and other customization can be hooked in here.
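One way to hook into this step, as an added example rather than PIG's own handler: a Spring listener that records both successful logins and failed attempts, the latter being what a brute-force alert is built on. It assumes an AuthenticationEventPublisher is registered so that Spring Security publishes these events (Spring Boot's auto-configuration registers a DefaultAuthenticationEventPublisher); the log line format is constructed for the example.

```java
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Component;

@Component
public class LoginAuditListener {

    @EventListener
    public void onSuccess(AuthenticationSuccessEvent event) {
        String user = event.getAuthentication().getName();
        // hand off to the login-history table / audit log
        System.out.printf("login success user=%s%n", user);
    }

    @EventListener
    public void onFailure(AbstractAuthenticationFailureEvent event) {
        String user = event.getAuthentication().getName();
        // the exception type (BadCredentialsException, LockedException, ...) is the reason code
        String reason = event.getException().getClass().getSimpleName();
        System.out.printf("login failure user=%s reason=%s%n", user, reason);
    }
}
```

Recording the failure reason as the exception class name, rather than its message, keeps the audit log free of anything that could reveal account state to a caller while still letting a detection rule count repeated BadCredentialsException per user or per source.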

⑬ Returning the Token in the response

private void sendAccessTokenResponse(HttpServletRequest request, HttpServletResponse response,
        Authentication authentication) throws IOException {
    OAuth2AccessTokenAuthenticationToken accessTokenAuthentication = (OAuth2AccessTokenAuthenticationToken) authentication;
    OAuth2AccessToken accessToken = accessTokenAuthentication.getAccessToken();
    OAuth2RefreshToken refreshToken = accessTokenAuthentication.getRefreshToken();
    Map<String, Object> additionalParameters = accessTokenAuthentication.getAdditionalParameters();
    // build the standard token response body (token, type, scopes, expires_in, refresh_token, extras)
    OAuth2AccessTokenResponse.Builder builder = OAuth2AccessTokenResponse.withToken(accessToken.getTokenValue())
            .tokenType(accessToken.getTokenType()).scopes(accessToken.getScopes());
    if (accessToken.getIssuedAt() != null && accessToken.getExpiresAt() != null) {
        builder.expiresIn(ChronoUnit.SECONDS.between(accessToken.getIssuedAt(), accessToken.getExpiresAt()));
    }
    if (refreshToken != null) {
        builder.refreshToken(refreshToken.getTokenValue());
    }
    if (!CollectionUtils.isEmpty(additionalParameters)) {
        builder.additionalParameters(additionalParameters);
    }
    OAuth2AccessTokenResponse accessTokenResponse = builder.build();
    ServletServerHttpResponse httpResponse = new ServletServerHttpResponse(response);
    // stateless: clear the security context before writing the response
    SecurityContextHolder.clearContext();
    this.accessTokenHttpResponseConverter.write(accessTokenResponse, null, httpResponse);
}
This is where the specific response format and any other output logic are defined.

Source code for this article: https://github.com/pig-mesh/pig

冷冷